chore: bundle all osh charts
diff --git a/charts/barbican/.helmignore b/charts/barbican/.helmignore
new file mode 100644
index 0000000..b54c347
--- /dev/null
+++ b/charts/barbican/.helmignore
@@ -0,0 +1 @@
+values_overrides
diff --git a/charts/barbican/Chart.yaml b/charts/barbican/Chart.yaml
new file mode 100644
index 0000000..75af00f
--- /dev/null
+++ b/charts/barbican/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Barbican
+home: https://docs.openstack.org/barbican/latest/
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/Barbican/OpenStack_Project_Barbican_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: barbican
+sources:
+- https://opendev.org/openstack/barbican
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.12
diff --git a/charts/barbican/charts/helm-toolkit/Chart.yaml b/charts/barbican/charts/helm-toolkit/Chart.yaml
new file mode 100644
index 0000000..26244bd
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Helm-Toolkit
+home: https://docs.openstack.org/openstack-helm
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: helm-toolkit
+sources:
+- https://opendev.org/openstack/openstack-helm-infra
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.42
diff --git a/charts/barbican/charts/helm-toolkit/requirements.yaml b/charts/barbican/charts/helm-toolkit/requirements.yaml
new file mode 100644
index 0000000..27fb08a
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/requirements.yaml
@@ -0,0 +1,15 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies: []
+...
diff --git a/charts/barbican/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl b/charts/barbican/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..12b84de
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
@@ -0,0 +1,58 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves database, or basic auth, style endpoints
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      auth:
+        admin:
+          username: root
+          password: password
+        service_username:
+          username: username
+          password: password
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+      path: /dbname
+      scheme: mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "service_username" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+return: |
+  mysql+pymysql://serviceuser:password@mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s:%s@%s:%s%s" $endpointScheme $endpointUser $endpointPass $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl b/charts/barbican/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..b7cf287
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
@@ -0,0 +1,121 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves endpoint string suitible for use with oslo.messaging transport url
+  See: https://docs.openstack.org/oslo.messaging/latest/reference/transport.html#oslo_messaging.TransportURL
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset:
+            replicas: 2
+            name: rabbitmq-rabbitmq
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: null
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq-rabbitmq-0.rabbitmq.default.svc.cluster.local:5672,cinder:password@rabbitmq-rabbitmq-1.rabbitmq.default.svc.cluster.local:5672/cinder
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset: null
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: null
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq.default.svc.cluster.local:5672/cinder
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset:
+            replicas: 2
+            name: rabbitmq-rabbitmq
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: rabbitmq.openstackhelm.org
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq.openstackhelm.org:5672/cinder
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" -}}
+{{-   $type := index . 0 -}}
+{{-   $endpoint := index . 1 -}}
+{{-   $userclass := index . 2 -}}
+{{-   $port := index . 3 -}}
+{{-   $context := index . 4 -}}
+{{-   $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{-   $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{-   $ssMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "statefulset" | default false}}
+{{-   $hostFqdnOverride := index $context.Values.endpoints ( $type | replace "-" "_" ) "host_fqdn_override" }}
+{{-   $endpointUser := index $userMap "username" }}
+{{-   $endpointPass := index $userMap "password" }}
+{{-   $endpointHostSuffix := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{-   $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{-   $local := dict "endpointCredsAndHosts" list -}}
+{{-   if not (or (index $hostFqdnOverride $endpoint | default ( index $hostFqdnOverride "default" ) ) ( not $ssMap ) ) }}
+{{-     $endpointHostPrefix := $ssMap.name }}
+{{-     range $podInt := until ( atoi (print $ssMap.replicas ) ) }}
+{{-       $endpointCredAndHost := printf "%s:%s@%s-%d.%s:%s" $endpointUser $endpointPass $endpointHostPrefix $podInt $endpointHostSuffix $endpointPort }}
+{{-       $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{-     end }}
+{{-   else }}
+{{-     $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{-     $endpointCredAndHost := printf "%s:%s@%s:%s" $endpointUser $endpointPass $endpointHost $endpointPort }}
+{{-     $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{-   end }}
+{{-   $endpointCredsAndHosts := include "helm-toolkit.utils.joinListWithComma" $local.endpointCredsAndHosts }}
+{{-   $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{-   printf "%s://%s%s" $endpointScheme $endpointCredsAndHosts $endpointPath }}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl b/charts/barbican/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
new file mode 100644
index 0000000..fb8bbe7
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves either the fully qualified hostname, of if defined in the host field
+  IPv4 for an endpoint.
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default:
+             host: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: 127.0.0.1
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      127.0.0.1
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default:
+             host: 127.0.0.1
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      127.0.0.1
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_host_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl b/charts/barbican/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
new file mode 100644
index 0000000..447efe7
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
@@ -0,0 +1,41 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the port for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+return: |
+  3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_port_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- $endpointPortMAP := index $endpointMap.port $port }}
+{{- $endpointPort := index $endpointPortMAP $endpoint | default ( index $endpointPortMAP "default" ) }}
+{{- printf "%1.f" $endpointPort -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl b/charts/barbican/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
new file mode 100644
index 0000000..3a268c0
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
@@ -0,0 +1,36 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Gets the token for an endpoint
+values: |
+  endpoints:
+    keystone:
+      auth:
+        admin:
+          token: zh78JzXgw6YUKy2e
+usage: |
+  {{ tuple "keystone" "admin" . | include "helm-toolkit.endpoints.endpoint_token_lookup" }}
+return: |
+  zh78JzXgw6YUKy2e
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_token_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $userName := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" }}
+{{- printf "%s" $serviceToken -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl b/charts/barbican/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..6877b7b
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
@@ -0,0 +1,59 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves 'hostname:port' for an endpoint
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+          port:
+            mysql:
+              default: 3306
+    usage: |
+      {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local:3306
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: 127.0.0.1
+          host_fqdn_override:
+            default: null
+          port:
+            mysql:
+              default: 3306
+    usage: |
+      {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+    return: |
+      127.0.0.1:3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- printf "%s:%s" $endpointHostname $endpointPort -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl b/charts/barbican/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
new file mode 100644
index 0000000..26374e3
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the fully qualified hostname for an endpoint
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: mariadb.openstackhelm.openstack.org
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.openstackhelm.openstack.org
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default:
+              host: mariadb.openstackhelm.openstack.org
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.openstackhelm.openstack.org
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointHostNamespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.svc.%s" $endpointHostNamespaced $context.Values.endpoints.cluster_domain_suffix }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $endpointMap.host_fqdn_override "default" | default "" ) }}
+{{- if kindIs "map" $context.Values.__FQDNendpointHostDefault }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $context.Values.__FQDNendpointHostDefault "host" ) }}
+{{- end }}
+{{- if kindIs "map" (index $endpointMap.host_fqdn_override $endpoint) }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint "host" | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl b/charts/barbican/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
new file mode 100644
index 0000000..9d60393
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
@@ -0,0 +1,40 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the namespace scoped hostname for an endpoint
+values: |
+  endpoints:
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+return: |
+  mariadb.default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.%s" $endpointHost $namespace }}
+{{- printf "%s" $endpointClusterHostname -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl b/charts/barbican/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
new file mode 100644
index 0000000..cc4d4de
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the namespace scoped hostname for an endpoint
+values: |
+  endpoints:
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" }}
+return: |
+  default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- printf "%s" $namespace -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl b/charts/barbican/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
new file mode 100644
index 0000000..f23c624
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the short hostname for an endpoint
+examples:
+  - values: |
+      endpoints:
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+    return: |
+      mariadb
+  - values: |
+      endpoints:
+        oslo_db:
+          hosts:
+            default:
+              host: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+    return: |
+      mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- printf "%s" $type -}}
+{{- else }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl b/charts/barbican/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
new file mode 100644
index 0000000..e31c0eb
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the service name for an service type
+values: |
+  endpoints:
+    identity:
+      name: keystone
+usage: |
+  {{ tuple identity . | include "keystone_endpoint_name_lookup" }}
+return: |
+  "keystone"
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_name_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointName := index $endpointMap "name" }}
+{{- $endpointName | quote -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl b/charts/barbican/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
new file mode 100644
index 0000000..b2ec648
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+  Resolves the path for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      path:
+       default: /dbname
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+return: |
+  /dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_path_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.path }}
+{{- printf "%s" $endpointMap.path | default "/" -}}
+{{- else -}}
+{{- $endpointPath := index $endpointMap.path $endpoint | default $endpointMap.path.default | default "/" }}
+{{- printf "%s" $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl b/charts/barbican/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
new file mode 100644
index 0000000..b35cb0b
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+  Resolves the scheme for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      scheme:
+        default:
+          mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+return: |
+  mysql+pymysql
+*/}}
+
+# This function returns the scheme for a service, it takes an tuple
+# input in the form: service-type, endpoint-class, port-name. eg:
+# { tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_scheme_lookup" }
+# will return the scheme setting for this particular endpoint.  In other words, for most endpoints
+# it will return either 'http' or 'https'
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.scheme }}
+{{- printf "%s" $endpointMap.scheme | default "http" -}}
+{{- else -}}
+{{- $endpointScheme := index $endpointMap.scheme $endpoint | default $endpointMap.scheme.default | default "http" }}
+{{- printf "%s" $endpointScheme -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl b/charts/barbican/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..8d0819c
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
@@ -0,0 +1,52 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  This function helps resolve uri style endpoints. It will omit the port for
+  http when 80 is used, and 443 in the case of https.
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+      path: /dbname
+      scheme: mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+return: |
+  mysql+pymysql://mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- if or ( and ( eq $endpointScheme "http" ) ( eq $endpointPort "80" ) ) ( and ( eq $endpointScheme "https" ) ( eq $endpointPort "443" ) ) -}}
+{{- printf "%s://%s%s" $endpointScheme $endpointHost $endpointPath -}}
+{{- else -}}
+{{- printf "%s://%s:%s%s" $endpointScheme $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl b/charts/barbican/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
new file mode 100644
index 0000000..cf2ef38
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  This function returns endpoint "<namespace>:<name>" pair from an endpoint
+  definition. This is used in kubernetes-entrypoint to support dependencies
+  between different services in different namespaces.
+  returns: the endpoint namespace and the service name, delimited by a colon
+
+  Normally, the service name is constructed dynamically from the hostname
+  however when an ip address is used as the hostname, we default to
+  namespace:endpointCategoryName in order to construct a valid service name
+  however this can be overridden to a custom service name by defining
+  .service.name within the endpoint definition
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      namespace: foo
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple oslo_db internal . | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}
+return: |
+  foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- with $endpointMap -}}
+{{- $endpointName := index .hosts $endpoint | default .hosts.default }}
+{{- $endpointNamespace := .namespace | default $context.Release.Namespace }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointName }}
+{{- if .service.name }}
+{{- printf "%s:%s" $endpointNamespace .service.name -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $typeYamlSafe -}}
+{{- end -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $endpointName -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl b/charts/barbican/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
new file mode 100644
index 0000000..18453ee
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for kubernete ceph storageclass
+examples:
+  - values: |
+      manifests:
+        storageclass: true
+      storageclass:
+        rbd:
+          provision_storage_class: true
+          provisioner: "ceph.com/rbd"
+          metadata:
+            default_storage_class: true
+            name: general
+          parameters:
+            #We will grab the monitors value based on helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup
+            pool: rbd
+            admin_id: admin
+            ceph_configmap_name: "ceph-etc"
+            admin_secret_name: "pvc-ceph-conf-combined-storageclass"
+            admin_secret_namespace: ceph
+            user_id: admin
+            user_secret_name: "pvc-ceph-client-key"
+            image_format: "2"
+            image_features: layering
+        cephfs:
+          provision_storage_class: true
+          provisioner: "ceph.com/cephfs"
+          metadata:
+            name: cephfs
+          parameters:
+            admin_id: admin
+            admin_secret_name: "pvc-ceph-cephfs-client-key"
+            admin_secret_namespace: ceph
+    usage: |
+      {{- range $storageclass, $val := .Values.storageclass }}
+      {{ dict "storageclass_data" $val "envAll" $ | include "helm-toolkit.manifests.ceph-storageclass" }}
+      {{- end }}
+    return: |
+      ---
+      apiVersion: storage.k8s.io/v1
+      kind: StorageClass
+      metadata:
+        annotations:
+          storageclass.kubernetes.io/is-default-class: "true"
+        name: general
+      provisioner: ceph.com/rbd
+      parameters:
+        monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+        adminId: admin
+        adminSecretName: pvc-ceph-conf-combined-storageclass
+        adminSecretNamespace: ceph
+        pool: rbd
+        userId: admin
+        userSecretName: pvc-ceph-client-key
+        image_format: "2"
+        image_features: layering
+      ---
+      apiVersion: storage.k8s.io/v1
+      kind: StorageClass
+      metadata:
+        name: cephfs
+      provisioner: ceph.com/cephfs
+      parameters:
+        monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+        adminId: admin
+        adminSecretName: pvc-ceph-cephfs-client-key
+        adminSecretNamespace: ceph
+*/}}
+
+{{- define "helm-toolkit.manifests.ceph-storageclass" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $monHost := $envAll.Values.conf.ceph.global.mon_host -}}
+{{- if empty $monHost -}}
+{{- $monHost = tuple "ceph_mon" "internal" "mon" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- end -}}
+{{- $storageclassData := index . "storageclass_data" -}}
+---
+{{- if $storageclassData.provision_storage_class }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+{{- if $storageclassData.metadata.default_storage_class }}
+  annotations:
+    storageclass.kubernetes.io/is-default-class: "true"
+{{- end }}
+  name: {{ $storageclassData.metadata.name }}
+provisioner: {{ $storageclassData.provisioner }}
+parameters:
+  monitors: {{ $monHost }}
+{{- range $attr, $value := $storageclassData.parameters }}
+  {{ $attr }}: {{ $value | quote }}
+{{- end }}
+allowVolumeExpansion: true
+
+{{- end }}
+{{- end }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/manifests/_certificates.tpl b/charts/barbican/charts/helm-toolkit/templates/manifests/_certificates.tpl
new file mode 100644
index 0000000..8be771e
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/manifests/_certificates.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a certificate using jetstack
+examples:
+  - values: |
+      endpoints:
+        dashboard:
+          host_fqdn_override:
+            default:
+              host: null
+              tls:
+                secretName: keystone-tls-api
+                issuerRef:
+                  name: ca-issuer
+                  duration: 2160h
+                  organization:
+                    - ACME
+                  commonName: keystone-api.openstack.svc.cluster.local
+                  privateKey:
+                    size: 2048
+                  usages:
+                    - server auth
+                    - client auth
+                  dnsNames:
+                    - cluster.local
+                  issuerRef:
+                    name: ca-issuer
+    usage: |
+      {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
+      {{ $opts | include "helm-toolkit.manifests.certificates" }}
+    return: |
+      ---
+      apiVersion: cert-manager.io/v1
+      kind: Certificate
+      metadata:
+        name: keystone-tls-api
+        namespace: NAMESPACE
+      spec:
+        commonName: keystone-api.openstack.svc.cluster.local
+        dnsNames:
+        - cluster.local
+        duration: 2160h
+        issuerRef:
+          name: ca-issuer
+        privateKey:
+          size: 2048
+        organization:
+        - ACME
+        secretName: keystone-tls-api
+        usages:
+        - server auth
+        - client auth
+*/}}
+
+{{- define "helm-toolkit.manifests.certificates" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $service := index . "service" -}}
+{{- $type := index . "type" | default "" -}}
+{{- $slice := index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" -}}
+{{/* Put in some sensible default value if one is not provided by values.yaml */}}
+{{/* If a dnsNames list is not in the values.yaml, it can be overridden by a passed-in parameter.
+  This allows user to use other HTK method to determine the URI and pass that into this method.*/}}
+{{- if not (hasKey $slice "dnsNames") -}}
+{{- $hostName := tuple $service $type $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
+{{- $_ := $dnsNames | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "dnsNames" -}}
+{{- end -}}
+{{/* Default privateKey size to 4096. This can be overridden. */}}
+{{- if not (hasKey $slice "privateKey") -}}
+{{- $_ := dict "size" ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "privateKey" -}}
+{{- else if empty (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey" "size") -}}
+{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey") "size" -}}
+{{- end -}}
+{{/* Default duration to 3 months. Note the min is 720h. This can be overridden. */}}
+{{- if not (hasKey $slice "duration") -}}
+{{- $_ := printf "%s" "2190h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "duration" -}}
+{{- end -}}
+{{/* Default renewBefore to 15 days. This can be overridden. */}}
+{{- if not (hasKey $slice "renewBefore") -}}
+{{- $_ := printf "%s" "360h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "renewBefore" -}}
+{{- end -}}
+{{/* Default the usage to server auth and client auth. This can be overridden. */}}
+{{- if not (hasKey $slice "usages") -}}
+{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}}
+{{- end -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }}
+  namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{ $slice | toYaml | indent 2 }}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/barbican/charts/helm-toolkit/templates/manifests/_ingress.tpl
new file mode 100644
index 0000000..c1693aa
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -0,0 +1,727 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a services ingress rules.
+examples:
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public: barbican
+          host_fqdn_override:
+            default: null
+            public:
+              host: barbican.openstackhelm.example
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican-namespace-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican.openstackhelm.example
+        rules:
+          - host: barbican.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican-cluster-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx-cluster"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican.openstackhelm.example
+        rules:
+          - host: barbican.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  - values: |
+      cert_issuer_type: issuer
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/secure-backends: "true"
+              nginx.ingress.kubernetes.io/backend-protocol: "https"
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+              internal: barbican-tls-api
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+          certs:
+            barbican_tls_api:
+              secretName: barbican-tls-api
+              issuerRef:
+                name: ca-issuer
+                kind: Issuer
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          cert-manager.io/issuer: ca-issuer
+          certmanager.k8s.io/issuer: ca-issuer
+          nginx.ingress.kubernetes.io/backend-protocol: https
+          nginx.ingress.kubernetes.io/secure-backends: "true"
+      spec:
+        tls:
+          - secretName: barbican-tls-public-certmanager
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/secure-backends: "true"
+              nginx.ingress.kubernetes.io/backend-protocol: "https"
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+              internal: barbican-tls-api
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+          certs:
+            barbican_tls_api:
+              secretName: barbican-tls-api
+              issuerRef:
+                name: ca-issuer
+                kind: ClusterIssuer
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer") -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          cert-manager.io/cluster-issuer: ca-issuer
+          certmanager.k8s.io/cluster-issuer: ca-issuer
+          nginx.ingress.kubernetes.io/backend-protocol: https
+          nginx.ingress.kubernetes.io/secure-backends: "true"
+      spec:
+        tls:
+          - secretName: barbican-tls-public-certmanager
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  # Sample usage for multiple DNS names associated with the same public
+  # endpoint and certificate
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        grafana:
+          name: grafana
+          hosts:
+            default: grafana-dashboard
+            public: grafana
+          host_fqdn_override:
+            public:
+              host: grafana.openstackhelm.example
+              tls:
+                dnsNames:
+                  - grafana-alt.openstackhelm.example
+                crt: "BASE64 ENCODED CERT"
+                key: "BASE64 ENCODED KEY"
+      network:
+        grafana:
+          ingress:
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          grafana:
+            grafana:
+              public: grafana-tls-public
+    usage: |
+      {{- $ingressOpts := dict "envAll" . "backendService" "grafana" "backendServiceType" "grafana" "backendPort" "dashboard" -}}
+      {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        rules:
+          - host: grafana
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana-namespace-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: grafana-tls-public
+            hosts:
+              - grafana.openstackhelm.example
+              - grafana-alt.openstackhelm.example
+        rules:
+          - host: grafana.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana-alt.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana-cluster-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx-cluster"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: grafana-tls-public
+            hosts:
+              - grafana.openstackhelm.example
+              - grafana-alt.openstackhelm.example
+        rules:
+          - host: grafana.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana-alt.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+
+*/}}
+
+{{- define "helm-toolkit.manifests.ingress._host_rules" -}}
+{{- $vHost := index . "vHost" -}}
+{{- $backendName := index . "backendName" -}}
+{{- $backendPort := index . "backendPort" -}}
+- host: {{ $vHost }}
+  http:
+    paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: {{ $backendName }}
+            port:
+{{- if or (kindIs "int" $backendPort) (regexMatch "^[0-9]{1,5}$" $backendPort) }}
+              number: {{ $backendPort | int }}
+{{- else }}
+              name: {{ $backendPort | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "helm-toolkit.manifests.ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendService := index . "backendService" | default "api" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+{{- $backendPort := index . "backendPort" -}}
+{{- $endpoint := index . "endpoint" | default "public" -}}
+{{- $certIssuer := index . "certIssuer" | default "" -}}
+{{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostNameFull := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $certIssuerType := "cluster-issuer" -}}
+{{- if $envAll.Values.cert_issuer_type }}
+{{- $certIssuerType = $envAll.Values.cert_issuer_type }}
+{{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $ingressName }}
+  annotations:
+    kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" "namespace" | quote }}
+{{- if $certIssuer }}
+    cert-manager.io/{{ $certIssuerType }}: {{ $certIssuer }}
+    certmanager.k8s.io/{{ $certIssuerType }}: {{ $certIssuer }}
+{{- $slice := index $envAll.Values.endpoints $backendServiceType "host_fqdn_override" "default" "tls" -}}
+{{- if (hasKey $slice "duration") }}
+    cert-manager.io/duration: {{ index $slice "duration" }}
+{{- end }}
+{{- end }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "hosts" }}
+{{- if $certIssuer }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ printf "%s-ing" $secretName }}
+      hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+        - {{ $vHost }}
+{{- end }}
+{{- else }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ $secretName }}
+      hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+        - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+  rules:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+{{- $hostRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
+{{- range $key2, $ingressController := tuple "namespace" "cluster" }}
+{{- $vHosts := list $hostNameFull }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ printf "%s-%s-%s" $ingressName $ingressController "fqdn" }}
+  annotations:
+    kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" $ingressController | quote }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
+{{- $vHosts = append $vHosts $v }}
+{{- end }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ $secretName }}
+      hosts:
+{{- range $vHost := $vHosts }}
+        - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+  rules:
+{{- range $vHost := $vHosts }}
+{{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/charts/barbican/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
new file mode 100644
index 0000000..5d98c8b
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
@@ -0,0 +1,141 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $bootstrapJob := dict "envAll" . "serviceName" "senlin" -}
+# { $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }
+
+{{- define "helm-toolkit.manifests.job_bootstrap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}}
+{{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $keystoneUser := index . "keystoneUser" | default $serviceName -}}
+{{- $openrc := index . "openrc" | default "true" -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "bootstrap" }}
+{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "bootstrap" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+      containers:
+        - name: bootstrap
+          image: {{ $envAll.Values.images.tags.bootstrap }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if eq $openrc "true" }}
+          env:
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+{{- end }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/bootstrap.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: bootstrap-sh
+              mountPath: /tmp/bootstrap.sh
+              subPath: bootstrap.sh
+              readOnly: true
+            - name: etc-service
+              mountPath: {{ dir $configFile | quote }}
+            - name: bootstrap-conf
+              mountPath: {{ $configFile | quote }}
+              subPath: {{ base $configFile | quote }}
+              readOnly: true
+            - name: bootstrap-conf
+              mountPath: {{ $logConfigFile | quote }}
+              subPath: {{ base $logConfigFile | quote }}
+              readOnly: true
+{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: bootstrap-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etc-service
+          emptyDir: {}
+        - name: bootstrap-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/charts/barbican/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
new file mode 100644
index 0000000..62ed119
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
@@ -0,0 +1,170 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToDropJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_drop_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToDrop := index . "dbToDrop" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToDrop := default (list $dbToDrop) (index . "dbsToDrop") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
+{{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-drop" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": hook-succeeded
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_drop" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_drop" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{ $dbToDropType := default "oslo" $dbToDrop.inputType }}
+        - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-drop" $key1 | quote }}
+          image: {{ $envAll.Values.images.tags.db_drop }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_drop | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: ROOT_DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToDrop.adminSecret | quote }}
+                  key: DB_CONNECTION
+{{- if eq $dbToDropType "oslo" }}
+            - name: OPENSTACK_CONFIG_FILE
+              value: {{ $dbToDrop.configFile | quote }}
+            - name: OPENSTACK_CONFIG_DB_SECTION
+              value: {{ $dbToDrop.configDbSection | quote }}
+            - name: OPENSTACK_CONFIG_DB_KEY
+              value: {{ $dbToDrop.configDbKey | quote }}
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+            - name: MARIADB_X509
+              value: "REQUIRE X509"
+{{- end }}
+{{- if eq $dbToDropType "secret" }}
+            - name: DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToDrop.userSecret | quote }}
+                  key: DB_CONNECTION
+{{- end }}
+          command:
+            - /tmp/db-drop.py
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-drop-sh
+              mountPath: /tmp/db-drop.py
+              subPath: db-drop.py
+              readOnly: true
+
+{{- if eq $dbToDropType "oslo" }}
+            - name: etc-service
+              mountPath: {{ dir $dbToDrop.configFile | quote }}
+            - name: db-drop-conf
+              mountPath: {{ $dbToDrop.configFile | quote }}
+              subPath: {{ base $dbToDrop.configFile | quote }}
+              readOnly: true
+            - name: db-drop-conf
+              mountPath: {{ $dbToDrop.logConfigFile | quote }}
+              subPath: {{ base $dbToDrop.logConfigFile | quote }}
+              readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-drop-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{- $dbToDropType := default "oslo" $dbToDrop.inputType }}
+{{- if and (eq $dbToDropType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-drop-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/charts/barbican/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
new file mode 100644
index 0000000..745e8da
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
@@ -0,0 +1,169 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToInitJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_init_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToInit := index . "dbToInit" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToInit := default (list $dbToInit) (index . "dbsToInit") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
+{{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-init" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{ $dbToInitType := default "oslo" $dbToInit.inputType }}
+        - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-init" $key1 | quote }}
+          image: {{ $envAll.Values.images.tags.db_init }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: ROOT_DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToInit.adminSecret | quote }}
+                  key: DB_CONNECTION
+{{- if eq $dbToInitType "oslo" }}
+            - name: OPENSTACK_CONFIG_FILE
+              value: {{ $dbToInit.configFile | quote }}
+            - name: OPENSTACK_CONFIG_DB_SECTION
+              value: {{ $dbToInit.configDbSection | quote }}
+            - name: OPENSTACK_CONFIG_DB_KEY
+              value: {{ $dbToInit.configDbKey | quote }}
+{{- end }}
+{{- if eq $dbToInitType "secret" }}
+            - name: DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToInit.userSecret | quote }}
+                  key: DB_CONNECTION
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+            - name: MARIADB_X509
+              value: "REQUIRE X509"
+{{- end }}
+          command:
+            - /tmp/db-init.py
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-init-sh
+              mountPath: /tmp/db-init.py
+              subPath: db-init.py
+              readOnly: true
+{{- if eq $dbToInitType "oslo" }}
+            - name: etc-service
+              mountPath: {{ dir $dbToInit.configFile | quote }}
+            - name: db-init-conf
+              mountPath: {{ $dbToInit.configFile | quote }}
+              subPath: {{ base $dbToInit.configFile | quote }}
+              readOnly: true
+            - name: db-init-conf
+              mountPath: {{ $dbToInit.logConfigFile | quote }}
+              subPath: {{ base $dbToInit.logConfigFile | quote }}
+              readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-init-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{- $dbToInitType := default "oslo" $dbToInit.inputType }}
+{{- if and (eq $dbToInitType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-init-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl b/charts/barbican/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
new file mode 100644
index 0000000..24d2496
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
@@ -0,0 +1,137 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db migration and management.
+# It can be used in charts dict created similar to the following:
+# {- $dbSyncJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }
+
+{{- define "helm-toolkit.manifests.job_db_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $podEnvVars := index . "podEnvVars" | default false -}}
+{{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "image" ( index $envAll.Values.images.tags ( printf "%s_db_sync" $serviceName )) ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
+{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+          image: {{ $dbToSync.image | quote }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if $podEnvVars }}
+          env:
+{{ $podEnvVars | toYaml | indent 12 }}
+{{- end }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/db-sync.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-sync-sh
+              mountPath: /tmp/db-sync.sh
+              subPath: db-sync.sh
+              readOnly: true
+            - name: etc-service
+              mountPath: {{ dir $dbToSync.configFile | quote }}
+            - name: db-sync-conf
+              mountPath: {{ $dbToSync.configFile | quote }}
+              subPath: {{ base $dbToSync.configFile | quote }}
+              readOnly: true
+            - name: db-sync-conf
+              mountPath: {{ $dbToSync.logConfigFile | quote }}
+              subPath: {{ base $dbToSync.logConfigFile | quote }}
+              readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-sync-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-sync-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/charts/barbican/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
new file mode 100644
index 0000000..3a7df7f
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
@@ -0,0 +1,130 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksEndpointJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksEndpointJob | include "helm-toolkit.manifests.job_ks_endpoints" }
+
+{{- define "helm-toolkit.manifests.job_ks_endpoints" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_endpoints" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_endpoints.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-endpoints" }}
+{{ tuple $envAll "ks_endpoints" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "ks-endpoints" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_endpoints" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_endpoints" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+        - name: {{ printf "%s-%s-%s" $osServiceType "ks-endpoints" $osServiceEndPoint | quote }}
+          image: {{ $envAll.Values.images.tags.ks_endpoints }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-endpoints.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-endpoints-sh
+              mountPath: /tmp/ks-endpoints.sh
+              subPath: ks-endpoints.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: OS_SVC_ENDPOINT
+              value: {{ $osServiceEndPoint | quote }}
+            - name: OS_SERVICE_NAME
+              value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+            - name: OS_SERVICE_TYPE
+              value: {{ $osServiceType | quote }}
+            - name: OS_SERVICE_ENDPOINT
+              value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-endpoints-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl b/charts/barbican/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
new file mode 100644
index 0000000..a109e3c
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
@@ -0,0 +1,124 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksServiceJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }
+
+{{- define "helm-toolkit.manifests.job_ks_service" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_service" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_service.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-service" }}
+{{ tuple $envAll "ks_service" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "ks-service" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_service" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_service" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+        - name: {{ printf "%s-%s" $osServiceType "ks-service-registration" | quote }}
+          image: {{ $envAll.Values.images.tags.ks_service }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-service.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-service-sh
+              mountPath: /tmp/ks-service.sh
+              subPath: ks-service.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: OS_SERVICE_NAME
+              value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+            - name: OS_SERVICE_TYPE
+              value: {{ $osServiceType | quote }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-service-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/charts/barbican/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
new file mode 100644
index 0000000..905eb71
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone user management.
+# It can be used in charts dict created similar to the following:
+# {- $ksUserJob := dict "envAll" . "serviceName" "senlin" }
+# { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }
+
+{{/*
+  # To enable PodSecuritycontext (PodSecurityContext/v1) define the below in values.yaml:
+  # example:
+  #  values: |
+  #    pod:
+  #      security_context:
+  #        ks_user:
+  #          pod:
+  #            runAsUser: 65534
+  # To enable Container SecurityContext(SecurityContext/v1) for ks-user container define the values:
+  # example:
+  #   values: |
+  #     pod:
+  #       security_context:
+  #         ks_user:
+  #           container:
+  #             ks-user:
+  #               runAsUser: 65534
+  #               readOnlyRootFilesystem: true
+  #               allowPrivilegeEscalation: false
+*/}}
+
+{{- define "helm-toolkit.manifests.job_ks_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_user" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_user.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "ks-user" }}
+{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceUserPretty "ks-user" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+{{ dict "envAll" $envAll "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: ks-user
+          image: {{ $envAll.Values.images.tags.ks_user }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ks_user" "container" "ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-user.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-user-sh
+              mountPath: /tmp/ks-user.sh
+              subPath: ks-user.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: SERVICE_OS_SERVICE_NAME
+              value: {{ $serviceName | quote }}
+{{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: SERVICE_OS_ROLES
+            {{- $serviceOsRoles := index $envAll.Values.endpoints.identity.auth $serviceUser "role" }}
+            {{- if kindIs "slice" $serviceOsRoles }}
+              value: {{ include "helm-toolkit.utils.joinListWithComma" $serviceOsRoles | quote }}
+            {{- else }}
+              value: {{ $serviceOsRoles | quote }}
+            {{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-user-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/charts/barbican/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
new file mode 100644
index 0000000..6982064
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
@@ -0,0 +1,129 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.manifests.job_rabbit_init" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
+{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceUserPretty "rabbit-init" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "rabbit_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "rabbit_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: rabbit-init
+          image: {{ $envAll.Values.images.tags.rabbit_init | quote }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.rabbit_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/rabbit-init.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: rabbit-init-sh
+              mountPath: /tmp/rabbit-init.sh
+              subPath: rabbit-init.sh
+              readOnly: true
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+          env:
+          - name: RABBITMQ_ADMIN_CONNECTION
+            valueFrom:
+              secretKeyRef:
+                name: {{ $envAll.Values.secrets.oslo_messaging.admin }}
+                key: RABBITMQ_CONNECTION
+          - name: RABBITMQ_USER_CONNECTION
+            valueFrom:
+              secretKeyRef:
+                name: {{ index $envAll.Values.secrets.oslo_messaging $serviceName }}
+                key: RABBITMQ_CONNECTION
+{{- if $envAll.Values.conf.rabbitmq }}
+          - name: RABBITMQ_AUXILIARY_CONFIGURATION
+            value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates (ne $tlsSecret "") }}
+          - name: RABBITMQ_X509
+            value: "REQUIRE X509"
+          - name: USER_CERT_PATH
+            value: {{ $tlsPath | quote }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: rabbit-init-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl b/charts/barbican/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
new file mode 100644
index 0000000..29cb993
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
@@ -0,0 +1,147 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for linking an s3 bucket to an s3 user.
+# It can be used in charts dict created similar to the following:
+# {- $s3BucketJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3BucketJob | include "helm-toolkit.manifests.job_s3_bucket" }
+
+{{- define "helm-toolkit.manifests.job_s3_bucket" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+{{- $s3Bucket := index . "s3Bucket" | default $serviceName }}
+{{- $tlsCertificateSecret := index . "tlsCertificateSecret" -}}
+{{- $tlsCertificatePath := index . "tlsCertificatePath" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-bucket" }}
+{{ tuple $envAll "s3_bucket" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "s3-bucket" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "s3_bucket" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "s3_bucket" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: s3-bucket
+          image: {{ $envAll.Values.images.tags.s3_bucket }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_bucket | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/create-s3-bucket.sh
+          env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: s3-bucket-sh
+              mountPath: /tmp/create-s3-bucket.sh
+              subPath: create-s3-bucket.sh
+              readOnly: true
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: ceph.conf
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+            - name: {{ $tlsCertificateSecret }}
+              mountPath: {{ $tlsCertificatePath }}
+              subPath: ca.crt
+              readOnly: true
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: s3-bucket-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etcceph
+          emptyDir: {}
+        - name: ceph-etc
+          configMap:
+            name: {{ $configMapCeph | quote }}
+            defaultMode: 0444
+        {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+        - name: ceph-keyring
+          secret:
+            secretName: pvc-ceph-client-key
+        {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+        - name: {{ $tlsCertificateSecret }}
+          secret:
+            secretName: {{ $tlsCertificateSecret }}
+            defaultMode: 292
+{{- end }}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl b/charts/barbican/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
new file mode 100644
index 0000000..50d9af5
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
@@ -0,0 +1,159 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for s3 user management.
+# It can be used in charts dict created similar to the following:
+# {- $s3UserJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3UserJob | include "helm-toolkit.manifests.job_s3_user" }
+
+{{- define "helm-toolkit.manifests.job_s3_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-user" }}
+{{ tuple $envAll "s3_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "s3-user" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook-delete-policy": before-hook-creation
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "s3_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "s3_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: ceph-keyring-placement
+          image: {{ $envAll.Values.images.tags.ceph_key_placement }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+          command:
+            - /tmp/ceph-admin-keyring.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-keyring-sh
+              mountPath: /tmp/ceph-admin-keyring.sh
+              subPath: ceph-admin-keyring.sh
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+      containers:
+        - name: s3-user
+          image: {{ $envAll.Values.images.tags.s3_user }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/create-s3-user.sh
+          env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+            - name: RGW_HOST
+              value: {{ tuple "ceph_object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: create-s3-user-sh
+              mountPath: /tmp/create-s3-user.sh
+              subPath: create-s3-user.sh
+              readOnly: true
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: ceph.conf
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: create-s3-user-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: ceph-keyring-sh
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+        - name: etcceph
+          emptyDir: {}
+        - name: ceph-etc
+          configMap:
+            name: {{ $configMapCeph | quote }}
+            defaultMode: 0444
+        {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+        - name: ceph-keyring
+          secret:
+            secretName: pvc-ceph-client-key
+        {{ end }}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl b/charts/barbican/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
new file mode 100644
index 0000000..0906df4
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
@@ -0,0 +1,119 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for the image repo sync jobs.
+# It can be used in charts dict created similar to the following:
+# {- $imageRepoSyncJob := dict "envAll" . "serviceName" "prometheus" -}
+# { $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }
+
+{{- define "helm-toolkit.manifests.job_image_repo_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "image-repo-sync" }}
+{{ tuple $envAll "image_repo_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "image-repo-sync" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook-delete-policy": before-hook-creation
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "image_repo_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+      containers:
+        - name: image-repo-sync
+{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: LOCAL_REPO
+              value: "{{ tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+            - name: IMAGE_SYNC_LIST
+              value: "{{ include "helm-toolkit.utils.image_sync_list" $envAll }}"
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/image-repo-sync.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: bootstrap-sh
+              mountPath: /tmp/image-repo-sync.sh
+              subPath: image-repo-sync.sh
+              readOnly: true
+            - name: docker-socket
+              mountPath: /var/run/docker.sock
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: bootstrap-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: docker-socket
+          hostPath:
+            path: /var/run/docker.sock
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/manifests/_network_policy.tpl b/charts/barbican/charts/helm-toolkit/templates/manifests/_network_policy.tpl
new file mode 100644
index 0000000..405197a
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/manifests/_network_policy.tpl
@@ -0,0 +1,238 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a network policy manifest for services.
+values: |
+  endpoints:
+    kube_dns:
+      namespace: kube-system
+      name: kubernetes-dns
+      hosts:
+        default: kube-dns
+      host_fqdn_override:
+        default: null
+      path:
+        default: null
+      scheme: http
+      port:
+        dns_tcp:
+          default: 53
+        dns:
+          default: 53
+          protocol: UDP
+  network_policy:
+    myLabel:
+      podSelector:
+        matchLabels:
+          component: api
+      ingress:
+      - from:
+        - podSelector:
+            matchLabels:
+              application: keystone
+        ports:
+        - protocol: TCP
+          port: 80
+      egress:
+      - to:
+        - namespaceSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+usage: |
+  {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+  {{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}
+return: |
+  ---
+  apiVersion: networking.k8s.io/v1
+  kind: NetworkPolicy
+  metadata:
+    name: RELEASE-NAME
+    namespace: NAMESPACE
+  spec:
+    policyTypes:
+      - Ingress
+      - Egress
+    podSelector:
+      matchLabels:
+        application: myLabel
+        component: api
+    ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            application: keystone
+      ports:
+      - protocol: TCP
+        port: 80
+    egress:
+      - to:
+        - podSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+  ---
+  apiVersion: networking.k8s.io/v1
+  kind: NetworkPolicy
+  metadata:
+    name: RELEASE-NAME
+    namespace: NAMESPACE
+  spec:
+    policyTypes:
+      - Ingress
+      - Egress
+    podSelector:
+      matchLabels:
+        application: myApp
+        component: myComp
+    ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            application: keystone
+      ports:
+      - protocol: TCP
+        port: 80
+    egress:
+      - to:
+        - podSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+*/}}
+
+{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $name := index . "name" -}}
+{{- $labels := index . "labels" | default nil -}}
+{{- $label := index . "key" | default (index . "label") -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ $label | replace "_" "-" }}-netpol
+  namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+  policyTypes:
+{{- $is_egress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_egress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
+    - Egress
+{{ end -}}
+{{- $is_ingress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_ingress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
+    - Ingress
+{{ end -}}
+{{- end }}
+  podSelector:
+    matchLabels:
+{{- if empty $labels }}
+      {{ $name }}: {{ $label }}
+{{- else }}
+{{ range $k, $v := $labels }}
+      {{ $k }}: {{ $v }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
+{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
+{{ index $envAll.Values.network_policy $label "podSelector" "matchLabels" | toYaml | indent 6 }}
+{{ end }}
+{{ end }}
+{{ end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+  egress:
+{{- range $key, $value := $envAll.Values.endpoints }}
+{{- if kindIs "map" $value }}
+{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }}
+    - to:
+{{- if index $value "namespace" }}
+      - namespaceSelector:
+          matchLabels:
+            name: {{ index $value "namespace" }}
+{{- else if index $value "hosts" }}
+{{- $defaultValue := index $value "hosts" "internal" }}
+{{- if hasKey (index $value "hosts") "internal" }}
+{{- $a := split "-" $defaultValue }}
+      - podSelector:
+          matchLabels:
+            application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- else }}
+{{- $defaultValue := index $value "hosts" "default" }}
+{{- $a := split "-" $defaultValue }}
+      - podSelector:
+          matchLabels:
+            application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- end }}
+{{- end }}
+{{- if index $value "port" }}
+      ports:
+{{- range $k, $v := index $value "port" }}
+{{- if $k }}
+{{- range $pk, $pv := $v }}
+{{- if and $pv (ne $pk "protocol") }}
+      - port: {{ $pv }}
+        protocol: {{ $v.protocol | default "TCP" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if index $envAll.Values.network_policy $label "egress" }}
+{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if index $envAll.Values.network_policy $label "ingress" }}
+  ingress:
+{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl b/charts/barbican/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
new file mode 100644
index 0000000..24a7045
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a services public tls secret
+examples:
+  - values: |
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        key_manager:
+          host_fqdn_override:
+            public:
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: barbican-tls-public
+    type: kubernetes.io/tls
+    data:
+      tls.key: Rk9PLUtFWQo=
+      tls.crt: Rk9PLUNSVAoKRk9PLUNBX0NSVAo=
+
+  - values: |
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        key_manager:
+          host_fqdn_override:
+            public:
+              tls:
+                crt: |
+                  FOO-CRT
+                  FOO-INTERMEDIATE_CRT
+                  FOO-CA_CRT
+                key: |
+                  FOO-KEY
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: barbican-tls-public
+    type: kubernetes.io/tls
+    data:
+      tls.key: Rk9PLUtFWQo=
+      tls.crt: Rk9PLUNSVApGT08tSU5URVJNRURJQVRFX0NSVApGT08tQ0FfQ1JUCg==
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_ingress_tls" }}
+{{- $envAll := index . "envAll" }}
+{{- $endpoint := index . "endpoint" | default "public" }}
+{{- $backendServiceType := index . "backendServiceType" }}
+{{- $backendService := index . "backendService" | default "api" }}
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and $endpointHost.tls.key $endpointHost.tls.crt }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ index $envAll.Values.secrets.tls ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+type: kubernetes.io/tls
+data:
+  tls.key: {{ $endpointHost.tls.key | b64enc }}
+{{- if $endpointHost.tls.ca }}
+  tls.crt: {{ list $endpointHost.tls.crt $endpointHost.tls.ca | join "\n" | b64enc }}
+{{- else }}
+  tls.crt: {{ $endpointHost.tls.crt | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/manifests/_service-ingress.tpl b/charts/barbican/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
new file mode 100644
index 0000000..d2e7c0e
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
@@ -0,0 +1,43 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for a services ingress rules.
+# It can be used in charts dict created similar to the following:
+# {- $serviceIngressOpts := dict "envAll" . "backendServiceType" "key-manager" -}
+# { $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }
+
+{{- define "helm-toolkit.manifests.service_ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+  ports:
+    - name: http
+      port: 80
+    - name: https
+      port: 443
+  selector:
+    app: ingress-api
+{{- if index $envAll.Values.endpoints $backendServiceType }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" "ingress" }}
+  clusterIP: {{ (index $envAll.Values.endpoints $backendServiceType "ip" "ingress") }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl b/charts/barbican/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
new file mode 100644
index 0000000..bf1465b
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_bucket" }}
+#!/bin/bash
+set -e
+CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST"
+if [ "$RGW_PROTO" = "http" ]; then
+  CONNECTION_ARGS+=" --no-ssl"
+else
+  CONNECTION_ARGS+=" --no-check-certificate"
+fi
+ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
+USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY"
+function check_rgw_s3_bucket () {
+  s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS ls s3://$S3_BUCKET
+}
+function create_rgw_s3_bucket () {
+  s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS mb s3://$S3_BUCKET
+}
+function modify_bucket_acl () {
+  s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME
+}
+check_rgw_s3_bucket || ( create_rgw_s3_bucket && modify_bucket_acl )
+{{- end }}
\ No newline at end of file
diff --git a/charts/barbican/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl b/charts/barbican/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
new file mode 100644
index 0000000..08796d2
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
@@ -0,0 +1,65 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_user" }}
+#!/bin/bash
+set -e
+function create_s3_user () {
+  echo "Creating s3 user and key pair"
+  radosgw-admin user create \
+    --uid=${S3_USERNAME} \
+    --display-name=${S3_USERNAME} \
+    --key-type=s3 \
+    --access-key ${S3_ACCESS_KEY} \
+    --secret-key ${S3_SECRET_KEY}
+}
+function update_s3_user () {
+  # Retrieve old access keys, if they exist
+  old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \
+    | jq -r '.keys[].access_key' || true)
+
+  if [[ ! -z ${old_access_keys} ]]; then
+    for access_key in $old_access_keys; do
+      # If current access key is the same as the key supplied, do nothing.
+      if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then
+        echo "Current user and key pair exists."
+        continue
+      else
+        # If keys differ, remove previous key
+        radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key
+      fi
+    done
+  fi
+
+  # Perform one more additional check to account for scenarios where multiple
+  # key pairs existed previously, but one existing key was the supplied key
+  current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \
+    | jq -r '.keys[].access_key' || true)
+
+  # If the supplied key does not exist, modify the user
+  if [[ -z ${current_access_key} ]]; then
+    # Modify user with new access and secret keys
+    echo "Updating existing user's key pair"
+    radosgw-admin user modify \
+      --uid=${S3_USERNAME}\
+      --access-key ${S3_ACCESS_KEY} \
+      --secret-key ${S3_SECRET_KEY}
+  fi
+}
+user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true)
+if [[ -z ${user_exists} ]]; then
+  create_s3_user
+else
+  update_s3_user
+fi
+{{- end }}
\ No newline at end of file
diff --git a/charts/barbican/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl b/charts/barbican/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
new file mode 100644
index 0000000..03884fa
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_drop" }}
+#!/usr/bin/env python
+
+# Drops db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+    import ConfigParser
+    PARSER_OPTS = {}
+except ImportError:
+    import configparser as ConfigParser
+    PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Drop')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+    db_connection = os.environ['ROOT_DB_CONNECTION']
+    logger.info('Got DB root connection')
+else:
+    logger.critical('environment variable ROOT_DB_CONNECTION not set')
+    sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+    ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+                        'key': '/etc/mysql/certs/tls.key',
+                        'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+    os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+    if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+        os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+        sys.exit(1)
+    if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+        os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+        sys.exit(1)
+    try:
+        config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+        logger.info("Using {0} as db config source".format(os_conf))
+        config.read(os_conf)
+        logger.info("Trying to load db config from {0}:{1}".format(
+            os_conf_section, os_conf_key))
+        user_db_conn = config.get(os_conf_section, os_conf_key)
+        logger.info("Got config from {0}".format(os_conf))
+    except:
+        logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+        raise
+elif "DB_CONNECTION" in os.environ:
+    user_db_conn = os.environ['DB_CONNECTION']
+    logger.info('Got config from DB_CONNECTION env var')
+else:
+    logger.critical('Could not get db config, either from config file or env var')
+    sys.exit(1)
+
+# Root DB engine
+try:
+    root_engine_full = create_engine(db_connection)
+    root_user = root_engine_full.url.username
+    root_password = root_engine_full.url.password
+    drivername = root_engine_full.url.drivername
+    host = root_engine_full.url.host
+    port = root_engine_full.url.port
+    root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+    root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+    connection = root_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+        host, port, root_user))
+except:
+    logger.critical('Could not connect to database as root user')
+    raise
+
+# User DB engine
+try:
+    user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+    # Get our user data out of the user_engine
+    database = user_engine.url.database
+    user = user_engine.url.username
+    password = user_engine.url.password
+    logger.info('Got user db config')
+except:
+    logger.critical('Could not get user database config')
+    raise
+
+# Delete DB
+try:
+    root_engine.execute("DROP DATABASE IF EXISTS {0}".format(database))
+    logger.info("Deleted database {0}".format(database))
+except:
+    logger.critical("Could not drop database {0}".format(database))
+    raise
+
+# Delete DB User
+try:
+    root_engine.execute("DROP USER IF EXISTS {0}".format(user))
+    logger.info("Deleted user {0}".format(user))
+except:
+    logger.critical("Could not delete user {0}".format(user))
+    raise
+
+logger.info('Finished DB Management')
+{{- end }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/scripts/_db-init.py.tpl b/charts/barbican/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
new file mode 100644
index 0000000..4294d40
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_init" }}
+#!/usr/bin/env python
+
+# Creates db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+    import ConfigParser
+    PARSER_OPTS = {}
+except ImportError:
+    import configparser as ConfigParser
+    PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Init')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+    db_connection = os.environ['ROOT_DB_CONNECTION']
+    logger.info('Got DB root connection')
+else:
+    logger.critical('environment variable ROOT_DB_CONNECTION not set')
+    sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+    ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+                'key': '/etc/mysql/certs/tls.key',
+                'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+    os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+    if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+        os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+        sys.exit(1)
+    if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+        os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+        sys.exit(1)
+    try:
+        config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+        logger.info("Using {0} as db config source".format(os_conf))
+        config.read(os_conf)
+        logger.info("Trying to load db config from {0}:{1}".format(
+            os_conf_section, os_conf_key))
+        user_db_conn = config.get(os_conf_section, os_conf_key)
+        logger.info("Got config from {0}".format(os_conf))
+    except:
+        logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+        raise
+elif "DB_CONNECTION" in os.environ:
+    user_db_conn = os.environ['DB_CONNECTION']
+    logger.info('Got config from DB_CONNECTION env var')
+else:
+    logger.critical('Could not get db config, either from config file or env var')
+    sys.exit(1)
+
+# Root DB engine
+try:
+    root_engine_full = create_engine(db_connection)
+    root_user = root_engine_full.url.username
+    root_password = root_engine_full.url.password
+    drivername = root_engine_full.url.drivername
+    host = root_engine_full.url.host
+    port = root_engine_full.url.port
+    root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+    root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+    connection = root_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+        host, port, root_user))
+except:
+    logger.critical('Could not connect to database as root user')
+    raise
+
+# User DB engine
+try:
+    user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+    # Get our user data out of the user_engine
+    database = user_engine.url.database
+    user = user_engine.url.username
+    password = user_engine.url.password
+    logger.info('Got user db config')
+except:
+    logger.critical('Could not get user database config')
+    raise
+
+# Create DB
+try:
+    root_engine.execute("CREATE DATABASE IF NOT EXISTS {0}".format(database))
+    logger.info("Created database {0}".format(database))
+except:
+    logger.critical("Could not create database {0}".format(database))
+    raise
+
+# Create DB User
+try:
+    root_engine.execute(
+        "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\' {3}".format(
+            database, user, password, mysql_x509))
+    logger.info("Created user {0} for {1}".format(user, database))
+except:
+    logger.critical("Could not create user {0} for {1}".format(user, database))
+    raise
+
+# Test connection
+try:
+    connection = user_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1}/{2} as {3}".format(
+        host, port, database, user))
+except:
+    logger.critical('Could not connect to database as user')
+    raise
+
+logger.info('Finished DB Management')
+{{- end }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl b/charts/barbican/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
new file mode 100644
index 0000000..4d7dfaa
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
@@ -0,0 +1,69 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "helm-toolkit.scripts.pg_db_init" }}
+#!/bin/bash
+set -ex
+
+if [[ ! -v DB_HOST ]]; then
+    echo "environment variable DB_HOST not set"
+    exit 1
+elif [[ ! -v DB_ADMIN_USER ]]; then
+    echo "environment variable DB_ADMIN_USER not set"
+    exit 1
+elif [[ ! -v PGPASSWORD ]]; then
+    echo "environment variable PGPASSWORD not set"
+    exit 1
+elif [[ ! -v DB_PORT ]]; then
+    echo "environment variable DB_PORT not set"
+    exit 1
+elif [[ ! -v USER_DB_USER ]]; then
+    echo "environment variable USER_DB_USER not set"
+    exit 1
+elif [[ ! -v USER_DB_PASS ]]; then
+    echo "environment variable USER_DB_PASS not set"
+    exit 1
+elif [[ ! -v USER_DB_NAME ]]; then
+    echo "environment variable USER_DB_NAME not set"
+    exit 1
+else
+    echo "Got DB connection info"
+fi
+
+pgsql_superuser_cmd () {
+  DB_COMMAND="$1"
+  if [[ ! -z $2 ]]; then
+      EXPORT PGDATABASE=$2
+  fi
+  /usr/bin/psql \
+  -h ${DB_HOST} \
+  -p ${DB_PORT} \
+  -U ${DB_ADMIN_USER} \
+  --command="${DB_COMMAND}"
+}
+
+#create db
+pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q "(1 row)" || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME"
+
+#create db user
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | grep -q "(1 row)" || \
+    pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';"
+
+#Set password everytime. This is required for cases when we would want password rotation to take effect and set the updated password for a user.
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} with password '$USER_DB_PASS'"
+
+#give permissions to user
+pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;"
+
+#revoke all privileges from PUBLIC role
+pgsql_superuser_cmd "REVOKE ALL ON DATABASE $USER_DB_NAME FROM PUBLIC;"
+{{- end }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl b/charts/barbican/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
new file mode 100644
index 0000000..e41abe3
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
@@ -0,0 +1,24 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.image_repo_sync" }}
+#!/bin/sh
+set -ex
+
+IFS=','; for IMAGE in ${IMAGE_SYNC_LIST}; do
+  docker pull ${IMAGE}
+  docker tag ${IMAGE} ${LOCAL_REPO}/${IMAGE}
+  docker push ${LOCAL_REPO}/${IMAGE}
+done
+{{- end }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl b/charts/barbican/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
new file mode 100644
index 0000000..8755cd5
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
@@ -0,0 +1,72 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_domain_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Manage domain
+SERVICE_OS_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Service Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+    "${SERVICE_OS_DOMAIN_NAME}")
+
+# Display domain
+openstack domain show "${SERVICE_OS_DOMAIN_ID}"
+
+# Manage user
+SERVICE_OS_USERID=$(openstack user create --or-show --enable -f value -c id \
+    --domain="${SERVICE_OS_DOMAIN_ID}" \
+    --description "Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+    --password="${SERVICE_OS_PASSWORD}" \
+    "${SERVICE_OS_USERNAME}")
+
+# Manage user password (we do this to ensure the password is updated if required)
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${SERVICE_OS_USERID}"
+
+# Display user
+openstack user show "${SERVICE_OS_USERID}"
+
+# Manage role
+SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \
+    "${SERVICE_OS_ROLE}" || openstack role create -f value -c id \
+    "${SERVICE_OS_ROLE}" )
+
+# Manage user role assignment
+openstack role add \
+          --domain="${SERVICE_OS_DOMAIN_ID}" \
+          --user="${SERVICE_OS_USERID}" \
+          --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+          "${SERVICE_OS_ROLE_ID}"
+
+# Display user role assignment
+openstack role assignment list \
+          --role="${SERVICE_OS_ROLE_ID}" \
+          --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+          --user="${SERVICE_OS_USERID}"
+{{- end }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl b/charts/barbican/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
new file mode 100644
index 0000000..e400bcd
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
@@ -0,0 +1,79 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_endpoints" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Get Service ID
+OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+                  grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+                    sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+# Get Endpoint ID if it exists
+OS_ENDPOINT_ID=$( openstack endpoint list  -f csv --quote none | \
+                  grep "^[a-z0-9]*,${OS_REGION_NAME},${OS_SERVICE_NAME},${OS_SERVICE_TYPE},True,${OS_SVC_ENDPOINT}," | \
+                  awk -F ',' '{ print $1 }' )
+
+# Making sure only a single endpoint exists for a service within a region
+if [ "$(echo $OS_ENDPOINT_ID | wc -w)" -gt "1" ]; then
+  echo "More than one endpoint found, cleaning up"
+  for ENDPOINT_ID in $OS_ENDPOINT_ID; do
+    openstack endpoint delete ${ENDPOINT_ID}
+  done
+  unset OS_ENDPOINT_ID
+fi
+
+# Determine if Endpoint needs updated
+if [[ ${OS_ENDPOINT_ID} ]]; then
+  OS_ENDPOINT_URL_CURRENT=$(openstack endpoint show ${OS_ENDPOINT_ID} -f value -c url)
+  if [ "${OS_ENDPOINT_URL_CURRENT}" == "${OS_SERVICE_ENDPOINT}" ]; then
+    echo "Endpoints Match: no action required"
+    OS_ENDPOINT_UPDATE="False"
+  else
+    echo "Endpoints Dont Match: removing existing entries"
+    openstack endpoint delete ${OS_ENDPOINT_ID}
+    OS_ENDPOINT_UPDATE="True"
+  fi
+else
+  OS_ENDPOINT_UPDATE="True"
+fi
+
+# Update Endpoint if required
+if [[ "${OS_ENDPOINT_UPDATE}" == "True" ]]; then
+  OS_ENDPOINT_ID=$( openstack endpoint create -f value -c id \
+    --region="${OS_REGION_NAME}" \
+    "${OS_SERVICE_ID}" \
+    ${OS_SVC_ENDPOINT} \
+    "${OS_SERVICE_ENDPOINT}" )
+fi
+
+# Display the Endpoint
+openstack endpoint show ${OS_ENDPOINT_ID}
+{{- end }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl b/charts/barbican/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
new file mode 100644
index 0000000..8356b36
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_service" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Service boilerplate description
+OS_SERVICE_DESC="${OS_REGION_NAME}: ${OS_SERVICE_NAME} (${OS_SERVICE_TYPE}) service"
+
+# Get Service ID if it exists
+unset OS_SERVICE_ID
+
+# FIXME - There seems to be an issue once in a while where the
+# openstack service list fails and encounters an error message such as:
+#   Unable to establish connection to
+#   https://keystone-api.openstack.svc.cluster.local:5000/v3/auth/tokens:
+#   ('Connection aborted.', OSError("(104, 'ECONNRESET')",))
+# During an upgrade scenario, this would cause the OS_SERVICE_ID to be blank
+# and it would attempt to create a new service when it was not needed.
+# This duplciate service would sometimes be used by other services such as
+# Horizon and would give an 'Invalid Service Catalog' error.
+# This loop allows for a 'retry' of the openstack service list in an
+# attempt to get the service list as expected if it does ecounter an error.
+# This loop and recheck can be reverted once the underlying issue is addressed.
+
+# If OS_SERVICE_ID is blank then wait a few seconds to give it
+# additional time and try again
+for i in $(seq 3)
+do
+  OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+                   grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+                   sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+  # If the service was found, go ahead and exit successfully.
+  if [[ -n "${OS_SERVICE_ID}" ]]; then
+    exit 0
+  fi
+
+  sleep 2
+done
+
+# If we've reached this point and a Service ID was not found,
+# then create the service
+OS_SERVICE_ID=$(openstack service create -f value -c id \
+                --name="${OS_SERVICE_NAME}" \
+                --description "${OS_SERVICE_DESC}" \
+                --enable \
+                "${OS_SERVICE_TYPE}")
+{{- end }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl b/charts/barbican/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
new file mode 100644
index 0000000..b45f798
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+shopt -s nocasematch
+
+if [[ "${SERVICE_OS_PROJECT_DOMAIN_NAME}" == "Default" ]]
+then
+  PROJECT_DOMAIN_ID="default"
+else
+  # Manage project domain
+  PROJECT_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
+    "${SERVICE_OS_PROJECT_DOMAIN_NAME}")
+fi
+
+if [[ "${SERVICE_OS_USER_DOMAIN_NAME}" == "Default" ]]
+then
+  USER_DOMAIN_ID="default"
+else
+  # Manage user domain
+  USER_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}" \
+    "${SERVICE_OS_USER_DOMAIN_NAME}")
+fi
+
+shopt -u nocasematch
+
+# Manage user project
+USER_PROJECT_DESC="Service Project for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+USER_PROJECT_ID=$(openstack project create --or-show --enable -f value -c id \
+    --domain="${PROJECT_DOMAIN_ID}" \
+    --description="${USER_PROJECT_DESC}" \
+    "${SERVICE_OS_PROJECT_NAME}");
+
+# Manage user
+USER_DESC="Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}/${SERVICE_OS_SERVICE_NAME}"
+USER_ID=$(openstack user create --or-show --enable -f value -c id \
+    --domain="${USER_DOMAIN_ID}" \
+    --project-domain="${PROJECT_DOMAIN_ID}" \
+    --project="${USER_PROJECT_ID}" \
+    --description="${USER_DESC}" \
+    "${SERVICE_OS_USERNAME}");
+
+# Manage user password (we do this in a seperate step to ensure the password is updated if required)
+set +x
+echo "Setting user password via: openstack user set --password=xxxxxxx ${USER_ID}"
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${USER_ID}"
+set -x
+
+function ks_assign_user_role () {
+  if [[ "$SERVICE_OS_ROLE" == "admin" ]]
+  then
+    USER_ROLE_ID="$SERVICE_OS_ROLE"
+  else
+    USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${SERVICE_OS_ROLE}");
+  fi
+
+  # Manage user role assignment
+  openstack role add \
+      --user="${USER_ID}" \
+      --user-domain="${USER_DOMAIN_ID}" \
+      --project-domain="${PROJECT_DOMAIN_ID}" \
+      --project="${USER_PROJECT_ID}" \
+      "${USER_ROLE_ID}"
+}
+
+# Manage user service role
+IFS=','
+for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
+  ks_assign_user_role
+done
+
+# Manage user member role
+: ${MEMBER_OS_ROLE:="member"}
+export USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
+    "${MEMBER_OS_ROLE}");
+ks_assign_user_role
+{{- end }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/barbican/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
new file mode 100644
index 0000000..87872d6
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -0,0 +1,106 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rabbit_init" }}
+#!/bin/bash
+set -e
+# Extract connection details
+RABBIT_HOSTNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $1}')
+RABBIT_PORT=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $2}')
+
+# Extract Admin User creadential
+RABBITMQ_ADMIN_USERNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $4}')
+RABBITMQ_ADMIN_PASSWORD=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $5}')
+
+# Extract User creadential
+RABBITMQ_USERNAME=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $4}')
+RABBITMQ_PASSWORD=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $5}')
+
+# Extract User vHost
+RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $3}')
+# Resolve vHost to / if no value is set
+RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
+
+function rabbitmqadmin_cli () {
+  if [ -n "$RABBITMQ_X509" ]
+  then
+    rabbitmqadmin \
+      --ssl \
+      --ssl-disable-hostname-verification \
+      --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
+      --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
+      --ssl-key-file="${USER_CERT_PATH}/tls.key" \
+      --host="${RABBIT_HOSTNAME}" \
+      --port="${RABBIT_PORT}" \
+      --username="${RABBITMQ_ADMIN_USERNAME}" \
+      --password="${RABBITMQ_ADMIN_PASSWORD}" \
+      ${@}
+  else
+    rabbitmqadmin \
+      --host="${RABBIT_HOSTNAME}" \
+      --port="${RABBIT_PORT}" \
+      --username="${RABBITMQ_ADMIN_USERNAME}" \
+      --password="${RABBITMQ_ADMIN_PASSWORD}" \
+      ${@}
+  fi
+}
+
+echo "Managing: User: ${RABBITMQ_USERNAME}"
+rabbitmqadmin_cli \
+  declare user \
+  name="${RABBITMQ_USERNAME}" \
+  password="${RABBITMQ_PASSWORD}" \
+  tags="user"
+
+if [ "${RABBITMQ_VHOST}" != "/" ]
+then
+  echo "Managing: vHost: ${RABBITMQ_VHOST}"
+  rabbitmqadmin_cli \
+    declare vhost \
+    name="${RABBITMQ_VHOST}"
+else
+  echo "Skipping root vHost declaration: vHost: ${RABBITMQ_VHOST}"
+fi
+
+echo "Managing: Permissions: ${RABBITMQ_USERNAME} on ${RABBITMQ_VHOST}"
+rabbitmqadmin_cli \
+  declare permission \
+  vhost="${RABBITMQ_VHOST}" \
+  user="${RABBITMQ_USERNAME}" \
+  configure=".*" \
+  write=".*" \
+  read=".*"
+
+if [ ! -z "$RABBITMQ_AUXILIARY_CONFIGURATION" ]
+then
+  echo "Applying additional configuration"
+  echo "${RABBITMQ_AUXILIARY_CONFIGURATION}" > /tmp/rmq_definitions.json
+  rabbitmqadmin_cli import /tmp/rmq_definitions.json
+fi
+
+{{- end }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/charts/barbican/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
new file mode 100644
index 0000000..c08d320
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
@@ -0,0 +1,88 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rally_test" -}}
+#!/bin/bash
+set -ex
+{{- $rallyTests := index . 0 }}
+
+: "${RALLY_ENV_NAME:="openstack-helm"}"
+: "${OS_INTERFACE:="public"}"
+: "${RALLY_CLEANUP:="true"}"
+
+if [ "x$RALLY_CLEANUP" == "xtrue" ]; then
+  function rally_cleanup {
+    openstack user delete \
+        --domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
+        "${SERVICE_OS_USERNAME}"
+{{ $rallyTests.clean_up | default "" | indent 4 }}
+  }
+  trap rally_cleanup EXIT
+fi
+
+function create_or_update_db () {
+  revisionResults=$(rally db revision)
+  if [ $revisionResults = "None"  ]
+  then
+    rally db create
+  else
+    rally db upgrade
+  fi
+}
+
+create_or_update_db
+
+cat > /tmp/rally-config.json << EOF
+{
+    "openstack": {
+        "auth_url": "${OS_AUTH_URL}",
+        "region_name": "${OS_REGION_NAME}",
+        "endpoint_type": "${OS_INTERFACE}",
+        "admin": {
+            "username": "${OS_USERNAME}",
+            "password": "${OS_PASSWORD}",
+            "user_domain_name": "${OS_USER_DOMAIN_NAME}",
+            "project_name": "${OS_PROJECT_NAME}",
+            "project_domain_name": "${OS_PROJECT_DOMAIN_NAME}"
+        },
+        "users": [
+            {
+                "username": "${SERVICE_OS_USERNAME}",
+                "password": "${SERVICE_OS_PASSWORD}",
+                "project_name": "${SERVICE_OS_PROJECT_NAME}",
+                "user_domain_name": "${SERVICE_OS_USER_DOMAIN_NAME}",
+                "project_domain_name": "${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+            }
+        ],
+        "https_insecure": false,
+        "https_cacert": "${OS_CACERT}"
+    }
+}
+EOF
+rally deployment create --file /tmp/rally-config.json --name "${RALLY_ENV_NAME}"
+rm -f /tmp/rally-config.json
+rally deployment use "${RALLY_ENV_NAME}"
+rally deployment check
+{{- if $rallyTests.run_tempest }}
+rally verify create-verifier --name "${RALLY_ENV_NAME}-tempest" --type tempest
+SERVICE_TYPE="$(rally deployment check | grep "${RALLY_ENV_NAME}" | awk -F \| '{print $3}' | tr -d ' ' | tr -d '\n')"
+rally verify start --pattern "tempest.api.${SERVICE_TYPE}*"
+rally verify delete-verifier --id "${RALLY_ENV_NAME}-tempest" --force
+{{- end }}
+rally task validate /etc/rally/rally_tests.yaml
+rally task start /etc/rally/rally_tests.yaml
+rally task sla-check
+rally env cleanup
+rally deployment destroy --deployment "${RALLY_ENV_NAME}"
+{{- end }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/barbican/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
new file mode 100644
index 0000000..516d79e
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -0,0 +1,514 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.backup_main" }}
+#!/bin/bash
+
+# This file contains a database backup framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+#   source /tmp/backup_main.sh
+#
+# Then the script should call the main backup function (backup_databases):
+#   backup_databases [scope]
+#       [scope] is an optional parameter, defaulted to "all". If only one specific
+#               database is required to be backed up then this parameter will
+#               contain the name of the database; otherwise all are backed up.
+#
+#       The framework will require the following variables to be exported:
+#
+#         export DB_NAMESPACE          Namespace where the database(s) reside
+#         export DB_NAME               Name of the database system
+#         export LOCAL_DAYS_TO_KEEP    Number of days to keep the local backups
+#         export REMOTE_DAYS_TO_KEEP   Number of days to keep the remote backups
+#         export ARCHIVE_DIR           Local location where the backup tarballs should
+#                                      be stored. (full directory path)
+#         export BACK_UP_MODE          Determines the mode of backup taken.
+#         export REMOTE_BACKUP_ENABLED "true" if remote backup enabled; false
+#                                      otherwise
+#         export CONTAINER_NAME        Name of the container on the RGW to store
+#                                      the backup tarball.
+#         export STORAGE_POLICY        Name of the storage policy defined on the
+#                                      RGW which is intended to store backups.
+#         RGW access variables:
+#           export OS_REGION_NAME          Name of the region the RGW resides in
+#           export OS_AUTH_URL             Keystone URL associated with the RGW
+#           export OS_PROJECT_NAME         Name of the project associated with the
+#                                          keystone user
+#           export OS_USERNAME             Name of the keystone user
+#           export OS_PASSWORD             Password of the keystone user
+#           export OS_USER_DOMAIN_NAME     Keystone domain the project belongs to
+#           export OS_PROJECT_DOMAIN_NAME  Keystone domain the user belongs to
+#           export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+#           export REMOTE_BACKUP_RETRIES   Number of retries to send backup to remote
+#                                          in case of any temporary failures.
+#           export MIN_DELAY_SEND_REMOTE   Minimum seconds to delay before sending backup
+#                                          to remote to stagger backups being sent to RGW
+#           export MAX_DELAY_SEND_REMOTE   Maximum seconds to delay before sending backup
+#                                          to remote to stagger backups being sent to RGW.
+#                                          A random number between min and max delay is generated
+#                                          to set the delay.
+#
+# The database-specific functions that need to be implemented are:
+#   dump_databases_to_directory <directory> <err_logfile> [scope]
+#       where:
+#         <directory>   is the full directory path to dump the database files
+#                       into. This is a temporary directory for this backup only.
+#         <err_logfile> is the full directory path where error logs are to be
+#                       written by the application.
+#         [scope]       set to "all" if all databases are to be backed up; or
+#                       set to the name of a specific database to be backed up.
+#                       This optional parameter is defaulted to "all".
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to dump the database file(s) to the specified
+#       directory path. If this function completes successfully (returns 0), the
+#       framework will automatically tar/zip the files in that directory and
+#       name the tarball appropriately according to the proper conventions.
+#
+# The functions in this file will take care of:
+#   1) Calling "dump_databases_to_directory" and then compressing the files,
+#      naming the tarball properly, and then storing it locally at the specified
+#      local directory.
+#   2) Sending the tarball built to the remote gateway, to be stored in the
+#      container configured to store database backups.
+#   3) Removing local backup tarballs which are older than the number of days
+#      specified by the "LOCAL_DAYS_TO_KEEP" variable.
+#   4) Removing remote backup tarballs (from the remote gateway) which are older
+#      than the number of days specified by the "REMOTE_DAYS_TO_KEEP" variable.
+#
+
+# Note: not using set -e in this script because more elaborate error handling
+# is needed.
+
+log_backup_error_exit() {
+  MSG=$1
+  ERRCODE=${2:-0}
+  log ERROR "${DB_NAME}_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+  rm -f $ERR_LOG_FILE
+  rm -rf $TMP_DIR
+  exit $ERRCODE
+}
+
+log() {
+  #Log message to a file or stdout
+  #TODO: This can be convert into mail alert of alert send to a monitoring system
+  #Params: $1 log level
+  #Params: $2 service
+  #Params: $3 message
+  #Params: $4 Destination
+  LEVEL=$1
+  SERVICE=$2
+  MSG=$3
+  DEST=$4
+  DATE=$(date +"%m-%d-%y %H:%M:%S")
+  if [[ -z "$DEST" ]]; then
+    echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}"
+  else
+    echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}" >>$DEST
+  fi
+}
+
+# Generate a random number between MIN_DELAY_SEND_REMOTE and
+# MAX_DELAY_SEND_REMOTE
+random_number() {
+  diff=$((${MAX_DELAY_SEND_REMOTE} - ${MIN_DELAY_SEND_REMOTE} + 1))
+  echo $(($(( ${RANDOM} % ${diff} )) + ${MIN_DELAY_SEND_REMOTE} ))
+}
+
+#Get the day delta since the archive file backup
+seconds_difference() {
+  ARCHIVE_DATE=$( date --date="$1" +%s )
+  if [[ $? -ne 0 ]]; then
+    SECOND_DELTA=0
+  fi
+  CURRENT_DATE=$( date +%s )
+  SECOND_DELTA=$(($CURRENT_DATE-$ARCHIVE_DATE))
+  if [[ "$SECOND_DELTA" -lt 0 ]]; then
+    SECOND_DELTA=0
+  fi
+  echo $SECOND_DELTA
+}
+
+# Send the specified tarball file at the specified filepath to the
+# remote gateway.
+send_to_remote_server() {
+  FILEPATH=$1
+  FILE=$2
+
+  # Grab the list of containers on the remote site
+  RESULT=$(openstack container list 2>&1)
+
+  if [[ $? -eq 0 ]]; then
+    echo $RESULT | grep $CONTAINER_NAME
+    if [[ $? -ne 0 ]]; then
+      # Find the swift URL from the keystone endpoint list
+      SWIFT_URL=$(openstack catalog show object-store -c endpoints | grep public | awk '{print $4}')
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to get object-store enpoints from keystone catalog."
+        return 2
+      fi
+
+      # Get a token from keystone
+      TOKEN=$(openstack token issue -f value -c id)
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to get  keystone token."
+        return 2
+      fi
+
+      # Create the container
+      RES_FILE=$(mktemp -p /tmp)
+      curl -g -i -X PUT ${SWIFT_URL}/${CONTAINER_NAME} \
+           -H "X-Auth-Token: ${TOKEN}" \
+           -H "X-Storage-Policy: ${STORAGE_POLICY}" 2>&1 > $RES_FILE
+
+      if [[ $? -ne 0 || $(grep "HTTP" $RES_FILE | awk '{print $2}') -ge 400 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to create container ${CONTAINER_NAME}"
+        cat $RES_FILE
+        rm -f $RES_FILE
+        return 2
+      fi
+      rm -f $RES_FILE
+
+      swift stat $CONTAINER_NAME
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to retrieve container ${CONTAINER_NAME} details after creation."
+        return 2
+      fi
+    fi
+  else
+    echo $RESULT | grep -E "HTTP 401|HTTP 403"
+    if [[ $? -eq 0 ]]; then
+      log ERROR "${DB_NAME}_backup" "Access denied by keystone: ${RESULT}"
+      return 1
+    else
+      echo $RESULT | grep -E "ConnectionError|Failed to discover available identity versions|Service Unavailable|HTTP 50"
+      if [[ $? -eq 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Could not reach the RGW: ${RESULT}"
+        # In this case, keystone or the site/node may be temporarily down.
+        # Return slightly different error code so the calling code can retry
+        return 2
+      else
+        log ERROR "${DB_NAME}_backup" "Could not get container list: ${RESULT}"
+        return 1
+      fi
+    fi
+  fi
+
+  # Create an object to store the file
+  openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
+    return 2
+  fi
+  openstack object show $CONTAINER_NAME $FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
+    return 2
+  fi
+
+  log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
+  return 0
+}
+
+# This function attempts to store the built tarball to the remote gateway,
+# with built-in logic to handle error cases like:
+#   1) Network connectivity issues - retries for a specific amount of time
+#   2) Authorization errors - immediately logs an ERROR and returns
+store_backup_remotely() {
+  FILEPATH=$1
+  FILE=$2
+
+  count=1
+  while [[ ${count} -le ${REMOTE_BACKUP_RETRIES} ]]; do
+    # Store the new archive to the remote backup storage facility.
+    send_to_remote_server $FILEPATH $FILE
+    SEND_RESULT="$?"
+
+    # Check if successful
+    if [[ $SEND_RESULT -eq 0 ]]; then
+      log INFO "${DB_NAME}_backup" "Backup file ${FILE} successfully sent to RGW."
+      return 0
+    elif [[ $SEND_RESULT -eq 2 ]]; then
+      if [[ ${count} -ge ${REMOTE_BACKUP_RETRIES} ]]; then
+        log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW in " \
+        "${REMOTE_BACKUP_RETRIES} retries. Errors encountered. Exiting."
+        break
+      fi
+      # Temporary failure occurred. We need to retry
+      log WARN "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to RGW due to connection issue."
+      sleep_time=$(random_number)
+      log INFO "${DB_NAME}_backup" "Sleeping ${sleep_time} seconds waiting for RGW to become available..."
+      sleep ${sleep_time}
+      log INFO "${DB_NAME}_backup" "Retrying..."
+    else
+      log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW. Errors encountered. Exiting."
+      break
+    fi
+
+    # Increment the counter
+    count=$((count+1))
+  done
+
+  return 1
+}
+
+
+function get_archive_date(){
+# get_archive_date function returns correct archive date
+# for different formats of archives' names
+# the old one: <database name>.<namespace>.<table name | all>.<date-time>.tar.gz
+# the new one: <database name>.<namespace>.<table name | all>.<backup mode>.<date-time>.tar.gz
+  local A_FILE="$1"
+  awk -F. '{print $(NF-2)}' <<< ${A_FILE} | tr -d "Z"
+}
+
+# This function takes a list of archives' names as an input
+# and creates a hash table where keys are number of seconds
+# between current date and archive date (see seconds_difference),
+# and values are space separated archives' names
+#
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 1265342678 | "tmp/mysql.backup.auto.2022-02-14T10:13:13Z.tar.gz"                                                     |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 2346254257 | "tmp/mysql.backup.auto.2022-02-11T10:13:13Z.tar.gz tmp/mysql.backup.manual.2022-02-11T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# <...>
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 6253434567 | "tmp/mysql.backup.manual.2022-02-01T10:13:13Z.tar.gz"                                                   |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# We will use the explained above data stracture to cover rare, but still
+# possible case, when we have several backups of the same date. E.g.
+# one manual, and one automatic.
+
+declare -A fileTable
+create_hash_table() {
+unset fileTable
+fileList=$@
+  for ARCHIVE_FILE in ${fileList}; do
+    # Creating index, we will round given ARCHIVE_DATE to the midnight (00:00:00)
+    # to take in account a possibility, that we can have more than one scheduled
+    # backup per day.
+    ARCHIVE_DATE=$(get_archive_date ${ARCHIVE_FILE})
+    ARCHIVE_DATE=$(date --date=${ARCHIVE_DATE} +%D)
+    log INFO "${DB_NAME}_backup" "Archive date to build index: ${ARCHIVE_DATE}"
+    INDEX=$(seconds_difference ${ARCHIVE_DATE})
+    if [[ -z fileTable[${INDEX}] ]]; then
+      fileTable[${INDEX}]=${ARCHIVE_FILE}
+    else
+      fileTable[${INDEX}]="${fileTable[${INDEX}]} ${ARCHIVE_FILE}"
+    fi
+    echo "INDEX: ${INDEX} VALUE:  ${fileTable[${INDEX}]}"
+ done
+}
+
+function get_backup_prefix() {
+# Create list of all possible prefixes in a format:
+# <db_name>.<namespace> to cover a possible situation
+# when different backups of different databases and/or
+# namespaces share the same local or remote storage.
+  ALL_FILES=($@)
+  PREFIXES=()
+  for fname in ${ALL_FILES[@]}; do
+    prefix=$(basename ${fname} | cut -d'.' -f1,2 )
+    for ((i=0; i<${#PREFIXES[@]}; i++)) do
+      if [[ ${PREFIXES[${i}]} == ${prefix} ]]; then
+        prefix=""
+        break
+      fi
+    done
+    if [[ ! -z ${prefix} ]]; then
+        PREFIXES+=(${prefix})
+    fi
+  done
+}
+
+remove_old_local_archives() {
+  SECONDS_TO_KEEP=$(( $((${LOCAL_DAYS_TO_KEEP}))*86400))
+  log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+  if [[ -d $ARCHIVE_DIR ]]; then
+    count=0
+    # We iterate over the hash table, checking the delta in seconds (hash keys),
+    # and minimum number of backups we must have in place. List of keys has to be sorted.
+    for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+      ARCHIVE_FILE=${fileTable[${INDEX}]}
+      if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
+        ((count++))
+        log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
+      else
+        log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
+          rm -f ${ARCHIVE_FILE}
+          if [[ $? -ne 0 ]]; then
+            # Log error but don't exit so we can finish the script
+            # because at this point we haven't sent backup to RGW yet
+            log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
+          fi
+      fi
+    done
+  else
+    log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
+  fi
+}
+
+prepare_list_of_remote_backups() {
+  BACKUP_FILES=$(mktemp -p /tmp)
+  DB_BACKUP_FILES=$(mktemp -p /tmp)
+  openstack object list $CONTAINER_NAME > $BACKUP_FILES
+  if [[ $? -ne 0 ]]; then
+    log_backup_error_exit \
+      "Failed to cleanup remote backup. Could not obtain a list of current backup files in the RGW"
+  fi
+  # Filter out other types of backup files
+  cat $BACKUP_FILES | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $DB_BACKUP_FILES
+}
+
+# The logic implemented with this function is absolutely similar
+# to the function remove_old_local_archives (see above)
+remove_old_remote_archives() {
+  count=0
+  SECONDS_TO_KEEP=$((${REMOTE_DAYS_TO_KEEP}*86400))
+  log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+  for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+    ARCHIVE_FILE=${fileTable[${INDEX}]}
+    if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then
+      ((count++))
+      log INFO "${DB_NAME}_backup" "Keeping remote backup(s) ${ARCHIVE_FILE}."
+    else
+      log INFO "${DB_NAME}_backup" "Deleting remote backup(s) ${ARCHIVE_FILE} from the RGW"
+      openstack object delete ${CONTAINER_NAME} ${ARCHIVE_FILE} ||  log WARN "${DB_NAME}_backup" \
+        "Failed to cleanup remote backup. Cannot delete container object ${ARCHIVE_FILE}"
+    fi
+  done
+
+  # Cleanup now that we're done.
+  for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
+    if [[ -f fd ]]; then
+      rm -f fd
+    else
+      log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+    fi
+  done
+}
+
+# Main function to backup the databases. Calling functions need to supply:
+#  1) The directory where the final backup will be kept after it is compressed.
+#  2) A temporary directory to use for placing database files to be compressed.
+#     Note: this temp directory will be deleted after backup is done.
+#  3) Optional "scope" parameter indicating what database to back up. Defaults
+#     to "all".
+backup_databases() {
+  SCOPE=${1:-"all"}
+
+  # Create necessary directories if they do not exist.
+  mkdir -p $ARCHIVE_DIR || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create directory ${ARCHIVE_DIR}!"
+  export TMP_DIR=$(mktemp -d) || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create temp directory!"
+
+  # Create temporary log file
+  export ERR_LOG_FILE=$(mktemp -p /tmp) || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create log file!"
+
+  # It is expected that this function will dump the database files to the $TMP_DIR
+  dump_databases_to_directory $TMP_DIR $ERR_LOG_FILE $SCOPE
+
+  # If successful, there should be at least one file in the TMP_DIR
+  if [[ $? -ne 0 || $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+    cat $ERR_LOG_FILE
+    log_backup_error_exit "Backup of the ${DB_NAME} database failed and needs attention."
+  fi
+
+  log INFO "${DB_NAME}_backup" "Databases dumped successfully. Creating tarball..."
+
+  NOW=$(date +"%Y-%m-%dT%H:%M:%SZ")
+  if [[ -z "${BACK_UP_MODE}" ]]; then
+    TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${NOW}.tar.gz"
+  else
+    TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${BACK_UP_MODE}.${NOW}.tar.gz"
+  fi
+
+  cd $TMP_DIR || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot change to directory $TMP_DIR"
+
+  #Archive the current database files
+  tar zcvf $ARCHIVE_DIR/$TARBALL_FILE *
+  if [[ $? -ne 0 ]]; then
+    log_backup_error_exit \
+      "Backup ${DB_NAME} to local file system failed. Backup tarball could not be created."
+  fi
+
+  # Get the size of the file
+  ARCHIVE_SIZE=$(ls -l $ARCHIVE_DIR/$TARBALL_FILE | awk '{print $5}')
+
+  log INFO "${DB_NAME}_backup" "Tarball $TARBALL_FILE created successfully."
+
+  cd $ARCHIVE_DIR
+
+  # Remove the temporary directory and files as they are no longer needed.
+  rm -rf $TMP_DIR
+  rm -f $ERR_LOG_FILE
+
+  #Only delete the old archive after a successful archive
+  export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
+  if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
+    get_backup_prefix $(ls -1 ${ARCHIVE_DIR}/*.gz)
+    for ((i=0; i<${#PREFIXES[@]}; i++)); do
+      echo "Working with prefix: ${PREFIXES[i]}"
+      create_hash_table $(ls -1 ${ARCHIVE_DIR}/${PREFIXES[i]}*.gz)
+      remove_old_local_archives
+    done
+  fi
+
+  REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
+  if $REMOTE_BACKUP; then
+    # Remove Quotes from the constants which were added due to reading
+    # from secret.
+    export REMOTE_BACKUP_RETRIES=$(echo $REMOTE_BACKUP_RETRIES | sed 's/"//g')
+    export MIN_DELAY_SEND_REMOTE=$(echo $MIN_DELAY_SEND_REMOTE | sed 's/"//g')
+    export MAX_DELAY_SEND_REMOTE=$(echo $MAX_DELAY_SEND_REMOTE | sed 's/"//g')
+    export REMOTE_DAYS_TO_KEEP=$(echo $REMOTE_DAYS_TO_KEEP | sed 's/"//g')
+
+    store_backup_remotely $ARCHIVE_DIR $TARBALL_FILE
+    if [[ $? -ne 0 ]]; then
+      # This error should print first, then print the summary as the last
+      # thing that the user sees in the output.
+      log ERROR "${DB_NAME}_backup" "Backup ${TARBALL_FILE} could not be sent to remote RGW."
+      echo "=================================================================="
+      echo "Local backup successful, but could not send to remote RGW."
+      echo "Backup archive name: $TARBALL_FILE"
+      echo "Backup archive size: $ARCHIVE_SIZE"
+      echo "=================================================================="
+      # Because the local backup was successful, exit with 0 so the pod will not
+      # continue to restart and fill the disk with more backups. The ERRORs are
+      # logged and alerting system should catch those errors and flag the operator.
+      exit 0
+    fi
+
+    #Only delete the old archive after a successful archive
+    if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then
+      prepare_list_of_remote_backups
+      get_backup_prefix $(cat $DB_BACKUP_FILES)
+      for ((i=0; i<${#PREFIXES[@]}; i++)); do
+        echo "Working with prefix: ${PREFIXES[i]}"
+        create_hash_table $(cat $DB_BACKUP_FILES | grep ${PREFIXES[i]})
+        remove_old_remote_archives
+      done
+    fi
+
+    echo "=================================================================="
+    echo "Local backup and backup to remote RGW successful!"
+    echo "Backup archive name: $TARBALL_FILE"
+    echo "Backup archive size: $ARCHIVE_SIZE"
+    echo "=================================================================="
+  else
+    # Remote backup is not enabled. This is ok; at least we have a local backup.
+    log INFO "${DB_NAME}_backup" "Skipping remote backup, as it is not enabled."
+
+    echo "=================================================================="
+    echo "Local backup successful!"
+    echo "Backup archive name: $TARBALL_FILE"
+    echo "Backup archive size: $ARCHIVE_SIZE"
+    echo "=================================================================="
+  fi
+}
+{{- end }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl b/charts/barbican/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
new file mode 100644
index 0000000..093dd2c
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
@@ -0,0 +1,616 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.restore_main" }}
+#!/bin/bash
+
+# This file contains a database restore framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+#   source /tmp/restore_main.sh
+#
+# Then the script should call the main CLI function (cli_main):
+#   cli_main <arg_list>
+#       where:
+#         <arg_list>    is the list of arguments given by the user
+#
+#       The framework will require the following variables to be exported:
+#
+#         export DB_NAMESPACE        Namespace where the database(s) reside
+#         export DB_NAME             Name of the database system
+#         export ARCHIVE_DIR         Location where the backup tarballs should
+#                                    be stored. (full directory path which
+#                                    should already exist)
+#         export CONTAINER_NAME      Name of the container on the RGW where
+#                                    the backups are stored.
+#         RGW access variables:
+#           export OS_REGION_NAME          Name of the region the RGW resides in
+#           export OS_AUTH_URL             Keystone URL associated with the RGW
+#           export OS_PROJECT_NAME         Name of the project associated with the
+#                                          keystone user
+#           export OS_USERNAME             Name of the keystone user
+#           export OS_PASSWORD             Password of the keystone user
+#           export OS_USER_DOMAIN_NAME     Keystone domain the project belongs to
+#           export OS_PROJECT_DOMAIN_NAME  Keystone domain the user belongs to
+#           export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# The database-specific functions that need to be implemented are:
+#   get_databases
+#       where:
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <db_file>     is the full path of the file to write the database
+#                       names into, one database per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the database names from the
+#       uncompressed database files found in the given "tmp_dir", which is
+#       the staging directory for database restore. The database names
+#       should be written to the given "db_file", one database name per
+#       line.
+#
+#   get_tables
+#         <db_name>     is the name of the database to get the tables from
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <table_file>  is the full path of the file to write the table
+#                       names into, one table per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the table names from the given
+#       database, found in the uncompressed database files located in the
+#       given "tmp_dir", which is the staging directory for database restore.
+#       The table names should be written to the given "table_file", one
+#       table name per line.
+#
+#   get_rows
+#         <table_name>  is the name of the table to get the rows from
+#         <db_name>     is the name of the database the table resides in
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <rows_file>   is the full path of the file to write the table
+#                       row data into, one row (INSERT statement) per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the rows from the given table
+#       in the given database, found in the uncompressed database files
+#       located in the given "tmp_dir", which is the staging directory for
+#       database restore. The table rows should be written to the given
+#       "rows_file", one row (INSERT statement) per line.
+#
+#   get_schema
+#         <table_name>  is the name of the table to get the schema from
+#         <db_name>     is the name of the database the table resides in
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <schema_file> is the full path of the file to write the table
+#                       schema data into
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the schema from the given table
+#       in the given database, found in the uncompressed database files
+#       located in the given "tmp_dir", which is the staging directory for
+#       database restore. The table schema and related alterations and
+#       grant information should be written to the given "schema_file".
+#
+#   restore_single_db
+#       where:
+#         <db_name>     is the name of the database to be restored
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to restore the database given as "db_name"
+#       using the database files located in the "tmp_dir". The framework
+#       will delete the "tmp_dir" and the files in it after the restore is
+#       complete.
+#
+#   restore_all_dbs
+#       where:
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to restore all of the databases which
+#       are backed up in the database files located in the "tmp_dir". The
+#       framework will delete the "tmp_dir" and the files in it after the
+#       restore is complete.
+#
+# The functions in this file will take care of:
+#   1) The CLI parameter parsing for the arguments passed in by the user.
+#   2) The listing of either local or remote archive files at the request
+#      of the user.
+#   3) The retrieval/download of an archive file located either in the local
+#      file system or remotely stored on an RGW.
+#   4) Calling either "restore_single_db" or "restore_all_dbs" when the user
+#      chooses to restore a database or all databases.
+#   5) The framework will call "get_databases" when it needs a list of
+#      databases when the user requests a database list or when the user
+#      requests to restore a single database (to ensure it exists in the
+#      archive). Similarly, the framework will call "get_tables", "get_rows",
+#      or "get_schema" when it needs that data requested by the user.
+#
+
+usage() {
+  ret_val=$1
+  echo "Usage:"
+  echo "Restore command options"
+  echo "============================="
+  echo "help"
+  echo "list_archives [remote]"
+  echo "list_databases <archive_filename> [remote]"
+  echo "list_tables <archive_filename> <dbname> [remote]"
+  echo "list_rows <archive_filename> <dbname> <table_name> [remote]"
+  echo "list_schema <archive_filename> <dbname> <table_name> [remote]"
+  echo "restore <archive_filename> <db_specifier> [remote]"
+  echo "        where <db_specifier> = <dbname> | ALL"
+  echo "delete_archive <archive_filename> [remote]"
+  clean_and_exit $ret_val ""
+}
+
+#Exit cleanly with some message and return code
+clean_and_exit() {
+  RETCODE=$1
+  MSG=$2
+
+  # Clean/remove temporary directories/files
+  rm -rf $TMP_DIR
+  rm -f $RESULT_FILE
+
+  if [[ "x${MSG}" != "x" ]]; then
+    echo $MSG
+  fi
+  exit $RETCODE
+}
+
+determine_resulting_error_code() {
+  RESULT="$1"
+
+  echo ${RESULT} | grep "HTTP 404"
+  if [[ $? -eq 0 ]]; then
+    echo "Could not find the archive: ${RESULT}"
+    return 1
+  else
+    echo ${RESULT} | grep "HTTP 401"
+    if [[ $? -eq 0 ]]; then
+      echo "Could not access the archive: ${RESULT}"
+      return 1
+    else
+      echo ${RESULT} | grep "HTTP 503"
+      if [[ $? -eq 0 ]]; then
+        echo "RGW service is unavailable. ${RESULT}"
+        # In this case, the RGW may be temporarily down.
+        # Return slightly different error code so the calling code can retry
+        return 2
+      else
+        echo ${RESULT} | grep "ConnectionError"
+        if [[ $? -eq 0 ]]; then
+          echo "Could not reach the RGW: ${RESULT}"
+          # In this case, keystone or the site/node may be temporarily down.
+          # Return slightly different error code so the calling code can retry
+          return 2
+        else
+          echo "Archive ${ARCHIVE} could not be retrieved: ${RESULT}"
+          return 1
+        fi
+      fi
+    fi
+  fi
+  return 0
+}
+
+# Retrieve a list of archives from the RGW.
+retrieve_remote_listing() {
+  RESULT=$(openstack container show $CONTAINER_NAME 2>&1)
+  if [[ $? -eq 0 ]]; then
+    # Get the list, ensureing that we only pick up the right kind of backups from the
+    # requested namespace
+    openstack object list $CONTAINER_NAME | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $TMP_DIR/archive_list
+    if [[ $? -ne 0 ]]; then
+      echo "Container object listing could not be obtained."
+      return 1
+    else
+      echo "Archive listing successfully retrieved."
+    fi
+  else
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  fi
+  return 0
+}
+
+# Retrieve a single archive from the RGW.
+retrieve_remote_archive() {
+  ARCHIVE=$1
+
+  RESULT=$(openstack object save --file $TMP_DIR/$ARCHIVE $CONTAINER_NAME $ARCHIVE 2>&1)
+  if [[ $? -ne 0 ]]; then
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  else
+    echo "Archive $ARCHIVE successfully retrieved."
+  fi
+  return 0
+}
+
+# Delete an archive from the RGW.
+delete_remote_archive() {
+  ARCHIVE=$1
+
+  RESULT=$(openstack object delete ${CONTAINER_NAME} ${ARCHIVE} 2>&1)
+  if [[ $? -ne 0 ]]; then
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  else
+    echo "Archive ${ARCHIVE} successfully deleted."
+  fi
+  return 0
+}
+
+# Display all archives
+list_archives() {
+  REMOTE=$1
+
+  if [[ "x${REMOTE^^}" == "xREMOTE" ]]; then
+    retrieve_remote_listing
+    if [[ $? -eq 0 && -e $TMP_DIR/archive_list ]]; then
+      echo
+      echo "All Archives from RGW Data Store"
+      echo "=============================================="
+      cat $TMP_DIR/archive_list | sort
+      clean_and_exit 0 ""
+    else
+      clean_and_exit 1 "ERROR: Archives could not be retrieved from the RGW."
+    fi
+  elif [[ "x${REMOTE}" == "x" ]]; then
+    if [[ -d $ARCHIVE_DIR ]]; then
+      archives=$(find $ARCHIVE_DIR/ -iname "*.gz" -print | sort)
+      echo
+      echo "All Local Archives"
+      echo "=============================================="
+      for archive in $archives
+      do
+        echo $archive | cut -d '/' -f8-
+      done
+      clean_and_exit 0 ""
+    else
+      clean_and_exit 1 "ERROR: Local archive directory is not available."
+    fi
+  else
+    usage 1
+  fi
+}
+
+# Retrieve the archive from the desired location and decompress it into
+# the restore directory
+get_archive() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+
+  if [[ "x$REMOTE" == "xremote" ]]; then
+    echo "Retrieving archive ${ARCHIVE_FILE} from the remote RGW..."
+    retrieve_remote_archive $ARCHIVE_FILE
+    if [[ $? -ne 0 ]]; then
+      clean_and_exit 1 "ERROR: Could not retrieve remote archive: $ARCHIVE_FILE"
+    fi
+  elif [[ "x$REMOTE" == "x" ]]; then
+    if [[ -e $ARCHIVE_DIR/$ARCHIVE_FILE ]]; then
+      cp $ARCHIVE_DIR/$ARCHIVE_FILE $TMP_DIR/$ARCHIVE_FILE
+      if [[ $? -ne 0 ]]; then
+        clean_and_exit 1 "ERROR: Could not copy local archive to restore directory."
+      fi
+    else
+      clean_and_exit 1 "ERROR: Local archive file could not be found."
+    fi
+  else
+    usage 1
+  fi
+
+  echo "Decompressing archive $ARCHIVE_FILE..."
+  cd $TMP_DIR
+  tar zxvf - < $TMP_DIR/$ARCHIVE_FILE 1>/dev/null
+  if [[ $? -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Archive decompression failed."
+  fi
+}
+
+# Display all databases from an archive
+list_databases() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one database per line
+  get_databases $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve databases from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Databases in the $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Databases file missing. Could not list databases from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display all tables of a database from an archive
+list_tables() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  REMOTE=$3
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one table per line
+  get_tables $DATABASE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve tables for database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Tables in database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Tables file missing. Could not list tables of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display all rows of the given database table from an archive
+list_rows() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  TABLE=$3
+  REMOTE=$4
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one table per line
+  get_rows $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Rows in table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Rows file missing. Could not list rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display the schema information of the given database table from an archive
+list_schema() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  TABLE=$3
+  REMOTE=$4
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the schema information will be placed into
+  # the given schema file.
+  get_schema $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Schema for table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Schema file missing. Could not list schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Delete an archive
+delete_archive() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  if [[ "${WHERE}" == "remote" ]]; then
+    delete_remote_archive ${ARCHIVE_FILE}
+    if [[ $? -ne 0 ]]; then
+      clean_and_exit 1 "ERROR: Could not delete remote archive: ${ARCHIVE_FILE}"
+    fi
+  else # Local
+    if [[ -e ${ARCHIVE_DIR}/${ARCHIVE_FILE} ]]; then
+      rm -f ${ARCHIVE_DIR}/${ARCHIVE_FILE}
+      if [[ $? -ne 0 ]]; then
+        clean_and_exit 1 "ERROR: Could not delete local archive."
+      fi
+    else
+      clean_and_exit 1 "ERROR: Local archive file could not be found."
+    fi
+  fi
+
+  echo "Successfully deleted archive ${ARCHIVE_FILE} from ${WHERE} storage."
+}
+
+
+# Return 1 if the given database exists in the database file. 0 otherwise.
+database_exists() {
+  DB=$1
+
+  grep "${DB}" ${RESULT_FILE}
+  if [[ $? -eq 0 ]]; then
+    return 1
+  fi
+  return 0
+}
+
+# This is the main CLI interpreter function
+cli_main() {
+  ARGS=("$@")
+
+  # Create the ARCHIVE DIR if it's not already there.
+  mkdir -p $ARCHIVE_DIR
+
+  # Create temp directory for a staging area to decompress files into
+  export TMP_DIR=$(mktemp -d)
+
+  # Create a temp file for storing list of databases (if needed)
+  export RESULT_FILE=$(mktemp -p /tmp)
+
+  case "${ARGS[0]}" in
+    "help")
+      usage 0
+      ;;
+
+    "list_archives")
+      if [[ ${#ARGS[@]} -gt 2 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 1 ]]; then
+        list_archives
+      else
+        list_archives ${ARGS[1]}
+      fi
+      clean_and_exit 0
+      ;;
+
+    "list_databases")
+      if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 2 ]]; then
+        list_databases ${ARGS[1]}
+      else
+        list_databases ${ARGS[1]} ${ARGS[2]}
+      fi
+      ;;
+
+    "list_tables")
+      if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 3 ]]; then
+        list_tables ${ARGS[1]} ${ARGS[2]}
+      else
+        list_tables ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      fi
+      ;;
+
+    "list_rows")
+      if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      else
+        list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+      fi
+      ;;
+
+    "list_schema")
+      if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      else
+        list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+      fi
+      ;;
+
+    "restore")
+      REMOTE=""
+      if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        REMOTE=${ARGS[3]}
+      fi
+
+      ARCHIVE=${ARGS[1]}
+      DB_SPEC=${ARGS[2]}
+
+      #Get all the databases in that archive
+      get_archive $ARCHIVE $REMOTE
+
+      if [[ "$( echo $DB_SPEC | tr '[a-z]' '[A-Z]')" != "ALL" ]]; then
+        # Expectation is that the database listing will be put into
+        # the given file one database per line
+        get_databases $TMP_DIR $RESULT_FILE
+        if [[ "$?" -ne 0 ]]; then
+          clean_and_exit 1 "ERROR: Could not get the list of databases to restore."
+        fi
+
+        if [[ ! $DB_NAMESPACE == "kube-system" ]]; then
+          #check if the requested database is available in the archive
+          database_exists $DB_SPEC
+          if [[ $? -ne 1 ]]; then
+            clean_and_exit 1 "ERROR: Database ${DB_SPEC} does not exist."
+          fi
+        fi
+
+        echo "Restoring Database $DB_SPEC And Grants"
+        restore_single_db $DB_SPEC $TMP_DIR
+        if [[ "$?" -eq 0 ]]; then
+          echo "Single database restored successfully."
+        else
+          clean_and_exit 1 "ERROR: Single database restore failed."
+        fi
+        clean_and_exit 0 ""
+      else
+        echo "Restoring All The Databases. This could take a few minutes..."
+        restore_all_dbs $TMP_DIR
+        if [[ "$?" -eq 0 ]]; then
+          echo "All databases restored successfully."
+        else
+          clean_and_exit 1 "ERROR: Database restore failed."
+        fi
+        clean_and_exit 0 ""
+      fi
+      ;;
+    "delete_archive")
+      if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 2 ]]; then
+        delete_archive ${ARGS[1]}
+      else
+        delete_archive ${ARGS[1]} ${ARGS[2]}
+      fi
+      ;;
+    *)
+      usage 1
+      ;;
+  esac
+
+  clean_and_exit 0 ""
+}
+{{- end }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_image.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_image.tpl
new file mode 100644
index 0000000..029c93d
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_image.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves an image reference to a string, and its pull policy
+values: |
+  images:
+    tags:
+      test_image: docker.io/port/test:version-foo
+      image_foo: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    pull_policy: IfNotPresent
+    local_registry:
+      active: true
+      exclude:
+        - image_foo
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    local_image_registry:
+      name: docker-registry
+      namespace: docker-registry
+      hosts:
+        default: localhost
+        internal: docker-registry
+        node: localhost
+      host_fqdn_override:
+        default: null
+      port:
+        registry:
+          node: 5000
+usage: |
+  {{ tuple . "test_image" | include "helm-toolkit.snippets.image" }}
+return: |
+  image: "localhost:5000/docker.io/port/test:version-foo"
+  imagePullPolicy: IfNotPresent
+*/}}
+
+{{- define "helm-toolkit.snippets.image" -}}
+{{- $envAll := index . 0 -}}
+{{- $image := index . 1 -}}
+{{- $imageTag := index $envAll.Values.images.tags $image -}}
+{{- if and ($envAll.Values.images.local_registry.active) (not (has $image $envAll.Values.images.local_registry.exclude )) -}}
+{{- $registryPrefix := printf "%s:%s" (tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup") (tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup") -}}
+image: {{ printf "%s/%s" $registryPrefix $imageTag | quote }}
+{{- else -}}
+image: {{ $imageTag | quote }}
+{{- end }}
+imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
new file mode 100644
index 0000000..2f209fe
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a set of container enviorment variables, equivlant to an openrc for
+  use with keystone based command line clients.
+values: |
+  secrets:
+    identity:
+      admin: example-keystone-admin
+usage: |
+  {{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin ) }}
+return: |
+  - name: OS_IDENTITY_API_VERSION
+    value: "3"
+  - name: OS_AUTH_URL
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_AUTH_URL
+  - name: OS_REGION_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_REGION_NAME
+  - name: OS_INTERFACE
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_INTERFACE
+  - name: OS_ENDPOINT_TYPE
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_INTERFACE
+  - name: OS_PROJECT_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PROJECT_DOMAIN_NAME
+  - name: OS_PROJECT_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PROJECT_NAME
+  - name: OS_USER_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_USER_DOMAIN_NAME
+  - name: OS_USERNAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_USERNAME
+  - name: OS_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PASSWORD
+  - name: OS_CACERT
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_CACERT
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }}
+{{- $useCA := .useCA -}}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: OS_IDENTITY_API_VERSION
+  value: "3"
+- name: OS_AUTH_URL
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_AUTH_URL
+- name: OS_REGION_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_REGION_NAME
+- name: OS_INTERFACE
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_INTERFACE
+- name: OS_ENDPOINT_TYPE
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_INTERFACE
+- name: OS_PROJECT_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_DOMAIN_NAME
+- name: OS_PROJECT_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_NAME
+- name: OS_USER_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USER_DOMAIN_NAME
+- name: OS_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USERNAME
+- name: OS_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PASSWORD
+- name: OS_DEFAULT_DOMAIN
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_DEFAULT_DOMAIN
+{{- if $useCA }}
+- name: OS_CACERT
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_CACERT
+{{- end }}
+{{- end }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
new file mode 100644
index 0000000..f627657
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_secret_openrc" }}
+{{- $userClass := index . 0 -}}
+{{- $identityEndpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $userContext := index $context.Values.endpoints.identity.auth $userClass }}
+OS_AUTH_URL: {{ tuple "identity" $identityEndpoint "api" $context | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
+OS_REGION_NAME: {{ $userContext.region_name | b64enc }}
+OS_INTERFACE: {{ $userContext.interface | default "internal" | b64enc }}
+OS_PROJECT_DOMAIN_NAME: {{ $userContext.project_domain_name | b64enc }}
+OS_PROJECT_NAME: {{ $userContext.project_name | b64enc }}
+OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }}
+OS_USERNAME: {{ $userContext.username | b64enc }}
+OS_PASSWORD: {{ $userContext.password | b64enc }}
+OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }}
+{{- if $userContext.cacert }}
+OS_CACERT: {{ $userContext.cacert | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
new file mode 100644
index 0000000..648711b
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a set of container enviorment variables, for use with the keystone
+  user management jobs.
+values: |
+  secrets:
+    identity:
+      service_user: example-keystone-user
+usage: |
+  {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }}
+return: |
+  - name: SERVICE_OS_REGION_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_REGION_NAME
+  - name: SERVICE_OS_PROJECT_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PROJECT_DOMAIN_NAME
+  - name: SERVICE_OS_PROJECT_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PROJECT_NAME
+  - name: SERVICE_OS_USER_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_USER_DOMAIN_NAME
+  - name: SERVICE_OS_USERNAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_USERNAME
+  - name: SERVICE_OS_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PASSWORD
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_user_create_env_vars" }}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: SERVICE_OS_REGION_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_REGION_NAME
+- name: SERVICE_OS_PROJECT_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_DOMAIN_NAME
+- name: SERVICE_OS_PROJECT_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_NAME
+- name: SERVICE_OS_USER_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USER_DOMAIN_NAME
+- name: SERVICE_OS_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USERNAME
+- name: SERVICE_OS_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PASSWORD
+{{- end }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
new file mode 100644
index 0000000..8ca1028
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders a configmap used for loading custom AppArmor profiles.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+      apparmor_profiles: |-
+        my_apparmor-v1.profile: |-
+          #include <tunables/global>
+          profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+            <profile_data>
+          }
+usage: |
+  {{ dict "envAll" . "component" "myComponent" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }}
+return: |
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: releaseName-myComponent-apparmor
+  namespace: myNamespace
+data:
+  my_apparmor-v1.profile: |-
+    #include <tunables/global>
+    profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+      <profile_data>
+    }
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_configmap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- $mapName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if $envAll.Values.conf.apparmor_profiles }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ $mapName }}
+  namespace: {{ $envAll.Release.Namespace }}
+data:
+{{ $envAll.Values.conf.apparmor_profiles | toYaml | indent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
new file mode 100644
index 0000000..f231fe6
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders the init container used for apparmor loading.
+values: |
+  images:
+    tags:
+      apparmor_loader: my-repo.io/apparmor-loader:1.0.0
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+      apparmor-loader: unconfined
+usage: |
+  {{ dict "envAll" . | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" }}
+return: |
+  - name: apparmor-loader
+    image: my-repo.io/apparmor-loader:1.0.0
+    args:
+      - /profiles
+    securityContext:
+      privileged: true
+    volumeMounts:
+      - name: sys
+        mountPath: /sys
+        readOnly: true
+      - name: includes
+        mountPath: /etc/apparmor.d
+        readOnly: true
+      - name: profiles
+        mountPath: /profiles
+        readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" -}}
+{{- $envAll := index . "envAll" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+- name: apparmor-loader
+  image: {{ $envAll.Values.images.tags.apparmor_loader }}
+  args:
+    - /profiles
+  securityContext:
+    privileged: true
+  volumeMounts:
+    - name: sys
+      mountPath: /sys
+      readOnly: true
+    - name: includes
+      mountPath: /etc/apparmor.d
+      readOnly: true
+    - name: profiles
+      mountPath: /profiles
+      readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
new file mode 100644
index 0000000..baebaa3
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders the volumes used by the apparmor loader.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+inputs: |
+  envAll: "Environment or Context."
+  component: "Name of the component used for the name of configMap."
+  requireSys: "Boolean. True if it needs the hostpath /sys in volumes."
+usage: |
+  {{ dict "envAll" . "component" "keystone" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" }}
+return: |
+- name: sys
+  hostPath:
+    path: /sys
+- name: includes
+  hostPath:
+    path: /etc/apparmor.d
+- name: profiles
+  configMap:
+    name: RELEASENAME-keystone-apparmor
+    defaultMode: 0555
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_volumes" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $requireSys := index . "requireSys" | default false -}}
+{{- $configName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- if $requireSys }}
+- name: sys
+  hostPath:
+    path: /sys
+{{- end }}
+- name: includes
+  hostPath:
+    path: /etc/apparmor.d
+- name: profiles
+  configMap:
+    name: {{ $configName | quote }}
+    defaultMode: 0555
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
new file mode 100644
index 0000000..4741497
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders securityContext for a Kubernetes container.
+  For container level, see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#securitycontext-v1-core
+examples:
+  - values: |
+      pod:
+        security_context:
+          myApp:
+            container:
+              foo:
+                runAsUser: 34356
+                readOnlyRootFilesystem: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" "container" "foo" | include "helm-toolkit.snippets.kubernetes_container_security_context" }}
+    return: |
+      securityContext:
+        readOnlyRootFilesystem: true
+        runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_container_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $container := index . "container" -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{- if hasKey ( index $envAll.Values.pod.security_context $application "container" ) $container }}
+securityContext:
+{{ toYaml ( index $envAll.Values.pod.security_context $application "container" $container ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
new file mode 100644
index 0000000..bed712e
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
@@ -0,0 +1,209 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a container definition for use with the kubernetes-entrypoint image
+  from stackanetes.
+values: |
+  images:
+    tags:
+      dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    pull_policy: IfNotPresent
+    local_registry:
+      active: true
+      exclude:
+        - dep_check
+  dependencies:
+    dynamic:
+      common:
+        local_image_registry:
+          jobs:
+            - calico-image-repo-sync
+          services:
+            - endpoint: node
+              service: local_image_registry
+    static:
+      calico_node:
+        services:
+          - endpoint: internal
+            service: etcd
+        custom_resources:
+          - apiVersion: argoproj.io/v1alpha1
+            kind: Workflow
+            name: wf-example
+            fields:
+              - key: "status.phase"
+                value: "Succeeded"
+  endpoints:
+    local_image_registry:
+      namespace: docker-registry
+      hosts:
+        default: localhost
+        node: localhost
+    etcd:
+      hosts:
+        default: etcd
+  # NOTE (portdirect): if the stanza, or a portion of it, under `pod` is not
+  # specififed then the following will be used as defaults:
+  #  pod:
+  #    security_context:
+  #      kubernetes_entrypoint:
+  #        container:
+  #          kubernetes_entrypoint:
+  #            runAsUser: 65534
+  #            readOnlyRootFilesystem: true
+  #            allowPrivilegeEscalation: false
+  pod:
+    security_context:
+      kubernetes_entrypoint:
+        container:
+          kubernetes_entrypoint:
+            runAsUser: 0
+            readOnlyRootFilesystem: false
+usage: |
+  {{ tuple . "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" }}
+return: |
+  - name: init
+    image: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+    imagePullPolicy: IfNotPresent
+    securityContext:
+      allowPrivilegeEscalation: false
+      readOnlyRootFilesystem: false
+      runAsUser: 0
+
+    env:
+      - name: POD_NAME
+        valueFrom:
+          fieldRef:
+            apiVersion: v1
+            fieldPath: metadata.name
+      - name: NAMESPACE
+        valueFrom:
+          fieldRef:
+            apiVersion: v1
+            fieldPath: metadata.namespace
+      - name: INTERFACE_NAME
+        value: eth0
+      - name: PATH
+        value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+      - name: DEPENDENCY_SERVICE
+        value: "default:etcd,docker-registry:localhost"
+      - name: DEPENDENCY_JOBS
+        value: "calico-image-repo-sync"
+      - name: DEPENDENCY_DAEMONSET
+        value: ""
+      - name: DEPENDENCY_CONTAINER
+        value: ""
+      - name: DEPENDENCY_POD_JSON
+        value: ""
+      - name: DEPENDENCY_CUSTOM_RESOURCE
+        value: "[{\"apiVersion\":\"argoproj.io/v1alpha1\",\"kind\":\"Workflow\",\"namespace\":\"default\",\"name\":\"wf-example\",\"fields\":[{\"key\":\"status.phase\",\"value\":\"Succeeded\"}]}]"
+    command:
+      - kubernetes-entrypoint
+    volumeMounts:
+      []
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" -}}
+Values:
+  pod:
+    security_context:
+      kubernetes_entrypoint:
+        container:
+          kubernetes_entrypoint:
+            runAsUser: 65534
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $mounts := index . 2 -}}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+
+{{- if and ($envAll.Values.manifests.job_rabbit_init) (hasKey $envAll.Values.dependencies "dynamic") -}}
+{{- if $envAll.Values.dependencies.dynamic.job_rabbit_init -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component) ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component)) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+{{- range $deps.custom_resources }}
+{{- $_ := set . "namespace" $envAll.Release.Namespace -}}
+{{- end -}}
+{{- $default_security_context := include "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" . | fromYaml }}
+{{- $patchedEnvAll := mergeOverwrite $default_security_context $envAll }}
+- name: init
+{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
+{{- dict "envAll" $patchedEnvAll "application" "kubernetes_entrypoint" "container" "kubernetes_entrypoint" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 2 }}
+  env:
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          apiVersion: v1
+          fieldPath: metadata.name
+    - name: NAMESPACE
+      valueFrom:
+        fieldRef:
+          apiVersion: v1
+          fieldPath: metadata.namespace
+    - name: INTERFACE_NAME
+      value: eth0
+    - name: PATH
+      value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+    - name: DEPENDENCY_SERVICE
+      value: "{{ tuple $deps.services $envAll | include "helm-toolkit.utils.comma_joined_service_list" }}"
+{{- if $deps.jobs -}}
+  {{- if kindIs "string" (index $deps.jobs 0) }}
+    - name: DEPENDENCY_JOBS
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.jobs }}"
+  {{- else }}
+    - name: DEPENDENCY_JOBS_JSON
+      value: {{- toJson $deps.jobs | quote -}}
+  {{- end -}}
+{{- end }}
+    - name: DEPENDENCY_DAEMONSET
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.daemonset }}"
+    - name: DEPENDENCY_CONTAINER
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.container }}"
+    - name: DEPENDENCY_POD_JSON
+      value: {{ if $deps.pod }}{{ toJson $deps.pod | quote }}{{ else }}""{{ end }}
+    - name: DEPENDENCY_CUSTOM_RESOURCE
+      value: {{ if $deps.custom_resources }}{{ toJson $deps.custom_resources | quote }}{{ else }}""{{ end }}
+  command:
+    - kubernetes-entrypoint
+  volumeMounts:
+{{ toYaml $mounts | indent 4 }}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
new file mode 100644
index 0000000..34a7da3
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
@@ -0,0 +1,20 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_kubectl_params" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{ print "-l application=" $application " -l component=" $component }}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
new file mode 100644
index 0000000..92d3ea5
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders mandatory access control annotations for a list of containers
+  driven by values.yaml. As of now, it can only generate an apparmor
+  annotation, but in the future could generate others.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      myPodName:
+        myContainerName: localhost/myAppArmor
+        mySecondContainerName: localhost/secondProfile # optional
+        myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+  {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" }}
+return: |
+  container.apparmor.security.beta.kubernetes.io/myContainerName: localhost/myAppArmor
+  container.apparmor.security.beta.kubernetes.io/mySecondContainerName: localhost/secondProfile
+  container.apparmor.security.beta.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+  The number of container underneath is a variable arguments. It loops through
+  all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- $macType := $envAll.Values.pod.mandatory_access_control.type -}}
+{{- if $macType -}}
+{{- if eq $macType "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control $podName -}}
+{{- range $name := $containerNames -}}
+{{- $apparmorProfile := index $envAll.Values.pod.mandatory_access_control $podName $name -}}
+{{- if $apparmorProfile }}
+container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
new file mode 100644
index 0000000..48b53fa
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders a set of standardised labels
+values: |
+  release_group: null
+  pod:
+    labels:
+      default:
+        label1.example.com: value
+      bar:
+        label2.example.com: bar
+usage: |
+  {{ tuple . "foo" "bar" | include "helm-toolkit.snippets.kubernetes_metadata_labels" }}
+return: |
+  release_group: RELEASE-NAME
+  application: foo
+  component: bar
+  label1.example.com: value
+  label2.example.com: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+release_group: {{ $envAll.Values.release_group | default $envAll.Release.Name }}
+application: {{ $application }}
+component: {{ $component }}
+{{- if ($envAll.Values.pod).labels }}
+{{- if hasKey $envAll.Values.pod.labels $component }}
+{{ index $envAll.Values.pod "labels" $component | toYaml }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.labels "default" }}
+{{ $envAll.Values.pod.labels.default | toYaml }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
new file mode 100644
index 0000000..fabbcf8
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
@@ -0,0 +1,89 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes anti affinity rules, this function supports both hard
+  'requiredDuringSchedulingIgnoredDuringExecution' and soft
+  'preferredDuringSchedulingIgnoredDuringExecution' types.
+values: |
+  pod:
+    affinity:
+      anti:
+        topologyKey:
+          default: kubernetes.io/hostname
+        type:
+          default: requiredDuringSchedulingIgnoredDuringExecution
+        weight:
+          default: 10
+usage: |
+  {{ tuple . "appliction_x" "component_y" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" }}
+return: |
+  podAntiAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+    - labelSelector:
+        matchExpressions:
+          - key: release_group
+            operator: In
+            values:
+            - RELEASE-NAME
+          - key: application
+            operator: In
+            values:
+            - appliction_x
+          - key: component
+            operator: In
+            values:
+            - component_y
+          topologyKey: kubernetes.io/hostname
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $component := index . "component" -}}
+{{- $expressionRelease := dict "key" "release_group" "operator" "In"  "values" ( list ( $envAll.Values.release_group | default $envAll.Release.Name ) ) -}}
+{{- $expressionApplication := dict "key" "application" "operator" "In"  "values" ( list $application ) -}}
+{{- $expressionComponent := dict "key" "component" "operator" "In"  "values" ( list $component ) -}}
+{{- list $expressionRelease $expressionApplication $expressionComponent | toYaml }}
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{- $antiAffinityType := index $envAll.Values.pod.affinity.anti.type $component | default $envAll.Values.pod.affinity.anti.type.default }}
+{{- $antiAffinityKey := index $envAll.Values.pod.affinity.anti.topologyKey $component | default $envAll.Values.pod.affinity.anti.topologyKey.default }}
+podAntiAffinity:
+{{- $matchExpressions := include "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" ( dict "envAll" $envAll "application" $application "component" $component ) -}}
+{{- if eq $antiAffinityType "preferredDuringSchedulingIgnoredDuringExecution" }}
+  {{ $antiAffinityType }}:
+  - podAffinityTerm:
+      labelSelector:
+        matchExpressions:
+{{ $matchExpressions | indent 10 }}
+      topologyKey: {{ $antiAffinityKey }}
+{{- if  $envAll.Values.pod.affinity.anti.weight }}
+    weight: {{ index $envAll.Values.pod.affinity.anti.weight $component | default $envAll.Values.pod.affinity.anti.weight.default }}
+{{- else }}
+    weight: 10
+{{- end -}}
+{{- else if eq $antiAffinityType "requiredDuringSchedulingIgnoredDuringExecution" }}
+  {{ $antiAffinityType }}:
+  - labelSelector:
+      matchExpressions:
+{{ $matchExpressions | indent 8 }}
+    topologyKey: {{ $antiAffinityKey }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
new file mode 100644
index 0000000..74173dc
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders image pull secrets for a pod
+values: |
+  pod:
+    image_pull_secrets:
+      default:
+        - name: some-pull-secret
+      bar:
+        - name: another-pull-secret
+usage: |
+  {{ tuple . "bar" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" }}
+return: |
+  imagePullSecrets:
+    - name: some-pull-secret
+    - name: another-pull-secret
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_image_pull_secrets" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- if ($envAll.Values.pod).image_pull_secrets }}
+imagePullSecrets:
+{{- if hasKey $envAll.Values.pod.image_pull_secrets $application }}
+{{ index $envAll.Values.pod "image_pull_secrets" $application | toYaml | indent 2 }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.image_pull_secrets "default" }}
+{{ $envAll.Values.pod.image_pull_secrets.default | toYaml | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
new file mode 100644
index 0000000..90a7a65
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{{- $saName := index . 2 | replace "_" "-" }}
+{{- $saNamespace := index . 3 -}}
+{{- $releaseName := $envAll.Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $releaseName }}-{{ $saName }}
+  namespace: {{ $saNamespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $saName }}
+    namespace: {{ $saNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+  namespace: {{ $saNamespace }}
+rules:
+  - apiGroups:
+      - ""
+      - extensions
+      - batch
+      - apps
+    verbs:
+      - get
+      - list
+    resources:
+      {{- range $k, $v := $deps -}}
+      {{ if eq $v "daemonsets" }}
+      - daemonsets
+      {{- end -}}
+      {{ if eq $v "jobs" }}
+      - jobs
+      {{- end -}}
+      {{ if or (eq $v "pods") (eq $v "daemonsets") (eq $v "jobs") }}
+      - pods
+      {{- end -}}
+      {{ if eq $v "services" }}
+      - services
+      - endpoints
+      {{- end -}}
+      {{ if eq $v "secrets" }}
+      - secrets
+      {{- end -}}
+      {{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
new file mode 100644
index 0000000..4cc898d
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $saName := index . 2 -}}
+{{- $saNamespace := $envAll.Release.Namespace }}
+{{- $randomKey := randAlphaNum 32 }}
+{{- $allNamespace := dict $randomKey "" }}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $saName }}
+  namespace: {{ $saNamespace }}
+{{- range $k, $v := $deps -}}
+{{- if eq $k "services" }}
+{{- range $serv := $v }}
+{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
+{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
+{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
+{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- else if and (eq $k "jobs") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "daemonset") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "pod") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "pods," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "secret") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "secrets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- $_ := unset $allNamespace $randomKey }}
+{{- range $ns, $vv := $allNamespace }}
+{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
+{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
new file mode 100644
index 0000000..3a4fbaa
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
@@ -0,0 +1,67 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders securityContext for a Kubernetes pod.
+  For pod level, seurity context see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#podsecuritycontext-v1-core
+examples:
+  - values: |
+      pod:
+        # NOTE: The 'user' key is deprecated, and will be removed shortly.
+        user:
+          myApp:
+            uid: 34356
+        security_context:
+          myApp:
+            pod:
+              runAsNonRoot: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+    return: |
+      securityContext:
+        runAsUser: 34356
+        runAsNonRoot: true
+  - values: |
+      pod:
+        security_context:
+          myApp:
+            pod:
+              runAsUser: 34356
+              runAsNonRoot: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+    return: |
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+securityContext:
+{{- if hasKey $envAll.Values.pod "user" }}
+{{- if hasKey $envAll.Values.pod.user $application }}
+{{- if hasKey ( index $envAll.Values.pod.user $application ) "uid" }}
+  runAsUser: {{ index $envAll.Values.pod.user $application "uid" }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{ toYaml ( index $envAll.Values.pod.security_context $application "pod" ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
new file mode 100644
index 0000000..7470760
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes liveness and readiness probes for containers
+values: |
+  pod:
+    probes:
+      api:
+        default:
+          readiness:
+            enabled: true
+            params:
+              initialDelaySeconds: 30
+              timeoutSeconds: 30
+usage: |
+  {{- define "probeTemplate" }}
+  httpGet:
+    path: /status
+    port: 9090
+  {{- end }}
+  {{ dict "envAll" . "component" "api" "container" "default" "type" "readiness" "probeTemplate" (include "probeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" }}
+return: |
+  readinessProbe:
+    httpGet:
+      path: /status
+      port: 9090
+    initialDelaySeconds: 30
+    timeoutSeconds: 30
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_probe" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $container := index . "container" -}}
+{{- $type := index . "type" -}}
+{{- $probeTemplate := index . "probeTemplate" -}}
+{{- $probeOpts := index $envAll.Values.pod.probes $component $container $type -}}
+{{- if $probeOpts.enabled -}}
+{{- $probeOverides := index $probeOpts "params" | default dict -}}
+{{ dict ( printf "%sProbe" $type ) (mergeOverwrite $probeTemplate $probeOverides ) | toYaml }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
new file mode 100644
index 0000000..24d30cf
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
@@ -0,0 +1,53 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Note: This function is deprecated and will be removed in the future.
+
+abstract: |
+  Renders kubernetes resource limits for pods
+values: |
+  pod:
+    resources:
+      enabled: true
+      api:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+          hugepages-1Gi: "1Gi"
+
+usage: |
+  {{ include "helm-toolkit.snippets.kubernetes_resources" ( tuple . .Values.pod.resources.api ) }}
+return: |
+  resources:
+    limits:
+      cpu: "2000m"
+      memory: "1024Mi"
+      hugepages-1Gi: "1Gi"
+    requests:
+      cpu: "100m"
+      memory: "128Mi
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_resources" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- if $envAll.Values.pod.resources.enabled -}}
+resources:
+{{ toYaml $component | trim | indent 2 }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
new file mode 100644
index 0000000..555ffb0
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders seccomp annotations for a list of containers driven by values.yaml.
+values: |
+  pod:
+    seccomp:
+      myPodName:
+        myContainerName: localhost/mySeccomp
+        mySecondContainerName: localhost/secondProfile # optional
+        myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+  {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_seccomp_annotation" }}
+return: |
+  container.seccomp.security.alpha.kubernetes.io/myContainerName: localhost/mySeccomp
+  container.seccomp.security.alpha.kubernetes.io/mySecondContainerName: localhost/secondProfile
+  container.seccomp.security.alpha.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+  The number of container underneath is a variable arguments. It loops through
+  all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_seccomp_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey (index $envAll.Values.pod "seccomp") $podName -}}
+{{- range $name := $containerNames -}}
+{{- $seccompProfile := index $envAll.Values.pod.seccomp $podName $name -}}
+{{- if $seccompProfile }}
+container.seccomp.security.alpha.kubernetes.io/{{ $name }}: {{ $seccompProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
new file mode 100644
index 0000000..e4af6a6
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes tolerations for pods
+values: |
+  pod:
+    tolerations:
+      api:
+        enabled: true
+        tolerations:
+        - key: node-role.kubernetes.io/master
+          operator: Exists
+        - key: node-role.kubernetes.io/node
+          operator: Exists
+
+usage: |
+  {{ include "helm-toolkit.snippets.kubernetes_tolerations" ( tuple . .Values.pod.tolerations.api ) }}
+return: |
+  tolerations:
+  - key: node-role.kubernetes.io/master
+    operator: Exists
+  - key: node-role.kubernetes.io/node
+    operator: Exists
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_tolerations" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $pod := index $envAll.Values.pod.tolerations $component }}
+tolerations:
+{{ toYaml $pod.tolerations }}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
new file mode 100644
index 0000000..69cee47
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_daemonset" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $upgradeMap := index $envAll.Values.pod.lifecycle.upgrades.daemonsets $component -}}
+{{- $pod_replacement_strategy := $envAll.Values.pod.lifecycle.upgrades.daemonsets.pod_replacement_strategy -}}
+{{- with $upgradeMap -}}
+{{- if .enabled }}
+minReadySeconds: {{ .min_ready_seconds }}
+updateStrategy:
+  type: {{ $pod_replacement_strategy }}
+  {{- if $pod_replacement_strategy }}
+  {{- if eq $pod_replacement_strategy "RollingUpdate" }}
+  rollingUpdate:
+    maxUnavailable: {{ .max_unavailable }}
+  {{- end }}
+  {{- end }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
new file mode 100644
index 0000000..be28cdb
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_deployment" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.deployments -}}
+revisionHistoryLimit: {{ .revision_history }}
+strategy:
+  type: {{ .pod_replacement_strategy }}
+  {{- if eq .pod_replacement_strategy "RollingUpdate" }}
+  rollingUpdate:
+    maxUnavailable: {{ .rolling_update.max_unavailable }}
+    maxSurge: {{ .rolling_update.max_surge }}
+  {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
new file mode 100644
index 0000000..f897023
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders upgradeStrategy configuration for Kubernetes statefulsets.
+  See: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+  Types:
+    - RollingUpdate (default)
+    - OnDelete
+  Partitions:
+    - Stage updates to a statefulset by keeping pods at current version while
+      allowing mutations to statefulset's .spec.template
+values: |
+  pod:
+    lifecycle:
+      upgrades:
+        statefulsets:
+          pod_replacement_strategy: RollingUpdate
+          partition: 2
+usage: |
+  {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_statefulset" | indent 2 }}
+return: |
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      partition: 2
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_statefulset" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.statefulsets -}}
+updateStrategy:
+  type: {{ .pod_replacement_strategy }}
+  {{ if .partition -}}
+  rollingUpdate:
+    partition: {{ .partition }}
+  {{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
new file mode 100644
index 0000000..fc74c6f
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
@@ -0,0 +1,68 @@
+{{- define "helm-toolkit.snippets.mon_host_from_k8s_ep" -}}
+{{/*
+
+Inserts a bash function definition mon_host_from_k8s_ep() which can be used
+to construct a mon_hosts value from the given namespaced endpoint.
+
+Usage (e.g. in _script.sh.tpl):
+    #!/bin/bash
+
+    : "${NS:=ceph}"
+    : "${EP:=ceph-mon-discovery}"
+
+    {{ include "helm-toolkit.snippets.mon_host_from_k8s_ep" . }}
+
+    MON_HOST=$(mon_host_from_k8s_ep "$NS" "$EP")
+
+    if [ -z "$MON_HOST" ]; then
+        # deal with failure
+    else
+        sed -i -e "s/^mon_host = /mon_host = $MON_HOST/" /etc/ceph/ceph.conf
+    fi
+*/}}
+{{`
+# Construct a mon_hosts value from the given namespaced endpoint
+# IP x.x.x.x with port p named "mon-msgr2" will appear as [v2:x.x.x.x/p/0]
+# IP x.x.x.x with port q named "mon" will appear as [v1:x.x.x.x/q/0]
+# IP x.x.x.x with ports p and q will appear as [v2:x.x.x.x/p/0,v1:x.x.x.x/q/0]
+# The entries for all IPs will be joined with commas
+mon_host_from_k8s_ep() {
+  local ns=$1
+  local ep=$2
+
+  if [ -z "$ns" ] || [ -z "$ep" ]; then
+    return 1
+  fi
+
+  # We don't want shell expansion for the go-template expression
+  # shellcheck disable=SC2016
+  kubectl get endpoints -n "$ns" "$ep" -o go-template='
+    {{- $sep := "" }}
+    {{- range $_,$s := .subsets }}
+      {{- $v2port := 0 }}
+      {{- $v1port := 0 }}
+      {{- range $_,$port := index $s "ports" }}
+        {{- if (eq $port.name "mon-msgr2") }}
+          {{- $v2port = $port.port }}
+        {{- else if (eq $port.name "mon") }}
+          {{- $v1port = $port.port }}
+        {{- end }}
+      {{- end }}
+      {{- range $_,$address := index $s "addresses" }}
+        {{- $v2endpoint := printf "v2:%s:%d/0" $address.ip $v2port }}
+        {{- $v1endpoint := printf "v1:%s:%d/0" $address.ip $v1port }}
+        {{- if (and $v2port $v1port) }}
+          {{- printf "%s[%s,%s]" $sep $v2endpoint $v1endpoint }}
+          {{- $sep = "," }}
+        {{- else if $v2port }}
+          {{- printf "%s[%s]" $sep $v2endpoint }}
+          {{- $sep = "," }}
+        {{- else if $v1port }}
+          {{- printf "%s[%s]" $sep $v1endpoint }}
+          {{- $sep = "," }}
+        {{- end }}
+      {{- end }}
+    {{- end }}'
+}
+`}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
new file mode 100644
index 0000000..fec41f8
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape jobs via pod
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape pods that have a value of `true`
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: Scrape the pod on the indicated port instead of the
+# pod's declared ports (default is a port-free target if none are declared).
+
+{{- define "helm-toolkit.snippets.prometheus_pod_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
new file mode 100644
index 0000000..a827c4b
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
@@ -0,0 +1,35 @@
+{{/*
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+   http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape endpoints via
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape services that have a value of `true`
+# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
+# to set this to `https` & most likely set the `tls_config` of the scrape config.
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: If the metrics are exposed on a different port to the
+# service then set this appropriately.
+
+{{- define "helm-toolkit.snippets.prometheus_service_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.scheme }}
+prometheus.io/scheme: {{ $config.scheme | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_release_uuid.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
new file mode 100644
index 0000000..253920b
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Reneders an attonation key and value for a release
+values: |
+  release_uuid: null
+usage: |
+  {{ tuple . | include "helm-toolkit.snippets.release_uuid" }}
+return: |
+  "openstackhelm.openstack.org/release_uuid": ""
+*/}}
+
+{{- define "helm-toolkit.snippets.release_uuid" -}}
+{{- $envAll := index . 0 -}}
+"openstackhelm.openstack.org/release_uuid": {{ $envAll.Values.release_uuid | default "" | quote }}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
new file mode 100644
index 0000000..a3169ce
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_admin_env_vars" }}
+{{- $s3AdminSecret := .s3AdminSecret }}
+- name: S3_ADMIN_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_USERNAME
+- name: S3_ADMIN_ACCESS_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_ACCESS_KEY
+- name: S3_ADMIN_SECRET_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_SECRET_KEY
+{{- end }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
new file mode 100644
index 0000000..a611a5e
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_secret_creds" }}
+{{- range $client, $config := .Values.storage.s3.clients -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+type: Opaque
+data:
+{{- range $key, $value := $config.auth }}
+  {{ $key | upper }}: {{ $value | toString | b64enc}}
+{{- end }}
+
+{{ end }}
+{{- end }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
new file mode 100644
index 0000000..a3dd431
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_user_env_vars" }}
+{{- range $client, $user := .Values.storage.s3.clients }}
+{{- $s3secret := printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+- name: {{ printf "%s_S3_USERNAME" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: USERNAME
+- name: {{ printf "%s_S3_ACCESS_KEY" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: ACCESS_KEY
+- name: {{ printf "%s_S3_SECRET_KEY" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: SECRET_KEY
+{{- end }}
+{{- end }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_tls_volume.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
new file mode 100644
index 0000000..41fe3d9
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+  Renders a secret volume for tls.
+
+  Dictionary Parameters:
+    enabled: boolean check if you want to conditional disable this snippet (optional)
+    name: name of the volume (required)
+    secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional)
+
+values: |
+  manifests:
+    certificates: true
+
+usage: |
+  {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume" -}}
+
+return: |
+  - name: glance-tls-api
+    secret:
+      secretName: glance-tls-api
+      defaultMode: 292
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $secretName := index . "secretName" | default $name -}}
+{{- if and $enabled (ne $name "") }}
+- name: {{ $name }}
+  secret:
+    secretName: {{ $secretName }}
+    defaultMode: 292
+{{- end }}
+{{- end }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
new file mode 100644
index 0000000..9cfa819
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
@@ -0,0 +1,82 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+  Renders a volume mount for TLS key, cert and CA.
+
+  Dictionary Parameters:
+    enabled: boolean check if you want to conditional disable this snippet (optional)
+    name: name that of the volume and should match the volume name (required)
+    path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required)
+    certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}.
+          the default is the full set. (optional)
+
+values: |
+  manifests:
+    certificates: true
+
+usage: |
+  {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/tls.crt
+    subPath: tls.crt
+    readOnly: true
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/tls.key
+    subPath: tls.key
+    readOnly: true
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/ca.crt
+    subPath: ca.crt
+    readOnly: true
+
+abstract: |
+  This mounts a specific issuing CA only for service validation
+
+usage: |
+  {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+  - name: glance-tls-api
+    mountPath: /etc/ssl/certs/openstack-helm.crt
+    subPath: ca.crt
+    readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume_mount" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $path := index . "path" | default "" -}}
+{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }}
+{{- if $enabled }}
+{{- if and (eq $path "") (ne $name "") }}
+- name: {{ $name }}
+  mountPath: "/etc/ssl/certs/openstack-helm.crt"
+  subPath: ca.crt
+  readOnly: true
+{{- else }}
+{{- if ne $name "" }}
+{{- range $key, $value := $certs }}
+- name: {{ $name }}
+  mountPath: {{ printf "%s/%s" $path $value }}
+  subPath: {{ $value }}
+  readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
new file mode 100644
index 0000000..6e9d5a1
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
@@ -0,0 +1,87 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders out configuration sections into a format suitable for incorporation
+  into a config-map. Allowing various forms of input to be rendered out as
+  appropriate.
+values: |
+  conf:
+    inputs:
+      - foo
+      - bar
+    some:
+      config_to_render: |
+        #We can use all of gotpl here: eg macros, ranges etc.
+        {{ include "helm-toolkit.utils.joinListWithComma" .Values.conf.inputs }}
+      config_to_complete:
+        #here we can fill out params, but things need to be valid yaml as input
+        '{{ .Release.Name }}': '{{ printf "%s-%s" .Release.Namespace "namespace" }}'
+      static_config:
+        #this is just passed though as yaml to the configmap
+        foo: bar
+usage: |
+  {{- $envAll := . }}
+  ---
+  apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: application-etc
+  data:
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_render "key" "config_to_render.conf") | indent 2 }}
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_complete "key" "config_to_complete.yaml") | indent 2 }}
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.static_config "key" "static_config.yaml") | indent 2 }}
+return: |
+  ---
+  apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: application-etc
+  data:
+    config_to_render.conf: |
+      #We can use all of gotpl here: eg macros, ranges etc.
+      foo,bar
+
+    config_to_complete.yaml: |
+      'RELEASE-NAME': 'default-namespace'
+
+    static_config.yaml: |
+      foo: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.values_template_renderer" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $template := index . "template" -}}
+{{- $key := index . "key" -}}
+{{- $format := index . "format" | default "configMap" -}}
+{{- with $envAll -}}
+{{- $templateRendered := tpl ( $template | toYaml ) . }}
+{{- if eq $format "Secret" }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: {{ regexReplaceAllLiteral "\n  " ( $templateRendered | trimPrefix "|\n" | trimPrefix "  " ) "\n" | b64enc }}
+{{- else }}
+{{ $key }}: {{ $templateRendered | b64enc }}
+{{- end -}}
+{{- else }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: |
+{{ regexReplaceAllLiteral "\n  " ( $templateRendered | trimPrefix "|\n" | trimPrefix "  " ) "\n" | indent 2 }}
+{{- else }}
+{{ $key }}: |
+{{ $templateRendered | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl b/charts/barbican/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
new file mode 100644
index 0000000..6d617a1
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
@@ -0,0 +1,94 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Produces a certificate from a certificate authority. If the "encode" parameter
+  is true, base64 encode the values for inclusion in a Kubernetes secret.
+values: |
+  test:
+    hosts:
+      names:
+        - barbican.openstackhelm.example
+        - barbican.openstack.svc.cluster.local
+      ips:
+        - 127.0.0.1
+        - 192.168.0.1
+    life: 3
+    # Use ca.crt and ca.key to build a customized ca, if they are provided.
+    # Use hosts.names[0] and life to auto-generate a ca, if ca is not provided.
+    ca:
+      crt: |
+        <CA CRT>
+      key: |
+        <CA PRIVATE KEY>
+usage: |
+  {{ include "helm-toolkit.utils.tls_generate_certs" (dict "params" .Values.test) }}
+return: |
+  ca: |
+    <CA CRT>
+  crt: |
+    <CRT>
+  exp: 2018-09-01T10:56:07.895392915-00:00
+  key: |
+    <CRT PRIVATE KEY>
+*/}}
+
+{{- define "helm-toolkit.utils.tls_generate_certs" -}}
+{{- $params := index . "params" -}}
+{{- $encode := index . "encode" | default false -}}
+{{- $local := dict -}}
+
+{{- $_hosts := $params.hosts.names | default list }}
+{{- if kindIs "string" $params.hosts.names }}
+{{- $_ := set $local "certHosts" (list $params.hosts.names) }}
+{{- else }}
+{{- $_ := set $local "certHosts" $_hosts }}
+{{- end }}
+
+{{- $_ips := $params.hosts.ips | default list }}
+{{- if kindIs "string" $params.hosts.ips }}
+{{- $_ := set $local "certIps" (list $params.hosts.ips) }}
+{{- else }}
+{{- $_ := set $local "certIps" $_ips }}
+{{- end }}
+
+{{- if hasKey $params "ca" }}
+{{- if and (hasKey $params.ca "crt") (hasKey $params.ca "key") }}
+{{- $ca := buildCustomCert ($params.ca.crt | b64enc ) ($params.ca.key | b64enc ) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+{{- else }}
+{{- $ca := genCA (first $local.certHosts) (int $params.life) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+
+{{- $expDate := date_in_zone "2006-01-02T15:04:05Z07:00" ( date_modify (printf "+%sh" (mul $params.life 24 |toString)) now ) "UTC" }}
+{{- $rawCert := genSignedCert (first $local.certHosts) ($local.certIps) ($local.certHosts) (int $params.life) $local.ca }}
+{{- $certificate := dict -}}
+{{- if $encode -}}
+{{- $_ := b64enc $rawCert.Cert | set $certificate "crt" -}}
+{{- $_ := b64enc $rawCert.Key | set $certificate "key" -}}
+{{- $_ := b64enc $local.ca.Cert | set $certificate "ca" -}}
+{{- $_ := b64enc $local.ca.Key | set $certificate "caKey" -}}
+{{- $_ := b64enc $expDate | set $certificate "exp" -}}
+{{- else -}}
+{{- $_ := set $certificate "crt" $rawCert.Cert -}}
+{{- $_ := set $certificate "key" $rawCert.Key -}}
+{{- $_ := set $certificate "ca" $local.ca.Cert -}}
+{{- $_ := set $certificate "caKey" $local.ca.Key -}}
+{{- $_ := set $certificate "exp" $expDate -}}
+{{- end -}}
+{{- $certificate | toYaml }}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl b/charts/barbican/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
new file mode 100644
index 0000000..e26501f
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a comma separated list of namespace:service pairs.
+values: |
+  dependencies:
+    static:
+      api:
+        services:
+          - endpoint: internal
+            service: oslo_cache
+          - endpoint: internal
+            service: oslo_db
+  endpoints:
+    oslo_db:
+      namespace: foo
+      hosts:
+        default: mariadb
+    oslo_cache:
+      namespace: bar
+      hosts:
+        default: memcache
+usage: |
+  {{ tuple .Values.dependencies.static.api.services . | include "helm-toolkit.utils.comma_joined_service_list" }}
+return: |
+  bar:memcache,foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.utils.comma_joined_service_list" -}}
+{{- $deps := index . 0 -}}
+{{- $envAll := index . 1 -}}
+{{- range $k, $v := $deps -}}{{- if $k -}},{{- end -}}{{ tuple $v.service $v.endpoint $envAll | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/utils/_configmap_templater.tpl b/charts/barbican/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
new file mode 100644
index 0000000..7095c19
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
@@ -0,0 +1,30 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.configmap_templater" }}
+{{- $keyRoot := index . 0 -}}
+{{- $configTemplate := index . 1 -}}
+{{- $context := index . 2 -}}
+{{ if $keyRoot.override -}}
+{{ $keyRoot.override | indent 4 }}
+{{- else -}}
+{{- if $keyRoot.prefix -}}
+{{ $keyRoot.prefix | indent 4 }}
+{{- end }}
+{{ tuple $configTemplate $context | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if $keyRoot.append -}}
+{{ $keyRoot.append | indent 4 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl b/charts/barbican/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
new file mode 100644
index 0000000..40359f0
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
@@ -0,0 +1,269 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.daemonset_overrides" }}
+  {{- $daemonset := index . 0 }}
+  {{- $daemonset_yaml := index . 1 }}
+  {{- $configmap_include := index . 2 }}
+  {{- $configmap_name := index . 3 }}
+  {{- $context := index . 4 }}
+  {{- $_ := unset $context ".Files" }}
+  {{- $daemonset_root_name := printf (print $context.Chart.Name "_" $daemonset) }}
+  {{- $_ := set $context.Values "__daemonset_list" list }}
+  {{- $_ := set $context.Values "__default" dict }}
+  {{- if hasKey $context.Values.conf "overrides" }}
+    {{- range $key, $val := $context.Values.conf.overrides }}
+
+      {{- if eq $key $daemonset_root_name }}
+        {{- range $type, $type_data := . }}
+
+          {{- if eq $type "hosts" }}
+            {{- range $host_data := . }}
+              {{/* dictionary that will contain all info needed to generate this
+              iteration of the daemonset */}}
+              {{- $current_dict := dict }}
+
+              {{/* set daemonset name */}}
+              {{/* Note: long hostnames can cause the 63 char name limit to be
+              exceeded. Truncate the hostname if hostname > 20 char */}}
+              {{- if gt (len $host_data.name) 20 }}
+                {{- $_ := set $current_dict "name" (substr 0 20 $host_data.name) }}
+              {{- else }}
+                {{- $_ := set $current_dict "name" $host_data.name }}
+              {{- end }}
+
+              {{/* apply overrides */}}
+              {{- $override_conf_copy := $host_data.conf }}
+              {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+              {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+              {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+              {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+              {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+              {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+              {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+              {{- $_ := set $current_dict "nodeData" $root_conf_copy4 }}
+
+              {{/* Schedule to this host explicitly. */}}
+              {{- $nodeSelector_dict := dict }}
+
+              {{- $_ := set $nodeSelector_dict "key" "kubernetes.io/hostname" }}
+              {{- $_ := set $nodeSelector_dict "operator" "In" }}
+
+              {{- $values_list := list $host_data.name }}
+              {{- $_ := set $nodeSelector_dict "values" $values_list }}
+
+              {{- $list_aggregate := list $nodeSelector_dict }}
+              {{- $_ := set $current_dict "matchExpressions" $list_aggregate }}
+
+              {{/* store completed daemonset entry/info into global list */}}
+              {{- $list_aggregate := append $context.Values.__daemonset_list $current_dict }}
+              {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+            {{- end }}
+          {{- end }}
+
+          {{- if eq $type "labels" }}
+            {{- $_ := set $context.Values "__label_list" . }}
+            {{- range $label_data := . }}
+              {{/* dictionary that will contain all info needed to generate this
+              iteration of the daemonset. */}}
+              {{- $_ := set $context.Values "__current_label" dict }}
+
+              {{/* set daemonset name */}}
+              {{- $_ := set $context.Values.__current_label "name" $label_data.label.key }}
+
+              {{/* apply overrides */}}
+              {{- $override_conf_copy := $label_data.conf }}
+              {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+              {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+              {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+              {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+              {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+              {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+              {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+              {{- $_ := set $context.Values.__current_label "nodeData" $root_conf_copy4 }}
+
+              {{/* Schedule to the provided label value(s) */}}
+              {{- $label_dict := omit $label_data.label "NULL" }}
+              {{- $_ := set $label_dict "operator" "In" }}
+              {{- $list_aggregate := list $label_dict }}
+              {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+
+              {{/* Do not schedule to other specified labels, with higher
+              precedence as the list position increases. Last defined label
+              is highest priority. */}}
+              {{- $other_labels := without $context.Values.__label_list $label_data }}
+              {{- range $label_data2 := $other_labels }}
+                {{- $label_dict := omit $label_data2.label "NULL" }}
+
+                {{- $_ := set $label_dict "operator" "NotIn" }}
+
+                {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+                {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+              {{- end }}
+              {{- $_ := set $context.Values "__label_list" $other_labels }}
+
+              {{/* Do not schedule to any other specified hosts */}}
+              {{- range $type, $type_data := $val }}
+                {{- if eq $type "hosts" }}
+                  {{- range $host_data := . }}
+                    {{- $label_dict := dict }}
+
+                    {{- $_ := set $label_dict "key" "kubernetes.io/hostname" }}
+                    {{- $_ := set $label_dict "operator" "NotIn" }}
+
+                    {{- $values_list := list $host_data.name }}
+                    {{- $_ := set $label_dict "values" $values_list }}
+
+                    {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+                    {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+                  {{- end }}
+                {{- end }}
+              {{- end }}
+
+              {{/* store completed daemonset entry/info into global list */}}
+              {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__current_label }}
+              {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+              {{- $_ := unset $context.Values "__current_label" }}
+
+            {{- end }}
+          {{- end }}
+        {{- end }}
+
+        {{/* scheduler exceptions for the default daemonset */}}
+        {{- $_ := set $context.Values.__default "matchExpressions" list }}
+
+        {{- range $type, $type_data := . }}
+          {{/* Do not schedule to other specified labels */}}
+          {{- if eq $type "labels" }}
+            {{- range $label_data := . }}
+              {{- $default_dict := omit $label_data.label "NULL" }}
+
+              {{- $_ := set $default_dict "operator" "NotIn" }}
+
+              {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+              {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+            {{- end }}
+          {{- end }}
+          {{/* Do not schedule to other specified hosts */}}
+          {{- if eq $type "hosts" }}
+            {{- range $host_data := . }}
+              {{- $default_dict := dict }}
+
+              {{- $_ := set $default_dict "key" "kubernetes.io/hostname" }}
+              {{- $_ := set $default_dict "operator" "NotIn" }}
+
+              {{- $values_list := list $host_data.name }}
+              {{- $_ := set $default_dict "values" $values_list }}
+
+              {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+              {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+            {{- end }}
+          {{- end }}
+        {{- end }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+
+  {{/* generate the default daemonset */}}
+
+  {{/* set name */}}
+  {{- $_ := set $context.Values.__default "name" "default" }}
+
+  {{/* no overrides apply, so copy as-is */}}
+  {{- $root_conf_copy1 := omit $context.Values.conf "overrides" }}
+  {{- $root_conf_copy2 := dict "conf" $root_conf_copy1 }}
+  {{- $context_values := omit $context.Values "conf" }}
+  {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+  {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+  {{- $_ := set $context.Values.__default "nodeData" $root_conf_copy4 }}
+
+  {{/* add to global list */}}
+  {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__default }}
+  {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+  {{- range $current_dict := $context.Values.__daemonset_list }}
+
+    {{- $context_novalues := omit $context "Values" }}
+    {{- $merged_dict := mergeOverwrite $context_novalues $current_dict.nodeData }}
+    {{- $_ := set $current_dict "nodeData" $merged_dict }}
+    {{/* Deep copy original daemonset_yaml */}}
+    {{- $_ := set $context.Values "__daemonset_yaml" ($daemonset_yaml | toYaml | fromYaml) }}
+
+    {{/* name needs to be a DNS-1123 compliant name. Ensure lower case */}}
+    {{- $name_format1 := printf (print $daemonset_root_name "-" $current_dict.name) | lower }}
+    {{/* labels may contain underscores which would be invalid here, so we replace them with dashes
+    there may be other valid label names which would make for an invalid DNS-1123 name
+    but these will be easier to handle in future with sprig regex* functions
+    (not availabile in helm 2.5.1) */}}
+    {{- $name_format2 := $name_format1 | replace "_" "-" }}
+    {{/* To account for the case where the same label is defined multiple times in overrides
+    (but with different label values), we add a sha of the scheduling data to ensure
+    name uniqueness */}}
+    {{- $_ := set $current_dict "dns_1123_name" dict }}
+    {{- if hasKey $current_dict "matchExpressions" }}
+      {{- $_ := set $current_dict "dns_1123_name" (printf (print $name_format2 "-" ($current_dict.matchExpressions | quote | sha256sum | trunc 8))) }}
+    {{- else }}
+      {{- $_ := set $current_dict "dns_1123_name" $name_format2 }}
+    {{- end }}
+
+    {{/* set daemonset metadata name */}}
+    {{- if not $context.Values.__daemonset_yaml.metadata }}{{- $_ := set $context.Values.__daemonset_yaml "metadata" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }}
+    {{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }}
+
+    {{/* cross-reference configmap name to container volume definitions */}}
+    {{- $_ := set $context.Values "__volume_list" list }}
+    {{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }}
+      {{- $_ := set $context.Values "__volume" $current_volume }}
+      {{- if hasKey $context.Values.__volume "secret" }}
+        {{- if eq $context.Values.__volume.secret.secretName $configmap_name }}
+          {{- $_ := set $context.Values.__volume.secret "secretName" $current_dict.dns_1123_name }}
+        {{- end }}
+      {{- end }}
+      {{- $updated_list := append $context.Values.__volume_list $context.Values.__volume }}
+      {{- $_ := set $context.Values "__volume_list" $updated_list }}
+    {{- end }}
+    {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "volumes" $context.Values.__volume_list }}
+
+
+    {{/* populate scheduling restrictions */}}
+    {{- if hasKey $current_dict "matchExpressions" }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "spec" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "affinity" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity "nodeAffinity" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity "requiredDuringSchedulingIgnoredDuringExecution" dict }}{{- end }}
+      {{- $match_exprs := dict }}
+      {{- $_ := set $match_exprs "matchExpressions" $current_dict.matchExpressions }}
+      {{- $appended_match_expr := list $match_exprs }}
+      {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution "nodeSelectorTerms" $appended_match_expr }}
+    {{- end }}
+
+    {{/* input value hash for current set of values overrides */}}
+    {{- if not $context.Values.__daemonset_yaml.spec }}{{- $_ := set $context.Values.__daemonset_yaml "spec" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template }}{{- $_ := set $context.Values.__daemonset_yaml.spec "template" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template.metadata }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "metadata" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template.metadata.annotations }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata "annotations" dict }}{{- end }}
+    {{- $cmap := list $current_dict.dns_1123_name $current_dict.nodeData | include $configmap_include }}
+    {{- $values_hash := $cmap | quote | sha256sum }}
+    {{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata.annotations "configmap-etc-hash" $values_hash }}
+
+    {{/* generate configmap */}}
+---
+{{ $cmap }}
+    {{/* generate daemonset yaml */}}
+---
+{{ $context.Values.__daemonset_yaml | toYaml }}
+  {{- end }}
+{{- end }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl b/charts/barbican/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
new file mode 100644
index 0000000..b99c00d
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.dependency_resolver" }}
+{{- $envAll := index . "envAll" -}}
+{{- $dependencyMixinParam := index . "dependencyMixinParam" -}}
+{{- $dependencyKey := index . "dependencyKey" -}}
+{{- if $dependencyMixinParam -}}
+{{- $_ := set $envAll.Values "pod_dependency" dict -}}
+{{- if kindIs "string" $dependencyMixinParam }}
+{{- if ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam ) }}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency ( index $envAll.Values.dependencies.static $dependencyKey ) ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam $dependencyKey ) ) -}}
+{{- else }}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- end }}
+{{- else if kindIs "slice" $dependencyMixinParam }}
+{{- $_ := set $envAll.Values "__deps" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- range $k, $v := $dependencyMixinParam -}}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency $envAll.Values.__deps ( index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey ) ) -}}
+{{- $_ := set $envAll.Values "__deps" $envAll.Values.pod_dependency -}}
+{{- end }}
+{{- end }}
+{{- else -}}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) -}}
+{{- end -}}
+{{ $envAll.Values.pod_dependency | toYaml }}
+{{- end }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/utils/_hash.tpl b/charts/barbican/charts/helm-toolkit/templates/utils/_hash.tpl
new file mode 100644
index 0000000..d871b62
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/utils/_hash.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.hash" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{- include $wtf $context | sha256sum | quote -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/utils/_host_list.tpl b/charts/barbican/charts/helm-toolkit/templates/utils/_host_list.tpl
new file mode 100644
index 0000000..0c32136
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/utils/_host_list.tpl
@@ -0,0 +1,44 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a list of unique hosts for an endpoint, in yaml.
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: mariadb
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.utils.host_list" }}
+return: |
+  hosts:
+  - mariadb
+  - mariadb.default
+*/}}
+
+{{- define "helm-toolkit.utils.host_list" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $host_fqdn := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $host_namespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $host_short := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{/* It is important that the FQDN host is 1st in this list, to ensure other function can use the 1st element for cert gen CN etc */}}
+{{- $host_list := list $host_fqdn $host_namespaced $host_short | uniq }}
+{{- dict "hosts" $host_list | toYaml }}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/utils/_image_sync_list.tpl b/charts/barbican/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
new file mode 100644
index 0000000..51923b6
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.image_sync_list" -}}
+{{- $imageExcludeList := .Values.images.local_registry.exclude -}}
+{{- $imageDict := .Values.images.tags -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := $imageDict -}}
+{{- if not $local.first -}},{{- end -}}
+{{- if (not (has $k $imageExcludeList )) -}}
+{{- index $imageDict $k -}}
+{{- $_ := set $local "first" false -}}
+{{- end -}}{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl b/charts/barbican/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
new file mode 100644
index 0000000..5eb5785
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a comma separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithComma" .Values.test }}
+return: |
+  foo,bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithComma" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl b/charts/barbican/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
new file mode 100644
index 0000000..3bc6819
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a comma seperated string with single quotes
+  around each value.
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.test }}
+return: |
+  'foo','bar'
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}'{{- $v -}}'{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl b/charts/barbican/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
new file mode 100644
index 0000000..40ebb15
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
@@ -0,0 +1,32 @@
+{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of prefixed values into a space separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ tuple "prefix" .Values.test | include "helm-toolkit.utils.joinListWithPrefix" }}
+return: |
+  prefixfoo prefixbar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithPrefix" -}}
+{{- $prefix := index . 0 -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := index . 1 -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $prefix -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl b/charts/barbican/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
new file mode 100644
index 0000000..5912280
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a space separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithSpace" .Values.test }}
+return: |
+  foo bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithSpace" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/utils/_merge.tpl b/charts/barbican/charts/helm-toolkit/templates/utils/_merge.tpl
new file mode 100644
index 0000000..ea80546
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/utils/_merge.tpl
@@ -0,0 +1,135 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Takes a tuple of values and merges into the first (target) one each subsequent
+(source) one in order. If all values to merge are maps, then the tuple can be
+passed as is and the target will be the result, otherwise pass a map with a
+"values" key containing the tuple of values to merge, and the merge result will
+be assigned to the "result" key of the passed map.
+
+When merging maps, for each key in the source, if the target does not define
+that key, the source value is assigned. If both define the key, then the key
+values are merged using this algorithm (recursively) and the result is assigned
+to the target key. Slices are merged by appending them and removing any
+duplicates, and when passing a map to this function and including a
+"merge_same_named" key set to true, then map items from the slices with the same
+value for the "name" key will be merged with each other. Any other values are
+merged by simply keeping the source, and throwing away the target.
+*/}}
+
+{{- define "helm-toolkit.utils.merge" -}}
+  {{- $local := dict -}}
+  {{- $_ := set $local "merge_same_named" false -}}
+  {{- if kindIs "map" $ -}}
+    {{- $_ := set $local "values" $.values -}}
+    {{- if hasKey $ "merge_same_named" -}}
+      {{- $_ := set $local "merge_same_named" $.merge_same_named -}}
+    {{- end -}}
+  {{- else -}}
+    {{- $_ := set $local "values" $ -}}
+  {{- end -}}
+
+  {{- $target := first $local.values -}}
+  {{- range $item := rest $local.values -}}
+    {{- $call := dict "target" $target "source" . "merge_same_named" $local.merge_same_named -}}
+    {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+    {{- $_ := set $local "result" $call.result -}}
+  {{- end -}}
+
+  {{- if kindIs "map" $ -}}
+    {{- $_ := set $ "result" $local.result -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge" -}}
+  {{- $local := dict -}}
+
+  {{- $_ := set $ "result" $.source -}}
+
+  {{/*
+  TODO: Should we `fail` when trying to merge a collection (map or slice) with
+  either a different kind of collection or a scalar?
+  */}}
+
+  {{- if and (kindIs "map" $.target) (kindIs "map" $.source) -}}
+    {{- range $key, $sourceValue := $.source -}}
+      {{- if not (hasKey $.target $key) -}}
+        {{- $_ := set $local "newTargetValue" $sourceValue -}}
+        {{- if kindIs "map" $sourceValue -}}
+          {{- $copy := dict -}}
+          {{- $call := dict "target" $copy "source" $sourceValue -}}
+          {{- $_ := include "helm-toolkit.utils._merge.shallow" $call -}}
+          {{- $_ := set $local "newTargetValue" $copy -}}
+        {{- end -}}
+      {{- else -}}
+        {{- $targetValue := index $.target $key -}}
+        {{- $call := dict "target" $targetValue "source" $sourceValue "merge_same_named" $.merge_same_named -}}
+        {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+        {{- $_ := set $local "newTargetValue" $call.result -}}
+      {{- end -}}
+      {{- $_ := set $.target $key $local.newTargetValue -}}
+    {{- end -}}
+    {{- $_ := set $ "result" $.target -}}
+  {{- else if and (kindIs "slice" $.target) (kindIs "slice" $.source) -}}
+    {{- $call := dict "target" $.target "source" $.source -}}
+    {{- $_ := include "helm-toolkit.utils._merge.append_slice" $call -}}
+    {{- if $.merge_same_named -}}
+      {{- $_ := set $local "result" list -}}
+      {{- $_ := set $local "named_items" dict -}}
+      {{- range $item := $call.result -}}
+      {{- $_ := set $local "has_name_key" false -}}
+        {{- if kindIs "map" $item -}}
+          {{- if hasKey $item "name" -}}
+            {{- $_ := set $local "has_name_key" true -}}
+          {{- end -}}
+        {{- end -}}
+
+        {{- if $local.has_name_key -}}
+          {{- if hasKey $local.named_items $item.name -}}
+            {{- $named_item := index $local.named_items $item.name -}}
+            {{- $call := dict "target" $named_item "source" $item "merge_same_named" $.merge_same_named -}}
+            {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+          {{- else -}}
+            {{- $copy := dict -}}
+            {{- $copy_call := dict "target" $copy "source" $item -}}
+            {{- $_ := include "helm-toolkit.utils._merge.shallow" $copy_call -}}
+            {{- $_ := set $local.named_items $item.name $copy -}}
+            {{- $_ := set $local "result" (append $local.result $copy) -}}
+          {{- end -}}
+        {{- else -}}
+          {{- $_ := set $local "result" (append $local.result $item) -}}
+        {{- end -}}
+      {{- end -}}
+    {{- else -}}
+      {{- $_ := set $local "result" $call.result -}}
+    {{- end -}}
+    {{- $_ := set $ "result" (uniq $local.result) -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.shallow" -}}
+  {{- range $key, $value := $.source -}}
+    {{- $_ := set $.target $key $value -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.append_slice" -}}
+  {{- $local := dict -}}
+  {{- $_ := set $local "result" $.target -}}
+  {{- range $value := $.source -}}
+    {{- $_ := set $local "result" (append $local.result $value) -}}
+  {{- end -}}
+  {{- $_ := set $ "result" $local.result -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/utils/_template.tpl b/charts/barbican/charts/helm-toolkit/templates/utils/_template.tpl
new file mode 100644
index 0000000..da56aa0
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/utils/_template.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.template" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{ include $wtf $context }}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/utils/_to_ini.tpl b/charts/barbican/charts/helm-toolkit/templates/utils/_to_ini.tpl
new file mode 100644
index 0000000..a159364
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/utils/_to_ini.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns INI formatted output from yaml input
+values: |
+  conf:
+    paste:
+      filter:debug:
+        use: egg:oslo.middleware#debug
+      filter:request_id:
+        use: egg:oslo.middleware#request_id
+      filter:build_auth_context:
+        use: egg:keystone#build_auth_context
+usage: |
+  {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste }}
+return: |
+  [filter:build_auth_context]
+  use = egg:keystone#build_auth_context
+  [filter:debug]
+  use = egg:oslo.middleware#debug
+  [filter:request_id]
+  use = egg:oslo.middleware#request_id
+*/}}
+
+{{- define "helm-toolkit.utils.to_ini" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{else -}}
+{{ $key }} = {{ $value }}
+{{end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl b/charts/barbican/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
new file mode 100644
index 0000000..885a86c
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns yaml formatted to be used in k8s templates as container
+  env vars injected via secrets. This requires a secret-<chartname> template to
+  be defined in the chart that can be used to house the desired secret
+  variables. For reference, see the fluentd chart.
+values: |
+  test:
+    secrets:
+      foo: bar
+
+usage: |
+  {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+  - name: foo
+    valueFrom:
+      secretKeyRef:
+        name: "my-release-name-env-secret"
+        key: foo
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_secret_vars" -}}
+{{- $context := index . 0 -}}
+{{- $secrets := index . 1 -}}
+{{ range $key, $config := $secrets -}}
+- name: {{ $key }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ printf "%s-%s" $context.Release.Name "env-secret" | quote }}
+      key: {{ $key }}
+{{ end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl b/charts/barbican/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
new file mode 100644
index 0000000..829dca6
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
@@ -0,0 +1,39 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns key value pair formatted to be used in k8s templates as container
+  env vars.
+values: |
+  test:
+    foo: bar
+usage: |
+  {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+  - name: foo
+    value: "bar"
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_vars" -}}
+{{range $key, $value := . -}}
+{{- if kindIs "slice" $value -}}
+- name: {{ $key }}
+  value: {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{else -}}
+- name: {{ $key }}
+  value: {{ $value | quote }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/utils/_to_kv_list.tpl b/charts/barbican/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
new file mode 100644
index 0000000..91bdeb6
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
@@ -0,0 +1,42 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns key value pair in INI format (key = value)
+values: |
+  conf:
+    libvirt:
+      log_level: 3
+usage: |
+  {{ include "helm-toolkit.utils.to_kv_list" .Values.conf.libvirt }}
+return: |
+  log_level = 3
+*/}}
+
+{{- define "helm-toolkit.utils.to_kv_list" -}}
+{{- range $key, $value :=  . -}}
+{{- if kindIs "slice" $value }}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{- else if kindIs "string" $value }}
+{{- if regexMatch "^[0-9]+$" $value }}
+{{ $key }} = {{ $value }}
+{{- else }}
+{{ $key }} = {{ $value | quote }}
+{{- end }}
+{{- else }}
+{{ $key }} = {{ $value }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl b/charts/barbican/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
new file mode 100644
index 0000000..622a862
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns OSLO.conf formatted output from yaml input
+values: |
+  conf:
+    keystone:
+      DEFAULT: # Keys at this level are used for section headings
+        max_token_size: 255
+      oslo_messaging_notifications:
+        driver: # An example of a multistring option's syntax
+          type: multistring
+          values:
+            - messagingv2
+            - log
+      oslo_messaging_notifications_stein:
+        driver: # An example of a csv option's syntax
+          type: csv
+          values:
+            - messagingv2
+            - log
+      security_compliance:
+        password_expires_ignore_user_ids:
+        # Values in a list will be converted to a comma separated key
+          - "123"
+          - "456"
+usage: |
+  {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.keystone }}
+return: |
+  [DEFAULT]
+  max_token_size = 255
+  [oslo_messaging_notifications]
+  driver = messagingv2
+  driver = log
+  [oslo_messaging_notifications_stein]
+  driver = messagingv2,log
+  [security_compliance]
+  password_expires_ignore_user_ids = 123,456
+*/}}
+
+{{- define "helm-toolkit.utils.to_oslo_conf" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{ range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{ else if kindIs "map" $value -}}
+{{- if eq $value.type "multistring" }}
+{{- range $k, $multistringValue := $value.values -}}
+{{ $key }} = {{ $multistringValue }}
+{{ end -}}
+{{ else if eq $value.type "csv" -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value.values }}
+{{ end -}}
+{{- else -}}
+{{ $key }} = {{ $value }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/values.yaml b/charts/barbican/charts/helm-toolkit/values.yaml
new file mode 100644
index 0000000..681a92b
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/values.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for utils.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
diff --git a/charts/barbican/requirements.lock b/charts/barbican/requirements.lock
new file mode 100644
index 0000000..ba8d219
--- /dev/null
+++ b/charts/barbican/requirements.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: helm-toolkit
+  repository: file://../../openstack-helm-infra/helm-toolkit
+  version: 0.2.42
+digest: sha256:6525a5fedf1bf00b4d1b4d1cd20b0fba9808bf3b7e41cfd76abdfe7267bd4998
+generated: "2022-05-16T22:35:19.376340743Z"
diff --git a/charts/barbican/requirements.yaml b/charts/barbican/requirements.yaml
new file mode 100644
index 0000000..4124d01
--- /dev/null
+++ b/charts/barbican/requirements.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+  - name: helm-toolkit
+    repository: file://../../openstack-helm-infra/helm-toolkit
+    version: ">= 0.1.0"
diff --git a/charts/barbican/templates/bin/_barbican-test.sh.tpl b/charts/barbican/templates/bin/_barbican-test.sh.tpl
new file mode 100644
index 0000000..9f9fd97
--- /dev/null
+++ b/charts/barbican/templates/bin/_barbican-test.sh.tpl
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+openstack secret list
+
+# Come up with a random payload
+PAYLOAD=`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1`
+echo $PAYLOAD
+
+SECRET=`openstack secret store --name mysecret --payload ${PAYLOAD} | awk ' /href/ {print $5}'`
+
+openstack secret list
+
+openstack secret get $SECRET
+
+openstack secret get --payload $SECRET
+
+openstack secret delete $SECRET
+
+openstack secret list
diff --git a/charts/barbican/templates/bin/_barbican.sh.tpl b/charts/barbican/templates/bin/_barbican.sh.tpl
new file mode 100644
index 0000000..1ac7911
--- /dev/null
+++ b/charts/barbican/templates/bin/_barbican.sh.tpl
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+  exec uwsgi --die-on-term --master --emperor /etc/barbican/vassals
+}
+
+function stop () {
+  kill -TERM 1
+}
+
+$COMMAND
diff --git a/charts/barbican/templates/bin/_bootstrap.sh.tpl b/charts/barbican/templates/bin/_bootstrap.sh.tpl
new file mode 100644
index 0000000..6452d0a
--- /dev/null
+++ b/charts/barbican/templates/bin/_bootstrap.sh.tpl
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+{{ .Values.bootstrap.script | default "echo 'Not Enabled'" }}
diff --git a/charts/barbican/templates/bin/_db-sync.sh.tpl b/charts/barbican/templates/bin/_db-sync.sh.tpl
new file mode 100644
index 0000000..3fa5da5
--- /dev/null
+++ b/charts/barbican/templates/bin/_db-sync.sh.tpl
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+barbican-db-manage upgrade
+
+{{- $kek := (index (index .Values.conf.barbican "simple_crypto_plugin" | default dict) "kek") | default "" }}
+{{- $old_kek := index .Values.conf.simple_crypto_kek_rewrap "old_kek" | default ""}}
+{{- if and (not (empty $old_kek)) (not (empty $kek)) }}
+set +x
+echo "Ensuring that project KEKs are wrapped with the target global KEK"
+/tmp/simple_crypto_kek_rewrap.py --old-kek="$(cat /tmp/old_kek)"
+{{- end }}
diff --git a/charts/barbican/templates/bin/_simple_crypto_kek_rewrap.py.tpl b/charts/barbican/templates/bin/_simple_crypto_kek_rewrap.py.tpl
new file mode 100644
index 0000000..7a52175
--- /dev/null
+++ b/charts/barbican/templates/bin/_simple_crypto_kek_rewrap.py.tpl
@@ -0,0 +1,158 @@
+#!/usr/bin/env python
+
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+
+import argparse
+import base64
+import sys
+
+from cryptography import fernet
+from oslo_db.sqlalchemy import session
+from sqlalchemy import orm
+from sqlalchemy.orm import scoping
+
+from barbican.common import utils
+from barbican.model import models
+from barbican.plugin.crypto import simple_crypto
+
+# Use config values from simple_crypto
+CONF = simple_crypto.CONF
+
+
+class KekRewrap(object):
+
+    def __init__(self, conf, old_kek):
+        self.dry_run = False
+        self.db_engine = session.create_engine(conf.sql_connection)
+        self._session_creator = scoping.scoped_session(
+            orm.sessionmaker(
+                bind=self.db_engine,
+                autocommit=True
+            )
+        )
+        self.crypto_plugin = simple_crypto.SimpleCryptoPlugin(conf)
+        self.plugin_name = utils.generate_fullname_for(self.crypto_plugin)
+        self.decryptor = fernet.Fernet(old_kek.encode('utf-8'))
+        self.encryptor = fernet.Fernet(self.crypto_plugin.master_kek)
+
+    def rewrap_kek(self, project, kek):
+        with self.db_session.begin():
+            plugin_meta = kek.plugin_meta
+
+            # try to unwrap with the target kek, and if successful, skip
+            try:
+                if self.encryptor.decrypt(plugin_meta.encode('utf-8')):
+                    print('Project KEK {} is already wrapped with target KEK, skipping'.format(kek.id))
+                    return
+            except fernet.InvalidToken:
+                pass
+
+            # decrypt with the old kek
+            print('Unwrapping Project KEK {}'.format(kek.id))
+            try:
+                decrypted_plugin_meta = self.decryptor.decrypt(plugin_meta.encode('utf-8'))
+            except fernet.InvalidToken:
+                print('Failed to unwrap Project KEK {}'.format(kek.id))
+                raise
+
+            # encrypt with the new kek
+            print('Rewrapping Project KEK {}'.format(kek.id))
+            try:
+                new_plugin_meta = self.encryptor.encrypt(decrypted_plugin_meta).decode('utf-8')
+            except fernet.InvalidToken:
+                print('Failed to wrap Project KEK {}'.format(kek.id))
+                raise
+
+            if self.dry_run:
+                return
+
+            # Update KEK metadata in DB
+            print('Storing updated Project KEK {}'.format(kek.id))
+            kek.plugin_meta = new_plugin_meta
+
+    def get_keks_for_project(self, project):
+        keks = []
+        with self.db_session.begin() as transaction:
+            print('Retrieving KEKs for Project {}'.format(project.external_id))
+            query = transaction.session.query(models.KEKDatum)
+            query = query.filter_by(project_id=project.id)
+            query = query.filter_by(plugin_name=self.plugin_name)
+
+            keks = query.all()
+
+        return keks
+
+    def get_projects(self):
+        print('Retrieving all available projects')
+
+        projects = []
+        with self.db_session.begin() as transaction:
+            projects = transaction.session.query(models.Project).all()
+
+        return projects
+
+    @property
+    def db_session(self):
+        return self._session_creator()
+
+    def execute(self, dry_run=True):
+        self.dry_run = dry_run
+        if self.dry_run:
+            print('-- Running in dry-run mode --')
+
+        projects = self.get_projects()
+        successes = []
+        failures = []
+
+        for project in projects:
+            keks = self.get_keks_for_project(project)
+            for kek in keks:
+                try:
+                    self.rewrap_kek(project, kek)
+                    successes.append(kek.id)
+                except Exception:
+                    failures.append(kek.id)
+
+        if successes:
+            print('Sucessfully processed the following KEKs:')
+            print('\n'.join(successes))
+
+        if failures:
+            print('Failed to rewrap the following KEKs:')
+            print('\n'.join(failures))
+            sys.exit(1)
+
+
+def main():
+    script_desc = 'Utility to re-wrap Project KEKs after rotating the global KEK.'
+
+    parser = argparse.ArgumentParser(description=script_desc)
+    parser.add_argument(
+        '--dry-run',
+        action='store_true',
+        help='Displays changes that will be made (Non-destructive)'
+    )
+    parser.add_argument(
+        '--old-kek',
+        default='dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg=',
+        help='Old key encryption key previously used by Simple Crypto Plugin. '
+             '(32 bytes, base64-encoded)'
+    )
+    args = parser.parse_args()
+
+    rewrapper = KekRewrap(CONF, args.old_kek)
+    rewrapper.execute(args.dry_run)
+
+
+if __name__ == '__main__':
+    main()
diff --git a/charts/barbican/templates/configmap-bin.yaml b/charts/barbican/templates/configmap-bin.yaml
new file mode 100644
index 0000000..0b86060
--- /dev/null
+++ b/charts/barbican/templates/configmap-bin.yaml
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: barbican-bin
+data:
+{{- if .Values.images.local_registry.active }}
+  image-repo-sync.sh: |
+{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
+{{- end }}
+{{- if .Values.bootstrap.enabled }}
+  bootstrap.sh: |
+{{ tuple "bin/_bootstrap.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+  barbican-test.sh: |
+{{ tuple "bin/_barbican-test.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  db-init.py: |
+{{- include "helm-toolkit.scripts.db_init" . | indent 4 }}
+  db-sync.sh: |
+{{ tuple "bin/_db-sync.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  db-drop.py: |
+{{- include "helm-toolkit.scripts.db_drop" . | indent 4 }}
+  barbican.sh: |
+{{ tuple "bin/_barbican.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  ks-service.sh: |
+{{- include "helm-toolkit.scripts.keystone_service" . | indent 4 }}
+  ks-endpoints.sh: |
+{{- include "helm-toolkit.scripts.keystone_endpoints" . | indent 4 }}
+  ks-user.sh: |
+{{- include "helm-toolkit.scripts.keystone_user" . | indent 4 }}
+  rabbit-init.sh: |
+{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }}
+  simple_crypto_kek_rewrap.py: |
+{{ tuple "bin/_simple_crypto_kek_rewrap.py.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
diff --git a/charts/barbican/templates/configmap-etc.yaml b/charts/barbican/templates/configmap-etc.yaml
new file mode 100644
index 0000000..c8e08cb
--- /dev/null
+++ b/charts/barbican/templates/configmap-etc.yaml
@@ -0,0 +1,104 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_etc }}
+{{- $envAll := . }}
+
+{{- if empty .Values.conf.barbican.keystone_authtoken.auth_uri -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.barbican.keystone_authtoken "auth_uri" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.barbican.keystone_authtoken.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.barbican.keystone_authtoken "auth_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.barbican.keystone_authtoken.region_name -}}
+{{- $_ := set .Values.conf.barbican.keystone_authtoken "region_name" .Values.endpoints.identity.auth.barbican.region_name -}}
+{{- end -}}
+{{- if empty .Values.conf.barbican.keystone_authtoken.project_name -}}
+{{- $_ := set .Values.conf.barbican.keystone_authtoken "project_name" .Values.endpoints.identity.auth.barbican.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.barbican.keystone_authtoken.project_domain_name -}}
+{{- $_ := set .Values.conf.barbican.keystone_authtoken "project_domain_name" .Values.endpoints.identity.auth.barbican.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.barbican.keystone_authtoken.user_domain_name -}}
+{{- $_ := set .Values.conf.barbican.keystone_authtoken "user_domain_name" .Values.endpoints.identity.auth.barbican.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.barbican.keystone_authtoken.username -}}
+{{- $_ := set .Values.conf.barbican.keystone_authtoken "username" .Values.endpoints.identity.auth.barbican.username -}}
+{{- end -}}
+{{- if empty .Values.conf.barbican.keystone_authtoken.password -}}
+{{- $_ := set .Values.conf.barbican.keystone_authtoken "password" .Values.endpoints.identity.auth.barbican.password -}}
+{{- end -}}
+
+{{- if empty .Values.conf.barbican.keystone_authtoken.memcached_servers -}}
+{{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.barbican.keystone_authtoken "memcached_servers" -}}
+{{- end -}}
+{{- if empty .Values.conf.barbican.keystone_authtoken.memcache_secret_key -}}
+{{- $_ := set .Values.conf.barbican.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
+{{- end -}}
+
+{{- if empty .Values.conf.barbican.DEFAULT.sql_connection -}}
+{{- $connection := tuple "oslo_db" "internal" "barbican" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.barbican.DEFAULT "sql_connection" -}}
+{{- else -}}
+{{- $_ := set .Values.conf.barbican.DEFAULT "sql_connection" $connection -}}
+{{- end -}}
+{{- end -}}
+
+{{- if empty .Values.conf.barbican.DEFAULT.transport_url -}}
+{{- $_ := tuple "oslo_messaging" "internal" "barbican" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" | set .Values.conf.barbican.DEFAULT "transport_url" -}}
+{{- end -}}
+
+{{- $barbicanPath := index .Values "endpoints" "key_manager" "path" "default" }}
+{{- if empty .Values.conf.barbican.DEFAULT.host_href -}}
+{{- $_ := tuple "key_manager" "public" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | trimSuffix $barbicanPath | set .Values.conf.barbican.DEFAULT "host_href" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.barbican.barbican_api.bind_port -}}
+{{- $_ := tuple "key_manager" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.barbican.barbican_api "bind_port" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.barbican_api.uwsgi.socket -}}
+{{- $_ := printf ":%s" ( tuple "key_manager" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" ) | set .Values.conf.barbican_api.uwsgi "socket" -}}
+{{- end -}}
+
+{{- if and (empty .Values.conf.logging.handler_fluent) (has "fluent" .Values.conf.logging.handlers.keys) -}}
+{{- $fluentd_host := tuple "fluentd" "internal" $envAll | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $fluentd_port := tuple "fluentd" "internal" "service" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .Release.Name $fluentd_host $fluentd_port }}
+{{- $handler_fluent := dict "class" "fluent.handler.FluentHandler" "formatter" "fluent" "args" $fluent_args -}}
+{{- $_ := set .Values.conf.logging "handler_fluent" $handler_fluent -}}
+{{- end -}}
+
+{{- if and (empty .Values.conf.logging.formatter_fluent) (has "fluent" .Values.conf.logging.formatters.keys) -}}
+{{- $formatter_fluent := dict "class" "oslo_log.formatters.FluentFormatter" -}}
+{{- $_ := set .Values.conf.logging "formatter_fluent" $formatter_fluent -}}
+{{- end -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: barbican-etc
+type: Opaque
+data:
+  barbican.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.barbican | b64enc }}
+  logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
+  barbican-api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
+  api_audit_map.conf: {{ include "helm-toolkit.utils.to_ini" .Values.conf.audit_map | b64enc }}
+  policy.yaml: {{ toYaml .Values.conf.policy | b64enc }}
+  barbican-api.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.barbican_api | b64enc }}
+  old_kek: {{ index .Values.conf.simple_crypto_kek_rewrap "old_kek" | default "" | b64enc | quote }}
+{{- end }}
diff --git a/charts/barbican/templates/deployment-api.yaml b/charts/barbican/templates/deployment-api.yaml
new file mode 100644
index 0000000..9033971
--- /dev/null
+++ b/charts/barbican/templates/deployment-api.yaml
@@ -0,0 +1,131 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment_api }}
+{{- $envAll := . }}
+
+{{- $mounts_barbican_api := .Values.pod.mounts.barbican_api.barbican_api }}
+{{- $mounts_barbican_api_init := .Values.pod.mounts.barbican_api.init_container }}
+
+{{- $serviceAccountName := "barbican-api" }}
+{{ tuple $envAll "api" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: barbican-api
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "barbican" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.api }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "barbican" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "barbican" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "barbican-api" "containerNames" (list "init" "barbican-api") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+{{ dict "envAll" $envAll "application" "barbican" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      serviceAccountName: {{ $serviceAccountName }}
+      affinity:
+{{ tuple $envAll "barbican" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+      nodeSelector:
+        {{ .Values.labels.api.node_selector_key }}: {{ .Values.labels.api.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.barbican.enabled }}
+{{ tuple $envAll "barbican" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+      initContainers:
+{{ tuple $envAll "api" $mounts_barbican_api_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: barbican-api
+{{ tuple $envAll "barbican_api" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "barbican" "container" "barbican_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/barbican.sh
+            - start
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - /tmp/barbican.sh
+                  - stop
+          ports:
+            - name: b-api
+              containerPort: {{ tuple "key_manager" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+          readinessProbe:
+            tcpSocket:
+              port: {{ tuple "key_manager" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: etcbarbican
+              mountPath: /etc/barbican
+            - name: barbican-etc
+              mountPath: /etc/barbican/vassals/barbican-api.ini
+              subPath: barbican-api.ini
+              readOnly: true
+            - name: barbican-etc
+              mountPath: /etc/barbican/barbican.conf
+              subPath: barbican.conf
+              readOnly: true
+            {{- if .Values.conf.barbican.DEFAULT.log_config_append }}
+            - name: barbican-etc
+              mountPath: {{ .Values.conf.barbican.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.barbican.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+            - name: barbican-etc
+              mountPath: /etc/barbican/api_audit_map.conf
+              subPath: api_audit_map.conf
+              readOnly: true
+            - name: barbican-etc
+              mountPath: /etc/barbican/barbican-api-paste.ini
+              subPath: barbican-api-paste.ini
+              readOnly: true
+            - name: barbican-etc
+              mountPath: /etc/barbican/policy.yaml
+              subPath: policy.yaml
+              readOnly: true
+            - name: barbican-bin
+              mountPath: /tmp/barbican.sh
+              subPath: barbican.sh
+              readOnly: true
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_barbican_api.volumeMounts }}{{ toYaml $mounts_barbican_api.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: etcbarbican
+          emptyDir: {}
+        - name: barbican-etc
+          secret:
+            secretName: barbican-etc
+            defaultMode: 0444
+        - name: barbican-bin
+          configMap:
+            name: barbican-bin
+            defaultMode: 0555
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_barbican_api.volumes }}{{ toYaml $mounts_barbican_api.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/barbican/templates/ingress-api.yaml b/charts/barbican/templates/ingress-api.yaml
new file mode 100644
index 0000000..6105887
--- /dev/null
+++ b/charts/barbican/templates/ingress-api.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
+{{- $ingressOpts := dict "envAll" . "backendServiceType" "key_manager" "backendPort" "b-api" -}}
+{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+{{- end }}
diff --git a/charts/barbican/templates/job-bootstrap.yaml b/charts/barbican/templates/job-bootstrap.yaml
new file mode 100644
index 0000000..ced8bc3
--- /dev/null
+++ b/charts/barbican/templates/job-bootstrap.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.bootstrap" }}
+{{- if .Values.helm3_hook }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "5"
+{{- end }}
+{{- end }}
+
+{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
+{{- $bootstrapJob := dict "envAll" . "serviceName" "barbican" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.barbican.DEFAULT.log_config_append "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) -}}
+{{- if .Values.pod.tolerations.barbican.enabled -}}
+{{- $_ := set $bootstrapJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
+{{- end }}
diff --git a/charts/barbican/templates/job-db-drop.yaml b/charts/barbican/templates/job-db-drop.yaml
new file mode 100644
index 0000000..b6f0a6f
--- /dev/null
+++ b/charts/barbican/templates/job-db-drop.yaml
@@ -0,0 +1,26 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_db_drop }}
+{{- $serviceName := "barbican" -}}
+{{- $dbToDrop := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "DEFAULT" "configDbKey" "sql_connection" -}}
+{{- $dbDropJob := dict "envAll" . "serviceName" $serviceName "dbToDrop" $dbToDrop -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbToDrop "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.pod.tolerations.barbican.enabled -}}
+{{- $_ := set $dbDropJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
+{{- end }}
diff --git a/charts/barbican/templates/job-db-init.yaml b/charts/barbican/templates/job-db-init.yaml
new file mode 100644
index 0000000..afe16dc
--- /dev/null
+++ b/charts/barbican/templates/job-db-init.yaml
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_init" }}
+{{- if .Values.helm3_hook }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-5"
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.job_db_init }}
+{{- $serviceName := "barbican" -}}
+{{- $dbToInit := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "DEFAULT" "configDbKey" "sql_connection" -}}
+{{- $dbInitJob := dict "envAll" . "serviceName" $serviceName "dbToInit" $dbToInit "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml) -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.pod.tolerations.barbican.enabled -}}
+{{- $_ := set $dbInitJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
+{{- end }}
diff --git a/charts/barbican/templates/job-db-sync.yaml b/charts/barbican/templates/job-db-sync.yaml
new file mode 100644
index 0000000..587be68
--- /dev/null
+++ b/charts/barbican/templates/job-db-sync.yaml
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_sync" }}
+{{- if .Values.helm3_hook }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end }}
+{{- end }}
+
+{{- $podVolMounts := .Values.pod.mounts.barbican_db_sync.barbican_db_sync.volumeMounts | default list }}
+{{- $podVolMounts = append $podVolMounts (dict "name" "db-sync-sh" "mountPath" "/tmp/simple_crypto_kek_rewrap.py" "subPath" "simple_crypto_kek_rewrap.py" "readOnly" true) }}
+{{- $podVolMounts = append $podVolMounts (dict "name" "db-sync-conf" "mountPath" "/tmp/old_kek" "subPath" "old_kek" "readOnly" true) }}
+
+{{- if .Values.manifests.job_db_sync }}
+{{- $dbSyncJob := dict "envAll" . "serviceName" "barbican" "podVolMounts" $podVolMounts "podVols" .Values.pod.mounts.barbican_db_sync.barbican_db_sync.volumes "jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml) -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.pod.tolerations.barbican.enabled -}}
+{{- $_ := set $dbSyncJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
+{{- end }}
diff --git a/charts/barbican/templates/job-image-repo-sync.yaml b/charts/barbican/templates/job-image-repo-sync.yaml
new file mode 100644
index 0000000..5faccb1
--- /dev/null
+++ b/charts/barbican/templates/job-image-repo-sync.yaml
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.repo_sync" }}
+{{- if .Values.helm3_hook }}
+helm.sh/hook: post-install,post-upgrade
+{{- end }}
+{{- end }}
+
+{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
+{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "barbican" "jobAnnotations" (include "metadata.annotations.job.repo_sync" . | fromYaml) -}}
+{{- if .Values.pod.tolerations.barbican.enabled -}}
+{{- $_ := set $imageRepoSyncJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
+{{- end }}
diff --git a/charts/barbican/templates/job-ks-endpoints.yaml b/charts/barbican/templates/job-ks-endpoints.yaml
new file mode 100644
index 0000000..023f58e
--- /dev/null
+++ b/charts/barbican/templates/job-ks-endpoints.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_endpoints" }}
+{{- if .Values.helm3_hook }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-2"
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.job_ks_endpoints }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "barbican" "serviceTypes" ( tuple "key-manager" ) "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) -}}
+{{- if .Values.pod.tolerations.barbican.enabled -}}
+{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
+{{- end }}
diff --git a/charts/barbican/templates/job-ks-service.yaml b/charts/barbican/templates/job-ks-service.yaml
new file mode 100644
index 0000000..c0e0683
--- /dev/null
+++ b/charts/barbican/templates/job-ks-service.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_service" }}
+{{- if .Values.helm3_hook }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-3"
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.job_ks_service }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "barbican" "serviceTypes" ( tuple "key-manager" ) "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) -}}
+{{- if .Values.pod.tolerations.barbican.enabled -}}
+{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
+{{- end }}
diff --git a/charts/barbican/templates/job-ks-user.yaml b/charts/barbican/templates/job-ks-user.yaml
new file mode 100644
index 0000000..e16e033
--- /dev/null
+++ b/charts/barbican/templates/job-ks-user.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_user" }}
+{{- if .Values.helm3_hook }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-1"
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.job_ks_user }}
+{{- $ksUserJob := dict "envAll" . "serviceName" "barbican" "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) -}}
+{{- if .Values.pod.tolerations.barbican.enabled -}}
+{{- $_ := set $ksUserJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
+{{- end }}
diff --git a/charts/barbican/templates/job-rabbit-init.yaml b/charts/barbican/templates/job-rabbit-init.yaml
new file mode 100644
index 0000000..75bb5fc
--- /dev/null
+++ b/charts/barbican/templates/job-rabbit-init.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.rabbit_init" }}
+{{- if .Values.helm3_hook }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.job_rabbit_init }}
+{{- $rmqUserJob := dict "envAll" . "serviceName" "barbican" "jobAnnotations" (include "metadata.annotations.job.rabbit_init" . | fromYaml) -}}
+{{- if .Values.pod.tolerations.barbican.enabled -}}
+{{- $_ := set $rmqUserJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }}
+{{- end }}
diff --git a/charts/barbican/templates/network_policy.yaml b/charts/barbican/templates/network_policy.yaml
new file mode 100644
index 0000000..1c50699
--- /dev/null
+++ b/charts/barbican/templates/network_policy.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "barbican" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/charts/barbican/templates/pdb-api.yaml b/charts/barbican/templates/pdb-api.yaml
new file mode 100644
index 0000000..e155d76
--- /dev/null
+++ b/charts/barbican/templates/pdb-api.yaml
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pdb_api }}
+{{- $envAll := . }}
+---
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+  name: barbican-api
+spec:
+  minAvailable: {{ .Values.pod.lifecycle.disruption_budget.api.min_available }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "barbican" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{- end }}
diff --git a/charts/barbican/templates/pod-test.yaml b/charts/barbican/templates/pod-test.yaml
new file mode 100644
index 0000000..f414356
--- /dev/null
+++ b/charts/barbican/templates/pod-test.yaml
@@ -0,0 +1,72 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pod_test }}
+{{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.static.tests }}
+
+{{- $mounts_barbican_tests := .Values.pod.mounts.barbican_tests.barbican_tests }}
+{{- $mounts_barbican_tests_init := .Values.pod.mounts.barbican_tests.init_container }}
+
+{{- $serviceAccountName := print .Release.Name "-test" }}
+{{ tuple $envAll "tests" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{.Release.Name}}-test"
+  labels:
+{{ tuple $envAll "barbican" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  annotations:
+    "helm.sh/hook": test-success
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{ dict "envAll" $envAll "podName" "barbican-test" "containerNames" (list "init" "barbican-test") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
+spec:
+  serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "test" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
+  nodeSelector:
+    {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.barbican.enabled }}
+{{ tuple $envAll "barbican" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 2 }}
+{{ end }}
+  restartPolicy: Never
+  initContainers:
+{{ tuple $envAll "tests" $mounts_barbican_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
+  containers:
+    - name: barbican-test
+{{ tuple $envAll "scripted_test" | include "helm-toolkit.snippets.image" | indent 6 }}
+{{ dict "envAll" $envAll "application" "test" "container" "barbican_test" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
+      env:
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
+{{- end }}
+      command:
+        - /tmp/barbican-test.sh
+      volumeMounts:
+        - name: pod-tmp
+          mountPath: /tmp
+        - name: barbican-bin
+          mountPath: /tmp/barbican-test.sh
+          subPath: barbican-test.sh
+          readOnly: true
+{{ if $mounts_barbican_tests.volumeMounts }}{{ toYaml $mounts_barbican_tests.volumeMounts | indent 8 }}{{ end }}
+  volumes:
+    - name: pod-tmp
+      emptyDir: {}
+    - name: barbican-bin
+      configMap:
+        name: barbican-bin
+        defaultMode: 0555
+{{ if $mounts_barbican_tests.volumes }}{{ toYaml $mounts_barbican_tests.volumes | indent 4 }}{{ end }}
+{{- end }}
diff --git a/charts/barbican/templates/secret-db.yaml b/charts/barbican/templates/secret-db.yaml
new file mode 100644
index 0000000..a2ac53b
--- /dev/null
+++ b/charts/barbican/templates/secret-db.yaml
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_db }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "barbican" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+{{- $connection := tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+{{- if $envAll.Values.manifests.certificates }}
+  DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
+{{- else }}
+  DB_CONNECTION: {{  $connection | b64enc -}}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/barbican/templates/secret-ingress-tls.yaml b/charts/barbican/templates/secret-ingress-tls.yaml
new file mode 100644
index 0000000..ff4678a
--- /dev/null
+++ b/charts/barbican/templates/secret-ingress-tls.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key_manager" ) }}
+{{- end }}
diff --git a/charts/barbican/templates/secret-keystone.yaml b/charts/barbican/templates/secret-keystone.yaml
new file mode 100644
index 0000000..845b476
--- /dev/null
+++ b/charts/barbican/templates/secret-keystone.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_keystone }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "barbican" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
+{{- end }}
diff --git a/charts/barbican/templates/secret-rabbitmq.yaml b/charts/barbican/templates/secret-rabbitmq.yaml
new file mode 100644
index 0000000..b66c828
--- /dev/null
+++ b/charts/barbican/templates/secret-rabbitmq.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_rabbitmq }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "barbican" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+  RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/barbican/templates/service-api.yaml b/charts/barbican/templates/service-api.yaml
new file mode 100644
index 0000000..0f63ee3
--- /dev/null
+++ b/charts/barbican/templates/service-api.yaml
@@ -0,0 +1,37 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service_api }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tuple "key-manager" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+  ports:
+  - name: b-api
+    port: {{ tuple "key-manager" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+    {{ if .Values.network.api.node_port.enabled }}
+    nodePort: {{ .Values.network.api.node_port.port }}
+    {{ end }}
+  selector:
+{{ tuple $envAll "barbican" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  {{ if .Values.network.api.node_port.enabled }}
+  type: NodePort
+  {{ if .Values.network.api.external_policy_local }}
+  externalTrafficPolicy: Local
+  {{ end }}
+  {{ end }}
+{{- end }}
diff --git a/charts/barbican/templates/service-ingress-api.yaml b/charts/barbican/templates/service-ingress-api.yaml
new file mode 100644
index 0000000..c4a9d87
--- /dev/null
+++ b/charts/barbican/templates/service-ingress-api.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_ingress_api .Values.network.api.ingress.public }}
+{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "key-manager" -}}
+{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
+{{- end }}
diff --git a/charts/barbican/values.yaml b/charts/barbican/values.yaml
new file mode 100644
index 0000000..5bd154e
--- /dev/null
+++ b/charts/barbican/values.yaml
@@ -0,0 +1,681 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for barbican.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+---
+labels:
+  api:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  job:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  test:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+
+release_group: null
+
+# NOTE(philsphicas): the pre-install hook breaks upgrade for helm2
+# Set to false to upgrade using helm2
+helm3_hook: true
+
+images:
+  tags:
+    bootstrap: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
+    dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    scripted_test: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
+    db_init: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
+    barbican_db_sync: docker.io/openstackhelm/barbican:ussuri-ubuntu_bionic
+    db_drop: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
+    ks_user: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
+    ks_service: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
+    ks_endpoints: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
+    barbican_api: docker.io/openstackhelm/barbican:ussuri-ubuntu_bionic
+    rabbit_init: docker.io/rabbitmq:3.7-management
+    image_repo_sync: docker.io/docker:17.07.0
+  pull_policy: "IfNotPresent"
+  local_registry:
+    active: false
+    exclude:
+      - dep_check
+      - image_repo_sync
+
+pod:
+  security_context:
+    barbican:
+      pod:
+        runAsUser: 42424
+      container:
+        barbican_api:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+    test:
+      pod:
+        runAsUser: 42424
+      container:
+        barbican_test:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+  affinity:
+    anti:
+      type:
+        default: preferredDuringSchedulingIgnoredDuringExecution
+      topologyKey:
+        default: kubernetes.io/hostname
+      weight:
+        default: 10
+  tolerations:
+    barbican:
+      enabled: false
+      tolerations:
+        - key: node-role.kubernetes.io/master
+          operator: Exists
+          effect: NoSchedule
+  mounts:
+    barbican_api:
+      init_container: null
+      barbican_api:
+        volumeMounts:
+        volumes:
+    barbican_bootstrap:
+      init_container: null
+      barbican_bootstrap:
+        volumeMounts:
+        volumes:
+    barbican_tests:
+      init_container: null
+      barbican_tests:
+        volumeMounts:
+        volumes:
+    barbican_db_sync:
+      barbican_db_sync:
+        volumeMounts:
+        volumes:
+  replicas:
+    api: 1
+  lifecycle:
+    upgrades:
+      deployments:
+        revision_history: 3
+        pod_replacement_strategy: RollingUpdate
+        rolling_update:
+          max_unavailable: 1
+          max_surge: 3
+    disruption_budget:
+      api:
+        min_available: 0
+  resources:
+    enabled: false
+    api:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+    jobs:
+      bootstrap:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      db_init:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      db_sync:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      db_drop:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      rabbit_init:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      ks_endpoints:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      ks_service:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      ks_user:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      tests:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      image_repo_sync:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+
+network:
+  api:
+    ingress:
+      public: true
+      classes:
+        namespace: "nginx"
+        cluster: "nginx-cluster"
+      annotations:
+        nginx.ingress.kubernetes.io/rewrite-target: /
+    external_policy_local: false
+    node_port:
+      enabled: false
+      port: 30486
+
+network_policy:
+  barbican:
+    ingress:
+      - {}
+    egress:
+      - {}
+
+bootstrap:
+  enabled: false
+  ks_user: barbican
+  script: |
+    openstack token issue
+
+dependencies:
+  dynamic:
+    common:
+      local_image_registry:
+        jobs:
+          - barbican-image-repo-sync
+        services:
+          - endpoint: node
+            service: local_image_registry
+  static:
+    api:
+      jobs:
+        - barbican-db-sync
+        - barbican-ks-user
+        - barbican-ks-endpoints
+        - barbican-rabbit-init
+      services:
+        - endpoint: internal
+          service: oslo_db
+        - endpoint: internal
+          service: identity
+        - endpoint: internal
+          service: oslo_messaging
+    db_drop:
+      services:
+        - endpoint: internal
+          service: oslo_db
+    db_init:
+      services:
+        - endpoint: internal
+          service: oslo_db
+    db_sync:
+      jobs:
+        - barbican-db-init
+      services:
+        - endpoint: internal
+          service: oslo_db
+    image_repo_sync:
+      services:
+        - endpoint: internal
+          service: local_image_registry
+    ks_endpoints:
+      jobs:
+        - barbican-ks-service
+      services:
+        - endpoint: internal
+          service: identity
+    ks_service:
+      services:
+        - endpoint: internal
+          service: identity
+    ks_user:
+      services:
+        - endpoint: internal
+          service: identity
+    rabbit_init:
+      services:
+        - endpoint: internal
+          service: oslo_messaging
+
+conf:
+  paste:
+    composite:main:
+      use: egg:Paste#urlmap
+      /: barbican_version
+      /v1: barbican-api-keystone
+    pipeline:barbican_version:
+      pipeline: cors http_proxy_to_wsgi versionapp
+    pipeline:barbican_api:
+      pipeline: cors http_proxy_to_wsgi unauthenticated-context apiapp
+    pipeline:barbican-profile:
+      pipeline: cors http_proxy_to_wsgi unauthenticated-context egg:Paste#cgitb egg:Paste#httpexceptions profile apiapp
+    pipeline:barbican-api-keystone:
+      pipeline: cors http_proxy_to_wsgi authtoken context apiapp
+    pipeline:barbican-api-keystone-audit:
+      pipeline: http_proxy_to_wsgi authtoken context audit apiapp
+    app:apiapp:
+      paste.app_factory: barbican.api.app:create_main_app
+    app:versionapp:
+      paste.app_factory: barbican.api.app:create_version_app
+    filter:simple:
+      paste.filter_factory: barbican.api.middleware.simple:SimpleFilter.factory
+    filter:unauthenticated-context:
+      paste.filter_factory: barbican.api.middleware.context:UnauthenticatedContextMiddleware.factory
+    filter:context:
+      paste.filter_factory: barbican.api.middleware.context:ContextMiddleware.factory
+    filter:audit:
+      paste.filter_factory: keystonemiddleware.audit:filter_factory
+      audit_map_file: /etc/barbican/api_audit_map.conf
+    filter:authtoken:
+      paste.filter_factory: keystonemiddleware.auth_token:filter_factory
+    filter:profile:
+      use: egg:repoze.profile
+      log_filename: myapp.profile
+      cachegrind_filename: cachegrind.out.myapp
+      discard_first_request: true
+      path: /__profile__
+      flush_at_shutdown: true
+      unwind: false
+    filter:cors:
+      paste.filter_factory: oslo_middleware.cors:filter_factory
+      oslo_config_project: barbican
+    filter:http_proxy_to_wsgi:
+      paste.filter_factory: oslo_middleware:HTTPProxyToWSGI.factory
+  policy: {}
+  audit_map:
+    DEFAULT:
+      # default target endpoint type
+      # should match the endpoint type defined in service catalog
+      target_endpoint_type: key-manager
+    custom_actions:
+      # map urls ending with specific text to a unique action
+      # Don't need custom mapping for other resource operations
+      # Note: action should match action names defined in CADF taxonomy
+      acl/get: read
+    path_keywords:
+      # path of api requests for CADF target typeURI
+      # Just need to include top resource path to identify class of resources
+      secrets: null
+      containers: null
+      orders: null
+      cas: "None"
+      quotas: null
+      project-quotas: null
+    service_endpoints:
+      # map endpoint type defined in service catalog to CADF typeURI
+      key-manager: service/security/keymanager
+  barbican_api:
+    uwsgi:
+      socket: null
+      protocol: http
+      processes: 1
+      lazy: true
+      vacuum: true
+      no-default-app: true
+      memory-report: true
+      plugins: python
+      paste: "config:/etc/barbican/barbican-api-paste.ini"
+      add-header: "Connection: close"
+  barbican:
+    DEFAULT:
+      transport_url: null
+      log_config_append: /etc/barbican/logging.conf
+    keystone_authtoken:
+      auth_type: password
+      auth_version: v3
+      memcache_security_strategy: ENCRYPT
+      memcache_secret_key: null
+    database:
+      max_retries: -1
+    barbican_api:
+      # NOTE(portdirect): the bind port should not be defined, and is manipulated
+      # via the endpoints section.
+      bind_port: null
+    oslo_policy:
+      policy_file: /etc/barbican/policy.yaml
+    # When using the simple_crypto_plugin, a kek must be provided as:
+    #   .conf.barbican.simple_crypto_plugin.kek
+    # If no kek is provided, barbican will use a well-known default.
+    # If upgrading the chart with a new kek, the old kek must be provided as:
+    #   .conf.simple_crypto_plugin_rewrap.old_kek
+    # Please refer to the .conf.simple_crypto_key_rewrap section below.
+    # The barbican defaults are included here as a reference:
+    #   secretstore:
+    #     enabled_secretstore_plugins:
+    #       - store_crypto
+    #   crypto:
+    #     enabled_crypto_plugins:
+    #       - simple_crypto
+    #   simple_crypto_plugin:
+    #     # The kek should be a 32-byte value which is base64 encoded.
+    #     kek: "dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg="
+  # KEK rotation for the simple_crypto plugin
+  simple_crypto_kek_rewrap:
+
+    # To allow for chart upgrades when modifying the Key Encryption Key, the
+    # db-sync job can rewrap the existing project keys with the new kek, leaving
+    # each secret’s encrypted data unchanged.
+
+    # This feature is enabled automatically, if a kek is specified at:
+    #   .conf.barbican.simple_crypto_plugin.kek
+    # and the previous kek is also specified at:
+    #   .conf.simple_crypto_kek_rewrap.old_kek
+
+    # The project keys are decrypted with 'old_kek' and re-encrypted with the
+    # target kek (as defined in barbican.conf).
+    # This resembles the lightweight rotation described here, which was never
+    # implemented for the simple crypto plugin:
+    # https://specs.openstack.org/openstack/barbican-specs/specs/liberty/add-crypto-mkek-rotation-support-lightweight.html
+
+    # The KEK value "dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg=" matches the
+    # plugin default, and is retained here for convenience, in case the chart was
+    # previously installed without explicitly specifying a kek.
+    old_kek: "dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg="
+  logging:
+    loggers:
+      keys:
+        - root
+        - barbican
+    handlers:
+      keys:
+        - stdout
+        - stderr
+        - "null"
+    formatters:
+      keys:
+        - context
+        - default
+    logger_root:
+      level: WARNING
+      handlers: 'null'
+    logger_barbican:
+      level: INFO
+      handlers:
+        - stdout
+      qualname: barbican
+    logger_amqp:
+      level: WARNING
+      handlers: stderr
+      qualname: amqp
+    logger_amqplib:
+      level: WARNING
+      handlers: stderr
+      qualname: amqplib
+    logger_eventletwsgi:
+      level: WARNING
+      handlers: stderr
+      qualname: eventlet.wsgi.server
+    logger_sqlalchemy:
+      level: WARNING
+      handlers: stderr
+      qualname: sqlalchemy
+    logger_boto:
+      level: WARNING
+      handlers: stderr
+      qualname: boto
+    handler_null:
+      class: logging.NullHandler
+      formatter: default
+      args: ()
+    handler_stdout:
+      class: StreamHandler
+      args: (sys.stdout,)
+      formatter: context
+    handler_stderr:
+      class: StreamHandler
+      args: (sys.stderr,)
+      formatter: context
+    formatter_context:
+      class: oslo_log.formatters.ContextFormatter
+      datefmt: "%Y-%m-%d %H:%M:%S"
+    formatter_default:
+      format: "%(message)s"
+      datefmt: "%Y-%m-%d %H:%M:%S"
+
+# Names of secrets used by bootstrap and environmental checks
+secrets:
+  identity:
+    admin: barbican-keystone-admin
+    barbican: barbican-keystone-user
+  oslo_db:
+    admin: barbican-db-admin
+    barbican: barbican-db-user
+  oslo_messaging:
+    admin: barbican-rabbitmq-admin
+    barbican: barbican-rabbitmq-user
+  tls:
+    key_manager:
+      api:
+        public: barbican-tls-public
+
+endpoints:
+  cluster_domain_suffix: cluster.local
+  local_image_registry:
+    name: docker-registry
+    namespace: docker-registry
+    hosts:
+      default: localhost
+      internal: docker-registry
+      node: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        node: 5000
+  identity:
+    name: keystone
+    auth:
+      admin:
+        region_name: RegionOne
+        username: admin
+        password: password
+        project_name: admin
+        user_domain_name: default
+        project_domain_name: default
+      barbican:
+        role: admin
+        region_name: RegionOne
+        username: barbican
+        password: password
+        project_name: service
+        user_domain_name: service
+        project_domain_name: service
+    hosts:
+      default: keystone
+      internal: keystone-api
+    host_fqdn_override:
+      default: null
+    path:
+      default: /v3
+    scheme:
+      default: http
+    port:
+      api:
+        default: 80
+        internal: 5000
+  key_manager:
+    name: barbican
+    hosts:
+      default: barbican-api
+      public: barbican
+    host_fqdn_override:
+      default: null
+    path:
+      default: /
+    scheme:
+      default: http
+    port:
+      api:
+        default: 9311
+        public: 80
+  oslo_db:
+    auth:
+      admin:
+        username: root
+        password: password
+        secret:
+          tls:
+            internal: mariadb-tls-direct
+      barbican:
+        username: barbican
+        password: password
+    hosts:
+      default: mariadb
+    host_fqdn_override:
+      default: null
+    path: /barbican
+    scheme: mysql+pymysql
+    port:
+      mysql:
+        default: 3306
+  oslo_messaging:
+    auth:
+      admin:
+        username: rabbitmq
+        password: password
+      barbican:
+        username: barbican
+        password: password
+    statefulset:
+      replicas: 2
+      name: rabbitmq-rabbitmq
+    hosts:
+      default: rabbitmq
+    host_fqdn_override:
+      default: null
+    path: /barbican
+    scheme: rabbit
+    port:
+      amqp:
+        default: 5672
+      http:
+        default: 15672
+  oslo_cache:
+    auth:
+      # NOTE(portdirect): this is used to define the value for keystone
+      # authtoken cache encryption key, if not set it will be populated
+      # automatically with a random value, but to take advantage of
+      # this feature all services should be set to use the same key,
+      # and memcache service.
+      memcache_secret_key: null
+    hosts:
+      default: memcached
+    host_fqdn_override:
+      default: null
+    port:
+      memcache:
+        default: 11211
+  fluentd:
+    namespace: null
+    name: fluentd
+    hosts:
+      default: fluentd-logging
+    host_fqdn_override:
+      default: null
+    path:
+      default: null
+    scheme: 'http'
+    port:
+      service:
+        default: 24224
+      metrics:
+        default: 24220
+  # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
+  # They are using to enable the Egress K8s network policy.
+  kube_dns:
+    namespace: kube-system
+    name: kubernetes-dns
+    hosts:
+      default: kube-dns
+    host_fqdn_override:
+      default: null
+    path:
+      default: null
+    scheme: http
+    port:
+      dns:
+        default: 53
+        protocol: UDP
+  ingress:
+    namespace: null
+    name: ingress
+    hosts:
+      default: ingress
+    port:
+      ingress:
+        default: 80
+
+manifests:
+  certificates: false
+  configmap_bin: true
+  configmap_etc: true
+  deployment_api: true
+  ingress_api: true
+  job_bootstrap: true
+  job_db_init: true
+  job_db_sync: true
+  job_db_drop: false
+  job_image_repo_sync: true
+  job_rabbit_init: true
+  job_ks_endpoints: true
+  job_ks_service: true
+  job_ks_user: true
+  pdb_api: true
+  pod_test: true
+  secret_db: true
+  network_policy: false
+  secret_ingress_tls: true
+  secret_keystone: true
+  secret_rabbitmq: true
+  service_ingress_api: true
+  service_api: true
+...
diff --git a/charts/ceph-provisioners/Chart.yaml b/charts/ceph-provisioners/Chart.yaml
new file mode 100644
index 0000000..057dec8
--- /dev/null
+++ b/charts/ceph-provisioners/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Ceph Provisioner
+home: https://github.com/ceph/ceph
+name: ceph-provisioners
+version: 0.1.8
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/Chart.yaml b/charts/ceph-provisioners/charts/helm-toolkit/Chart.yaml
new file mode 100644
index 0000000..f762292
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Helm-Toolkit
+home: https://docs.openstack.org/openstack-helm
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: helm-toolkit
+sources:
+- https://opendev.org/openstack/openstack-helm-infra
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.17
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/requirements.lock b/charts/ceph-provisioners/charts/helm-toolkit/requirements.lock
new file mode 100644
index 0000000..df843bb
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/requirements.lock
@@ -0,0 +1,3 @@
+dependencies: []
+digest: sha256:643d5437104296e21d906ecb15b2c96ad278f20cfc4af53b12bb6069bd853726
+generated: "2021-07-27T15:44:21.585311483Z"
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/requirements.yaml b/charts/ceph-provisioners/charts/helm-toolkit/requirements.yaml
new file mode 100644
index 0000000..27fb08a
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/requirements.yaml
@@ -0,0 +1,15 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies: []
+...
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..12b84de
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
@@ -0,0 +1,58 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves database, or basic auth, style endpoints
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      auth:
+        admin:
+          username: root
+          password: password
+        service_username:
+          username: username
+          password: password
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+      path: /dbname
+      scheme: mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "service_username" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+return: |
+  mysql+pymysql://serviceuser:password@mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s:%s@%s:%s%s" $endpointScheme $endpointUser $endpointPass $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..b7cf287
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
@@ -0,0 +1,121 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves endpoint string suitible for use with oslo.messaging transport url
+  See: https://docs.openstack.org/oslo.messaging/latest/reference/transport.html#oslo_messaging.TransportURL
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset:
+            replicas: 2
+            name: rabbitmq-rabbitmq
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: null
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq-rabbitmq-0.rabbitmq.default.svc.cluster.local:5672,cinder:password@rabbitmq-rabbitmq-1.rabbitmq.default.svc.cluster.local:5672/cinder
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset: null
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: null
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq.default.svc.cluster.local:5672/cinder
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset:
+            replicas: 2
+            name: rabbitmq-rabbitmq
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: rabbitmq.openstackhelm.org
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq.openstackhelm.org:5672/cinder
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" -}}
+{{-   $type := index . 0 -}}
+{{-   $endpoint := index . 1 -}}
+{{-   $userclass := index . 2 -}}
+{{-   $port := index . 3 -}}
+{{-   $context := index . 4 -}}
+{{-   $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{-   $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{-   $ssMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "statefulset" | default false}}
+{{-   $hostFqdnOverride := index $context.Values.endpoints ( $type | replace "-" "_" ) "host_fqdn_override" }}
+{{-   $endpointUser := index $userMap "username" }}
+{{-   $endpointPass := index $userMap "password" }}
+{{-   $endpointHostSuffix := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{-   $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{-   $local := dict "endpointCredsAndHosts" list -}}
+{{-   if not (or (index $hostFqdnOverride $endpoint | default ( index $hostFqdnOverride "default" ) ) ( not $ssMap ) ) }}
+{{-     $endpointHostPrefix := $ssMap.name }}
+{{-     range $podInt := until ( atoi (print $ssMap.replicas ) ) }}
+{{-       $endpointCredAndHost := printf "%s:%s@%s-%d.%s:%s" $endpointUser $endpointPass $endpointHostPrefix $podInt $endpointHostSuffix $endpointPort }}
+{{-       $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{-     end }}
+{{-   else }}
+{{-     $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{-     $endpointCredAndHost := printf "%s:%s@%s:%s" $endpointUser $endpointPass $endpointHost $endpointPort }}
+{{-     $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{-   end }}
+{{-   $endpointCredsAndHosts := include "helm-toolkit.utils.joinListWithComma" $local.endpointCredsAndHosts }}
+{{-   $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{-   printf "%s://%s%s" $endpointScheme $endpointCredsAndHosts $endpointPath }}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
new file mode 100644
index 0000000..fb8bbe7
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves either the fully qualified hostname, of if defined in the host field
+  IPv4 for an endpoint.
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default:
+             host: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: 127.0.0.1
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      127.0.0.1
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default:
+             host: 127.0.0.1
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      127.0.0.1
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_host_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
new file mode 100644
index 0000000..447efe7
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
@@ -0,0 +1,41 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the port for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+return: |
+  3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_port_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- $endpointPortMAP := index $endpointMap.port $port }}
+{{- $endpointPort := index $endpointPortMAP $endpoint | default ( index $endpointPortMAP "default" ) }}
+{{- printf "%1.f" $endpointPort -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
new file mode 100644
index 0000000..3a268c0
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
@@ -0,0 +1,36 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Gets the token for an endpoint
+values: |
+  endpoints:
+    keystone:
+      auth:
+        admin:
+          token: zh78JzXgw6YUKy2e
+usage: |
+  {{ tuple "keystone" "admin" . | include "helm-toolkit.endpoints.endpoint_token_lookup" }}
+return: |
+  zh78JzXgw6YUKy2e
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_token_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $userName := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" }}
+{{- printf "%s" $serviceToken -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..6877b7b
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
@@ -0,0 +1,59 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves 'hostname:port' for an endpoint
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+          port:
+            mysql:
+              default: 3306
+    usage: |
+      {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local:3306
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: 127.0.0.1
+          host_fqdn_override:
+            default: null
+          port:
+            mysql:
+              default: 3306
+    usage: |
+      {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+    return: |
+      127.0.0.1:3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- printf "%s:%s" $endpointHostname $endpointPort -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
new file mode 100644
index 0000000..26374e3
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the fully qualified hostname for an endpoint
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: mariadb.openstackhelm.openstack.org
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.openstackhelm.openstack.org
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default:
+              host: mariadb.openstackhelm.openstack.org
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.openstackhelm.openstack.org
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointHostNamespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.svc.%s" $endpointHostNamespaced $context.Values.endpoints.cluster_domain_suffix }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $endpointMap.host_fqdn_override "default" | default "" ) }}
+{{- if kindIs "map" $context.Values.__FQDNendpointHostDefault }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $context.Values.__FQDNendpointHostDefault "host" ) }}
+{{- end }}
+{{- if kindIs "map" (index $endpointMap.host_fqdn_override $endpoint) }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint "host" | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
new file mode 100644
index 0000000..9d60393
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
@@ -0,0 +1,40 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the namespace scoped hostname for an endpoint
+values: |
+  endpoints:
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+return: |
+  mariadb.default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.%s" $endpointHost $namespace }}
+{{- printf "%s" $endpointClusterHostname -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
new file mode 100644
index 0000000..f23c624
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the short hostname for an endpoint
+examples:
+  - values: |
+      endpoints:
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+    return: |
+      mariadb
+  - values: |
+      endpoints:
+        oslo_db:
+          hosts:
+            default:
+              host: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+    return: |
+      mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- printf "%s" $type -}}
+{{- else }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
new file mode 100644
index 0000000..e31c0eb
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the service name for an service type
+values: |
+  endpoints:
+    identity:
+      name: keystone
+usage: |
+  {{ tuple identity . | include "keystone_endpoint_name_lookup" }}
+return: |
+  "keystone"
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_name_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointName := index $endpointMap "name" }}
+{{- $endpointName | quote -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
new file mode 100644
index 0000000..b2ec648
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+  Resolves the path for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      path:
+       default: /dbname
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+return: |
+  /dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_path_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.path }}
+{{- printf "%s" $endpointMap.path | default "/" -}}
+{{- else -}}
+{{- $endpointPath := index $endpointMap.path $endpoint | default $endpointMap.path.default | default "/" }}
+{{- printf "%s" $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
new file mode 100644
index 0000000..b35cb0b
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+  Resolves the scheme for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      scheme:
+        default:
+          mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+return: |
+  mysql+pymysql
+*/}}
+
+# This function returns the scheme for a service, it takes an tuple
+# input in the form: service-type, endpoint-class, port-name. eg:
+# { tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_scheme_lookup" }
+# will return the scheme setting for this particular endpoint.  In other words, for most endpoints
+# it will return either 'http' or 'https'
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.scheme }}
+{{- printf "%s" $endpointMap.scheme | default "http" -}}
+{{- else -}}
+{{- $endpointScheme := index $endpointMap.scheme $endpoint | default $endpointMap.scheme.default | default "http" }}
+{{- printf "%s" $endpointScheme -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..8d0819c
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
@@ -0,0 +1,52 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  This function helps resolve uri style endpoints. It will omit the port for
+  http when 80 is used, and 443 in the case of https.
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+      path: /dbname
+      scheme: mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+return: |
+  mysql+pymysql://mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- if or ( and ( eq $endpointScheme "http" ) ( eq $endpointPort "80" ) ) ( and ( eq $endpointScheme "https" ) ( eq $endpointPort "443" ) ) -}}
+{{- printf "%s://%s%s" $endpointScheme $endpointHost $endpointPath -}}
+{{- else -}}
+{{- printf "%s://%s:%s%s" $endpointScheme $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
new file mode 100644
index 0000000..cf2ef38
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  This function returns endpoint "<namespace>:<name>" pair from an endpoint
+  definition. This is used in kubernetes-entrypoint to support dependencies
+  between different services in different namespaces.
+  returns: the endpoint namespace and the service name, delimited by a colon
+
+  Normally, the service name is constructed dynamically from the hostname
+  however when an ip address is used as the hostname, we default to
+  namespace:endpointCategoryName in order to construct a valid service name
+  however this can be overridden to a custom service name by defining
+  .service.name within the endpoint definition
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      namespace: foo
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple oslo_db internal . | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}
+return: |
+  foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- with $endpointMap -}}
+{{- $endpointName := index .hosts $endpoint | default .hosts.default }}
+{{- $endpointNamespace := .namespace | default $context.Release.Namespace }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointName }}
+{{- if .service.name }}
+{{- printf "%s:%s" $endpointNamespace .service.name -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $typeYamlSafe -}}
+{{- end -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $endpointName -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
new file mode 100644
index 0000000..18453ee
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for kubernete ceph storageclass
+examples:
+  - values: |
+      manifests:
+        storageclass: true
+      storageclass:
+        rbd:
+          provision_storage_class: true
+          provisioner: "ceph.com/rbd"
+          metadata:
+            default_storage_class: true
+            name: general
+          parameters:
+            #We will grab the monitors value based on helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup
+            pool: rbd
+            admin_id: admin
+            ceph_configmap_name: "ceph-etc"
+            admin_secret_name: "pvc-ceph-conf-combined-storageclass"
+            admin_secret_namespace: ceph
+            user_id: admin
+            user_secret_name: "pvc-ceph-client-key"
+            image_format: "2"
+            image_features: layering
+        cephfs:
+          provision_storage_class: true
+          provisioner: "ceph.com/cephfs"
+          metadata:
+            name: cephfs
+          parameters:
+            admin_id: admin
+            admin_secret_name: "pvc-ceph-cephfs-client-key"
+            admin_secret_namespace: ceph
+    usage: |
+      {{- range $storageclass, $val := .Values.storageclass }}
+      {{ dict "storageclass_data" $val "envAll" $ | include "helm-toolkit.manifests.ceph-storageclass" }}
+      {{- end }}
+    return: |
+      ---
+      apiVersion: storage.k8s.io/v1
+      kind: StorageClass
+      metadata:
+        annotations:
+          storageclass.kubernetes.io/is-default-class: "true"
+        name: general
+      provisioner: ceph.com/rbd
+      parameters:
+        monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+        adminId: admin
+        adminSecretName: pvc-ceph-conf-combined-storageclass
+        adminSecretNamespace: ceph
+        pool: rbd
+        userId: admin
+        userSecretName: pvc-ceph-client-key
+        image_format: "2"
+        image_features: layering
+      ---
+      apiVersion: storage.k8s.io/v1
+      kind: StorageClass
+      metadata:
+        name: cephfs
+      provisioner: ceph.com/cephfs
+      parameters:
+        monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+        adminId: admin
+        adminSecretName: pvc-ceph-cephfs-client-key
+        adminSecretNamespace: ceph
+*/}}
+
+{{- define "helm-toolkit.manifests.ceph-storageclass" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $monHost := $envAll.Values.conf.ceph.global.mon_host -}}
+{{- if empty $monHost -}}
+{{- $monHost = tuple "ceph_mon" "internal" "mon" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- end -}}
+{{- $storageclassData := index . "storageclass_data" -}}
+---
+{{- if $storageclassData.provision_storage_class }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+{{- if $storageclassData.metadata.default_storage_class }}
+  annotations:
+    storageclass.kubernetes.io/is-default-class: "true"
+{{- end }}
+  name: {{ $storageclassData.metadata.name }}
+provisioner: {{ $storageclassData.provisioner }}
+parameters:
+  monitors: {{ $monHost }}
+{{- range $attr, $value := $storageclassData.parameters }}
+  {{ $attr }}: {{ $value | quote }}
+{{- end }}
+allowVolumeExpansion: true
+
+{{- end }}
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_certificates.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_certificates.tpl
new file mode 100644
index 0000000..241e8b1
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_certificates.tpl
@@ -0,0 +1,160 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a certificate using jetstack
+examples:
+  - values: |
+      endpoints:
+        dashboard:
+          host_fqdn_override:
+            default:
+              host: null
+              tls:
+                secretName: keystone-tls-api
+                issuerRef:
+                  name: ca-issuer
+                  duration: 2160h
+                  organization:
+                    - ACME
+                  commonName: keystone-api.openstack.svc.cluster.local
+                  keySize: 2048
+                  usages:
+                    - server auth
+                    - client auth
+                  dnsNames:
+                    - cluster.local
+                  issuerRef:
+                    name: ca-issuer
+    usage: |
+      {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
+      {{ $opts | include "helm-toolkit.manifests.certificates" }}
+    return: |
+      ---
+      apiVersion: cert-manager.io/v1
+      kind: Certificate
+      metadata:
+        name: keystone-tls-api
+        namespace: NAMESPACE
+      spec:
+        commonName: keystone-api.openstack.svc.cluster.local
+        dnsNames:
+        - cluster.local
+        duration: 2160h
+        issuerRef:
+          name: ca-issuer
+        keySize: 2048
+        organization:
+        - ACME
+        secretName: keystone-tls-api
+        usages:
+        - server auth
+        - client auth
+
+  - values: |
+      cert_manager_version: v0.15.0
+      endpoints:
+        dashboard:
+          host_fqdn_override:
+            default:
+              host: null
+              tls:
+                secretName: keystone-tls-api
+                issuerRef:
+                  name: ca-issuer
+                  duration: 2160h
+                  organization:
+                    - ACME
+                  commonName: keystone-api.openstack.svc.cluster.local
+                  keySize: 2048
+                  usages:
+                    - server auth
+                    - client auth
+                  dnsNames:
+                    - cluster.local
+                  issuerRef:
+                    name: ca-issuer
+    usage: |
+      {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
+      {{ $opts | include "helm-toolkit.manifests.certificates" }}
+    return: |
+      ---
+      apiVersion: cert-manager.io/v1alpha3
+      kind: Certificate
+      metadata:
+        name: keystone-tls-api
+        namespace: NAMESPACE
+      spec:
+        commonName: keystone-api.openstack.svc.cluster.local
+        dnsNames:
+        - cluster.local
+        duration: 2160h
+        issuerRef:
+          name: ca-issuer
+        keySize: 2048
+        organization:
+        - ACME
+        secretName: keystone-tls-api
+        usages:
+        - server auth
+        - client auth
+*/}}
+
+{{- define "helm-toolkit.manifests.certificates" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $service := index . "service" -}}
+{{- $type := index . "type" | default "" -}}
+{{- $slice := index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" -}}
+{{/* Put in some sensible default value if one is not provided by values.yaml */}}
+{{/* If a dnsNames list is not in the values.yaml, it can be overridden by a passed-in parameter.
+  This allows user to use other HTK method to determine the URI and pass that into this method.*/}}
+{{- if not (hasKey $slice "dnsNames") -}}
+{{- $hostName := tuple $service $type $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
+{{- $_ := $dnsNames | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "dnsNames" -}}
+{{- end -}}
+{{/* Default keySize to 4096. This can be overridden. */}}
+{{- if not (hasKey $slice "keySize") -}}
+{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "keySize" -}}
+{{- end -}}
+{{/* Default keySize to 3 months. Note the min is 720h. This can be overridden. */}}
+{{- if not (hasKey $slice "duration") -}}
+{{- $_ := printf "%s" "2190h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "duration" -}}
+{{- end -}}
+{{/* Default renewBefore to 15 days. This can be overridden. */}}
+{{- if not (hasKey $slice "renewBefore") -}}
+{{- $_ := printf "%s" "360h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "renewBefore" -}}
+{{- end -}}
+{{/* Default the usage to server auth and client auth. This can be overridden. */}}
+{{- if not (hasKey $slice "usages") -}}
+{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}}
+{{- end -}}
+{{- $cert_manager_version := "v1.0.0" -}}
+{{- if $envAll.Values.cert_manager_version -}}
+{{- $cert_manager_version = $envAll.Values.cert_manager_version -}}
+{{- end -}}
+---
+{{- if semverCompare "< v1.0.0"  $cert_manager_version }}
+apiVersion: cert-manager.io/v1alpha3
+{{- else }}
+apiVersion: cert-manager.io/v1
+{{- end }}
+kind: Certificate
+metadata:
+  name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }}
+  namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{ $slice | toYaml | indent 2 }}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_ingress.tpl
new file mode 100644
index 0000000..2d62a17
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -0,0 +1,657 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a services ingress rules.
+examples:
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public: barbican
+          host_fqdn_override:
+            default: null
+            public:
+              host: barbican.openstackhelm.example
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1beta1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  backend:
+                    serviceName: barbican-api
+                    servicePort: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  backend:
+                    serviceName: barbican-api
+                    servicePort: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  backend:
+                    serviceName: barbican-api
+                    servicePort: b-api
+      ---
+      apiVersion: networking.k8s.io/v1beta1
+      kind: Ingress
+      metadata:
+        name: barbican-namespace-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican.openstackhelm.example
+        rules:
+          - host: barbican.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  backend:
+                    serviceName: barbican-api
+                    servicePort: b-api
+      ---
+      apiVersion: networking.k8s.io/v1beta1
+      kind: Ingress
+      metadata:
+        name: barbican-cluster-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx-cluster"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican.openstackhelm.example
+        rules:
+          - host: barbican.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  backend:
+                    serviceName: barbican-api
+                    servicePort: b-api
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1beta1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  backend:
+                    serviceName: barbican-api
+                    servicePort: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  backend:
+                    serviceName: barbican-api
+                    servicePort: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  backend:
+                    serviceName: barbican-api
+                    servicePort: b-api
+  - values: |
+      cert_issuer_type: issuer
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/secure-backends: "true"
+              nginx.ingress.kubernetes.io/backend-protocol: "https"
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+              internal: barbican-tls-api
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+          certs:
+            barbican_tls_api:
+              secretName: barbican-tls-api
+              issuerRef:
+                name: ca-issuer
+                kind: Issuer
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1beta1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          cert-manager.io/issuer: ca-issuer
+          certmanager.k8s.io/issuer: ca-issuer
+          nginx.ingress.kubernetes.io/backend-protocol: https
+          nginx.ingress.kubernetes.io/secure-backends: "true"
+      spec:
+        tls:
+          - secretName: barbican-tls-public-certmanager
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  backend:
+                    serviceName: barbican-api
+                    servicePort: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  backend:
+                    serviceName: barbican-api
+                    servicePort: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  backend:
+                    serviceName: barbican-api
+                    servicePort: b-api
+
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/secure-backends: "true"
+              nginx.ingress.kubernetes.io/backend-protocol: "https"
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+              internal: barbican-tls-api
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+          certs:
+            barbican_tls_api:
+              secretName: barbican-tls-api
+              issuerRef:
+                name: ca-issuer
+                kind: ClusterIssuer
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer") -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1beta1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          cert-manager.io/cluster-issuer: ca-issuer
+          certmanager.k8s.io/cluster-issuer: ca-issuer
+          nginx.ingress.kubernetes.io/backend-protocol: https
+          nginx.ingress.kubernetes.io/secure-backends: "true"
+      spec:
+        tls:
+          - secretName: barbican-tls-public-certmanager
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  backend:
+                    serviceName: barbican-api
+                    servicePort: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  backend:
+                    serviceName: barbican-api
+                    servicePort: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  backend:
+                    serviceName: barbican-api
+                    servicePort: b-api
+  # Sample usage for multiple DNS names associated with the same public
+  # endpoint and certificate
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        grafana:
+          name: grafana
+          hosts:
+            default: grafana-dashboard
+            public: grafana
+          host_fqdn_override:
+            public:
+              host: grafana.openstackhelm.example
+              tls:
+                dnsNames:
+                  - grafana-alt.openstackhelm.example
+                crt: "BASE64 ENCODED CERT"
+                key: "BASE64 ENCODED KEY"
+      network:
+        grafana:
+          ingress:
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          grafana:
+            grafana:
+              public: grafana-tls-public
+    usage: |
+      {{- $ingressOpts := dict "envAll" . "backendService" "grafana" "backendServiceType" "grafana" "backendPort" "dashboard" -}}
+      {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1beta1
+      kind: Ingress
+      metadata:
+        name: grafana
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        rules:
+          - host: grafana
+            http:
+              paths:
+                - path: /
+                  backend:
+                    serviceName: grafana-dashboard
+                    servicePort: dashboard
+          - host: grafana.default
+            http:
+              paths:
+                - path: /
+                  backend:
+                    serviceName: grafana-dashboard
+                    servicePort: dashboard
+          - host: grafana.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  backend:
+                    serviceName: grafana-dashboard
+                    servicePort: dashboard
+      ---
+      apiVersion: networking.k8s.io/v1beta1
+      kind: Ingress
+      metadata:
+        name: grafana-namespace-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: grafana-tls-public
+            hosts:
+              - grafana.openstackhelm.example
+              - grafana-alt.openstackhelm.example
+        rules:
+          - host: grafana.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  backend:
+                    serviceName: grafana-dashboard
+                    servicePort: dashboard
+          - host: grafana-alt.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  backend:
+                    serviceName: grafana-dashboard
+                    servicePort: dashboard
+      ---
+      apiVersion: networking.k8s.io/v1beta1
+      kind: Ingress
+      metadata:
+        name: grafana-cluster-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx-cluster"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: grafana-tls-public
+            hosts:
+              - grafana.openstackhelm.example
+              - grafana-alt.openstackhelm.example
+        rules:
+          - host: grafana.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  backend:
+                    serviceName: grafana-dashboard
+                    servicePort: dashboard
+          - host: grafana-alt.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  backend:
+                    serviceName: grafana-dashboard
+                    servicePort: dashboard
+
+*/}}
+
+{{- define "helm-toolkit.manifests.ingress._host_rules" -}}
+{{- $vHost := index . "vHost" -}}
+{{- $backendName := index . "backendName" -}}
+{{- $backendPort := index . "backendPort" -}}
+- host: {{ $vHost }}
+  http:
+    paths:
+      - path: /
+        backend:
+          serviceName: {{ $backendName }}
+          servicePort: {{ $backendPort }}
+{{- end }}
+
+{{- define "helm-toolkit.manifests.ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendService := index . "backendService" | default "api" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+{{- $backendPort := index . "backendPort" -}}
+{{- $endpoint := index . "endpoint" | default "public" -}}
+{{- $certIssuer := index . "certIssuer" | default "" -}}
+{{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostNameFull := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $certIssuerType := "cluster-issuer" -}}
+{{- if $envAll.Values.cert_issuer_type }}
+{{- $certIssuerType = $envAll.Values.cert_issuer_type }}
+{{- end }}
+---
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+  name: {{ $ingressName }}
+  annotations:
+    kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" "namespace" | quote }}
+{{- if $certIssuer }}
+    cert-manager.io/{{ $certIssuerType }}: {{ $certIssuer }}
+    certmanager.k8s.io/{{ $certIssuerType }}: {{ $certIssuer }}
+{{- $slice := index $envAll.Values.endpoints $backendServiceType "host_fqdn_override" "default" "tls" -}}
+{{- if (hasKey $slice "duration") }}
+    cert-manager.io/duration: {{ index $slice "duration" }}
+{{- end }}
+{{- end }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "hosts" }}
+{{- if $certIssuer }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ printf "%s-ing" $secretName }}
+      hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+        - {{ $vHost }}
+{{- end }}
+{{- else }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ $secretName }}
+      hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+        - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+  rules:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+{{- $hostRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
+{{- range $key2, $ingressController := tuple "namespace" "cluster" }}
+{{- $vHosts := list $hostNameFull }}
+---
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+  name: {{ printf "%s-%s-%s" $ingressName $ingressController "fqdn" }}
+  annotations:
+    kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" $ingressController | quote }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
+{{- $vHosts = append $vHosts $v }}
+{{- end }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ $secretName }}
+      hosts:
+{{- range $vHost := $vHosts }}
+        - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+  rules:
+{{- range $vHost := $vHosts }}
+{{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
new file mode 100644
index 0000000..6bd0898
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
@@ -0,0 +1,131 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $bootstrapJob := dict "envAll" . "serviceName" "senlin" -}
+# { $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }
+
+{{- define "helm-toolkit.manifests.job_bootstrap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}}
+{{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $keystoneUser := index . "keystoneUser" | default $serviceName -}}
+{{- $openrc := index . "openrc" | default "true" -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "bootstrap" }}
+{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "bootstrap" | quote }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+      initContainers:
+{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+      containers:
+        - name: bootstrap
+          image: {{ $envAll.Values.images.tags.bootstrap }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if eq $openrc "true" }}
+          env:
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+{{- end }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/bootstrap.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: bootstrap-sh
+              mountPath: /tmp/bootstrap.sh
+              subPath: bootstrap.sh
+              readOnly: true
+            - name: etc-service
+              mountPath: {{ dir $configFile | quote }}
+            - name: bootstrap-conf
+              mountPath: {{ $configFile | quote }}
+              subPath: {{ base $configFile | quote }}
+              readOnly: true
+            - name: bootstrap-conf
+              mountPath: {{ $logConfigFile | quote }}
+              subPath: {{ base $logConfigFile | quote }}
+              readOnly: true
+{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: bootstrap-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etc-service
+          emptyDir: {}
+        - name: bootstrap-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
new file mode 100644
index 0000000..cfd64ff
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
@@ -0,0 +1,160 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToDropJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_drop_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToDrop := index . "dbToDrop" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToDrop := default (list $dbToDrop) (index . "dbsToDrop") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
+{{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-drop" | quote }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": hook-succeeded
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+      initContainers:
+{{ tuple $envAll "db_drop" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{ $dbToDropType := default "oslo" $dbToDrop.inputType }}
+        - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-drop" $key1 | quote }}
+          image: {{ $envAll.Values.images.tags.db_drop }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_drop | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: ROOT_DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToDrop.adminSecret | quote }}
+                  key: DB_CONNECTION
+{{- if eq $dbToDropType "oslo" }}
+            - name: OPENSTACK_CONFIG_FILE
+              value: {{ $dbToDrop.configFile | quote }}
+            - name: OPENSTACK_CONFIG_DB_SECTION
+              value: {{ $dbToDrop.configDbSection | quote }}
+            - name: OPENSTACK_CONFIG_DB_KEY
+              value: {{ $dbToDrop.configDbKey | quote }}
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+            - name: MARIADB_X509
+              value: "REQUIRE X509"
+{{- end }}
+{{- if eq $dbToDropType "secret" }}
+            - name: DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToDrop.userSecret | quote }}
+                  key: DB_CONNECTION
+{{- end }}
+          command:
+            - /tmp/db-drop.py
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-drop-sh
+              mountPath: /tmp/db-drop.py
+              subPath: db-drop.py
+              readOnly: true
+
+{{- if eq $dbToDropType "oslo" }}
+            - name: etc-service
+              mountPath: {{ dir $dbToDrop.configFile | quote }}
+            - name: db-drop-conf
+              mountPath: {{ $dbToDrop.configFile | quote }}
+              subPath: {{ base $dbToDrop.configFile | quote }}
+              readOnly: true
+            - name: db-drop-conf
+              mountPath: {{ $dbToDrop.logConfigFile | quote }}
+              subPath: {{ base $dbToDrop.logConfigFile | quote }}
+              readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-drop-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{- $dbToDropType := default "oslo" $dbToDrop.inputType }}
+{{- if and (eq $dbToDropType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-drop-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
new file mode 100644
index 0000000..4463397
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
@@ -0,0 +1,159 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToInitJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_init_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToInit := index . "dbToInit" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToInit := default (list $dbToInit) (index . "dbsToInit") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
+{{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-init" | quote }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+      initContainers:
+{{ tuple $envAll "db_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{ $dbToInitType := default "oslo" $dbToInit.inputType }}
+        - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-init" $key1 | quote }}
+          image: {{ $envAll.Values.images.tags.db_init }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: ROOT_DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToInit.adminSecret | quote }}
+                  key: DB_CONNECTION
+{{- if eq $dbToInitType "oslo" }}
+            - name: OPENSTACK_CONFIG_FILE
+              value: {{ $dbToInit.configFile | quote }}
+            - name: OPENSTACK_CONFIG_DB_SECTION
+              value: {{ $dbToInit.configDbSection | quote }}
+            - name: OPENSTACK_CONFIG_DB_KEY
+              value: {{ $dbToInit.configDbKey | quote }}
+{{- end }}
+{{- if eq $dbToInitType "secret" }}
+            - name: DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToInit.userSecret | quote }}
+                  key: DB_CONNECTION
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+            - name: MARIADB_X509
+              value: "REQUIRE X509"
+{{- end }}
+          command:
+            - /tmp/db-init.py
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-init-sh
+              mountPath: /tmp/db-init.py
+              subPath: db-init.py
+              readOnly: true
+{{- if eq $dbToInitType "oslo" }}
+            - name: etc-service
+              mountPath: {{ dir $dbToInit.configFile | quote }}
+            - name: db-init-conf
+              mountPath: {{ $dbToInit.configFile | quote }}
+              subPath: {{ base $dbToInit.configFile | quote }}
+              readOnly: true
+            - name: db-init-conf
+              mountPath: {{ $dbToInit.logConfigFile | quote }}
+              subPath: {{ base $dbToInit.logConfigFile | quote }}
+              readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-init-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{- $dbToInitType := default "oslo" $dbToInit.inputType }}
+{{- if and (eq $dbToInitType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-init-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
new file mode 100644
index 0000000..979211d
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
@@ -0,0 +1,127 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db migration and management.
+# It can be used in charts dict created similar to the following:
+# {- $dbSyncJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }
+
+{{- define "helm-toolkit.manifests.job_db_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $podEnvVars := index . "podEnvVars" | default false -}}
+{{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "image" ( index $envAll.Values.images.tags ( printf "%s_db_sync" $serviceName )) ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
+{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+      initContainers:
+{{ tuple $envAll "db_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+          image: {{ $dbToSync.image | quote }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if $podEnvVars }}
+          env:
+{{ $podEnvVars | toYaml | indent 12 }}
+{{- end }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/db-sync.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-sync-sh
+              mountPath: /tmp/db-sync.sh
+              subPath: db-sync.sh
+              readOnly: true
+            - name: etc-service
+              mountPath: {{ dir $dbToSync.configFile | quote }}
+            - name: db-sync-conf
+              mountPath: {{ $dbToSync.configFile | quote }}
+              subPath: {{ base $dbToSync.configFile | quote }}
+              readOnly: true
+            - name: db-sync-conf
+              mountPath: {{ $dbToSync.logConfigFile | quote }}
+              subPath: {{ base $dbToSync.logConfigFile | quote }}
+              readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-sync-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-sync-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
new file mode 100644
index 0000000..6df37b6
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
@@ -0,0 +1,120 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksEndpointJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksEndpointJob | include "helm-toolkit.manifests.job_ks_endpoints" }
+
+{{- define "helm-toolkit.manifests.job_ks_endpoints" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_endpoints" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_endpoints.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-endpoints" }}
+{{ tuple $envAll "ks_endpoints" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "ks-endpoints" | quote }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: {{ $restartPolicy }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+      initContainers:
+{{ tuple $envAll "ks_endpoints" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+        - name: {{ printf "%s-%s-%s" $osServiceType "ks-endpoints" $osServiceEndPoint | quote }}
+          image: {{ $envAll.Values.images.tags.ks_endpoints }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-endpoints.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-endpoints-sh
+              mountPath: /tmp/ks-endpoints.sh
+              subPath: ks-endpoints.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: OS_SVC_ENDPOINT
+              value: {{ $osServiceEndPoint | quote }}
+            - name: OS_SERVICE_NAME
+              value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+            - name: OS_SERVICE_TYPE
+              value: {{ $osServiceType | quote }}
+            - name: OS_SERVICE_ENDPOINT
+              value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-endpoints-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
new file mode 100644
index 0000000..ca9f6c3
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
@@ -0,0 +1,114 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksServiceJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }
+
+{{- define "helm-toolkit.manifests.job_ks_service" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_service" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_service.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-service" }}
+{{ tuple $envAll "ks_service" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "ks-service" | quote }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: {{ $restartPolicy }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+      initContainers:
+{{ tuple $envAll "ks_service" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+        - name: {{ printf "%s-%s" $osServiceType "ks-service-registration" | quote }}
+          image: {{ $envAll.Values.images.tags.ks_service }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-service.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-service-sh
+              mountPath: /tmp/ks-service.sh
+              subPath: ks-service.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: OS_SERVICE_NAME
+              value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+            - name: OS_SERVICE_TYPE
+              value: {{ $osServiceType | quote }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-service-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
new file mode 100644
index 0000000..42f2370
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@@ -0,0 +1,120 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone user management.
+# It can be used in charts dict created similar to the following:
+# {- $ksUserJob := dict "envAll" . "serviceName" "senlin" }
+# { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }
+
+{{- define "helm-toolkit.manifests.job_ks_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_user" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_user.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "ks-user" }}
+{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceUserPretty "ks-user" | quote }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: {{ $restartPolicy }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+      initContainers:
+{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: ks-user
+          image: {{ $envAll.Values.images.tags.ks_user }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-user.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-user-sh
+              mountPath: /tmp/ks-user.sh
+              subPath: ks-user.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: SERVICE_OS_SERVICE_NAME
+              value: {{ $serviceName | quote }}
+{{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: SERVICE_OS_ROLES
+            {{- $serviceOsRoles := index $envAll.Values.endpoints.identity.auth $serviceUser "role" }}
+            {{- if kindIs "slice" $serviceOsRoles }}
+              value: {{ include "helm-toolkit.utils.joinListWithComma" $serviceOsRoles | quote }}
+            {{- else }}
+              value: {{ $serviceOsRoles | quote }}
+            {{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-user-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
new file mode 100644
index 0000000..5574032
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
@@ -0,0 +1,119 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.manifests.job_rabbit_init" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
+{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceUserPretty "rabbit-init" | quote }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+      initContainers:
+{{ tuple $envAll "rabbit_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: rabbit-init
+          image: {{ $envAll.Values.images.tags.rabbit_init | quote }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.rabbit_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/rabbit-init.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: rabbit-init-sh
+              mountPath: /tmp/rabbit-init.sh
+              subPath: rabbit-init.sh
+              readOnly: true
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+          env:
+          - name: RABBITMQ_ADMIN_CONNECTION
+            valueFrom:
+              secretKeyRef:
+                name: {{ $envAll.Values.secrets.oslo_messaging.admin }}
+                key: RABBITMQ_CONNECTION
+          - name: RABBITMQ_USER_CONNECTION
+            valueFrom:
+              secretKeyRef:
+                name: {{ index $envAll.Values.secrets.oslo_messaging $serviceName }}
+                key: RABBITMQ_CONNECTION
+{{- if $envAll.Values.conf.rabbitmq }}
+          - name: RABBITMQ_AUXILIARY_CONFIGURATION
+            value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+          - name: RABBITMQ_X509
+            value: "REQUIRE X509"
+          - name: USER_CERT_PATH
+            value: {{ $tlsPath | quote }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: rabbit-init-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
new file mode 100644
index 0000000..bea6876
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
@@ -0,0 +1,137 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for linking an s3 bucket to an s3 user.
+# It can be used in charts dict created similar to the following:
+# {- $s3BucketJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3BucketJob | include "helm-toolkit.manifests.job_s3_bucket" }
+
+{{- define "helm-toolkit.manifests.job_s3_bucket" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+{{- $s3Bucket := index . "s3Bucket" | default $serviceName }}
+{{- $tlsCertificateSecret := index . "tlsCertificateSecret" -}}
+{{- $tlsCertificatePath := index . "tlsCertificatePath" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-bucket" }}
+{{ tuple $envAll "s3_bucket" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "s3-bucket" | quote }}
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+      initContainers:
+{{ tuple $envAll "s3_bucket" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: s3-bucket
+          image: {{ $envAll.Values.images.tags.s3_bucket }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_bucket | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/create-s3-bucket.sh
+          env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: s3-bucket-sh
+              mountPath: /tmp/create-s3-bucket.sh
+              subPath: create-s3-bucket.sh
+              readOnly: true
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: ceph.conf
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+            - name: {{ $tlsCertificateSecret }}
+              mountPath: {{ $tlsCertificatePath }}
+              subPath: ca.crt
+              readOnly: true
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: s3-bucket-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etcceph
+          emptyDir: {}
+        - name: ceph-etc
+          configMap:
+            name: {{ $configMapCeph | quote }}
+            defaultMode: 0444
+        {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+        - name: ceph-keyring
+          secret:
+            secretName: pvc-ceph-client-key
+        {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+        - name: {{ $tlsCertificateSecret }}
+          secret:
+            secretName: {{ $tlsCertificateSecret }}
+            defaultMode: 292
+{{- end }}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
new file mode 100644
index 0000000..36af63f
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
@@ -0,0 +1,149 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for s3 user management.
+# It can be used in charts dict created similar to the following:
+# {- $s3UserJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3UserJob | include "helm-toolkit.manifests.job_s3_user" }
+
+{{- define "helm-toolkit.manifests.job_s3_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-user" }}
+{{ tuple $envAll "s3_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "s3-user" | quote }}
+  annotations:
+    "helm.sh/hook-delete-policy": before-hook-creation
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+      initContainers:
+{{ tuple $envAll "s3_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: ceph-keyring-placement
+          image: {{ $envAll.Values.images.tags.ceph_key_placement }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+          command:
+            - /tmp/ceph-admin-keyring.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-keyring-sh
+              mountPath: /tmp/ceph-admin-keyring.sh
+              subPath: ceph-admin-keyring.sh
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+      containers:
+        - name: s3-user
+          image: {{ $envAll.Values.images.tags.s3_user }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/create-s3-user.sh
+          env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+            - name: RGW_HOST
+              value: {{ tuple "ceph_object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: create-s3-user-sh
+              mountPath: /tmp/create-s3-user.sh
+              subPath: create-s3-user.sh
+              readOnly: true
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: ceph.conf
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: create-s3-user-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: ceph-keyring-sh
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+        - name: etcceph
+          emptyDir: {}
+        - name: ceph-etc
+          configMap:
+            name: {{ $configMapCeph | quote }}
+            defaultMode: 0444
+        {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+        - name: ceph-keyring
+          secret:
+            secretName: pvc-ceph-client-key
+        {{ end }}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
new file mode 100644
index 0000000..2e67006
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
@@ -0,0 +1,109 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for the image repo sync jobs.
+# It can be used in charts dict created similar to the following:
+# {- $imageRepoSyncJob := dict "envAll" . "serviceName" "prometheus" -}
+# { $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }
+
+{{- define "helm-toolkit.manifests.job_image_repo_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "image-repo-sync" }}
+{{ tuple $envAll "image_repo_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "image-repo-sync" | quote }}
+  annotations:
+    "helm.sh/hook-delete-policy": before-hook-creation
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+      initContainers:
+{{ tuple $envAll "image_repo_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+      containers:
+        - name: image-repo-sync
+{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: LOCAL_REPO
+              value: "{{ tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+            - name: IMAGE_SYNC_LIST
+              value: "{{ include "helm-toolkit.utils.image_sync_list" $envAll }}"
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/image-repo-sync.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: bootstrap-sh
+              mountPath: /tmp/image-repo-sync.sh
+              subPath: image-repo-sync.sh
+              readOnly: true
+            - name: docker-socket
+              mountPath: /var/run/docker.sock
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: bootstrap-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: docker-socket
+          hostPath:
+            path: /var/run/docker.sock
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_network_policy.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_network_policy.tpl
new file mode 100644
index 0000000..405197a
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_network_policy.tpl
@@ -0,0 +1,238 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a network policy manifest for services.
+values: |
+  endpoints:
+    kube_dns:
+      namespace: kube-system
+      name: kubernetes-dns
+      hosts:
+        default: kube-dns
+      host_fqdn_override:
+        default: null
+      path:
+        default: null
+      scheme: http
+      port:
+        dns_tcp:
+          default: 53
+        dns:
+          default: 53
+          protocol: UDP
+  network_policy:
+    myLabel:
+      podSelector:
+        matchLabels:
+          component: api
+      ingress:
+      - from:
+        - podSelector:
+            matchLabels:
+              application: keystone
+        ports:
+        - protocol: TCP
+          port: 80
+      egress:
+      - to:
+        - namespaceSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+usage: |
+  {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+  {{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}
+return: |
+  ---
+  apiVersion: networking.k8s.io/v1
+  kind: NetworkPolicy
+  metadata:
+    name: RELEASE-NAME
+    namespace: NAMESPACE
+  spec:
+    policyTypes:
+      - Ingress
+      - Egress
+    podSelector:
+      matchLabels:
+        application: myLabel
+        component: api
+    ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            application: keystone
+      ports:
+      - protocol: TCP
+        port: 80
+    egress:
+      - to:
+        - podSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+  ---
+  apiVersion: networking.k8s.io/v1
+  kind: NetworkPolicy
+  metadata:
+    name: RELEASE-NAME
+    namespace: NAMESPACE
+  spec:
+    policyTypes:
+      - Ingress
+      - Egress
+    podSelector:
+      matchLabels:
+        application: myApp
+        component: myComp
+    ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            application: keystone
+      ports:
+      - protocol: TCP
+        port: 80
+    egress:
+      - to:
+        - podSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+*/}}
+
+{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $name := index . "name" -}}
+{{- $labels := index . "labels" | default nil -}}
+{{- $label := index . "key" | default (index . "label") -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ $label | replace "_" "-" }}-netpol
+  namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+  policyTypes:
+{{- $is_egress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_egress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
+    - Egress
+{{ end -}}
+{{- $is_ingress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_ingress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
+    - Ingress
+{{ end -}}
+{{- end }}
+  podSelector:
+    matchLabels:
+{{- if empty $labels }}
+      {{ $name }}: {{ $label }}
+{{- else }}
+{{ range $k, $v := $labels }}
+      {{ $k }}: {{ $v }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
+{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
+{{ index $envAll.Values.network_policy $label "podSelector" "matchLabels" | toYaml | indent 6 }}
+{{ end }}
+{{ end }}
+{{ end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+  egress:
+{{- range $key, $value := $envAll.Values.endpoints }}
+{{- if kindIs "map" $value }}
+{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }}
+    - to:
+{{- if index $value "namespace" }}
+      - namespaceSelector:
+          matchLabels:
+            name: {{ index $value "namespace" }}
+{{- else if index $value "hosts" }}
+{{- $defaultValue := index $value "hosts" "internal" }}
+{{- if hasKey (index $value "hosts") "internal" }}
+{{- $a := split "-" $defaultValue }}
+      - podSelector:
+          matchLabels:
+            application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- else }}
+{{- $defaultValue := index $value "hosts" "default" }}
+{{- $a := split "-" $defaultValue }}
+      - podSelector:
+          matchLabels:
+            application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- end }}
+{{- end }}
+{{- if index $value "port" }}
+      ports:
+{{- range $k, $v := index $value "port" }}
+{{- if $k }}
+{{- range $pk, $pv := $v }}
+{{- if and $pv (ne $pk "protocol") }}
+      - port: {{ $pv }}
+        protocol: {{ $v.protocol | default "TCP" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if index $envAll.Values.network_policy $label "egress" }}
+{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if index $envAll.Values.network_policy $label "ingress" }}
+  ingress:
+{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
new file mode 100644
index 0000000..24a7045
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a services public tls secret
+examples:
+  - values: |
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        key_manager:
+          host_fqdn_override:
+            public:
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: barbican-tls-public
+    type: kubernetes.io/tls
+    data:
+      tls.key: Rk9PLUtFWQo=
+      tls.crt: Rk9PLUNSVAoKRk9PLUNBX0NSVAo=
+
+  - values: |
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        key_manager:
+          host_fqdn_override:
+            public:
+              tls:
+                crt: |
+                  FOO-CRT
+                  FOO-INTERMEDIATE_CRT
+                  FOO-CA_CRT
+                key: |
+                  FOO-KEY
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: barbican-tls-public
+    type: kubernetes.io/tls
+    data:
+      tls.key: Rk9PLUtFWQo=
+      tls.crt: Rk9PLUNSVApGT08tSU5URVJNRURJQVRFX0NSVApGT08tQ0FfQ1JUCg==
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_ingress_tls" }}
+{{- $envAll := index . "envAll" }}
+{{- $endpoint := index . "endpoint" | default "public" }}
+{{- $backendServiceType := index . "backendServiceType" }}
+{{- $backendService := index . "backendService" | default "api" }}
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and $endpointHost.tls.key $endpointHost.tls.crt }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ index $envAll.Values.secrets.tls ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+type: kubernetes.io/tls
+data:
+  tls.key: {{ $endpointHost.tls.key | b64enc }}
+{{- if $endpointHost.tls.ca }}
+  tls.crt: {{ list $endpointHost.tls.crt $endpointHost.tls.ca | join "\n" | b64enc }}
+{{- else }}
+  tls.crt: {{ $endpointHost.tls.crt | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_service-ingress.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
new file mode 100644
index 0000000..d2e7c0e
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
@@ -0,0 +1,43 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for a services ingress rules.
+# It can be used in charts dict created similar to the following:
+# {- $serviceIngressOpts := dict "envAll" . "backendServiceType" "key-manager" -}
+# { $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }
+
+{{- define "helm-toolkit.manifests.service_ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+  ports:
+    - name: http
+      port: 80
+    - name: https
+      port: 443
+  selector:
+    app: ingress-api
+{{- if index $envAll.Values.endpoints $backendServiceType }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" "ingress" }}
+  clusterIP: {{ (index $envAll.Values.endpoints $backendServiceType "ip" "ingress") }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
new file mode 100644
index 0000000..bf1465b
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_bucket" }}
+#!/bin/bash
+set -e
+CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST"
+if [ "$RGW_PROTO" = "http" ]; then
+  CONNECTION_ARGS+=" --no-ssl"
+else
+  CONNECTION_ARGS+=" --no-check-certificate"
+fi
+ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
+USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY"
+function check_rgw_s3_bucket () {
+  s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS ls s3://$S3_BUCKET
+}
+function create_rgw_s3_bucket () {
+  s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS mb s3://$S3_BUCKET
+}
+function modify_bucket_acl () {
+  s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME
+}
+check_rgw_s3_bucket || ( create_rgw_s3_bucket && modify_bucket_acl )
+{{- end }}
\ No newline at end of file
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
new file mode 100644
index 0000000..08796d2
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
@@ -0,0 +1,65 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_user" }}
+#!/bin/bash
+set -e
+function create_s3_user () {
+  echo "Creating s3 user and key pair"
+  radosgw-admin user create \
+    --uid=${S3_USERNAME} \
+    --display-name=${S3_USERNAME} \
+    --key-type=s3 \
+    --access-key ${S3_ACCESS_KEY} \
+    --secret-key ${S3_SECRET_KEY}
+}
+function update_s3_user () {
+  # Retrieve old access keys, if they exist
+  old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \
+    | jq -r '.keys[].access_key' || true)
+
+  if [[ ! -z ${old_access_keys} ]]; then
+    for access_key in $old_access_keys; do
+      # If current access key is the same as the key supplied, do nothing.
+      if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then
+        echo "Current user and key pair exists."
+        continue
+      else
+        # If keys differ, remove previous key
+        radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key
+      fi
+    done
+  fi
+
+  # Perform one more additional check to account for scenarios where multiple
+  # key pairs existed previously, but one existing key was the supplied key
+  current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \
+    | jq -r '.keys[].access_key' || true)
+
+  # If the supplied key does not exist, modify the user
+  if [[ -z ${current_access_key} ]]; then
+    # Modify user with new access and secret keys
+    echo "Updating existing user's key pair"
+    radosgw-admin user modify \
+      --uid=${S3_USERNAME}\
+      --access-key ${S3_ACCESS_KEY} \
+      --secret-key ${S3_SECRET_KEY}
+  fi
+}
+user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true)
+if [[ -z ${user_exists} ]]; then
+  create_s3_user
+else
+  update_s3_user
+fi
+{{- end }}
\ No newline at end of file
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
new file mode 100644
index 0000000..03884fa
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_drop" }}
+#!/usr/bin/env python
+
+# Drops db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+    import ConfigParser
+    PARSER_OPTS = {}
+except ImportError:
+    import configparser as ConfigParser
+    PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Drop')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+    db_connection = os.environ['ROOT_DB_CONNECTION']
+    logger.info('Got DB root connection')
+else:
+    logger.critical('environment variable ROOT_DB_CONNECTION not set')
+    sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+    ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+                        'key': '/etc/mysql/certs/tls.key',
+                        'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+    os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+    if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+        os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+        sys.exit(1)
+    if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+        os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+        sys.exit(1)
+    try:
+        config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+        logger.info("Using {0} as db config source".format(os_conf))
+        config.read(os_conf)
+        logger.info("Trying to load db config from {0}:{1}".format(
+            os_conf_section, os_conf_key))
+        user_db_conn = config.get(os_conf_section, os_conf_key)
+        logger.info("Got config from {0}".format(os_conf))
+    except:
+        logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+        raise
+elif "DB_CONNECTION" in os.environ:
+    user_db_conn = os.environ['DB_CONNECTION']
+    logger.info('Got config from DB_CONNECTION env var')
+else:
+    logger.critical('Could not get db config, either from config file or env var')
+    sys.exit(1)
+
+# Root DB engine
+try:
+    root_engine_full = create_engine(db_connection)
+    root_user = root_engine_full.url.username
+    root_password = root_engine_full.url.password
+    drivername = root_engine_full.url.drivername
+    host = root_engine_full.url.host
+    port = root_engine_full.url.port
+    root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+    root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+    connection = root_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+        host, port, root_user))
+except:
+    logger.critical('Could not connect to database as root user')
+    raise
+
+# User DB engine
+try:
+    user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+    # Get our user data out of the user_engine
+    database = user_engine.url.database
+    user = user_engine.url.username
+    password = user_engine.url.password
+    logger.info('Got user db config')
+except:
+    logger.critical('Could not get user database config')
+    raise
+
+# Delete DB
+try:
+    root_engine.execute("DROP DATABASE IF EXISTS {0}".format(database))
+    logger.info("Deleted database {0}".format(database))
+except:
+    logger.critical("Could not drop database {0}".format(database))
+    raise
+
+# Delete DB User
+try:
+    root_engine.execute("DROP USER IF EXISTS {0}".format(user))
+    logger.info("Deleted user {0}".format(user))
+except:
+    logger.critical("Could not delete user {0}".format(user))
+    raise
+
+logger.info('Finished DB Management')
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_db-init.py.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
new file mode 100644
index 0000000..4294d40
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_init" }}
+#!/usr/bin/env python
+
+# Creates db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+    import ConfigParser
+    PARSER_OPTS = {}
+except ImportError:
+    import configparser as ConfigParser
+    PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Init')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+    db_connection = os.environ['ROOT_DB_CONNECTION']
+    logger.info('Got DB root connection')
+else:
+    logger.critical('environment variable ROOT_DB_CONNECTION not set')
+    sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+    ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+                'key': '/etc/mysql/certs/tls.key',
+                'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+    os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+    if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+        os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+        sys.exit(1)
+    if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+        os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+        sys.exit(1)
+    try:
+        config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+        logger.info("Using {0} as db config source".format(os_conf))
+        config.read(os_conf)
+        logger.info("Trying to load db config from {0}:{1}".format(
+            os_conf_section, os_conf_key))
+        user_db_conn = config.get(os_conf_section, os_conf_key)
+        logger.info("Got config from {0}".format(os_conf))
+    except:
+        logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+        raise
+elif "DB_CONNECTION" in os.environ:
+    user_db_conn = os.environ['DB_CONNECTION']
+    logger.info('Got config from DB_CONNECTION env var')
+else:
+    logger.critical('Could not get db config, either from config file or env var')
+    sys.exit(1)
+
+# Root DB engine
+try:
+    root_engine_full = create_engine(db_connection)
+    root_user = root_engine_full.url.username
+    root_password = root_engine_full.url.password
+    drivername = root_engine_full.url.drivername
+    host = root_engine_full.url.host
+    port = root_engine_full.url.port
+    root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+    root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+    connection = root_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+        host, port, root_user))
+except:
+    logger.critical('Could not connect to database as root user')
+    raise
+
+# User DB engine
+try:
+    user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+    # Get our user data out of the user_engine
+    database = user_engine.url.database
+    user = user_engine.url.username
+    password = user_engine.url.password
+    logger.info('Got user db config')
+except:
+    logger.critical('Could not get user database config')
+    raise
+
+# Create DB
+try:
+    root_engine.execute("CREATE DATABASE IF NOT EXISTS {0}".format(database))
+    logger.info("Created database {0}".format(database))
+except:
+    logger.critical("Could not create database {0}".format(database))
+    raise
+
+# Create DB User
+try:
+    root_engine.execute(
+        "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\' {3}".format(
+            database, user, password, mysql_x509))
+    logger.info("Created user {0} for {1}".format(user, database))
+except:
+    logger.critical("Could not create user {0} for {1}".format(user, database))
+    raise
+
+# Test connection
+try:
+    connection = user_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1}/{2} as {3}".format(
+        host, port, database, user))
+except:
+    logger.critical('Could not connect to database as user')
+    raise
+
+logger.info('Finished DB Management')
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
new file mode 100644
index 0000000..93cea25
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
@@ -0,0 +1,66 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "helm-toolkit.scripts.pg_db_init" }}
+#!/bin/bash
+set -ex
+
+if [[ ! -v DB_HOST ]]; then
+    echo "environment variable DB_HOST not set"
+    exit 1
+elif [[ ! -v DB_ADMIN_USER ]]; then
+    echo "environment variable DB_ADMIN_USER not set"
+    exit 1
+elif [[ ! -v PGPASSWORD ]]; then
+    echo "environment variable PGPASSWORD not set"
+    exit 1
+elif [[ ! -v DB_PORT ]]; then
+    echo "environment variable DB_PORT not set"
+    exit 1
+elif [[ ! -v USER_DB_USER ]]; then
+    echo "environment variable USER_DB_USER not set"
+    exit 1
+elif [[ ! -v USER_DB_PASS ]]; then
+    echo "environment variable USER_DB_PASS not set"
+    exit 1
+elif [[ ! -v USER_DB_NAME ]]; then
+    echo "environment variable USER_DB_NAME not set"
+    exit 1
+else
+    echo "Got DB connection info"
+fi
+
+pgsql_superuser_cmd () {
+  DB_COMMAND="$1"
+  if [[ ! -z $2 ]]; then
+      EXPORT PGDATABASE=$2
+  fi
+  /usr/bin/psql \
+  -h ${DB_HOST} \
+  -p ${DB_PORT} \
+  -U ${DB_ADMIN_USER} \
+  --command="${DB_COMMAND}"
+}
+
+#create db
+pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q "(1 row)" || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME"
+
+#create db user
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | grep -q "(1 row)" || \
+    pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';"
+
+#Set password everytime. This is required for cases when we would want password rotation to take effect and set the updated password for a user.
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} with password '$USER_DB_PASS'"
+
+#give permissions to user
+pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;"
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
new file mode 100644
index 0000000..e41abe3
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
@@ -0,0 +1,24 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.image_repo_sync" }}
+#!/bin/sh
+set -ex
+
+IFS=','; for IMAGE in ${IMAGE_SYNC_LIST}; do
+  docker pull ${IMAGE}
+  docker tag ${IMAGE} ${LOCAL_REPO}/${IMAGE}
+  docker push ${LOCAL_REPO}/${IMAGE}
+done
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
new file mode 100644
index 0000000..8755cd5
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
@@ -0,0 +1,72 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_domain_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Manage domain
+SERVICE_OS_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Service Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+    "${SERVICE_OS_DOMAIN_NAME}")
+
+# Display domain
+openstack domain show "${SERVICE_OS_DOMAIN_ID}"
+
+# Manage user
+SERVICE_OS_USERID=$(openstack user create --or-show --enable -f value -c id \
+    --domain="${SERVICE_OS_DOMAIN_ID}" \
+    --description "Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+    --password="${SERVICE_OS_PASSWORD}" \
+    "${SERVICE_OS_USERNAME}")
+
+# Manage user password (we do this to ensure the password is updated if required)
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${SERVICE_OS_USERID}"
+
+# Display user
+openstack user show "${SERVICE_OS_USERID}"
+
+# Manage role
+SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \
+    "${SERVICE_OS_ROLE}" || openstack role create -f value -c id \
+    "${SERVICE_OS_ROLE}" )
+
+# Manage user role assignment
+openstack role add \
+          --domain="${SERVICE_OS_DOMAIN_ID}" \
+          --user="${SERVICE_OS_USERID}" \
+          --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+          "${SERVICE_OS_ROLE_ID}"
+
+# Display user role assignment
+openstack role assignment list \
+          --role="${SERVICE_OS_ROLE_ID}" \
+          --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+          --user="${SERVICE_OS_USERID}"
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
new file mode 100644
index 0000000..e400bcd
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
@@ -0,0 +1,79 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_endpoints" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Get Service ID
+OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+                  grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+                    sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+# Get Endpoint ID if it exists
+OS_ENDPOINT_ID=$( openstack endpoint list  -f csv --quote none | \
+                  grep "^[a-z0-9]*,${OS_REGION_NAME},${OS_SERVICE_NAME},${OS_SERVICE_TYPE},True,${OS_SVC_ENDPOINT}," | \
+                  awk -F ',' '{ print $1 }' )
+
+# Making sure only a single endpoint exists for a service within a region
+if [ "$(echo $OS_ENDPOINT_ID | wc -w)" -gt "1" ]; then
+  echo "More than one endpoint found, cleaning up"
+  for ENDPOINT_ID in $OS_ENDPOINT_ID; do
+    openstack endpoint delete ${ENDPOINT_ID}
+  done
+  unset OS_ENDPOINT_ID
+fi
+
+# Determine if Endpoint needs updated
+if [[ ${OS_ENDPOINT_ID} ]]; then
+  OS_ENDPOINT_URL_CURRENT=$(openstack endpoint show ${OS_ENDPOINT_ID} -f value -c url)
+  if [ "${OS_ENDPOINT_URL_CURRENT}" == "${OS_SERVICE_ENDPOINT}" ]; then
+    echo "Endpoints Match: no action required"
+    OS_ENDPOINT_UPDATE="False"
+  else
+    echo "Endpoints Dont Match: removing existing entries"
+    openstack endpoint delete ${OS_ENDPOINT_ID}
+    OS_ENDPOINT_UPDATE="True"
+  fi
+else
+  OS_ENDPOINT_UPDATE="True"
+fi
+
+# Update Endpoint if required
+if [[ "${OS_ENDPOINT_UPDATE}" == "True" ]]; then
+  OS_ENDPOINT_ID=$( openstack endpoint create -f value -c id \
+    --region="${OS_REGION_NAME}" \
+    "${OS_SERVICE_ID}" \
+    ${OS_SVC_ENDPOINT} \
+    "${OS_SERVICE_ENDPOINT}" )
+fi
+
+# Display the Endpoint
+openstack endpoint show ${OS_ENDPOINT_ID}
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
new file mode 100644
index 0000000..8356b36
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_service" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Service boilerplate description
+OS_SERVICE_DESC="${OS_REGION_NAME}: ${OS_SERVICE_NAME} (${OS_SERVICE_TYPE}) service"
+
+# Get Service ID if it exists
+unset OS_SERVICE_ID
+
+# FIXME - There seems to be an issue once in a while where the
+# openstack service list fails and encounters an error message such as:
+#   Unable to establish connection to
+#   https://keystone-api.openstack.svc.cluster.local:5000/v3/auth/tokens:
+#   ('Connection aborted.', OSError("(104, 'ECONNRESET')",))
+# During an upgrade scenario, this would cause the OS_SERVICE_ID to be blank
+# and it would attempt to create a new service when it was not needed.
+# This duplciate service would sometimes be used by other services such as
+# Horizon and would give an 'Invalid Service Catalog' error.
+# This loop allows for a 'retry' of the openstack service list in an
+# attempt to get the service list as expected if it does ecounter an error.
+# This loop and recheck can be reverted once the underlying issue is addressed.
+
+# If OS_SERVICE_ID is blank then wait a few seconds to give it
+# additional time and try again
+for i in $(seq 3)
+do
+  OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+                   grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+                   sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+  # If the service was found, go ahead and exit successfully.
+  if [[ -n "${OS_SERVICE_ID}" ]]; then
+    exit 0
+  fi
+
+  sleep 2
+done
+
+# If we've reached this point and a Service ID was not found,
+# then create the service
+OS_SERVICE_ID=$(openstack service create -f value -c id \
+                --name="${OS_SERVICE_NAME}" \
+                --description "${OS_SERVICE_DESC}" \
+                --enable \
+                "${OS_SERVICE_TYPE}")
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
new file mode 100644
index 0000000..b45f798
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+shopt -s nocasematch
+
+if [[ "${SERVICE_OS_PROJECT_DOMAIN_NAME}" == "Default" ]]
+then
+  PROJECT_DOMAIN_ID="default"
+else
+  # Manage project domain
+  PROJECT_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
+    "${SERVICE_OS_PROJECT_DOMAIN_NAME}")
+fi
+
+if [[ "${SERVICE_OS_USER_DOMAIN_NAME}" == "Default" ]]
+then
+  USER_DOMAIN_ID="default"
+else
+  # Manage user domain
+  USER_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}" \
+    "${SERVICE_OS_USER_DOMAIN_NAME}")
+fi
+
+shopt -u nocasematch
+
+# Manage user project
+USER_PROJECT_DESC="Service Project for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+USER_PROJECT_ID=$(openstack project create --or-show --enable -f value -c id \
+    --domain="${PROJECT_DOMAIN_ID}" \
+    --description="${USER_PROJECT_DESC}" \
+    "${SERVICE_OS_PROJECT_NAME}");
+
+# Manage user
+USER_DESC="Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}/${SERVICE_OS_SERVICE_NAME}"
+USER_ID=$(openstack user create --or-show --enable -f value -c id \
+    --domain="${USER_DOMAIN_ID}" \
+    --project-domain="${PROJECT_DOMAIN_ID}" \
+    --project="${USER_PROJECT_ID}" \
+    --description="${USER_DESC}" \
+    "${SERVICE_OS_USERNAME}");
+
+# Manage user password (we do this in a seperate step to ensure the password is updated if required)
+set +x
+echo "Setting user password via: openstack user set --password=xxxxxxx ${USER_ID}"
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${USER_ID}"
+set -x
+
+function ks_assign_user_role () {
+  if [[ "$SERVICE_OS_ROLE" == "admin" ]]
+  then
+    USER_ROLE_ID="$SERVICE_OS_ROLE"
+  else
+    USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${SERVICE_OS_ROLE}");
+  fi
+
+  # Manage user role assignment
+  openstack role add \
+      --user="${USER_ID}" \
+      --user-domain="${USER_DOMAIN_ID}" \
+      --project-domain="${PROJECT_DOMAIN_ID}" \
+      --project="${USER_PROJECT_ID}" \
+      "${USER_ROLE_ID}"
+}
+
+# Manage user service role
+IFS=','
+for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
+  ks_assign_user_role
+done
+
+# Manage user member role
+: ${MEMBER_OS_ROLE:="member"}
+export USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
+    "${MEMBER_OS_ROLE}");
+ks_assign_user_role
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
new file mode 100644
index 0000000..87872d6
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -0,0 +1,106 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rabbit_init" }}
+#!/bin/bash
+set -e
+# Extract connection details
+RABBIT_HOSTNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $1}')
+RABBIT_PORT=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $2}')
+
+# Extract Admin User creadential
+RABBITMQ_ADMIN_USERNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $4}')
+RABBITMQ_ADMIN_PASSWORD=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $5}')
+
+# Extract User creadential
+RABBITMQ_USERNAME=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $4}')
+RABBITMQ_PASSWORD=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $5}')
+
+# Extract User vHost
+RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $3}')
+# Resolve vHost to / if no value is set
+RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
+
+function rabbitmqadmin_cli () {
+  if [ -n "$RABBITMQ_X509" ]
+  then
+    rabbitmqadmin \
+      --ssl \
+      --ssl-disable-hostname-verification \
+      --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
+      --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
+      --ssl-key-file="${USER_CERT_PATH}/tls.key" \
+      --host="${RABBIT_HOSTNAME}" \
+      --port="${RABBIT_PORT}" \
+      --username="${RABBITMQ_ADMIN_USERNAME}" \
+      --password="${RABBITMQ_ADMIN_PASSWORD}" \
+      ${@}
+  else
+    rabbitmqadmin \
+      --host="${RABBIT_HOSTNAME}" \
+      --port="${RABBIT_PORT}" \
+      --username="${RABBITMQ_ADMIN_USERNAME}" \
+      --password="${RABBITMQ_ADMIN_PASSWORD}" \
+      ${@}
+  fi
+}
+
+echo "Managing: User: ${RABBITMQ_USERNAME}"
+rabbitmqadmin_cli \
+  declare user \
+  name="${RABBITMQ_USERNAME}" \
+  password="${RABBITMQ_PASSWORD}" \
+  tags="user"
+
+if [ "${RABBITMQ_VHOST}" != "/" ]
+then
+  echo "Managing: vHost: ${RABBITMQ_VHOST}"
+  rabbitmqadmin_cli \
+    declare vhost \
+    name="${RABBITMQ_VHOST}"
+else
+  echo "Skipping root vHost declaration: vHost: ${RABBITMQ_VHOST}"
+fi
+
+echo "Managing: Permissions: ${RABBITMQ_USERNAME} on ${RABBITMQ_VHOST}"
+rabbitmqadmin_cli \
+  declare permission \
+  vhost="${RABBITMQ_VHOST}" \
+  user="${RABBITMQ_USERNAME}" \
+  configure=".*" \
+  write=".*" \
+  read=".*"
+
+if [ ! -z "$RABBITMQ_AUXILIARY_CONFIGURATION" ]
+then
+  echo "Applying additional configuration"
+  echo "${RABBITMQ_AUXILIARY_CONFIGURATION}" > /tmp/rmq_definitions.json
+  rabbitmqadmin_cli import /tmp/rmq_definitions.json
+fi
+
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
new file mode 100644
index 0000000..c08d320
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
@@ -0,0 +1,88 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rally_test" -}}
+#!/bin/bash
+set -ex
+{{- $rallyTests := index . 0 }}
+
+: "${RALLY_ENV_NAME:="openstack-helm"}"
+: "${OS_INTERFACE:="public"}"
+: "${RALLY_CLEANUP:="true"}"
+
+if [ "x$RALLY_CLEANUP" == "xtrue" ]; then
+  function rally_cleanup {
+    openstack user delete \
+        --domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
+        "${SERVICE_OS_USERNAME}"
+{{ $rallyTests.clean_up | default "" | indent 4 }}
+  }
+  trap rally_cleanup EXIT
+fi
+
+function create_or_update_db () {
+  revisionResults=$(rally db revision)
+  if [ $revisionResults = "None"  ]
+  then
+    rally db create
+  else
+    rally db upgrade
+  fi
+}
+
+create_or_update_db
+
+cat > /tmp/rally-config.json << EOF
+{
+    "openstack": {
+        "auth_url": "${OS_AUTH_URL}",
+        "region_name": "${OS_REGION_NAME}",
+        "endpoint_type": "${OS_INTERFACE}",
+        "admin": {
+            "username": "${OS_USERNAME}",
+            "password": "${OS_PASSWORD}",
+            "user_domain_name": "${OS_USER_DOMAIN_NAME}",
+            "project_name": "${OS_PROJECT_NAME}",
+            "project_domain_name": "${OS_PROJECT_DOMAIN_NAME}"
+        },
+        "users": [
+            {
+                "username": "${SERVICE_OS_USERNAME}",
+                "password": "${SERVICE_OS_PASSWORD}",
+                "project_name": "${SERVICE_OS_PROJECT_NAME}",
+                "user_domain_name": "${SERVICE_OS_USER_DOMAIN_NAME}",
+                "project_domain_name": "${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+            }
+        ],
+        "https_insecure": false,
+        "https_cacert": "${OS_CACERT}"
+    }
+}
+EOF
+rally deployment create --file /tmp/rally-config.json --name "${RALLY_ENV_NAME}"
+rm -f /tmp/rally-config.json
+rally deployment use "${RALLY_ENV_NAME}"
+rally deployment check
+{{- if $rallyTests.run_tempest }}
+rally verify create-verifier --name "${RALLY_ENV_NAME}-tempest" --type tempest
+SERVICE_TYPE="$(rally deployment check | grep "${RALLY_ENV_NAME}" | awk -F \| '{print $3}' | tr -d ' ' | tr -d '\n')"
+rally verify start --pattern "tempest.api.${SERVICE_TYPE}*"
+rally verify delete-verifier --id "${RALLY_ENV_NAME}-tempest" --force
+{{- end }}
+rally task validate /etc/rally/rally_tests.yaml
+rally task start /etc/rally/rally_tests.yaml
+rally task sla-check
+rally env cleanup
+rally deployment destroy --deployment "${RALLY_ENV_NAME}"
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
new file mode 100644
index 0000000..7c62bc4
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -0,0 +1,397 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.backup_main" }}
+#!/bin/bash
+
+# This file contains a database backup framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+#   source /tmp/backup_main.sh
+#
+# Then the script should call the main backup function (backup_databases):
+#   backup_databases [scope]
+#       [scope] is an optional parameter, defaulted to "all". If only one specific
+#               database is required to be backed up then this parameter will
+#               contain the name of the database; otherwise all are backed up.
+#
+#       The framework will require the following variables to be exported:
+#
+#         export DB_NAMESPACE          Namespace where the database(s) reside
+#         export DB_NAME               Name of the database system
+#         export LOCAL_DAYS_TO_KEEP    Number of days to keep the local backups
+#         export REMOTE_DAYS_TO_KEEP   Number of days to keep the remote backups
+#         export ARCHIVE_DIR           Local location where the backup tarballs should
+#                                      be stored. (full directory path)
+#         export BACK_UP_MODE          Determines the mode of backup taken.
+#         export REMOTE_BACKUP_ENABLED "true" if remote backup enabled; false
+#                                      otherwise
+#         export CONTAINER_NAME        Name of the container on the RGW to store
+#                                      the backup tarball.
+#         export STORAGE_POLICY        Name of the storage policy defined on the
+#                                      RGW which is intended to store backups.
+#         RGW access variables:
+#           export OS_REGION_NAME          Name of the region the RGW resides in
+#           export OS_AUTH_URL             Keystone URL associated with the RGW
+#           export OS_PROJECT_NAME         Name of the project associated with the
+#                                          keystone user
+#           export OS_USERNAME             Name of the keystone user
+#           export OS_PASSWORD             Password of the keystone user
+#           export OS_USER_DOMAIN_NAME     Keystone domain the project belongs to
+#           export OS_PROJECT_DOMAIN_NAME  Keystone domain the user belongs to
+#           export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+#       The following variables are optional:
+#         export RGW_TIMEOUT           Number of seconds to wait for the
+#                                      connection to the RGW to be available
+#                                      when sending a backup to the RGW. Default
+#                                      is 1800 (30 minutes).
+#
+# The database-specific functions that need to be implemented are:
+#   dump_databases_to_directory <directory> <err_logfile> [scope]
+#       where:
+#         <directory>   is the full directory path to dump the database files
+#                       into. This is a temporary directory for this backup only.
+#         <err_logfile> is the full directory path where error logs are to be
+#                       written by the application.
+#         [scope]       set to "all" if all databases are to be backed up; or
+#                       set to the name of a specific database to be backed up.
+#                       This optional parameter is defaulted to "all".
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to dump the database file(s) to the specified
+#       directory path. If this function completes successfully (returns 0), the
+#       framework will automatically tar/zip the files in that directory and
+#       name the tarball appropriately according to the proper conventions.
+#
+# The functions in this file will take care of:
+#   1) Calling "dump_databases_to_directory" and then compressing the files,
+#      naming the tarball properly, and then storing it locally at the specified
+#      local directory.
+#   2) Sending the tarball built to the remote gateway, to be stored in the
+#      container configured to store database backups.
+#   3) Removing local backup tarballs which are older than the number of days
+#      specified by the "LOCAL_DAYS_TO_KEEP" variable.
+#   4) Removing remote backup tarballs (from the remote gateway) which are older
+#      than the number of days specified by the "REMOTE_DAYS_TO_KEEP" variable.
+#
+
+# Note: not using set -e in this script because more elaborate error handling
+# is needed.
+set -x
+
+log_backup_error_exit() {
+  MSG=$1
+  ERRCODE=$2
+  log ERROR "${DB_NAME}_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+  rm -f $ERR_LOG_FILE
+  rm -rf $TMP_DIR
+  exit $ERRCODE
+}
+
+log() {
+  #Log message to a file or stdout
+  #TODO: This can be convert into mail alert of alert send to a monitoring system
+  #Params: $1 log level
+  #Params: $2 service
+  #Params: $3 message
+  #Params: $4 Destination
+  LEVEL=$1
+  SERVICE=$2
+  MSG=$3
+  DEST=$4
+  DATE=$(date +"%m-%d-%y %H:%M:%S")
+  if [[ -z "$DEST" ]]; then
+    echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}"
+  else
+    echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}" >>$DEST
+  fi
+}
+
+#Get the day delta since the archive file backup
+seconds_difference() {
+  ARCHIVE_DATE=$( date --date="$1" +%s )
+  if [[ $? -ne 0 ]]; then
+    SECOND_DELTA=0
+  fi
+  CURRENT_DATE=$( date +%s )
+  SECOND_DELTA=$(($CURRENT_DATE-$ARCHIVE_DATE))
+  if [[ "$SECOND_DELTA" -lt 0 ]]; then
+    SECOND_DELTA=0
+  fi
+  echo $SECOND_DELTA
+}
+
+# Send the specified tarball file at the specified filepath to the
+# remote gateway.
+send_to_remote_server() {
+  FILEPATH=$1
+  FILE=$2
+
+  # Grab the list of containers on the remote site
+  RESULT=$(openstack container list 2>&1)
+
+  if [[ $? -eq 0 ]]; then
+    echo $RESULT | grep $CONTAINER_NAME
+    if [[ $? -ne 0 ]]; then
+      # Find the swift URL from the keystone endpoint list
+      SWIFT_URL=$(openstack catalog show object-store -c endpoints | grep public | awk '{print $4}')
+
+      # Get a token from keystone
+      TOKEN=$(openstack token issue -f value -c id)
+
+      # Create the container
+      RES_FILE=$(mktemp -p /tmp)
+      curl -g -i -X PUT ${SWIFT_URL}/${CONTAINER_NAME} \
+           -H "X-Auth-Token: ${TOKEN}" \
+           -H "X-Storage-Policy: ${STORAGE_POLICY}" 2>&1 > $RES_FILE
+
+      if [[ $? -ne 0 || $(grep "HTTP" $RES_FILE | awk '{print $2}') -ge 400 ]]; then
+        log ERROR "${DB_NAME}_backup" "Error creating container ${CONTAINER_NAME}"
+        cat $RES_FILE
+        rm -f $RES_FILE
+        return 1
+      fi
+      rm -f $RES_FILE
+
+      swift stat $CONTAINER_NAME
+      if [[ $? -ne 0 ]]; then
+        log ERROR "${DB_NAME}_backup" "Error retrieving container ${CONTAINER_NAME} details after creation."
+        return 1
+      fi
+    fi
+  else
+    echo $RESULT | grep "HTTP 401"
+    if [[ $? -eq 0 ]]; then
+      log ERROR "${DB_NAME}_backup" "Access denied by keystone: ${RESULT}"
+      return 1
+    else
+      echo $RESULT | grep -E "ConnectionError|Failed to discover available identity versions|Service Unavailable"
+      if [[ $? -eq 0 ]]; then
+        log ERROR "${DB_NAME}_backup" "Could not reach the RGW: ${RESULT}"
+        # In this case, keystone or the site/node may be temporarily down.
+        # Return slightly different error code so the calling code can retry
+        return 2
+      else
+        log ERROR "${DB_NAME}_backup" "Could not get container list: ${RESULT}"
+        return 1
+      fi
+    fi
+  fi
+
+  # Create an object to store the file
+  openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE || log ERROR "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
+  openstack object show $CONTAINER_NAME $FILE
+  if [[ $? -ne 0 ]]; then
+    log ERROR "${DB_NAME}_backup" "Error retrieving container object $FILE after creation."
+    return 1
+  fi
+
+  log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
+  return 0
+}
+
+# This function attempts to store the built tarball to the remote gateway,
+# with built-in logic to handle error cases like:
+#   1) Network connectivity issues - retries for a specific amount of time
+#   2) Authorization errors - immediately logs an ERROR and returns
+store_backup_remotely() {
+  FILEPATH=$1
+  FILE=$2
+
+  # If the RGW_TIMEOUT has already been set, use that value, otherwise give it
+  # a default value.
+  if [[ -z $RGW_TIMEOUT ]]; then
+    RGW_TIMEOUT=1800
+  fi
+
+  ERROR_SEEN=false
+  DONE=false
+  TIMEOUT_EXP=$(( $(date +%s) + $RGW_TIMEOUT ))
+  while [[ $DONE == "false" ]]; do
+    # Store the new archive to the remote backup storage facility.
+    send_to_remote_server $FILEPATH $FILE
+
+    # Check if successful
+    if [[ $? -eq 0 ]]; then
+      log INFO "${DB_NAME}_backup" "Backup file ${FILE} successfully sent to RGW."
+      DONE=true
+    elif [[ $? -eq 2 ]]; then
+      # Temporary failure occurred. We need to retry if we have not timed out
+      log WARN "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to RGW due to connection issue."
+      DELTA=$(( TIMEOUT_EXP - $(date +%s) ))
+      if [[ $DELTA -lt 0 ]]; then
+        DONE=true
+        log ERROR "${DB_NAME}_backup" "Timed out waiting for RGW to become available."
+        ERROR_SEEN=true
+      else
+        log INFO "${DB_NAME}_backup" "Sleeping 30 seconds waiting for RGW to become available..."
+        sleep 30
+        log INFO "${DB_NAME}_backup" "Retrying..."
+      fi
+    else
+      log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW."
+      ERROR_SEEN=true
+      DONE=true
+    fi
+  done
+
+  if [[ $ERROR_SEEN == "true" ]]; then
+    log ERROR "${DB_NAME}_backup" "Errors encountered. Exiting."
+    return 1
+  fi
+  return 0
+}
+
+remove_old_local_archives() {
+  log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days"
+  if [[ -d $ARCHIVE_DIR ]]; then
+    for ARCHIVE_FILE in $(ls -1 $ARCHIVE_DIR/*.gz); do
+      ARCHIVE_DATE=$( echo $ARCHIVE_FILE | awk -F/ '{print $NF}' | cut -d'.' -f 4)
+      if [[ "$(seconds_difference $ARCHIVE_DATE)" -gt "$(($LOCAL_DAYS_TO_KEEP*86400))" ]]; then
+        log INFO "${DB_NAME}_backup" "Deleting file $ARCHIVE_FILE."
+        rm -rf $ARCHIVE_FILE
+        if [[ $? -ne 0 ]]; then
+          # Log error but don't exit so we can finish the script
+          # because at this point we haven't sent backup to RGW yet
+          log ERROR "${DB_NAME}_backup" "Cannot remove ${ARCHIVE_FILE}"
+        fi
+      else
+        log INFO "${DB_NAME}_backup" "Keeping file ${ARCHIVE_FILE}."
+      fi
+    done
+  fi
+}
+
+remove_old_remote_archives() {
+  log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days"
+  BACKUP_FILES=$(mktemp -p /tmp)
+  DB_BACKUP_FILES=$(mktemp -p /tmp)
+
+  openstack object list $CONTAINER_NAME > $BACKUP_FILES
+  if [[ $? -ne 0 ]]; then
+    log_backup_error_exit "Could not obtain a list of current backup files in the RGW" 1
+  fi
+
+  # Filter out other types of backup files
+  cat $BACKUP_FILES | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $DB_BACKUP_FILES
+
+  for ARCHIVE_FILE in $(cat $DB_BACKUP_FILES); do
+    ARCHIVE_DATE=$( echo $ARCHIVE_FILE | awk -F/ '{print $NF}' | cut -d'.' -f 4)
+    if [[ "$(seconds_difference ${ARCHIVE_DATE})" -gt "$((${REMOTE_DAYS_TO_KEEP}*86400))" ]]; then
+      log INFO "${DB_NAME}_backup" "Deleting file ${ARCHIVE_FILE} from the RGW"
+      openstack object delete $CONTAINER_NAME $ARCHIVE_FILE || log_backup_error_exit "Cannot delete container object ${ARCHIVE_FILE}!" 1
+    fi
+  done
+
+  # Cleanup now that we're done.
+  rm -f $BACKUP_FILES $DB_BACKUP_FILES
+}
+
+# Main function to backup the databases. Calling functions need to supply:
+#  1) The directory where the final backup will be kept after it is compressed.
+#  2) A temporary directory to use for placing database files to be compressed.
+#     Note: this temp directory will be deleted after backup is done.
+#  3) Optional "scope" parameter indicating what database to back up. Defaults
+#     to "all".
+backup_databases() {
+  SCOPE=${1:-"all"}
+
+  # Create necessary directories if they do not exist.
+  mkdir -p $ARCHIVE_DIR || log_backup_error_exit "Cannot create directory ${ARCHIVE_DIR}!"
+  export TMP_DIR=$(mktemp -d) || log_backup_error_exit "Cannot create temp directory!"
+
+  # Create temporary log file
+  export ERR_LOG_FILE=$(mktemp -p /tmp) || log_backup_error_exit "Cannot create log file!"
+
+  # It is expected that this function will dump the database files to the $TMP_DIR
+  dump_databases_to_directory $TMP_DIR $ERR_LOG_FILE $SCOPE
+
+  # If successful, there should be at least one file in the TMP_DIR
+  if [[ $? -ne 0 || $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+    cat $ERR_LOG_FILE
+    log_backup_error_exit "Backup of the ${DB_NAME} database failed and needs attention."
+  fi
+
+  log INFO "${DB_NAME}_backup" "Databases dumped successfully. Creating tarball..."
+
+  NOW=$(date +"%Y-%m-%dT%H:%M:%SZ")
+  if [[ -z "${BACK_UP_MODE}" ]]; then
+    TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${NOW}.tar.gz"
+  else
+    TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${BACK_UP_MODE}.${NOW}.tar.gz"
+  fi
+
+  cd $TMP_DIR || log_backup_error_exit "Cannot change to directory $TMP_DIR"
+
+  #Archive the current database files
+  tar zcvf $ARCHIVE_DIR/$TARBALL_FILE *
+  if [[ $? -ne 0 ]]; then
+    log_backup_error_exit "Backup tarball could not be created."
+  fi
+
+  # Get the size of the file
+  ARCHIVE_SIZE=$(ls -l $ARCHIVE_DIR/$TARBALL_FILE | awk '{print $5}')
+
+  log INFO "${DB_NAME}_backup" "Tarball $TARBALL_FILE created successfully."
+
+  cd $ARCHIVE_DIR
+
+  # Remove the temporary directory and files as they are no longer needed.
+  rm -rf $TMP_DIR
+  rm -f $ERR_LOG_FILE
+
+  #Only delete the old archive after a successful archive
+  export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
+  if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
+    remove_old_local_archives
+  fi
+
+  REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
+  if $REMOTE_BACKUP; then
+    store_backup_remotely $ARCHIVE_DIR $TARBALL_FILE
+    if [[ $? -ne 0 ]]; then
+      # This error should print first, then print the summary as the last
+      # thing that the user sees in the output.
+      log ERROR "${DB_NAME}_backup" "Backup ${TARBALL_FILE} could not be sent to remote RGW."
+      set +x
+      echo "=================================================================="
+      echo "Local backup successful, but could not send to remote RGW."
+      echo "Backup archive name: $TARBALL_FILE"
+      echo "Backup archive size: $ARCHIVE_SIZE"
+      echo "=================================================================="
+      set -x
+      # Because the local backup was successful, exit with 0 so the pod will not
+      # continue to restart and fill the disk with more backups. The ERRORs are
+      # logged and alerting system should catch those errors and flag the operator.
+      exit 0
+    fi
+
+    #Only delete the old archive after a successful archive
+    export REMOTE_DAYS_TO_KEEP=$(echo $REMOTE_DAYS_TO_KEEP | sed 's/"//g')
+    if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then
+      remove_old_remote_archives
+    fi
+
+    # Turn off trace just for a clearer printout of backup status - for manual backups, mainly.
+    set +x
+    echo "=================================================================="
+    echo "Local backup and backup to remote RGW successful!"
+    echo "Backup archive name: $TARBALL_FILE"
+    echo "Backup archive size: $ARCHIVE_SIZE"
+    echo "=================================================================="
+    set -x
+  else
+    # Remote backup is not enabled. This is ok; at least we have a local backup.
+    log INFO "${DB_NAME}_backup" "Skipping remote backup, as it is not enabled."
+
+    # Turn off trace just for a clearer printout of backup status - for manual backups, mainly.
+    set +x
+    echo "=================================================================="
+    echo "Local backup successful!"
+    echo "Backup archive name: $TARBALL_FILE"
+    echo "Backup archive size: $ARCHIVE_SIZE"
+    echo "=================================================================="
+    set -x
+  fi
+}
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
new file mode 100644
index 0000000..c2de3aa
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
@@ -0,0 +1,616 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.restore_main" }}
+#!/bin/bash
+
+# This file contains a database restore framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+#   source /tmp/restore_main.sh
+#
+# Then the script should call the main CLI function (cli_main):
+#   cli_main <arg_list>
+#       where:
+#         <arg_list>    is the list of arguments given by the user
+#
+#       The framework will require the following variables to be exported:
+#
+#         export DB_NAMESPACE        Namespace where the database(s) reside
+#         export DB_NAME             Name of the database system
+#         export ARCHIVE_DIR         Location where the backup tarballs should
+#                                    be stored. (full directory path which
+#                                    should already exist)
+#         export CONTAINER_NAME      Name of the container on the RGW where
+#                                    the backups are stored.
+#         RGW access variables:
+#           export OS_REGION_NAME          Name of the region the RGW resides in
+#           export OS_AUTH_URL             Keystone URL associated with the RGW
+#           export OS_PROJECT_NAME         Name of the project associated with the
+#                                          keystone user
+#           export OS_USERNAME             Name of the keystone user
+#           export OS_PASSWORD             Password of the keystone user
+#           export OS_USER_DOMAIN_NAME     Keystone domain the project belongs to
+#           export OS_PROJECT_DOMAIN_NAME  Keystone domain the user belongs to
+#           export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# The database-specific functions that need to be implemented are:
+#   get_databases
+#       where:
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <db_file>     is the full path of the file to write the database
+#                       names into, one database per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the database names from the
+#       uncompressed database files found in the given "tmp_dir", which is
+#       the staging directory for database restore. The database names
+#       should be written to the given "db_file", one database name per
+#       line.
+#
+#   get_tables
+#         <db_name>     is the name of the database to get the tables from
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <table_file>  is the full path of the file to write the table
+#                       names into, one table per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the table names from the given
+#       database, found in the uncompressed database files located in the
+#       given "tmp_dir", which is the staging directory for database restore.
+#       The table names should be written to the given "table_file", one
+#       table name per line.
+#
+#   get_rows
+#         <table_name>  is the name of the table to get the rows from
+#         <db_name>     is the name of the database the table resides in
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <rows_file>   is the full path of the file to write the table
+#                       row data into, one row (INSERT statement) per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the rows from the given table
+#       in the given database, found in the uncompressed database files
+#       located in the given "tmp_dir", which is the staging directory for
+#       database restore. The table rows should be written to the given
+#       "rows_file", one row (INSERT statement) per line.
+#
+#   get_schema
+#         <table_name>  is the name of the table to get the schema from
+#         <db_name>     is the name of the database the table resides in
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <schema_file> is the full path of the file to write the table
+#                       schema data into
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the schema from the given table
+#       in the given database, found in the uncompressed database files
+#       located in the given "tmp_dir", which is the staging directory for
+#       database restore. The table schema and related alterations and
+#       grant information should be written to the given "schema_file".
+#
+#   restore_single_db
+#       where:
+#         <db_name>     is the name of the database to be restored
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to restore the database given as "db_name"
+#       using the database files located in the "tmp_dir". The framework
+#       will delete the "tmp_dir" and the files in it after the restore is
+#       complete.
+#
+#   restore_all_dbs
+#       where:
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to restore all of the databases which
+#       are backed up in the database files located in the "tmp_dir". The
+#       framework will delete the "tmp_dir" and the files in it after the
+#       restore is complete.
+#
+# The functions in this file will take care of:
+#   1) The CLI parameter parsing for the arguments passed in by the user.
+#   2) The listing of either local or remote archive files at the request
+#      of the user.
+#   3) The retrieval/download of an archive file located either in the local
+#      file system or remotely stored on an RGW.
+#   4) Calling either "restore_single_db" or "restore_all_dbs" when the user
+#      chooses to restore a database or all databases.
+#   5) The framework will call "get_databases" when it needs a list of
+#      databases when the user requests a database list or when the user
+#      requests to restore a single database (to ensure it exists in the
+#      archive). Similarly, the framework will call "get_tables", "get_rows",
+#      or "get_schema" when it needs that data requested by the user.
+#
+
+usage() {
+  ret_val=$1
+  echo "Usage:"
+  echo "Restore command options"
+  echo "============================="
+  echo "help"
+  echo "list_archives [remote]"
+  echo "list_databases <archive_filename> [remote]"
+  echo "list_tables <archive_filename> <dbname> [remote]"
+  echo "list_rows <archive_filename> <dbname> <table_name> [remote]"
+  echo "list_schema <archive_filename> <dbname> <table_name> [remote]"
+  echo "restore <archive_filename> <db_specifier> [remote]"
+  echo "        where <db_specifier> = <dbname> | ALL"
+  echo "delete_archive <archive_filename> [remote]"
+  clean_and_exit $ret_val ""
+}
+
+#Exit cleanly with some message and return code
+clean_and_exit() {
+  RETCODE=$1
+  MSG=$2
+
+  # Clean/remove temporary directories/files
+  rm -rf $TMP_DIR
+  rm -f $RESULT_FILE
+
+  if [[ "x${MSG}" != "x" ]]; then
+    echo $MSG
+  fi
+  exit $RETCODE
+}
+
+determine_resulting_error_code() {
+  RESULT="$1"
+
+  echo ${RESULT} | grep "HTTP 404"
+  if [[ $? -eq 0 ]]; then
+    echo "Could not find the archive: ${RESULT}"
+    return 1
+  else
+    echo ${RESULT} | grep "HTTP 401"
+    if [[ $? -eq 0 ]]; then
+      echo "Could not access the archive: ${RESULT}"
+      return 1
+    else
+      echo ${RESULT} | grep "HTTP 503"
+      if [[ $? -eq 0 ]]; then
+        echo "RGW service is unavailable. ${RESULT}"
+        # In this case, the RGW may be temporarily down.
+        # Return slightly different error code so the calling code can retry
+        return 2
+      else
+        echo ${RESULT} | grep "ConnectionError"
+        if [[ $? -eq 0 ]]; then
+          echo "Could not reach the RGW: ${RESULT}"
+          # In this case, keystone or the site/node may be temporarily down.
+          # Return slightly different error code so the calling code can retry
+          return 2
+        else
+          echo "Archive ${ARCHIVE} could not be retrieved: ${RESULT}"
+          return 1
+        fi
+      fi
+    fi
+  fi
+  return 0
+}
+
+# Retrieve a list of archives from the RGW.
+retrieve_remote_listing() {
+  RESULT=$(openstack container show $CONTAINER_NAME 2>&1)
+  if [[ $? -eq 0 ]]; then
+    # Get the list, ensureing that we only pick up the right kind of backups from the
+    # requested namespace
+    openstack object list $CONTAINER_NAME | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $TMP_DIR/archive_list
+    if [[ $? -ne 0 ]]; then
+      echo "Container object listing could not be obtained."
+      return 1
+    else
+      echo "Archive listing successfully retrieved."
+    fi
+  else
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  fi
+  return 0
+}
+
+# Retrieve a single archive from the RGW.
+retrieve_remote_archive() {
+  ARCHIVE=$1
+
+  RESULT=$(openstack object save --file $TMP_DIR/$ARCHIVE $CONTAINER_NAME $ARCHIVE 2>&1)
+  if [[ $? -ne 0 ]]; then
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  else
+    echo "Archive $ARCHIVE successfully retrieved."
+  fi
+  return 0
+}
+
+# Delete an archive from the RGW.
+delete_remote_archive() {
+  ARCHIVE=$1
+
+  RESULT=$(openstack object delete ${CONTAINER_NAME} ${ARCHIVE} 2>&1)
+  if [[ $? -ne 0 ]]; then
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  else
+    echo "Archive ${ARCHIVE} successfully deleted."
+  fi
+  return 0
+}
+
+# Display all archives
+list_archives() {
+  REMOTE=$1
+
+  if [[ "x${REMOTE^^}" == "xREMOTE" ]]; then
+    retrieve_remote_listing
+    if [[ $? -eq 0 && -e $TMP_DIR/archive_list ]]; then
+      echo
+      echo "All Archives from RGW Data Store"
+      echo "=============================================="
+      cat $TMP_DIR/archive_list | sort
+      clean_and_exit 0 ""
+    else
+      clean_and_exit 1 "ERROR: Archives could not be retrieved from the RGW."
+    fi
+  elif [[ "x${REMOTE}" == "x" ]]; then
+    if [[ -d $ARCHIVE_DIR ]]; then
+      archives=$(find $ARCHIVE_DIR/ -iname "*.gz" -print | sort)
+      echo
+      echo "All Local Archives"
+      echo "=============================================="
+      for archive in $archives
+      do
+        echo $archive | cut -d '/' -f 8
+      done
+      clean_and_exit 0 ""
+    else
+      clean_and_exit 1 "ERROR: Local archive directory is not available."
+    fi
+  else
+    usage 1
+  fi
+}
+
+# Retrieve the archive from the desired location and decompress it into
+# the restore directory
+get_archive() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+
+  if [[ "x$REMOTE" == "xremote" ]]; then
+    echo "Retrieving archive ${ARCHIVE_FILE} from the remote RGW..."
+    retrieve_remote_archive $ARCHIVE_FILE
+    if [[ $? -ne 0 ]]; then
+      clean_and_exit 1 "ERROR: Could not retrieve remote archive: $ARCHIVE_FILE"
+    fi
+  elif [[ "x$REMOTE" == "x" ]]; then
+    if [[ -e $ARCHIVE_DIR/$ARCHIVE_FILE ]]; then
+      cp $ARCHIVE_DIR/$ARCHIVE_FILE $TMP_DIR/$ARCHIVE_FILE
+      if [[ $? -ne 0 ]]; then
+        clean_and_exit 1 "ERROR: Could not copy local archive to restore directory."
+      fi
+    else
+      clean_and_exit 1 "ERROR: Local archive file could not be found."
+    fi
+  else
+    usage 1
+  fi
+
+  echo "Decompressing archive $ARCHIVE_FILE..."
+  cd $TMP_DIR
+  tar zxvf - < $TMP_DIR/$ARCHIVE_FILE 1>/dev/null
+  if [[ $? -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Archive decompression failed."
+  fi
+}
+
+# Display all databases from an archive
+list_databases() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one database per line
+  get_databases $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve databases from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Databases in the $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Databases file missing. Could not list databases from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display all tables of a database from an archive
+list_tables() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  REMOTE=$3
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one table per line
+  get_tables $DATABASE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve tables for database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Tables in database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Tables file missing. Could not list tables of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display all rows of the given database table from an archive
+list_rows() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  TABLE=$3
+  REMOTE=$4
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one table per line
+  get_rows $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Rows in table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Rows file missing. Could not list rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display the schema information of the given database table from an archive
+list_schema() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  TABLE=$3
+  REMOTE=$4
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the schema information will be placed into
+  # the given schema file.
+  get_schema $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Schema for table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Schema file missing. Could not list schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Delete an archive
+delete_archive() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  if [[ "${WHERE}" == "remote" ]]; then
+    delete_remote_archive ${ARCHIVE_FILE}
+    if [[ $? -ne 0 ]]; then
+      clean_and_exit 1 "ERROR: Could not delete remote archive: ${ARCHIVE_FILE}"
+    fi
+  else # Local
+    if [[ -e ${ARCHIVE_DIR}/${ARCHIVE_FILE} ]]; then
+      rm -f ${ARCHIVE_DIR}/${ARCHIVE_FILE}
+      if [[ $? -ne 0 ]]; then
+        clean_and_exit 1 "ERROR: Could not delete local archive."
+      fi
+    else
+      clean_and_exit 1 "ERROR: Local archive file could not be found."
+    fi
+  fi
+
+  echo "Successfully deleted archive ${ARCHIVE_FILE} from ${WHERE} storage."
+}
+
+
+# Return 1 if the given database exists in the database file. 0 otherwise.
+database_exists() {
+  DB=$1
+
+  grep "${DB}" ${RESULT_FILE}
+  if [[ $? -eq 0 ]]; then
+    return 1
+  fi
+  return 0
+}
+
+# This is the main CLI interpreter function
+cli_main() {
+  ARGS=("$@")
+
+  # Create the ARCHIVE DIR if it's not already there.
+  mkdir -p $ARCHIVE_DIR
+
+  # Create temp directory for a staging area to decompress files into
+  export TMP_DIR=$(mktemp -d)
+
+  # Create a temp file for storing list of databases (if needed)
+  export RESULT_FILE=$(mktemp -p /tmp)
+
+  case "${ARGS[0]}" in
+    "help")
+      usage 0
+      ;;
+
+    "list_archives")
+      if [[ ${#ARGS[@]} -gt 2 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 1 ]]; then
+        list_archives
+      else
+        list_archives ${ARGS[1]}
+      fi
+      clean_and_exit 0
+      ;;
+
+    "list_databases")
+      if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 2 ]]; then
+        list_databases ${ARGS[1]}
+      else
+        list_databases ${ARGS[1]} ${ARGS[2]}
+      fi
+      ;;
+
+    "list_tables")
+      if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 3 ]]; then
+        list_tables ${ARGS[1]} ${ARGS[2]}
+      else
+        list_tables ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      fi
+      ;;
+
+    "list_rows")
+      if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      else
+        list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+      fi
+      ;;
+
+    "list_schema")
+      if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      else
+        list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+      fi
+      ;;
+
+    "restore")
+      REMOTE=""
+      if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        REMOTE=${ARGS[3]}
+      fi
+
+      ARCHIVE=${ARGS[1]}
+      DB_SPEC=${ARGS[2]}
+
+      #Get all the databases in that archive
+      get_archive $ARCHIVE $REMOTE
+
+      if [[ "$( echo $DB_SPEC | tr '[a-z]' '[A-Z]')" != "ALL" ]]; then
+        # Expectation is that the database listing will be put into
+        # the given file one database per line
+        get_databases $TMP_DIR $RESULT_FILE
+        if [[ "$?" -ne 0 ]]; then
+          clean_and_exit 1 "ERROR: Could not get the list of databases to restore."
+        fi
+
+        if [[ ! $DB_NAMESPACE == "kube-system" ]]; then
+          #check if the requested database is available in the archive
+          database_exists $DB_SPEC
+          if [[ $? -ne 1 ]]; then
+            clean_and_exit 1 "ERROR: Database ${DB_SPEC} does not exist."
+          fi
+        fi
+
+        echo "Restoring Database $DB_SPEC And Grants"
+        restore_single_db $DB_SPEC $TMP_DIR
+        if [[ "$?" -eq 0 ]]; then
+          echo "Single database restored successfully."
+        else
+          clean_and_exit 1 "ERROR: Single database restore failed."
+        fi
+        clean_and_exit 0 ""
+      else
+        echo "Restoring All The Databases. This could take a few minutes..."
+        restore_all_dbs $TMP_DIR
+        if [[ "$?" -eq 0 ]]; then
+          echo "All databases restored successfully."
+        else
+          clean_and_exit 1 "ERROR: Database restore failed."
+        fi
+        clean_and_exit 0 ""
+      fi
+      ;;
+    "delete_archive")
+      if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 2 ]]; then
+        delete_archive ${ARGS[1]}
+      else
+        delete_archive ${ARGS[1]} ${ARGS[2]}
+      fi
+      ;;
+    *)
+      usage 1
+      ;;
+  esac
+
+  clean_and_exit 0 ""
+}
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_image.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_image.tpl
new file mode 100644
index 0000000..029c93d
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_image.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves an image reference to a string, and its pull policy
+values: |
+  images:
+    tags:
+      test_image: docker.io/port/test:version-foo
+      image_foo: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    pull_policy: IfNotPresent
+    local_registry:
+      active: true
+      exclude:
+        - image_foo
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    local_image_registry:
+      name: docker-registry
+      namespace: docker-registry
+      hosts:
+        default: localhost
+        internal: docker-registry
+        node: localhost
+      host_fqdn_override:
+        default: null
+      port:
+        registry:
+          node: 5000
+usage: |
+  {{ tuple . "test_image" | include "helm-toolkit.snippets.image" }}
+return: |
+  image: "localhost:5000/docker.io/port/test:version-foo"
+  imagePullPolicy: IfNotPresent
+*/}}
+
+{{- define "helm-toolkit.snippets.image" -}}
+{{- $envAll := index . 0 -}}
+{{- $image := index . 1 -}}
+{{- $imageTag := index $envAll.Values.images.tags $image -}}
+{{- if and ($envAll.Values.images.local_registry.active) (not (has $image $envAll.Values.images.local_registry.exclude )) -}}
+{{- $registryPrefix := printf "%s:%s" (tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup") (tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup") -}}
+image: {{ printf "%s/%s" $registryPrefix $imageTag | quote }}
+{{- else -}}
+image: {{ $imageTag | quote }}
+{{- end }}
+imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
new file mode 100644
index 0000000..2f209fe
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a set of container enviorment variables, equivlant to an openrc for
+  use with keystone based command line clients.
+values: |
+  secrets:
+    identity:
+      admin: example-keystone-admin
+usage: |
+  {{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin ) }}
+return: |
+  - name: OS_IDENTITY_API_VERSION
+    value: "3"
+  - name: OS_AUTH_URL
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_AUTH_URL
+  - name: OS_REGION_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_REGION_NAME
+  - name: OS_INTERFACE
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_INTERFACE
+  - name: OS_ENDPOINT_TYPE
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_INTERFACE
+  - name: OS_PROJECT_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PROJECT_DOMAIN_NAME
+  - name: OS_PROJECT_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PROJECT_NAME
+  - name: OS_USER_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_USER_DOMAIN_NAME
+  - name: OS_USERNAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_USERNAME
+  - name: OS_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PASSWORD
+  - name: OS_CACERT
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_CACERT
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }}
+{{- $useCA := .useCA -}}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: OS_IDENTITY_API_VERSION
+  value: "3"
+- name: OS_AUTH_URL
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_AUTH_URL
+- name: OS_REGION_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_REGION_NAME
+- name: OS_INTERFACE
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_INTERFACE
+- name: OS_ENDPOINT_TYPE
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_INTERFACE
+- name: OS_PROJECT_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_DOMAIN_NAME
+- name: OS_PROJECT_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_NAME
+- name: OS_USER_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USER_DOMAIN_NAME
+- name: OS_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USERNAME
+- name: OS_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PASSWORD
+- name: OS_DEFAULT_DOMAIN
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_DEFAULT_DOMAIN
+{{- if $useCA }}
+- name: OS_CACERT
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_CACERT
+{{- end }}
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
new file mode 100644
index 0000000..f627657
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_secret_openrc" }}
+{{- $userClass := index . 0 -}}
+{{- $identityEndpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $userContext := index $context.Values.endpoints.identity.auth $userClass }}
+OS_AUTH_URL: {{ tuple "identity" $identityEndpoint "api" $context | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
+OS_REGION_NAME: {{ $userContext.region_name | b64enc }}
+OS_INTERFACE: {{ $userContext.interface | default "internal" | b64enc }}
+OS_PROJECT_DOMAIN_NAME: {{ $userContext.project_domain_name | b64enc }}
+OS_PROJECT_NAME: {{ $userContext.project_name | b64enc }}
+OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }}
+OS_USERNAME: {{ $userContext.username | b64enc }}
+OS_PASSWORD: {{ $userContext.password | b64enc }}
+OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }}
+{{- if $userContext.cacert }}
+OS_CACERT: {{ $userContext.cacert | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
new file mode 100644
index 0000000..648711b
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a set of container enviorment variables, for use with the keystone
+  user management jobs.
+values: |
+  secrets:
+    identity:
+      service_user: example-keystone-user
+usage: |
+  {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }}
+return: |
+  - name: SERVICE_OS_REGION_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_REGION_NAME
+  - name: SERVICE_OS_PROJECT_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PROJECT_DOMAIN_NAME
+  - name: SERVICE_OS_PROJECT_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PROJECT_NAME
+  - name: SERVICE_OS_USER_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_USER_DOMAIN_NAME
+  - name: SERVICE_OS_USERNAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_USERNAME
+  - name: SERVICE_OS_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PASSWORD
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_user_create_env_vars" }}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: SERVICE_OS_REGION_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_REGION_NAME
+- name: SERVICE_OS_PROJECT_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_DOMAIN_NAME
+- name: SERVICE_OS_PROJECT_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_NAME
+- name: SERVICE_OS_USER_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USER_DOMAIN_NAME
+- name: SERVICE_OS_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USERNAME
+- name: SERVICE_OS_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PASSWORD
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
new file mode 100644
index 0000000..8ca1028
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders a configmap used for loading custom AppArmor profiles.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+      apparmor_profiles: |-
+        my_apparmor-v1.profile: |-
+          #include <tunables/global>
+          profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+            <profile_data>
+          }
+usage: |
+  {{ dict "envAll" . "component" "myComponent" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }}
+return: |
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: releaseName-myComponent-apparmor
+  namespace: myNamespace
+data:
+  my_apparmor-v1.profile: |-
+    #include <tunables/global>
+    profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+      <profile_data>
+    }
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_configmap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- $mapName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if $envAll.Values.conf.apparmor_profiles }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ $mapName }}
+  namespace: {{ $envAll.Release.Namespace }}
+data:
+{{ $envAll.Values.conf.apparmor_profiles | toYaml | indent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
new file mode 100644
index 0000000..f231fe6
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders the init container used for apparmor loading.
+values: |
+  images:
+    tags:
+      apparmor_loader: my-repo.io/apparmor-loader:1.0.0
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+      apparmor-loader: unconfined
+usage: |
+  {{ dict "envAll" . | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" }}
+return: |
+  - name: apparmor-loader
+    image: my-repo.io/apparmor-loader:1.0.0
+    args:
+      - /profiles
+    securityContext:
+      privileged: true
+    volumeMounts:
+      - name: sys
+        mountPath: /sys
+        readOnly: true
+      - name: includes
+        mountPath: /etc/apparmor.d
+        readOnly: true
+      - name: profiles
+        mountPath: /profiles
+        readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" -}}
+{{- $envAll := index . "envAll" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+- name: apparmor-loader
+  image: {{ $envAll.Values.images.tags.apparmor_loader }}
+  args:
+    - /profiles
+  securityContext:
+    privileged: true
+  volumeMounts:
+    - name: sys
+      mountPath: /sys
+      readOnly: true
+    - name: includes
+      mountPath: /etc/apparmor.d
+      readOnly: true
+    - name: profiles
+      mountPath: /profiles
+      readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
new file mode 100644
index 0000000..baebaa3
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders the volumes used by the apparmor loader.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+inputs: |
+  envAll: "Environment or Context."
+  component: "Name of the component used for the name of configMap."
+  requireSys: "Boolean. True if it needs the hostpath /sys in volumes."
+usage: |
+  {{ dict "envAll" . "component" "keystone" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" }}
+return: |
+- name: sys
+  hostPath:
+    path: /sys
+- name: includes
+  hostPath:
+    path: /etc/apparmor.d
+- name: profiles
+  configMap:
+    name: RELEASENAME-keystone-apparmor
+    defaultMode: 0555
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_volumes" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $requireSys := index . "requireSys" | default false -}}
+{{- $configName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- if $requireSys }}
+- name: sys
+  hostPath:
+    path: /sys
+{{- end }}
+- name: includes
+  hostPath:
+    path: /etc/apparmor.d
+- name: profiles
+  configMap:
+    name: {{ $configName | quote }}
+    defaultMode: 0555
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
new file mode 100644
index 0000000..4741497
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders securityContext for a Kubernetes container.
+  For container level, see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#securitycontext-v1-core
+examples:
+  - values: |
+      pod:
+        security_context:
+          myApp:
+            container:
+              foo:
+                runAsUser: 34356
+                readOnlyRootFilesystem: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" "container" "foo" | include "helm-toolkit.snippets.kubernetes_container_security_context" }}
+    return: |
+      securityContext:
+        readOnlyRootFilesystem: true
+        runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_container_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $container := index . "container" -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{- if hasKey ( index $envAll.Values.pod.security_context $application "container" ) $container }}
+securityContext:
+{{ toYaml ( index $envAll.Values.pod.security_context $application "container" $container ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
new file mode 100644
index 0000000..bed712e
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
@@ -0,0 +1,209 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a container definition for use with the kubernetes-entrypoint image
+  from stackanetes.
+values: |
+  images:
+    tags:
+      dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    pull_policy: IfNotPresent
+    local_registry:
+      active: true
+      exclude:
+        - dep_check
+  dependencies:
+    dynamic:
+      common:
+        local_image_registry:
+          jobs:
+            - calico-image-repo-sync
+          services:
+            - endpoint: node
+              service: local_image_registry
+    static:
+      calico_node:
+        services:
+          - endpoint: internal
+            service: etcd
+        custom_resources:
+          - apiVersion: argoproj.io/v1alpha1
+            kind: Workflow
+            name: wf-example
+            fields:
+              - key: "status.phase"
+                value: "Succeeded"
+  endpoints:
+    local_image_registry:
+      namespace: docker-registry
+      hosts:
+        default: localhost
+        node: localhost
+    etcd:
+      hosts:
+        default: etcd
+  # NOTE (portdirect): if the stanza, or a portion of it, under `pod` is not
+  # specififed then the following will be used as defaults:
+  #  pod:
+  #    security_context:
+  #      kubernetes_entrypoint:
+  #        container:
+  #          kubernetes_entrypoint:
+  #            runAsUser: 65534
+  #            readOnlyRootFilesystem: true
+  #            allowPrivilegeEscalation: false
+  pod:
+    security_context:
+      kubernetes_entrypoint:
+        container:
+          kubernetes_entrypoint:
+            runAsUser: 0
+            readOnlyRootFilesystem: false
+usage: |
+  {{ tuple . "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" }}
+return: |
+  - name: init
+    image: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+    imagePullPolicy: IfNotPresent
+    securityContext:
+      allowPrivilegeEscalation: false
+      readOnlyRootFilesystem: false
+      runAsUser: 0
+
+    env:
+      - name: POD_NAME
+        valueFrom:
+          fieldRef:
+            apiVersion: v1
+            fieldPath: metadata.name
+      - name: NAMESPACE
+        valueFrom:
+          fieldRef:
+            apiVersion: v1
+            fieldPath: metadata.namespace
+      - name: INTERFACE_NAME
+        value: eth0
+      - name: PATH
+        value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+      - name: DEPENDENCY_SERVICE
+        value: "default:etcd,docker-registry:localhost"
+      - name: DEPENDENCY_JOBS
+        value: "calico-image-repo-sync"
+      - name: DEPENDENCY_DAEMONSET
+        value: ""
+      - name: DEPENDENCY_CONTAINER
+        value: ""
+      - name: DEPENDENCY_POD_JSON
+        value: ""
+      - name: DEPENDENCY_CUSTOM_RESOURCE
+        value: "[{\"apiVersion\":\"argoproj.io/v1alpha1\",\"kind\":\"Workflow\",\"namespace\":\"default\",\"name\":\"wf-example\",\"fields\":[{\"key\":\"status.phase\",\"value\":\"Succeeded\"}]}]"
+    command:
+      - kubernetes-entrypoint
+    volumeMounts:
+      []
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" -}}
+Values:
+  pod:
+    security_context:
+      kubernetes_entrypoint:
+        container:
+          kubernetes_entrypoint:
+            runAsUser: 65534
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $mounts := index . 2 -}}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+
+{{- if and ($envAll.Values.manifests.job_rabbit_init) (hasKey $envAll.Values.dependencies "dynamic") -}}
+{{- if $envAll.Values.dependencies.dynamic.job_rabbit_init -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component) ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component)) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+{{- range $deps.custom_resources }}
+{{- $_ := set . "namespace" $envAll.Release.Namespace -}}
+{{- end -}}
+{{- $default_security_context := include "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" . | fromYaml }}
+{{- $patchedEnvAll := mergeOverwrite $default_security_context $envAll }}
+- name: init
+{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
+{{- dict "envAll" $patchedEnvAll "application" "kubernetes_entrypoint" "container" "kubernetes_entrypoint" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 2 }}
+  env:
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          apiVersion: v1
+          fieldPath: metadata.name
+    - name: NAMESPACE
+      valueFrom:
+        fieldRef:
+          apiVersion: v1
+          fieldPath: metadata.namespace
+    - name: INTERFACE_NAME
+      value: eth0
+    - name: PATH
+      value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+    - name: DEPENDENCY_SERVICE
+      value: "{{ tuple $deps.services $envAll | include "helm-toolkit.utils.comma_joined_service_list" }}"
+{{- if $deps.jobs -}}
+  {{- if kindIs "string" (index $deps.jobs 0) }}
+    - name: DEPENDENCY_JOBS
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.jobs }}"
+  {{- else }}
+    - name: DEPENDENCY_JOBS_JSON
+      value: {{- toJson $deps.jobs | quote -}}
+  {{- end -}}
+{{- end }}
+    - name: DEPENDENCY_DAEMONSET
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.daemonset }}"
+    - name: DEPENDENCY_CONTAINER
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.container }}"
+    - name: DEPENDENCY_POD_JSON
+      value: {{ if $deps.pod }}{{ toJson $deps.pod | quote }}{{ else }}""{{ end }}
+    - name: DEPENDENCY_CUSTOM_RESOURCE
+      value: {{ if $deps.custom_resources }}{{ toJson $deps.custom_resources | quote }}{{ else }}""{{ end }}
+  command:
+    - kubernetes-entrypoint
+  volumeMounts:
+{{ toYaml $mounts | indent 4 }}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
new file mode 100644
index 0000000..34a7da3
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
@@ -0,0 +1,20 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_kubectl_params" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{ print "-l application=" $application " -l component=" $component }}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
new file mode 100644
index 0000000..92d3ea5
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders mandatory access control annotations for a list of containers
+  driven by values.yaml. As of now, it can only generate an apparmor
+  annotation, but in the future could generate others.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      myPodName:
+        myContainerName: localhost/myAppArmor
+        mySecondContainerName: localhost/secondProfile # optional
+        myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+  {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" }}
+return: |
+  container.apparmor.security.beta.kubernetes.io/myContainerName: localhost/myAppArmor
+  container.apparmor.security.beta.kubernetes.io/mySecondContainerName: localhost/secondProfile
+  container.apparmor.security.beta.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+  The number of container underneath is a variable arguments. It loops through
+  all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- $macType := $envAll.Values.pod.mandatory_access_control.type -}}
+{{- if $macType -}}
+{{- if eq $macType "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control $podName -}}
+{{- range $name := $containerNames -}}
+{{- $apparmorProfile := index $envAll.Values.pod.mandatory_access_control $podName $name -}}
+{{- if $apparmorProfile }}
+container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
new file mode 100644
index 0000000..0324e68
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders a set of standardised labels
+values: |
+  release_group: null
+usage: |
+  {{ tuple . "foo" "bar" | include "helm-toolkit.snippets.kubernetes_metadata_labels" }}
+return: |
+  release_group: RELEASE-NAME
+  application: foo
+  component: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+release_group: {{ $envAll.Values.release_group | default $envAll.Release.Name }}
+application: {{ $application }}
+component: {{ $component }}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
new file mode 100644
index 0000000..fabbcf8
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
@@ -0,0 +1,89 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes anti affinity rules, this function supports both hard
+  'requiredDuringSchedulingIgnoredDuringExecution' and soft
+  'preferredDuringSchedulingIgnoredDuringExecution' types.
+values: |
+  pod:
+    affinity:
+      anti:
+        topologyKey:
+          default: kubernetes.io/hostname
+        type:
+          default: requiredDuringSchedulingIgnoredDuringExecution
+        weight:
+          default: 10
+usage: |
+  {{ tuple . "appliction_x" "component_y" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" }}
+return: |
+  podAntiAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+    - labelSelector:
+        matchExpressions:
+          - key: release_group
+            operator: In
+            values:
+            - RELEASE-NAME
+          - key: application
+            operator: In
+            values:
+            - appliction_x
+          - key: component
+            operator: In
+            values:
+            - component_y
+          topologyKey: kubernetes.io/hostname
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $component := index . "component" -}}
+{{- $expressionRelease := dict "key" "release_group" "operator" "In"  "values" ( list ( $envAll.Values.release_group | default $envAll.Release.Name ) ) -}}
+{{- $expressionApplication := dict "key" "application" "operator" "In"  "values" ( list $application ) -}}
+{{- $expressionComponent := dict "key" "component" "operator" "In"  "values" ( list $component ) -}}
+{{- list $expressionRelease $expressionApplication $expressionComponent | toYaml }}
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{- $antiAffinityType := index $envAll.Values.pod.affinity.anti.type $component | default $envAll.Values.pod.affinity.anti.type.default }}
+{{- $antiAffinityKey := index $envAll.Values.pod.affinity.anti.topologyKey $component | default $envAll.Values.pod.affinity.anti.topologyKey.default }}
+podAntiAffinity:
+{{- $matchExpressions := include "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" ( dict "envAll" $envAll "application" $application "component" $component ) -}}
+{{- if eq $antiAffinityType "preferredDuringSchedulingIgnoredDuringExecution" }}
+  {{ $antiAffinityType }}:
+  - podAffinityTerm:
+      labelSelector:
+        matchExpressions:
+{{ $matchExpressions | indent 10 }}
+      topologyKey: {{ $antiAffinityKey }}
+{{- if  $envAll.Values.pod.affinity.anti.weight }}
+    weight: {{ index $envAll.Values.pod.affinity.anti.weight $component | default $envAll.Values.pod.affinity.anti.weight.default }}
+{{- else }}
+    weight: 10
+{{- end -}}
+{{- else if eq $antiAffinityType "requiredDuringSchedulingIgnoredDuringExecution" }}
+  {{ $antiAffinityType }}:
+  - labelSelector:
+      matchExpressions:
+{{ $matchExpressions | indent 8 }}
+    topologyKey: {{ $antiAffinityKey }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
new file mode 100644
index 0000000..baa7073
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
@@ -0,0 +1,66 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{{- $saName := index . 2 | replace "_" "-" }}
+{{- $saNamespace := index . 3 -}}
+{{- $releaseName := $envAll.Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $releaseName }}-{{ $saName }}
+  namespace: {{ $saNamespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $saName }}
+    namespace: {{ $saNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+  namespace: {{ $saNamespace }}
+rules:
+  - apiGroups:
+      - ""
+      - extensions
+      - batch
+      - apps
+    verbs:
+      - get
+      - list
+    resources:
+      {{- range $k, $v := $deps -}}
+      {{ if eq $v "daemonsets" }}
+      - daemonsets
+      {{- end -}}
+      {{ if eq $v "jobs" }}
+      - jobs
+      {{- end -}}
+      {{ if or (eq $v "pods") (eq $v "daemonsets") (eq $v "jobs") }}
+      - pods
+      {{- end -}}
+      {{ if eq $v "services" }}
+      - services
+      - endpoints
+      {{- end -}}
+      {{- end -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
new file mode 100644
index 0000000..a8f1c49
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -0,0 +1,67 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $saName := index . 2 -}}
+{{- $saNamespace := $envAll.Release.Namespace }}
+{{- $randomKey := randAlphaNum 32 }}
+{{- $allNamespace := dict $randomKey "" }}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $saName }}
+  namespace: {{ $saNamespace }}
+{{- range $k, $v := $deps -}}
+{{- if eq $k "services" }}
+{{- range $serv := $v }}
+{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
+{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
+{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
+{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- else if and (eq $k "jobs") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "daemonset") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "pod") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "pods," ((index $allNamespace $saNamespace) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- $_ := unset $allNamespace $randomKey }}
+{{- range $ns, $vv := $allNamespace }}
+{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
+{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
new file mode 100644
index 0000000..3a4fbaa
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
@@ -0,0 +1,67 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders securityContext for a Kubernetes pod.
+  For pod level, seurity context see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#podsecuritycontext-v1-core
+examples:
+  - values: |
+      pod:
+        # NOTE: The 'user' key is deprecated, and will be removed shortly.
+        user:
+          myApp:
+            uid: 34356
+        security_context:
+          myApp:
+            pod:
+              runAsNonRoot: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+    return: |
+      securityContext:
+        runAsUser: 34356
+        runAsNonRoot: true
+  - values: |
+      pod:
+        security_context:
+          myApp:
+            pod:
+              runAsUser: 34356
+              runAsNonRoot: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+    return: |
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+securityContext:
+{{- if hasKey $envAll.Values.pod "user" }}
+{{- if hasKey $envAll.Values.pod.user $application }}
+{{- if hasKey ( index $envAll.Values.pod.user $application ) "uid" }}
+  runAsUser: {{ index $envAll.Values.pod.user $application "uid" }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{ toYaml ( index $envAll.Values.pod.security_context $application "pod" ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
new file mode 100644
index 0000000..7470760
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes liveness and readiness probes for containers
+values: |
+  pod:
+    probes:
+      api:
+        default:
+          readiness:
+            enabled: true
+            params:
+              initialDelaySeconds: 30
+              timeoutSeconds: 30
+usage: |
+  {{- define "probeTemplate" }}
+  httpGet:
+    path: /status
+    port: 9090
+  {{- end }}
+  {{ dict "envAll" . "component" "api" "container" "default" "type" "readiness" "probeTemplate" (include "probeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" }}
+return: |
+  readinessProbe:
+    httpGet:
+      path: /status
+      port: 9090
+    initialDelaySeconds: 30
+    timeoutSeconds: 30
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_probe" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $container := index . "container" -}}
+{{- $type := index . "type" -}}
+{{- $probeTemplate := index . "probeTemplate" -}}
+{{- $probeOpts := index $envAll.Values.pod.probes $component $container $type -}}
+{{- if $probeOpts.enabled -}}
+{{- $probeOverides := index $probeOpts "params" | default dict -}}
+{{ dict ( printf "%sProbe" $type ) (mergeOverwrite $probeTemplate $probeOverides ) | toYaml }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
new file mode 100644
index 0000000..24d30cf
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
@@ -0,0 +1,53 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Note: This function is deprecated and will be removed in the future.
+
+abstract: |
+  Renders kubernetes resource limits for pods
+values: |
+  pod:
+    resources:
+      enabled: true
+      api:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+          hugepages-1Gi: "1Gi"
+
+usage: |
+  {{ include "helm-toolkit.snippets.kubernetes_resources" ( tuple . .Values.pod.resources.api ) }}
+return: |
+  resources:
+    limits:
+      cpu: "2000m"
+      memory: "1024Mi"
+      hugepages-1Gi: "1Gi"
+    requests:
+      cpu: "100m"
+      memory: "128Mi
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_resources" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- if $envAll.Values.pod.resources.enabled -}}
+resources:
+{{ toYaml $component | trim | indent 2 }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
new file mode 100644
index 0000000..555ffb0
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders seccomp annotations for a list of containers driven by values.yaml.
+values: |
+  pod:
+    seccomp:
+      myPodName:
+        myContainerName: localhost/mySeccomp
+        mySecondContainerName: localhost/secondProfile # optional
+        myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+  {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_seccomp_annotation" }}
+return: |
+  container.seccomp.security.alpha.kubernetes.io/myContainerName: localhost/mySeccomp
+  container.seccomp.security.alpha.kubernetes.io/mySecondContainerName: localhost/secondProfile
+  container.seccomp.security.alpha.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+  The number of container underneath is a variable arguments. It loops through
+  all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_seccomp_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey (index $envAll.Values.pod "seccomp") $podName -}}
+{{- range $name := $containerNames -}}
+{{- $seccompProfile := index $envAll.Values.pod.seccomp $podName $name -}}
+{{- if $seccompProfile }}
+container.seccomp.security.alpha.kubernetes.io/{{ $name }}: {{ $seccompProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
new file mode 100644
index 0000000..e4af6a6
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes tolerations for pods
+values: |
+  pod:
+    tolerations:
+      api:
+        enabled: true
+        tolerations:
+        - key: node-role.kubernetes.io/master
+          operator: Exists
+        - key: node-role.kubernetes.io/node
+          operator: Exists
+
+usage: |
+  {{ include "helm-toolkit.snippets.kubernetes_tolerations" ( tuple . .Values.pod.tolerations.api ) }}
+return: |
+  tolerations:
+  - key: node-role.kubernetes.io/master
+    operator: Exists
+  - key: node-role.kubernetes.io/node
+    operator: Exists
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_tolerations" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $pod := index $envAll.Values.pod.tolerations $component }}
+tolerations:
+{{ toYaml $pod.tolerations }}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
new file mode 100644
index 0000000..69cee47
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_daemonset" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $upgradeMap := index $envAll.Values.pod.lifecycle.upgrades.daemonsets $component -}}
+{{- $pod_replacement_strategy := $envAll.Values.pod.lifecycle.upgrades.daemonsets.pod_replacement_strategy -}}
+{{- with $upgradeMap -}}
+{{- if .enabled }}
+minReadySeconds: {{ .min_ready_seconds }}
+updateStrategy:
+  type: {{ $pod_replacement_strategy }}
+  {{- if $pod_replacement_strategy }}
+  {{- if eq $pod_replacement_strategy "RollingUpdate" }}
+  rollingUpdate:
+    maxUnavailable: {{ .max_unavailable }}
+  {{- end }}
+  {{- end }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
new file mode 100644
index 0000000..be28cdb
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_deployment" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.deployments -}}
+revisionHistoryLimit: {{ .revision_history }}
+strategy:
+  type: {{ .pod_replacement_strategy }}
+  {{- if eq .pod_replacement_strategy "RollingUpdate" }}
+  rollingUpdate:
+    maxUnavailable: {{ .rolling_update.max_unavailable }}
+    maxSurge: {{ .rolling_update.max_surge }}
+  {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
new file mode 100644
index 0000000..f897023
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders upgradeStrategy configuration for Kubernetes statefulsets.
+  See: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+  Types:
+    - RollingUpdate (default)
+    - OnDelete
+  Partitions:
+    - Stage updates to a statefulset by keeping pods at current version while
+      allowing mutations to statefulset's .spec.template
+values: |
+  pod:
+    lifecycle:
+      upgrades:
+        statefulsets:
+          pod_replacement_strategy: RollingUpdate
+          partition: 2
+usage: |
+  {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_statefulset" | indent 2 }}
+return: |
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      partition: 2
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_statefulset" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.statefulsets -}}
+updateStrategy:
+  type: {{ .pod_replacement_strategy }}
+  {{ if .partition -}}
+  rollingUpdate:
+    partition: {{ .partition }}
+  {{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
new file mode 100644
index 0000000..fec41f8
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape jobs via pod
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape pods that have a value of `true`
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: Scrape the pod on the indicated port instead of the
+# pod's declared ports (default is a port-free target if none are declared).
+
+{{- define "helm-toolkit.snippets.prometheus_pod_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
new file mode 100644
index 0000000..a827c4b
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
@@ -0,0 +1,35 @@
+{{/*
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+   http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape endpoints via
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape services that have a value of `true`
+# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
+# to set this to `https` & most likely set the `tls_config` of the scrape config.
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: If the metrics are exposed on a different port to the
+# service then set this appropriately.
+
+{{- define "helm-toolkit.snippets.prometheus_service_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.scheme }}
+prometheus.io/scheme: {{ $config.scheme | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_release_uuid.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
new file mode 100644
index 0000000..253920b
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Reneders an attonation key and value for a release
+values: |
+  release_uuid: null
+usage: |
+  {{ tuple . | include "helm-toolkit.snippets.release_uuid" }}
+return: |
+  "openstackhelm.openstack.org/release_uuid": ""
+*/}}
+
+{{- define "helm-toolkit.snippets.release_uuid" -}}
+{{- $envAll := index . 0 -}}
+"openstackhelm.openstack.org/release_uuid": {{ $envAll.Values.release_uuid | default "" | quote }}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
new file mode 100644
index 0000000..a3169ce
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_admin_env_vars" }}
+{{- $s3AdminSecret := .s3AdminSecret }}
+- name: S3_ADMIN_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_USERNAME
+- name: S3_ADMIN_ACCESS_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_ACCESS_KEY
+- name: S3_ADMIN_SECRET_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_SECRET_KEY
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
new file mode 100644
index 0000000..a611a5e
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_secret_creds" }}
+{{- range $client, $config := .Values.storage.s3.clients -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+type: Opaque
+data:
+{{- range $key, $value := $config.auth }}
+  {{ $key | upper }}: {{ $value | toString | b64enc}}
+{{- end }}
+
+{{ end }}
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
new file mode 100644
index 0000000..a3dd431
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_user_env_vars" }}
+{{- range $client, $user := .Values.storage.s3.clients }}
+{{- $s3secret := printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+- name: {{ printf "%s_S3_USERNAME" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: USERNAME
+- name: {{ printf "%s_S3_ACCESS_KEY" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: ACCESS_KEY
+- name: {{ printf "%s_S3_SECRET_KEY" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: SECRET_KEY
+{{- end }}
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_tls_volume.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
new file mode 100644
index 0000000..41fe3d9
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+  Renders a secret volume for tls.
+
+  Dictionary Parameters:
+    enabled: boolean check if you want to conditional disable this snippet (optional)
+    name: name of the volume (required)
+    secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional)
+
+values: |
+  manifests:
+    certificates: true
+
+usage: |
+  {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume" -}}
+
+return: |
+  - name: glance-tls-api
+    secret:
+      secretName: glance-tls-api
+      defaultMode: 292
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $secretName := index . "secretName" | default $name -}}
+{{- if and $enabled (ne $name "") }}
+- name: {{ $name }}
+  secret:
+    secretName: {{ $secretName }}
+    defaultMode: 292
+{{- end }}
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
new file mode 100644
index 0000000..9cfa819
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
@@ -0,0 +1,82 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+  Renders a volume mount for TLS key, cert and CA.
+
+  Dictionary Parameters:
+    enabled: boolean check if you want to conditional disable this snippet (optional)
+    name: name that of the volume and should match the volume name (required)
+    path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required)
+    certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}.
+          the default is the full set. (optional)
+
+values: |
+  manifests:
+    certificates: true
+
+usage: |
+  {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/tls.crt
+    subPath: tls.crt
+    readOnly: true
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/tls.key
+    subPath: tls.key
+    readOnly: true
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/ca.crt
+    subPath: ca.crt
+    readOnly: true
+
+abstract: |
+  This mounts a specific issuing CA only for service validation
+
+usage: |
+  {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+  - name: glance-tls-api
+    mountPath: /etc/ssl/certs/openstack-helm.crt
+    subPath: ca.crt
+    readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume_mount" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $path := index . "path" | default "" -}}
+{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }}
+{{- if $enabled }}
+{{- if and (eq $path "") (ne $name "") }}
+- name: {{ $name }}
+  mountPath: "/etc/ssl/certs/openstack-helm.crt"
+  subPath: ca.crt
+  readOnly: true
+{{- else }}
+{{- if ne $name "" }}
+{{- range $key, $value := $certs }}
+- name: {{ $name }}
+  mountPath: {{ printf "%s/%s" $path $value }}
+  subPath: {{ $value }}
+  readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
new file mode 100644
index 0000000..6e9d5a1
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
@@ -0,0 +1,87 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders out configuration sections into a format suitable for incorporation
+  into a config-map. Allowing various forms of input to be rendered out as
+  appropriate.
+values: |
+  conf:
+    inputs:
+      - foo
+      - bar
+    some:
+      config_to_render: |
+        #We can use all of gotpl here: eg macros, ranges etc.
+        {{ include "helm-toolkit.utils.joinListWithComma" .Values.conf.inputs }}
+      config_to_complete:
+        #here we can fill out params, but things need to be valid yaml as input
+        '{{ .Release.Name }}': '{{ printf "%s-%s" .Release.Namespace "namespace" }}'
+      static_config:
+        #this is just passed though as yaml to the configmap
+        foo: bar
+usage: |
+  {{- $envAll := . }}
+  ---
+  apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: application-etc
+  data:
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_render "key" "config_to_render.conf") | indent 2 }}
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_complete "key" "config_to_complete.yaml") | indent 2 }}
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.static_config "key" "static_config.yaml") | indent 2 }}
+return: |
+  ---
+  apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: application-etc
+  data:
+    config_to_render.conf: |
+      #We can use all of gotpl here: eg macros, ranges etc.
+      foo,bar
+
+    config_to_complete.yaml: |
+      'RELEASE-NAME': 'default-namespace'
+
+    static_config.yaml: |
+      foo: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.values_template_renderer" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $template := index . "template" -}}
+{{- $key := index . "key" -}}
+{{- $format := index . "format" | default "configMap" -}}
+{{- with $envAll -}}
+{{- $templateRendered := tpl ( $template | toYaml ) . }}
+{{- if eq $format "Secret" }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: {{ regexReplaceAllLiteral "\n  " ( $templateRendered | trimPrefix "|\n" | trimPrefix "  " ) "\n" | b64enc }}
+{{- else }}
+{{ $key }}: {{ $templateRendered | b64enc }}
+{{- end -}}
+{{- else }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: |
+{{ regexReplaceAllLiteral "\n  " ( $templateRendered | trimPrefix "|\n" | trimPrefix "  " ) "\n" | indent 2 }}
+{{- else }}
+{{ $key }}: |
+{{ $templateRendered | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
new file mode 100644
index 0000000..6d617a1
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
@@ -0,0 +1,94 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Produces a certificate from a certificate authority. If the "encode" parameter
+  is true, base64 encode the values for inclusion in a Kubernetes secret.
+values: |
+  test:
+    hosts:
+      names:
+        - barbican.openstackhelm.example
+        - barbican.openstack.svc.cluster.local
+      ips:
+        - 127.0.0.1
+        - 192.168.0.1
+    life: 3
+    # Use ca.crt and ca.key to build a customized ca, if they are provided.
+    # Use hosts.names[0] and life to auto-generate a ca, if ca is not provided.
+    ca:
+      crt: |
+        <CA CRT>
+      key: |
+        <CA PRIVATE KEY>
+usage: |
+  {{ include "helm-toolkit.utils.tls_generate_certs" (dict "params" .Values.test) }}
+return: |
+  ca: |
+    <CA CRT>
+  crt: |
+    <CRT>
+  exp: 2018-09-01T10:56:07.895392915-00:00
+  key: |
+    <CRT PRIVATE KEY>
+*/}}
+
+{{- define "helm-toolkit.utils.tls_generate_certs" -}}
+{{- $params := index . "params" -}}
+{{- $encode := index . "encode" | default false -}}
+{{- $local := dict -}}
+
+{{- $_hosts := $params.hosts.names | default list }}
+{{- if kindIs "string" $params.hosts.names }}
+{{- $_ := set $local "certHosts" (list $params.hosts.names) }}
+{{- else }}
+{{- $_ := set $local "certHosts" $_hosts }}
+{{- end }}
+
+{{- $_ips := $params.hosts.ips | default list }}
+{{- if kindIs "string" $params.hosts.ips }}
+{{- $_ := set $local "certIps" (list $params.hosts.ips) }}
+{{- else }}
+{{- $_ := set $local "certIps" $_ips }}
+{{- end }}
+
+{{- if hasKey $params "ca" }}
+{{- if and (hasKey $params.ca "crt") (hasKey $params.ca "key") }}
+{{- $ca := buildCustomCert ($params.ca.crt | b64enc ) ($params.ca.key | b64enc ) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+{{- else }}
+{{- $ca := genCA (first $local.certHosts) (int $params.life) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+
+{{- $expDate := date_in_zone "2006-01-02T15:04:05Z07:00" ( date_modify (printf "+%sh" (mul $params.life 24 |toString)) now ) "UTC" }}
+{{- $rawCert := genSignedCert (first $local.certHosts) ($local.certIps) ($local.certHosts) (int $params.life) $local.ca }}
+{{- $certificate := dict -}}
+{{- if $encode -}}
+{{- $_ := b64enc $rawCert.Cert | set $certificate "crt" -}}
+{{- $_ := b64enc $rawCert.Key | set $certificate "key" -}}
+{{- $_ := b64enc $local.ca.Cert | set $certificate "ca" -}}
+{{- $_ := b64enc $local.ca.Key | set $certificate "caKey" -}}
+{{- $_ := b64enc $expDate | set $certificate "exp" -}}
+{{- else -}}
+{{- $_ := set $certificate "crt" $rawCert.Cert -}}
+{{- $_ := set $certificate "key" $rawCert.Key -}}
+{{- $_ := set $certificate "ca" $local.ca.Cert -}}
+{{- $_ := set $certificate "caKey" $local.ca.Key -}}
+{{- $_ := set $certificate "exp" $expDate -}}
+{{- end -}}
+{{- $certificate | toYaml }}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
new file mode 100644
index 0000000..e26501f
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a comma separated list of namespace:service pairs.
+values: |
+  dependencies:
+    static:
+      api:
+        services:
+          - endpoint: internal
+            service: oslo_cache
+          - endpoint: internal
+            service: oslo_db
+  endpoints:
+    oslo_db:
+      namespace: foo
+      hosts:
+        default: mariadb
+    oslo_cache:
+      namespace: bar
+      hosts:
+        default: memcache
+usage: |
+  {{ tuple .Values.dependencies.static.api.services . | include "helm-toolkit.utils.comma_joined_service_list" }}
+return: |
+  bar:memcache,foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.utils.comma_joined_service_list" -}}
+{{- $deps := index . 0 -}}
+{{- $envAll := index . 1 -}}
+{{- range $k, $v := $deps -}}{{- if $k -}},{{- end -}}{{ tuple $v.service $v.endpoint $envAll | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}{{- end -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_configmap_templater.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
new file mode 100644
index 0000000..7095c19
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
@@ -0,0 +1,30 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.configmap_templater" }}
+{{- $keyRoot := index . 0 -}}
+{{- $configTemplate := index . 1 -}}
+{{- $context := index . 2 -}}
+{{ if $keyRoot.override -}}
+{{ $keyRoot.override | indent 4 }}
+{{- else -}}
+{{- if $keyRoot.prefix -}}
+{{ $keyRoot.prefix | indent 4 }}
+{{- end }}
+{{ tuple $configTemplate $context | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if $keyRoot.append -}}
+{{ $keyRoot.append | indent 4 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
new file mode 100644
index 0000000..40359f0
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
@@ -0,0 +1,269 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.daemonset_overrides" }}
+  {{- $daemonset := index . 0 }}
+  {{- $daemonset_yaml := index . 1 }}
+  {{- $configmap_include := index . 2 }}
+  {{- $configmap_name := index . 3 }}
+  {{- $context := index . 4 }}
+  {{- $_ := unset $context ".Files" }}
+  {{- $daemonset_root_name := printf (print $context.Chart.Name "_" $daemonset) }}
+  {{- $_ := set $context.Values "__daemonset_list" list }}
+  {{- $_ := set $context.Values "__default" dict }}
+  {{- if hasKey $context.Values.conf "overrides" }}
+    {{- range $key, $val := $context.Values.conf.overrides }}
+
+      {{- if eq $key $daemonset_root_name }}
+        {{- range $type, $type_data := . }}
+
+          {{- if eq $type "hosts" }}
+            {{- range $host_data := . }}
+              {{/* dictionary that will contain all info needed to generate this
+              iteration of the daemonset */}}
+              {{- $current_dict := dict }}
+
+              {{/* set daemonset name */}}
+              {{/* Note: long hostnames can cause the 63 char name limit to be
+              exceeded. Truncate the hostname if hostname > 20 char */}}
+              {{- if gt (len $host_data.name) 20 }}
+                {{- $_ := set $current_dict "name" (substr 0 20 $host_data.name) }}
+              {{- else }}
+                {{- $_ := set $current_dict "name" $host_data.name }}
+              {{- end }}
+
+              {{/* apply overrides */}}
+              {{- $override_conf_copy := $host_data.conf }}
+              {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+              {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+              {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+              {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+              {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+              {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+              {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+              {{- $_ := set $current_dict "nodeData" $root_conf_copy4 }}
+
+              {{/* Schedule to this host explicitly. */}}
+              {{- $nodeSelector_dict := dict }}
+
+              {{- $_ := set $nodeSelector_dict "key" "kubernetes.io/hostname" }}
+              {{- $_ := set $nodeSelector_dict "operator" "In" }}
+
+              {{- $values_list := list $host_data.name }}
+              {{- $_ := set $nodeSelector_dict "values" $values_list }}
+
+              {{- $list_aggregate := list $nodeSelector_dict }}
+              {{- $_ := set $current_dict "matchExpressions" $list_aggregate }}
+
+              {{/* store completed daemonset entry/info into global list */}}
+              {{- $list_aggregate := append $context.Values.__daemonset_list $current_dict }}
+              {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+            {{- end }}
+          {{- end }}
+
+          {{- if eq $type "labels" }}
+            {{- $_ := set $context.Values "__label_list" . }}
+            {{- range $label_data := . }}
+              {{/* dictionary that will contain all info needed to generate this
+              iteration of the daemonset. */}}
+              {{- $_ := set $context.Values "__current_label" dict }}
+
+              {{/* set daemonset name */}}
+              {{- $_ := set $context.Values.__current_label "name" $label_data.label.key }}
+
+              {{/* apply overrides */}}
+              {{- $override_conf_copy := $label_data.conf }}
+              {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+              {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+              {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+              {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+              {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+              {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+              {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+              {{- $_ := set $context.Values.__current_label "nodeData" $root_conf_copy4 }}
+
+              {{/* Schedule to the provided label value(s) */}}
+              {{- $label_dict := omit $label_data.label "NULL" }}
+              {{- $_ := set $label_dict "operator" "In" }}
+              {{- $list_aggregate := list $label_dict }}
+              {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+
+              {{/* Do not schedule to other specified labels, with higher
+              precedence as the list position increases. Last defined label
+              is highest priority. */}}
+              {{- $other_labels := without $context.Values.__label_list $label_data }}
+              {{- range $label_data2 := $other_labels }}
+                {{- $label_dict := omit $label_data2.label "NULL" }}
+
+                {{- $_ := set $label_dict "operator" "NotIn" }}
+
+                {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+                {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+              {{- end }}
+              {{- $_ := set $context.Values "__label_list" $other_labels }}
+
+              {{/* Do not schedule to any other specified hosts */}}
+              {{- range $type, $type_data := $val }}
+                {{- if eq $type "hosts" }}
+                  {{- range $host_data := . }}
+                    {{- $label_dict := dict }}
+
+                    {{- $_ := set $label_dict "key" "kubernetes.io/hostname" }}
+                    {{- $_ := set $label_dict "operator" "NotIn" }}
+
+                    {{- $values_list := list $host_data.name }}
+                    {{- $_ := set $label_dict "values" $values_list }}
+
+                    {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+                    {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+                  {{- end }}
+                {{- end }}
+              {{- end }}
+
+              {{/* store completed daemonset entry/info into global list */}}
+              {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__current_label }}
+              {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+              {{- $_ := unset $context.Values "__current_label" }}
+
+            {{- end }}
+          {{- end }}
+        {{- end }}
+
+        {{/* scheduler exceptions for the default daemonset */}}
+        {{- $_ := set $context.Values.__default "matchExpressions" list }}
+
+        {{- range $type, $type_data := . }}
+          {{/* Do not schedule to other specified labels */}}
+          {{- if eq $type "labels" }}
+            {{- range $label_data := . }}
+              {{- $default_dict := omit $label_data.label "NULL" }}
+
+              {{- $_ := set $default_dict "operator" "NotIn" }}
+
+              {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+              {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+            {{- end }}
+          {{- end }}
+          {{/* Do not schedule to other specified hosts */}}
+          {{- if eq $type "hosts" }}
+            {{- range $host_data := . }}
+              {{- $default_dict := dict }}
+
+              {{- $_ := set $default_dict "key" "kubernetes.io/hostname" }}
+              {{- $_ := set $default_dict "operator" "NotIn" }}
+
+              {{- $values_list := list $host_data.name }}
+              {{- $_ := set $default_dict "values" $values_list }}
+
+              {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+              {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+            {{- end }}
+          {{- end }}
+        {{- end }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+
+  {{/* generate the default daemonset */}}
+
+  {{/* set name */}}
+  {{- $_ := set $context.Values.__default "name" "default" }}
+
+  {{/* no overrides apply, so copy as-is */}}
+  {{- $root_conf_copy1 := omit $context.Values.conf "overrides" }}
+  {{- $root_conf_copy2 := dict "conf" $root_conf_copy1 }}
+  {{- $context_values := omit $context.Values "conf" }}
+  {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+  {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+  {{- $_ := set $context.Values.__default "nodeData" $root_conf_copy4 }}
+
+  {{/* add to global list */}}
+  {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__default }}
+  {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+  {{- range $current_dict := $context.Values.__daemonset_list }}
+
+    {{- $context_novalues := omit $context "Values" }}
+    {{- $merged_dict := mergeOverwrite $context_novalues $current_dict.nodeData }}
+    {{- $_ := set $current_dict "nodeData" $merged_dict }}
+    {{/* Deep copy original daemonset_yaml */}}
+    {{- $_ := set $context.Values "__daemonset_yaml" ($daemonset_yaml | toYaml | fromYaml) }}
+
+    {{/* name needs to be a DNS-1123 compliant name. Ensure lower case */}}
+    {{- $name_format1 := printf (print $daemonset_root_name "-" $current_dict.name) | lower }}
+    {{/* labels may contain underscores which would be invalid here, so we replace them with dashes
+    there may be other valid label names which would make for an invalid DNS-1123 name
+    but these will be easier to handle in future with sprig regex* functions
+    (not availabile in helm 2.5.1) */}}
+    {{- $name_format2 := $name_format1 | replace "_" "-" }}
+    {{/* To account for the case where the same label is defined multiple times in overrides
+    (but with different label values), we add a sha of the scheduling data to ensure
+    name uniqueness */}}
+    {{- $_ := set $current_dict "dns_1123_name" dict }}
+    {{- if hasKey $current_dict "matchExpressions" }}
+      {{- $_ := set $current_dict "dns_1123_name" (printf (print $name_format2 "-" ($current_dict.matchExpressions | quote | sha256sum | trunc 8))) }}
+    {{- else }}
+      {{- $_ := set $current_dict "dns_1123_name" $name_format2 }}
+    {{- end }}
+
+    {{/* set daemonset metadata name */}}
+    {{- if not $context.Values.__daemonset_yaml.metadata }}{{- $_ := set $context.Values.__daemonset_yaml "metadata" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }}
+    {{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }}
+
+    {{/* cross-reference configmap name to container volume definitions */}}
+    {{- $_ := set $context.Values "__volume_list" list }}
+    {{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }}
+      {{- $_ := set $context.Values "__volume" $current_volume }}
+      {{- if hasKey $context.Values.__volume "secret" }}
+        {{- if eq $context.Values.__volume.secret.secretName $configmap_name }}
+          {{- $_ := set $context.Values.__volume.secret "secretName" $current_dict.dns_1123_name }}
+        {{- end }}
+      {{- end }}
+      {{- $updated_list := append $context.Values.__volume_list $context.Values.__volume }}
+      {{- $_ := set $context.Values "__volume_list" $updated_list }}
+    {{- end }}
+    {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "volumes" $context.Values.__volume_list }}
+
+
+    {{/* populate scheduling restrictions */}}
+    {{- if hasKey $current_dict "matchExpressions" }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "spec" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "affinity" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity "nodeAffinity" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity "requiredDuringSchedulingIgnoredDuringExecution" dict }}{{- end }}
+      {{- $match_exprs := dict }}
+      {{- $_ := set $match_exprs "matchExpressions" $current_dict.matchExpressions }}
+      {{- $appended_match_expr := list $match_exprs }}
+      {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution "nodeSelectorTerms" $appended_match_expr }}
+    {{- end }}
+
+    {{/* input value hash for current set of values overrides */}}
+    {{- if not $context.Values.__daemonset_yaml.spec }}{{- $_ := set $context.Values.__daemonset_yaml "spec" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template }}{{- $_ := set $context.Values.__daemonset_yaml.spec "template" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template.metadata }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "metadata" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template.metadata.annotations }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata "annotations" dict }}{{- end }}
+    {{- $cmap := list $current_dict.dns_1123_name $current_dict.nodeData | include $configmap_include }}
+    {{- $values_hash := $cmap | quote | sha256sum }}
+    {{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata.annotations "configmap-etc-hash" $values_hash }}
+
+    {{/* generate configmap */}}
+---
+{{ $cmap }}
+    {{/* generate daemonset yaml */}}
+---
+{{ $context.Values.__daemonset_yaml | toYaml }}
+  {{- end }}
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
new file mode 100644
index 0000000..b99c00d
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.dependency_resolver" }}
+{{- $envAll := index . "envAll" -}}
+{{- $dependencyMixinParam := index . "dependencyMixinParam" -}}
+{{- $dependencyKey := index . "dependencyKey" -}}
+{{- if $dependencyMixinParam -}}
+{{- $_ := set $envAll.Values "pod_dependency" dict -}}
+{{- if kindIs "string" $dependencyMixinParam }}
+{{- if ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam ) }}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency ( index $envAll.Values.dependencies.static $dependencyKey ) ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam $dependencyKey ) ) -}}
+{{- else }}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- end }}
+{{- else if kindIs "slice" $dependencyMixinParam }}
+{{- $_ := set $envAll.Values "__deps" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- range $k, $v := $dependencyMixinParam -}}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency $envAll.Values.__deps ( index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey ) ) -}}
+{{- $_ := set $envAll.Values "__deps" $envAll.Values.pod_dependency -}}
+{{- end }}
+{{- end }}
+{{- else -}}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) -}}
+{{- end -}}
+{{ $envAll.Values.pod_dependency | toYaml }}
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_hash.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_hash.tpl
new file mode 100644
index 0000000..d871b62
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_hash.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.hash" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{- include $wtf $context | sha256sum | quote -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_host_list.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_host_list.tpl
new file mode 100644
index 0000000..0c32136
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_host_list.tpl
@@ -0,0 +1,44 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a list of unique hosts for an endpoint, in yaml.
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: mariadb
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.utils.host_list" }}
+return: |
+  hosts:
+  - mariadb
+  - mariadb.default
+*/}}
+
+{{- define "helm-toolkit.utils.host_list" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $host_fqdn := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $host_namespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $host_short := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{/* It is important that the FQDN host is 1st in this list, to ensure other function can use the 1st element for cert gen CN etc */}}
+{{- $host_list := list $host_fqdn $host_namespaced $host_short | uniq }}
+{{- dict "hosts" $host_list | toYaml }}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_image_sync_list.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
new file mode 100644
index 0000000..51923b6
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.image_sync_list" -}}
+{{- $imageExcludeList := .Values.images.local_registry.exclude -}}
+{{- $imageDict := .Values.images.tags -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := $imageDict -}}
+{{- if not $local.first -}},{{- end -}}
+{{- if (not (has $k $imageExcludeList )) -}}
+{{- index $imageDict $k -}}
+{{- $_ := set $local "first" false -}}
+{{- end -}}{{- end -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
new file mode 100644
index 0000000..5eb5785
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a comma separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithComma" .Values.test }}
+return: |
+  foo,bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithComma" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
new file mode 100644
index 0000000..3bc6819
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a comma seperated string with single quotes
+  around each value.
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.test }}
+return: |
+  'foo','bar'
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}'{{- $v -}}'{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
new file mode 100644
index 0000000..40ebb15
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
@@ -0,0 +1,32 @@
+{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of prefixed values into a space separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ tuple "prefix" .Values.test | include "helm-toolkit.utils.joinListWithPrefix" }}
+return: |
+  prefixfoo prefixbar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithPrefix" -}}
+{{- $prefix := index . 0 -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := index . 1 -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $prefix -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
new file mode 100644
index 0000000..5912280
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a space separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithSpace" .Values.test }}
+return: |
+  foo bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithSpace" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_merge.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_merge.tpl
new file mode 100644
index 0000000..ea80546
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_merge.tpl
@@ -0,0 +1,135 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Takes a tuple of values and merges into the first (target) one each subsequent
+(source) one in order. If all values to merge are maps, then the tuple can be
+passed as is and the target will be the result, otherwise pass a map with a
+"values" key containing the tuple of values to merge, and the merge result will
+be assigned to the "result" key of the passed map.
+
+When merging maps, for each key in the source, if the target does not define
+that key, the source value is assigned. If both define the key, then the key
+values are merged using this algorithm (recursively) and the result is assigned
+to the target key. Slices are merged by appending them and removing any
+duplicates, and when passing a map to this function and including a
+"merge_same_named" key set to true, then map items from the slices with the same
+value for the "name" key will be merged with each other. Any other values are
+merged by simply keeping the source, and throwing away the target.
+*/}}
+
+{{- define "helm-toolkit.utils.merge" -}}
+  {{- $local := dict -}}
+  {{- $_ := set $local "merge_same_named" false -}}
+  {{- if kindIs "map" $ -}}
+    {{- $_ := set $local "values" $.values -}}
+    {{- if hasKey $ "merge_same_named" -}}
+      {{- $_ := set $local "merge_same_named" $.merge_same_named -}}
+    {{- end -}}
+  {{- else -}}
+    {{- $_ := set $local "values" $ -}}
+  {{- end -}}
+
+  {{- $target := first $local.values -}}
+  {{- range $item := rest $local.values -}}
+    {{- $call := dict "target" $target "source" . "merge_same_named" $local.merge_same_named -}}
+    {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+    {{- $_ := set $local "result" $call.result -}}
+  {{- end -}}
+
+  {{- if kindIs "map" $ -}}
+    {{- $_ := set $ "result" $local.result -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge" -}}
+  {{- $local := dict -}}
+
+  {{- $_ := set $ "result" $.source -}}
+
+  {{/*
+  TODO: Should we `fail` when trying to merge a collection (map or slice) with
+  either a different kind of collection or a scalar?
+  */}}
+
+  {{- if and (kindIs "map" $.target) (kindIs "map" $.source) -}}
+    {{- range $key, $sourceValue := $.source -}}
+      {{- if not (hasKey $.target $key) -}}
+        {{- $_ := set $local "newTargetValue" $sourceValue -}}
+        {{- if kindIs "map" $sourceValue -}}
+          {{- $copy := dict -}}
+          {{- $call := dict "target" $copy "source" $sourceValue -}}
+          {{- $_ := include "helm-toolkit.utils._merge.shallow" $call -}}
+          {{- $_ := set $local "newTargetValue" $copy -}}
+        {{- end -}}
+      {{- else -}}
+        {{- $targetValue := index $.target $key -}}
+        {{- $call := dict "target" $targetValue "source" $sourceValue "merge_same_named" $.merge_same_named -}}
+        {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+        {{- $_ := set $local "newTargetValue" $call.result -}}
+      {{- end -}}
+      {{- $_ := set $.target $key $local.newTargetValue -}}
+    {{- end -}}
+    {{- $_ := set $ "result" $.target -}}
+  {{- else if and (kindIs "slice" $.target) (kindIs "slice" $.source) -}}
+    {{- $call := dict "target" $.target "source" $.source -}}
+    {{- $_ := include "helm-toolkit.utils._merge.append_slice" $call -}}
+    {{- if $.merge_same_named -}}
+      {{- $_ := set $local "result" list -}}
+      {{- $_ := set $local "named_items" dict -}}
+      {{- range $item := $call.result -}}
+      {{- $_ := set $local "has_name_key" false -}}
+        {{- if kindIs "map" $item -}}
+          {{- if hasKey $item "name" -}}
+            {{- $_ := set $local "has_name_key" true -}}
+          {{- end -}}
+        {{- end -}}
+
+        {{- if $local.has_name_key -}}
+          {{- if hasKey $local.named_items $item.name -}}
+            {{- $named_item := index $local.named_items $item.name -}}
+            {{- $call := dict "target" $named_item "source" $item "merge_same_named" $.merge_same_named -}}
+            {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+          {{- else -}}
+            {{- $copy := dict -}}
+            {{- $copy_call := dict "target" $copy "source" $item -}}
+            {{- $_ := include "helm-toolkit.utils._merge.shallow" $copy_call -}}
+            {{- $_ := set $local.named_items $item.name $copy -}}
+            {{- $_ := set $local "result" (append $local.result $copy) -}}
+          {{- end -}}
+        {{- else -}}
+          {{- $_ := set $local "result" (append $local.result $item) -}}
+        {{- end -}}
+      {{- end -}}
+    {{- else -}}
+      {{- $_ := set $local "result" $call.result -}}
+    {{- end -}}
+    {{- $_ := set $ "result" (uniq $local.result) -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.shallow" -}}
+  {{- range $key, $value := $.source -}}
+    {{- $_ := set $.target $key $value -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.append_slice" -}}
+  {{- $local := dict -}}
+  {{- $_ := set $local "result" $.target -}}
+  {{- range $value := $.source -}}
+    {{- $_ := set $local "result" (append $local.result $value) -}}
+  {{- end -}}
+  {{- $_ := set $ "result" $local.result -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_template.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_template.tpl
new file mode 100644
index 0000000..da56aa0
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_template.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.template" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{ include $wtf $context }}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_to_ini.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_to_ini.tpl
new file mode 100644
index 0000000..a159364
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_to_ini.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns INI formatted output from yaml input
+values: |
+  conf:
+    paste:
+      filter:debug:
+        use: egg:oslo.middleware#debug
+      filter:request_id:
+        use: egg:oslo.middleware#request_id
+      filter:build_auth_context:
+        use: egg:keystone#build_auth_context
+usage: |
+  {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste }}
+return: |
+  [filter:build_auth_context]
+  use = egg:keystone#build_auth_context
+  [filter:debug]
+  use = egg:oslo.middleware#debug
+  [filter:request_id]
+  use = egg:oslo.middleware#request_id
+*/}}
+
+{{- define "helm-toolkit.utils.to_ini" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{else -}}
+{{ $key }} = {{ $value }}
+{{end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
new file mode 100644
index 0000000..885a86c
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns yaml formatted to be used in k8s templates as container
+  env vars injected via secrets. This requires a secret-<chartname> template to
+  be defined in the chart that can be used to house the desired secret
+  variables. For reference, see the fluentd chart.
+values: |
+  test:
+    secrets:
+      foo: bar
+
+usage: |
+  {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+  - name: foo
+    valueFrom:
+      secretKeyRef:
+        name: "my-release-name-env-secret"
+        key: foo
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_secret_vars" -}}
+{{- $context := index . 0 -}}
+{{- $secrets := index . 1 -}}
+{{ range $key, $config := $secrets -}}
+- name: {{ $key }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ printf "%s-%s" $context.Release.Name "env-secret" | quote }}
+      key: {{ $key }}
+{{ end -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
new file mode 100644
index 0000000..829dca6
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
@@ -0,0 +1,39 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns key value pair formatted to be used in k8s templates as container
+  env vars.
+values: |
+  test:
+    foo: bar
+usage: |
+  {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+  - name: foo
+    value: "bar"
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_vars" -}}
+{{range $key, $value := . -}}
+{{- if kindIs "slice" $value -}}
+- name: {{ $key }}
+  value: {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{else -}}
+- name: {{ $key }}
+  value: {{ $value | quote }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_to_kv_list.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
new file mode 100644
index 0000000..91bdeb6
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
@@ -0,0 +1,42 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns key value pair in INI format (key = value)
+values: |
+  conf:
+    libvirt:
+      log_level: 3
+usage: |
+  {{ include "helm-toolkit.utils.to_kv_list" .Values.conf.libvirt }}
+return: |
+  log_level = 3
+*/}}
+
+{{- define "helm-toolkit.utils.to_kv_list" -}}
+{{- range $key, $value :=  . -}}
+{{- if kindIs "slice" $value }}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{- else if kindIs "string" $value }}
+{{- if regexMatch "^[0-9]+$" $value }}
+{{ $key }} = {{ $value }}
+{{- else }}
+{{ $key }} = {{ $value | quote }}
+{{- end }}
+{{- else }}
+{{ $key }} = {{ $value }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
new file mode 100644
index 0000000..622a862
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns OSLO.conf formatted output from yaml input
+values: |
+  conf:
+    keystone:
+      DEFAULT: # Keys at this level are used for section headings
+        max_token_size: 255
+      oslo_messaging_notifications:
+        driver: # An example of a multistring option's syntax
+          type: multistring
+          values:
+            - messagingv2
+            - log
+      oslo_messaging_notifications_stein:
+        driver: # An example of a csv option's syntax
+          type: csv
+          values:
+            - messagingv2
+            - log
+      security_compliance:
+        password_expires_ignore_user_ids:
+        # Values in a list will be converted to a comma separated key
+          - "123"
+          - "456"
+usage: |
+  {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.keystone }}
+return: |
+  [DEFAULT]
+  max_token_size = 255
+  [oslo_messaging_notifications]
+  driver = messagingv2
+  driver = log
+  [oslo_messaging_notifications_stein]
+  driver = messagingv2,log
+  [security_compliance]
+  password_expires_ignore_user_ids = 123,456
+*/}}
+
+{{- define "helm-toolkit.utils.to_oslo_conf" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{ range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{ else if kindIs "map" $value -}}
+{{- if eq $value.type "multistring" }}
+{{- range $k, $multistringValue := $value.values -}}
+{{ $key }} = {{ $multistringValue }}
+{{ end -}}
+{{ else if eq $value.type "csv" -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value.values }}
+{{ end -}}
+{{- else -}}
+{{ $key }} = {{ $value }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/values.yaml b/charts/ceph-provisioners/charts/helm-toolkit/values.yaml
new file mode 100644
index 0000000..681a92b
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/values.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for utils.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
diff --git a/charts/ceph-provisioners/requirements.lock b/charts/ceph-provisioners/requirements.lock
new file mode 100644
index 0000000..3b09b9a
--- /dev/null
+++ b/charts/ceph-provisioners/requirements.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: helm-toolkit
+  repository: https://tarballs.opendev.org/openstack/openstack-helm-infra
+  version: '>= 0.1.0'
+digest: sha256:9a14200f65f9e9d7f811f6b763242eea2a0ff5f36199412abc2c58f273b95899
+generated: "2021-07-28T15:09:21.187908283Z"
diff --git a/charts/ceph-provisioners/requirements.yaml b/charts/ceph-provisioners/requirements.yaml
new file mode 100644
index 0000000..4333ba9
--- /dev/null
+++ b/charts/ceph-provisioners/requirements.yaml
@@ -0,0 +1,18 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies:
+  - name: helm-toolkit
+    repository: https://tarballs.opendev.org/openstack/openstack-helm-infra
+    version: ">= 0.1.0"
+...
diff --git a/charts/ceph-provisioners/templates/bin/_bootstrap.sh.tpl b/charts/ceph-provisioners/templates/bin/_bootstrap.sh.tpl
new file mode 100644
index 0000000..6452d0a
--- /dev/null
+++ b/charts/ceph-provisioners/templates/bin/_bootstrap.sh.tpl
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+{{ .Values.bootstrap.script | default "echo 'Not Enabled'" }}
diff --git a/charts/ceph-provisioners/templates/bin/_helm-tests.sh.tpl b/charts/ceph-provisioners/templates/bin/_helm-tests.sh.tpl
new file mode 100644
index 0000000..b22916d
--- /dev/null
+++ b/charts/ceph-provisioners/templates/bin/_helm-tests.sh.tpl
@@ -0,0 +1,205 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+function reset_test_env()
+{
+  pvc_namespace=$1
+  pod_name=$2
+  pvc_name=$3
+  echo "--> Resetting POD and PVC before/after test"
+  if kubectl get pod -n $pvc_namespace $pod_name; then
+    kubectl delete pod -n $pvc_namespace $pod_name
+  fi
+
+  if kubectl get cm -n $pvc_namespace ${pod_name}-bin; then
+    kubectl delete cm -n $pvc_namespace ${pod_name}-bin
+  fi
+
+  if kubectl get pvc -n $pvc_namespace $pvc_name; then
+    kubectl delete pvc -n $pvc_namespace $pvc_name;
+  fi
+}
+
+
+function storageclass_validation()
+{
+  pvc_namespace=$1
+  pod_name=$2
+  pvc_name=$3
+  storageclass=$4
+
+  echo "--> Starting validation"
+
+  # storageclass check
+  if ! kubectl get storageclass $storageclass; then
+    echo "Storageclass: $storageclass is not provisioned."
+    exit 1
+  fi
+
+  tee <<EOF | kubectl apply -n $pvc_namespace -f -
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: $pvc_name
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: $storageclass
+  resources:
+    requests:
+      storage: 3Gi
+EOF
+
+  # waiting for pvc to get create
+  end=$(($(date +%s) + TEST_POD_WAIT_TIMEOUT))
+  while ! kubectl get pvc -n $pvc_namespace $pvc_name | grep Bound; do
+    if [ "$(date +%s)" -gt "${end}" ]; then
+      kubectl get pvc -n $pvc_namespace $pvc_name
+      kubectl get pv
+      echo "Storageclass is available but can't create PersistentVolumeClaim."
+      exit 1
+    fi
+    sleep 10
+  done
+
+  tee <<EOF | kubectl apply --namespace $pvc_namespace -f -
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: ${pod_name}-bin
+data:
+  test.sh: |
+    #!/bin/bash
+
+    tmpdir=\$(mktemp -d)
+    declare -a files_list
+    total_files=10
+
+    function check_result ()
+    {
+      red='\033[0;31m'
+      green='\033[0;32m'
+      bw='\033[0m'
+      if [ "\$1" -ne 0 ]; then
+        echo -e "\${red}\$2\${bw}"
+        exit 1
+      else
+        echo -e "\${green}\$3\${bw}"
+      fi
+    }
+
+    echo "Preparing \${total_objects} files for test"
+    for i in \$(seq \$total_files); do
+      files_list[\$i]="\$(mktemp -p "$tmpdir" -t XXXXXXXX)"
+      echo "Creating \${files_list[\$i]} file"
+      dd if=/dev/urandom of="\${files_list[\$i]}" bs=1M count=8
+
+      echo "Writing to /mnt/\${files_list[\$i]##*/}"
+      cp "\${files_list[\$i]}" "/mnt/\${files_list[\$i]##*/}"
+      check_result \$? "The action failed" "The action succeeded"
+    done
+
+    for i in \$(seq \$total_files); do
+      echo "Comparing files: \${files_list[\$i]} and /mnt/\${files_list[\$i]##*/}"
+      cmp "\${files_list[\$i]}" "/mnt/\${files_list[\$i]##*/}"
+      check_result \$? "The files are not equal" "The files are equal"
+    done
+
+    touch /mnt/SUCCESS && exit 0 || exit 1
+
+---
+kind: Pod
+apiVersion: v1
+metadata:
+  name: $pod_name
+spec:
+  nodeSelector:
+    {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
+  containers:
+  - name: task-pv-storage
+    image: {{ .Values.images.tags.ceph_config_helper }}
+    command:
+    - /tmp/test.sh
+    volumeMounts:
+    - name: ceph-cm-test
+      mountPath: /tmp/test.sh
+      subPath: test.sh
+      readOnly: true
+    - name: pvc
+      mountPath: "/mnt"
+      readOnly: false
+  restartPolicy: "Never"
+  volumes:
+  - name: ceph-cm-test
+    configMap:
+      name: ${pod_name}-bin
+      defaultMode: 0555
+  - name: pvc
+    persistentVolumeClaim:
+      claimName: $pvc_name
+...
+EOF
+
+  # waiting for pod to get completed
+  end=$(($(date +%s) + TEST_POD_WAIT_TIMEOUT))
+  while ! kubectl get pods -n $pvc_namespace $pod_name | grep -i Completed; do
+    if [ "$(date +%s)" -gt "${end}" ]; then
+      kubectl get pods -n $pvc_namespace $pod_name
+      kubectl logs -n $pvc_namespace $pod_name
+      echo "Cannot create POD with rbd storage class $storageclass based PersistentVolumeClaim."
+      exit 1
+    fi
+    sleep 10
+  done
+
+  kubectl logs -n $pvc_namespace $pod_name
+}
+
+
+reset_test_env $PVC_NAMESPACE $RBD_TEST_POD_NAME $RBD_TEST_PVC_NAME
+reset_test_env $PVC_NAMESPACE $CSI_RBD_TEST_POD_NAME $CSI_RBD_TEST_PVC_NAME
+reset_test_env $PVC_NAMESPACE $CEPHFS_TEST_POD_NAME $CEPHFS_TEST_PVC_NAME
+
+{{- range $storageclass, $val := .Values.storageclass }}
+if [ {{ $val.provisioner }} == "ceph.com/rbd" ] && [ {{ $val.provision_storage_class }} == true ];
+then
+  echo "--> Checking RBD storage class."
+  storageclass={{ $val.metadata.name }}
+
+  storageclass_validation $PVC_NAMESPACE $RBD_TEST_POD_NAME $RBD_TEST_PVC_NAME $storageclass
+  reset_test_env $PVC_NAMESPACE $RBD_TEST_POD_NAME $RBD_TEST_PVC_NAME
+fi
+
+if [ {{ $val.provisioner }} == "ceph.rbd.csi.ceph.com" ] && [ {{ $val.provision_storage_class }} == true ];
+then
+  echo "--> Checking CSI RBD storage class."
+  storageclass={{ $val.metadata.name }}
+  storageclass_validation $PVC_NAMESPACE $CSI_RBD_TEST_POD_NAME $CSI_RBD_TEST_PVC_NAME $storageclass
+  reset_test_env $PVC_NAMESPACE $CSI_RBD_TEST_POD_NAME $CSI_RBD_TEST_PVC_NAME
+fi
+
+if [ {{ $val.provisioner }} == "ceph.com/cephfs" ] && [ {{ $val.provision_storage_class }} == true ];
+then
+  echo "--> Checking cephfs storage class."
+  storageclass={{ $val.metadata.name }}
+  storageclass_validation $PVC_NAMESPACE $CEPHFS_TEST_POD_NAME $CEPHFS_TEST_PVC_NAME $storageclass
+  reset_test_env $PVC_NAMESPACE $CEPHFS_TEST_POD_NAME $CEPHFS_TEST_PVC_NAME
+fi
+{{- end }}
diff --git a/charts/ceph-provisioners/templates/bin/provisioner/cephfs/_client-key-manager.sh.tpl b/charts/ceph-provisioners/templates/bin/provisioner/cephfs/_client-key-manager.sh.tpl
new file mode 100644
index 0000000..421e6f6
--- /dev/null
+++ b/charts/ceph-provisioners/templates/bin/provisioner/cephfs/_client-key-manager.sh.tpl
@@ -0,0 +1,50 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+{{- $envAll := . }}
+
+CEPH_CEPHFS_KEY=$(kubectl get secret ${PVC_CEPH_CEPHFS_STORAGECLASS_ADMIN_SECRET_NAME} \
+    --namespace=${PVC_CEPH_CEPHFS_STORAGECLASS_DEPLOYED_NAMESPACE} \
+    -o json )
+
+ceph_activate_namespace() {
+  kube_namespace=$1
+  secret_type=$2
+  secret_name=$3
+  ceph_key=$4
+  {
+  cat <<EOF
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "${secret_name}"
+  labels:
+{{ tuple $envAll "ceph" "cephfs" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+type: "${secret_type}"
+data:
+  key: $( echo ${ceph_key} )
+EOF
+  } | kubectl apply --namespace ${kube_namespace} -f -
+}
+
+if ! kubectl get --namespace ${DEPLOYMENT_NAMESPACE} secrets ${PVC_CEPH_CEPHFS_STORAGECLASS_USER_SECRET_NAME}; then
+  ceph_activate_namespace \
+    ${DEPLOYMENT_NAMESPACE} \
+    "kubernetes.io/cephfs" \
+    ${PVC_CEPH_CEPHFS_STORAGECLASS_USER_SECRET_NAME} \
+    "$(echo ${CEPH_CEPHFS_KEY} | jq -r '.data.key')"
+fi
diff --git a/charts/ceph-provisioners/templates/bin/provisioner/cephfs/_start.sh.tpl b/charts/ceph-provisioners/templates/bin/provisioner/cephfs/_start.sh.tpl
new file mode 100644
index 0000000..9691aa9
--- /dev/null
+++ b/charts/ceph-provisioners/templates/bin/provisioner/cephfs/_start.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+exec /usr/local/bin/cephfs-provisioner -id "${POD_NAME}"
diff --git a/charts/ceph-provisioners/templates/bin/provisioner/rbd/_namespace-client-ceph-config-manager.sh.tpl b/charts/ceph-provisioners/templates/bin/provisioner/rbd/_namespace-client-ceph-config-manager.sh.tpl
new file mode 100644
index 0000000..5051a3f
--- /dev/null
+++ b/charts/ceph-provisioners/templates/bin/provisioner/rbd/_namespace-client-ceph-config-manager.sh.tpl
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+{{- $envAll := . }}
+
+
+ENDPOINT=$(kubectl get endpoints ceph-mon-discovery -n ${PVC_CEPH_RBD_STORAGECLASS_DEPLOYED_NAMESPACE} -o json | awk -F'"' -v port=${MON_PORT} \
+           -v version=v1 -v msgr_version=v2 \
+           -v msgr2_port=${MON_PORT_V2} \
+           '/"ip"/{print "["version":"$4":"port"/"0","msgr_version":"$4":"msgr2_port"/"0"]"}' | paste -sd',')
+
+echo $ENDPOINT
+
+kubectl get cm ${CEPH_CONF_ETC} -n  ${DEPLOYMENT_NAMESPACE}  -o yaml | \
+  sed "s#mon_host.*#mon_host = ${ENDPOINT}#g" | \
+  kubectl apply -f -
+
+kubectl get cm ${CEPH_CONF_ETC} -n  ${DEPLOYMENT_NAMESPACE}  -o yaml
diff --git a/charts/ceph-provisioners/templates/bin/provisioner/rbd/_namespace-client-key-cleaner.sh.tpl b/charts/ceph-provisioners/templates/bin/provisioner/rbd/_namespace-client-key-cleaner.sh.tpl
new file mode 100644
index 0000000..5f482a2
--- /dev/null
+++ b/charts/ceph-provisioners/templates/bin/provisioner/rbd/_namespace-client-key-cleaner.sh.tpl
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+kubectl delete secret \
+  --namespace ${DEPLOYMENT_NAMESPACE} \
+  --ignore-not-found=true \
+  ${PVC_CEPH_RBD_STORAGECLASS_USER_SECRET_NAME}
diff --git a/charts/ceph-provisioners/templates/bin/provisioner/rbd/_namespace-client-key-manager.sh.tpl b/charts/ceph-provisioners/templates/bin/provisioner/rbd/_namespace-client-key-manager.sh.tpl
new file mode 100644
index 0000000..e6a8abe
--- /dev/null
+++ b/charts/ceph-provisioners/templates/bin/provisioner/rbd/_namespace-client-key-manager.sh.tpl
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+{{- $envAll := . }}
+
+CEPH_RBD_KEY=$(kubectl get secret ${PVC_CEPH_RBD_STORAGECLASS_ADMIN_SECRET_NAME} \
+    --namespace=${PVC_CEPH_RBD_STORAGECLASS_DEPLOYED_NAMESPACE} \
+    -o json )
+
+ceph_activate_namespace() {
+  kube_namespace=$1
+  secret_type=$2
+  secret_name=$3
+  ceph_key=$4
+  {
+  cat <<EOF
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "${secret_name}"
+  labels:
+{{ tuple $envAll "ceph" "rbd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+type: "${secret_type}"
+data:
+  key: $( echo ${ceph_key} )
+EOF
+  } | kubectl apply --namespace ${kube_namespace} -f -
+}
+
+ceph_activate_namespace ${DEPLOYMENT_NAMESPACE} "kubernetes.io/rbd" ${PVC_CEPH_RBD_STORAGECLASS_USER_SECRET_NAME} "$(echo ${CEPH_RBD_KEY} | jq -r '.data.key')"
diff --git a/charts/ceph-provisioners/templates/bin/provisioner/rbd/_start.sh.tpl b/charts/ceph-provisioners/templates/bin/provisioner/rbd/_start.sh.tpl
new file mode 100644
index 0000000..aadbecd
--- /dev/null
+++ b/charts/ceph-provisioners/templates/bin/provisioner/rbd/_start.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+exec /usr/local/bin/rbd-provisioner -id "${POD_NAME}"
diff --git a/charts/ceph-provisioners/templates/configmap-bin-provisioner.yaml b/charts/ceph-provisioners/templates/configmap-bin-provisioner.yaml
new file mode 100644
index 0000000..b78f393
--- /dev/null
+++ b/charts/ceph-provisioners/templates/configmap-bin-provisioner.yaml
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.configmap_bin .Values.deployment.client_secrets }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ printf "%s-%s" $envAll.Release.Name "ceph-prov-bin-clients" | quote }}
+data:
+  provisioner-rbd-namespace-client-ceph-config-manager.sh: |
+{{ tuple "bin/provisioner/rbd/_namespace-client-ceph-config-manager.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  provisioner-rbd-namespace-client-key-manager.sh: |
+{{ tuple "bin/provisioner/rbd/_namespace-client-key-manager.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  provisioner-rbd-namespace-client-key-cleaner.sh: |
+{{ tuple "bin/provisioner/rbd/_namespace-client-key-cleaner.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  helm-tests.sh: |
+{{ tuple "bin/_helm-tests.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
diff --git a/charts/ceph-provisioners/templates/configmap-bin.yaml b/charts/ceph-provisioners/templates/configmap-bin.yaml
new file mode 100644
index 0000000..46adf15
--- /dev/null
+++ b/charts/ceph-provisioners/templates/configmap-bin.yaml
@@ -0,0 +1,41 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.configmap_bin_common .Values.deployment.ceph }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ printf "%s-%s" $envAll.Release.Name "ceph-prov-bin" | quote }}
+data:
+{{- if .Values.images.local_registry.active }}
+  image-repo-sync.sh: |
+{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
+{{- end }}
+
+{{- if .Values.bootstrap.enabled }}
+  bootstrap.sh: |
+{{ tuple "bin/_bootstrap.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+
+  provisioner-cephfs-start.sh: |
+{{ tuple "bin/provisioner/cephfs/_start.sh.tpl" . | include  "helm-toolkit.utils.template" | indent 4 }}
+  provisioner-cephfs-client-key-manager.sh: |
+{{ tuple "bin/provisioner/cephfs/_client-key-manager.sh.tpl" . | include  "helm-toolkit.utils.template" | indent 4 }}
+
+  provisioner-rbd-start.sh: |
+{{ tuple "bin/provisioner/rbd/_start.sh.tpl" . | include  "helm-toolkit.utils.template" | indent 4 }}
+
+{{- end }}
diff --git a/charts/ceph-provisioners/templates/configmap-etc-client.yaml b/charts/ceph-provisioners/templates/configmap-etc-client.yaml
new file mode 100644
index 0000000..8db63dc
--- /dev/null
+++ b/charts/ceph-provisioners/templates/configmap-etc-client.yaml
@@ -0,0 +1,54 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "ceph.configmap.etc" }}
+{{- $configMapName := index . 0 }}
+{{- $envAll := index . 1 }}
+{{- with $envAll }}
+
+{{- if or (.Values.deployment.ceph) (.Values.deployment.client_secrets) }}
+
+{{- if empty .Values.conf.ceph.global.mon_host -}}
+{{- $monHost := tuple "ceph_mon" "internal" "mon_msgr2" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+{{- $_ := $monHost | set .Values.conf.ceph.global "mon_host" -}}
+{{- end -}}
+
+
+{{- if empty .Values.conf.ceph.osd.cluster_network -}}
+{{- $_ := .Values.network.cluster | set .Values.conf.ceph.osd "cluster_network" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.ceph.osd.public_network -}}
+{{- $_ := .Values.network.public | set .Values.conf.ceph.osd "public_network" -}}
+{{- end -}}
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ $configMapName }}
+data:
+  ceph.conf: |
+{{ include "helm-toolkit.utils.to_ini" .Values.conf.ceph | indent 4 }}
+
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if .Values.manifests.configmap_etc }}
+{{- if eq .Values.storageclass.csi_rbd.provision_storage_class true }}
+{{- list  .Values.storageclass.csi_rbd.ceph_configmap_name . | include "ceph.configmap.etc" }}
+{{- else }}
+{{- list  .Values.storageclass.rbd.ceph_configmap_name . | include "ceph.configmap.etc" }}
+{{- end }}
+{{- end }}
diff --git a/charts/ceph-provisioners/templates/configmap-etc-csi.yaml b/charts/ceph-provisioners/templates/configmap-etc-csi.yaml
new file mode 100644
index 0000000..8ecc362
--- /dev/null
+++ b/charts/ceph-provisioners/templates/configmap-etc-csi.yaml
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "ceph.configmap.etc.csi" }}
+{{- $configMapName := index . 0 }}
+{{- $envAll := index . 1 }}
+{{- with $envAll }}
+
+{{- if and (.Values.deployment.ceph) (.Values.deployment.csi_rbd_provisioner) }}
+
+{{- if empty .Values.conf.ceph.global.mon_host -}}
+{{- $monHost := tuple "ceph_mon" "internal" "mon" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+{{- $_ := $monHost | set .Values.conf.ceph.global "mon_host" -}}
+{{- end -}}
+
+---
+apiVersion: v1
+kind: ConfigMap
+data:
+  config.json: |-
+    [
+      {
+        "clusterID": {{ .Release.Namespace | quote }},
+        "monitors": [
+          {{ .Values.conf.ceph.global.mon_host | quote }}
+        ]
+      }
+    ]
+metadata:
+  name: ceph-csi-config
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.configmap_etc }}
+{{- list  .Values.storageclass.csi_rbd.ceph_configmap_name . | include "ceph.configmap.etc.csi" }}
+{{- end }}
diff --git a/charts/ceph-provisioners/templates/daemonset-csi-rbd-plugin.yaml b/charts/ceph-provisioners/templates/daemonset-csi-rbd-plugin.yaml
new file mode 100644
index 0000000..8933f34
--- /dev/null
+++ b/charts/ceph-provisioners/templates/daemonset-csi-rbd-plugin.yaml
@@ -0,0 +1,181 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.deployment_csi_rbd_provisioner .Values.deployment.csi_rbd_provisioner }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := printf "%s-%s" .Release.Name "ceph-rbd-csi-nodeplugin" }}
+{{ tuple $envAll "rbd_provisioner" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ $serviceAccountName }}
+rules:
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ $serviceAccountName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $serviceAccountName }}
+    namespace: {{ $envAll.Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ $serviceAccountName }}
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: DaemonSet
+apiVersion: apps/v1
+metadata:
+  name: ceph-rbd-plugin
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "rbd" "plugin" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  selector:
+    matchLabels:
+{{ tuple $envAll "rbd" "plugin" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll "plugin" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "rbd" "plugin" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "ceph-rbd-plugin" "containerNames" (list "driver-registrar" "csi-rbdplugin" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+{{ dict "envAll" $envAll "application" "plugin" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      serviceAccountName: {{ $serviceAccountName }}
+      nodeSelector:
+        {{ .Values.labels.csi_rbd_plugin.node_selector_key }}: {{ .Values.labels.csi_rbd_plugin.node_selector_value }}
+      hostNetwork: true
+      hostPID: true
+      dnsPolicy: {{ .Values.pod.dns_policy }}
+      initContainers:
+{{ tuple $envAll "rbd_plugin" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: driver-registrar
+{{ tuple $envAll "csi_registrar" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.rbd_registrar | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "plugin" "container" "ceph_rbd_registrar" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          args:
+            - "--v=0"
+            - "--csi-address=/csi/csi.sock"
+            - "--kubelet-registration-path=/var/lib/kubelet/plugins/$(DEPLOYMENT_NAMESPACE).rbd.csi.ceph.com/csi.sock"
+          env:
+            - name: DEPLOYMENT_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: KUBE_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /csi
+            - name: registration-dir
+              mountPath: /registration
+        - name: csi-rbdplugin
+{{ tuple $envAll "cephcsi" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.rbd_cephcsi | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "plugin" "container" "ceph_csi_rbd_plugin" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          args:
+            - "--nodeid=$(NODE_ID)"
+            - "--type=rbd"
+            - "--nodeserver=true"
+            - "--endpoint=$(CSI_ENDPOINT)"
+            - "--v=0"
+            - "--drivername=$(DEPLOYMENT_NAMESPACE).rbd.csi.ceph.com"
+            - "--pidlimit=-1"
+          env:
+            - name: DEPLOYMENT_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
+            - name: NODE_ID
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: CSI_ENDPOINT
+              value: unix:///csi/csi.sock
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /csi
+            - mountPath: /dev
+              name: host-dev
+            - mountPath: /sys
+              name: host-sys
+            - mountPath: /run/mount
+              name: host-mount
+            - mountPath: /lib/modules
+              name: lib-modules
+              readOnly: true
+            - name: ceph-csi-config
+              mountPath: /etc/ceph-csi-config/
+            - name: plugin-dir
+              mountPath: /var/lib/kubelet/plugins
+              mountPropagation: "Bidirectional"
+            - name: mountpoint-dir
+              mountPath: /var/lib/kubelet/pods
+              mountPropagation: "Bidirectional"
+            - name: keys-tmp-dir
+              mountPath: /tmp/csi/keys
+      volumes:
+        - name: socket-dir
+          hostPath:
+            path: /var/lib/kubelet/plugins/ceph.rbd.csi.ceph.com
+            type: DirectoryOrCreate
+        - name: plugin-dir
+          hostPath:
+            path: /var/lib/kubelet/plugins
+            type: Directory
+        - name: mountpoint-dir
+          hostPath:
+            path: /var/lib/kubelet/pods
+            type: DirectoryOrCreate
+        - name: registration-dir
+          hostPath:
+            path: /var/lib/kubelet/plugins_registry/
+            type: Directory
+        - name: host-dev
+          hostPath:
+            path: /dev
+        - name: host-sys
+          hostPath:
+            path: /sys
+        - name: host-mount
+          hostPath:
+            path: /run/mount
+        - name: lib-modules
+          hostPath:
+            path: /lib/modules
+        - name: ceph-csi-config
+          configMap:
+            name: ceph-csi-config
+        - name: keys-tmp-dir
+          emptyDir: {
+            medium: "Memory"
+          }
+{{- end }}
diff --git a/charts/ceph-provisioners/templates/deployment-cephfs-provisioner.yaml b/charts/ceph-provisioners/templates/deployment-cephfs-provisioner.yaml
new file mode 100644
index 0000000..e96387a
--- /dev/null
+++ b/charts/ceph-provisioners/templates/deployment-cephfs-provisioner.yaml
@@ -0,0 +1,201 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.deployment_cephfs_provisioner .Values.deployment.cephfs_provisioner  }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := printf "%s-%s" .Release.Name "ceph-cephfs-provisioner" }}
+{{ tuple $envAll "cephfs_provisioner" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ $serviceAccountName }}
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - delete
+  - apiGroups:
+      - ''
+    resources:
+      - persistentvolumes
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - delete
+  - apiGroups:
+      - ''
+    resources:
+      - persistentvolumeclaims
+    verbs:
+      - get
+      - list
+      - watch
+      - update
+  - apiGroups:
+      - storage.k8s.io
+    resources:
+      - storageclasses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ''
+    resources:
+      - events
+    verbs:
+      - list
+      - watch
+      - create
+      - update
+      - patch
+  - apiGroups:
+      - ''
+    resources:
+      - services
+      - endpoints
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+  - apiGroups:
+      - extensions
+    resources:
+      - podsecuritypolicies
+    resourceNames:
+      - cephfs-provisioner
+    verbs:
+      - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ $serviceAccountName }}-run-cephfs-provisioner
+subjects:
+  - kind: ServiceAccount
+    name: {{ $serviceAccountName }}
+    namespace: {{ $envAll.Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ $serviceAccountName }}
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $serviceAccountName }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $serviceAccountName }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $serviceAccountName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $serviceAccountName }}
+    namespace: {{ $envAll.Release.Namespace }}
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: ceph-cephfs-provisioner
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "cephfs" "provisioner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.cephfs_provisioner }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "cephfs" "provisioner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "cephfs" "provisioner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "ceph-cephfs-provisioner" "containerNames" (list "ceph-cephfs-provisioner" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+{{ dict "envAll" $envAll "application" "provisioner" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      serviceAccountName: {{ $serviceAccountName }}
+      affinity:
+{{ tuple $envAll "cephfs" "provisioner" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+{{ tuple $envAll "cephfs_provisioner" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+      nodeSelector:
+        {{ .Values.labels.provisioner.node_selector_key }}: {{ .Values.labels.provisioner.node_selector_value }}
+      initContainers:
+{{ tuple $envAll "cephfs_provisioner" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: ceph-cephfs-provisioner
+{{ tuple $envAll "ceph_cephfs_provisioner" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.cephfs_provisioner | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "provisioner" "container" "ceph_cephfs_provisioner" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          env:
+            - name: PROVISIONER_NAME
+              value: {{ .Values.storageclass.cephfs.provisioner }}
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+          command:
+            - /tmp/provisioner-cephfs-start.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: pod-run
+              mountPath: /run
+            - name: pod-etc-ceph
+              mountPath: /etc/ceph
+            - name: ceph-provisioners-bin
+              mountPath: /tmp/provisioner-cephfs-start.sh
+              subPath: provisioner-cephfs-start.sh
+              readOnly: true
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: pod-run
+          emptyDir:
+            medium: "Memory"
+        - name: pod-etc-ceph
+          emptyDir: {}
+        - name: ceph-provisioners-bin
+          configMap:
+            name: {{ printf "%s-%s" $envAll.Release.Name "ceph-prov-bin" | quote }}
+            defaultMode: 0555
+{{- end }}
diff --git a/charts/ceph-provisioners/templates/deployment-csi-rbd-provisioner.yaml b/charts/ceph-provisioners/templates/deployment-csi-rbd-provisioner.yaml
new file mode 100644
index 0000000..fb3bc22
--- /dev/null
+++ b/charts/ceph-provisioners/templates/deployment-csi-rbd-provisioner.yaml
@@ -0,0 +1,283 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.deployment_csi_rbd_provisioner .Values.deployment.csi_rbd_provisioner }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := printf "%s-%s" .Release.Name "ceph-rbd-csi-provisioner" }}
+{{ tuple $envAll "rbd_provisioner" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ $serviceAccountName }}
+rules:
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["list", "watch", "create", "update", "patch"]
+  - apiGroups: [""]
+    resources: ["persistentvolumes"]
+    verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims"]
+    verbs: ["get", "list", "watch", "update"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims/status"]
+    verbs: ["update", "patch"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["storageclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshots"]
+    verbs: ["get", "list"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshotcontents"]
+    verbs: ["create", "get", "list", "watch", "update", "delete"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshotclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["volumeattachments"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["csinodes"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshotcontents/status"]
+    verbs: ["update"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ $serviceAccountName }}-run-rbd-provisioner
+subjects:
+  - kind: ServiceAccount
+    name: {{ $serviceAccountName }}
+    namespace: {{ $envAll.Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ $serviceAccountName }}
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  namespace: {{ $envAll.Release.Namespace }}
+  name: {{ $serviceAccountName }}
+rules:
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["get", "list", "watch", "create", "delete"]
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    verbs: ["get", "watch", "list", "delete", "update", "create"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ $serviceAccountName }}
+  namespace: {{ $envAll.Release.Namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $serviceAccountName }}
+    namespace: {{ $envAll.Release.Namespace }}
+roleRef:
+  kind: Role
+  name: {{ $serviceAccountName }}
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: ceph-rbd-csi-provisioner
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "rbd" "provisioner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.csi_rbd_provisioner }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "rbd" "provisioner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "rbd" "provisioner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "ceph-rbd-csi-provisioner" "containerNames" (list "ceph-rbd-provisioner" "ceph-rbd-snapshotter" "ceph-rbd-attacher" "csi-resizer" "csi-rbdplugin" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+{{ dict "envAll" $envAll "application" "provisioner" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      serviceAccountName: {{ $serviceAccountName }}
+      affinity:
+{{ tuple $envAll "rbd" "provisioner" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+{{ tuple $envAll "csi_rbd_provisioner" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+      nodeSelector:
+        {{ .Values.labels.provisioner.node_selector_key }}: {{ .Values.labels.provisioner.node_selector_value }}
+      initContainers:
+{{ tuple $envAll "rbd_provisioner" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: ceph-rbd-provisioner
+{{ tuple $envAll "csi_provisioner" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.csi_rbd_provisioner | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "provisioner" "container" "ceph_rbd_provisioner" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          env:
+            - name: DEPLOYMENT_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: ADDRESS
+              value: unix:///csi/csi-provisioner.sock
+
+          args:
+            - "--csi-address=$(ADDRESS)"
+            - "--v=0"
+            - "--timeout=150s"
+            - "--retry-interval-start=500ms"
+            - "--enable-leader-election=true"
+            - "--leader-election-type=leases"
+            - "--leader-election-namespace=$(DEPLOYMENT_NAMESPACE)"
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /csi
+        - name: ceph-rbd-snapshotter
+{{ tuple $envAll "csi_snapshotter" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.rbd_snapshotter | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "provisioner" "container" "ceph_rbd_snapshotter" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          args:
+            - "--csi-address=$(ADDRESS)"
+            - "--v=0"
+            - "--timeout=150s"
+            - "--leader-election=true"
+            - "--leader-election-namespace=$(DEPLOYMENT_NAMESPACE)"
+          env:
+            - name: DEPLOYMENT_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: ADDRESS
+              value: unix:///csi/csi-provisioner.sock
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /csi
+        - name: ceph-rbd-attacher
+{{ tuple $envAll "csi_attacher" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.rbd_attacher | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "provisioner" "container" "ceph_rbd_attacher" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          args:
+            - "--v=0"
+            - "--csi-address=$(ADDRESS)"
+            - "--leader-election=true"
+            - "--retry-interval-start=500ms"
+            - "--leader-election-namespace=$(DEPLOYMENT_NAMESPACE)"
+          env:
+            - name: DEPLOYMENT_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: ADDRESS
+              value: /csi/csi-provisioner.sock
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /csi
+        - name: csi-resizer
+{{ tuple $envAll "csi_resizer" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.rbd_resizer | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "provisioner" "container" "ceph_rbd_resizer" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          args:
+            - "--csi-address=$(ADDRESS)"
+            - "--v=0"
+            - "--csiTimeout=150s"
+            - "--leader-election"
+            - "--leader-election-namespace=$(DEPLOYMENT_NAMESPACE)"
+          env:
+            - name: DEPLOYMENT_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: ADDRESS
+              value: unix:///csi/csi-provisioner.sock
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /csi
+        - name: csi-rbdplugin
+{{ tuple $envAll "cephcsi" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.rbd_cephcsi | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "provisioner" "container" "ceph_rbd_cephcsi" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          args:
+            - "--nodeid=$(NODE_ID)"
+            - "--type=rbd"
+            - "--controllerserver=true"
+            - "--endpoint=$(CSI_ENDPOINT)"
+            - "--v=0"
+            - "--drivername=$(DEPLOYMENT_NAMESPACE).rbd.csi.ceph.com"
+            - "--pidlimit=-1"
+          env:
+            - name: DEPLOYMENT_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
+            - name: NODE_ID
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: CSI_ENDPOINT
+              value: unix:///csi/csi-provisioner.sock
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /csi
+            - mountPath: /dev
+              name: host-dev
+            - mountPath: /sys
+              name: host-sys
+            - mountPath: /lib/modules
+              name: lib-modules
+              readOnly: true
+            - name: ceph-csi-config
+              mountPath: /etc/ceph-csi-config/
+            - name: keys-tmp-dir
+              mountPath: /tmp/csi/keys
+      volumes:
+        - name: host-dev
+          hostPath:
+            path: /dev
+        - name: host-sys
+          hostPath:
+            path: /sys
+        - name: lib-modules
+          hostPath:
+            path: /lib/modules
+        - name: socket-dir
+          emptyDir: {
+            medium: "Memory"
+          }
+        - name: ceph-csi-config
+          configMap:
+            name: ceph-csi-config
+        - name: keys-tmp-dir
+          emptyDir: {
+            medium: "Memory"
+          }
+{{- end }}
diff --git a/charts/ceph-provisioners/templates/deployment-rbd-provisioner.yaml b/charts/ceph-provisioners/templates/deployment-rbd-provisioner.yaml
new file mode 100644
index 0000000..4e2b34f
--- /dev/null
+++ b/charts/ceph-provisioners/templates/deployment-rbd-provisioner.yaml
@@ -0,0 +1,191 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.deployment_rbd_provisioner .Values.deployment.rbd_provisioner }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := printf "%s-%s" .Release.Name "ceph-rbd-provisioner" }}
+{{ tuple $envAll "rbd_provisioner" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ $serviceAccountName }}
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - persistentvolumes
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - delete
+  - apiGroups:
+      - ''
+    resources:
+      - persistentvolumeclaims
+    verbs:
+      - get
+      - list
+      - watch
+      - update
+  - apiGroups:
+      - storage.k8s.io
+    resources:
+      - storageclasses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ''
+    resources:
+      - events
+    verbs:
+      - list
+      - watch
+      - create
+      - update
+      - patch
+  - apiGroups:
+      - ''
+    resources:
+      - services
+      - endpoints
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+  - apiGroups:
+      - extensions
+    resources:
+      - podsecuritypolicies
+    resourceNames:
+      - rbd-provisioner
+    verbs:
+      - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ $serviceAccountName }}-run-rbd-provisioner
+subjects:
+  - kind: ServiceAccount
+    name: {{ $serviceAccountName }}
+    namespace: {{ $envAll.Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ $serviceAccountName }}
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $serviceAccountName }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $serviceAccountName }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $serviceAccountName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $serviceAccountName }}
+    namespace: {{ $envAll.Release.Namespace }}
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: ceph-rbd-provisioner
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "rbd" "provisioner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.rbd_provisioner }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "rbd" "provisioner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "rbd" "provisioner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "ceph-rbd-provisioner" "containerNames" (list "ceph-rbd-provisioner" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+{{ dict "envAll" $envAll "application" "provisioner" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      serviceAccountName: {{ $serviceAccountName }}
+      affinity:
+{{ tuple $envAll "rbd" "provisioner" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+{{ tuple $envAll "rbd_provisioner" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+      nodeSelector:
+        {{ .Values.labels.provisioner.node_selector_key }}: {{ .Values.labels.provisioner.node_selector_value }}
+      initContainers:
+{{ tuple $envAll "rbd_provisioner" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: ceph-rbd-provisioner
+{{ tuple $envAll "ceph_rbd_provisioner" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.rbd_provisioner | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "provisioner" "container" "ceph_rbd_provisioner" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          env:
+            - name: PROVISIONER_NAME
+              value: {{ .Values.storageclass.rbd.provisioner }}
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+          command:
+            - /tmp/provisioner-rbd-start.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: pod-run
+              mountPath: /run
+            - name: pod-etc-ceph
+              mountPath: /etc/ceph
+            - name: ceph-provisioners-bin
+              mountPath: /tmp/provisioner-rbd-start.sh
+              subPath: provisioner-rbd-start.sh
+              readOnly: true
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: pod-run
+          emptyDir:
+            medium: "Memory"
+        - name: pod-etc-ceph
+          emptyDir: {}
+        - name: ceph-provisioners-bin
+          configMap:
+            name: {{ printf "%s-%s" $envAll.Release.Name "ceph-prov-bin" | quote }}
+            defaultMode: 0555
+{{- end }}
diff --git a/charts/ceph-provisioners/templates/job-bootstrap.yaml b/charts/ceph-provisioners/templates/job-bootstrap.yaml
new file mode 100644
index 0000000..d397108
--- /dev/null
+++ b/charts/ceph-provisioners/templates/job-bootstrap.yaml
@@ -0,0 +1,84 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := "ceph-client-bootstrap" }}
+{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: ceph-client-bootstrap
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "ceph" "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+    spec:
+{{ dict "envAll" $envAll "application" "bootstrap" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      nodeSelector:
+        {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+      initContainers:
+{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+      containers:
+        - name: ceph-client-bootstrap
+{{ tuple $envAll "ceph_bootstrap" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "bootstrap" "container" "ceph_client_bootstrap" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/bootstrap.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: pod-etc-ceph
+              mountPath: /etc/ceph
+            - name: ceph-provisioners-bin
+              mountPath: /tmp/bootstrap.sh
+              subPath: bootstrap.sh
+              readOnly: true
+            - name: ceph-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: ceph.conf
+              readOnly: true
+            - name: ceph-client-admin-keyring
+              mountPath: /etc/ceph/ceph.client.admin.keyring
+              subPath: ceph.client.admin.keyring
+              readOnly: true
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: pod-etc-ceph
+          emptyDir: {}
+        - name: ceph-provisioners-bin
+          configMap:
+            name: {{ printf "%s-%s" $envAll.Release.Name "ceph-prov-bin" | quote }}
+            defaultMode: 0555
+        - name: ceph-etc
+          configMap:
+{{- if eq .Values.storageclass.csi_rbd.provision_storage_class true }}
+            name: {{ .Values.storageclass.csi_rbd.ceph_configmap_name }}
+{{- else }}
+            name: {{ .Values.storageclass.rbd.ceph_configmap_name }}
+{{- end }}
+            defaultMode: 0444
+        - name: ceph-client-admin-keyring
+          secret:
+            secretName: {{ .Values.secrets.keyrings.admin }}
+{{- end }}
diff --git a/charts/ceph-provisioners/templates/job-cephfs-client-key.yaml b/charts/ceph-provisioners/templates/job-cephfs-client-key.yaml
new file mode 100644
index 0000000..38b43d3
--- /dev/null
+++ b/charts/ceph-provisioners/templates/job-cephfs-client-key.yaml
@@ -0,0 +1,136 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.job_cephfs_client_key .Values.deployment.cephfs_provisioner }}
+{{- $envAll := . }}
+
+{{- $randStringSuffix := randAlphaNum 5 | lower }}
+
+{{- $serviceAccountName := "ceph-cephfs-client-key-generator" }}
+{{ tuple $envAll "cephfs_client_key_generator" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $serviceAccountName }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - create
+      - update
+      - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $serviceAccountName }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $serviceAccountName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $serviceAccountName }}
+    namespace: {{ $envAll.Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ printf "%s-%s" $serviceAccountName $randStringSuffix }}
+  namespace: {{ .Values.storageclass.cephfs.parameters.adminSecretNamespace }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ printf "%s-%s" $serviceAccountName $randStringSuffix }}
+  namespace: {{ .Values.storageclass.cephfs.parameters.adminSecretNamespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ printf "%s-%s" $serviceAccountName $randStringSuffix }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $serviceAccountName }}
+    namespace: {{ $envAll.Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: ceph-cephfs-client-key-generator
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "ceph" "cephfs-client-key-generator" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ dict "envAll" $envAll "podName" "ceph-cephfs-client-key-generator" "containerNames" (list "ceph-storage-keys-generator" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+{{ dict "envAll" $envAll "application" "cephfs_client_key_generator" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      nodeSelector:
+        {{ $envAll.Values.labels.job.node_selector_key }}: {{ $envAll.Values.labels.job.node_selector_value }}
+      initContainers:
+{{ tuple $envAll "cephfs_client_key_generator" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: ceph-storage-keys-generator
+{{ tuple $envAll "ceph_config_helper" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.secret_provisioning | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "cephfs_client_key_generator" "container" "ceph_storage_keys_generator" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          env:
+            - name: DEPLOYMENT_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: PVC_CEPH_CEPHFS_STORAGECLASS_USER_SECRET_NAME
+              value: {{ .Values.storageclass.cephfs.parameters.adminSecretName }}
+            - name: PVC_CEPH_CEPHFS_STORAGECLASS_ADMIN_SECRET_NAME
+              value: {{ .Values.secrets.keyrings.prov_adminSecretName }}
+            - name: PVC_CEPH_CEPHFS_STORAGECLASS_DEPLOYED_NAMESPACE
+              value: {{ .Values.storageclass.cephfs.parameters.adminSecretNamespace }}
+          command:
+            - /tmp/provisioner-cephfs-client-key-manager.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: pod-etc-ceph
+              mountPath: /etc/ceph
+            - name: ceph-provisioners-bin
+              mountPath: /tmp/provisioner-cephfs-client-key-manager.sh
+              subPath: provisioner-cephfs-client-key-manager.sh
+              readOnly: true
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: pod-etc-ceph
+          emptyDir: {}
+        - name: ceph-provisioners-bin
+          configMap:
+            name: {{ printf "%s-%s" $envAll.Release.Name "ceph-prov-bin" | quote }}
+            defaultMode: 0555
+{{- end }}
diff --git a/charts/ceph-provisioners/templates/job-image-repo-sync.yaml b/charts/ceph-provisioners/templates/job-image-repo-sync.yaml
new file mode 100644
index 0000000..60d862f
--- /dev/null
+++ b/charts/ceph-provisioners/templates/job-image-repo-sync.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
+{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "ceph-provisioners" -}}
+{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
+{{- end }}
diff --git a/charts/ceph-provisioners/templates/job-namespace-client-ceph-config.yaml b/charts/ceph-provisioners/templates/job-namespace-client-ceph-config.yaml
new file mode 100644
index 0000000..154df6b
--- /dev/null
+++ b/charts/ceph-provisioners/templates/job-namespace-client-ceph-config.yaml
@@ -0,0 +1,153 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.job_namespace_client_ceph_config .Values.deployment.client_secrets }}
+{{- $envAll := . }}
+
+{{- $randStringSuffix := randAlphaNum 5 | lower }}
+
+{{- $serviceAccountName := print $envAll.Release.Name "-ceph-ns-ceph-config-generator" }}
+{{ tuple $envAll "namespace_client_ceph_config_generator" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $serviceAccountName }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - create
+      - update
+      - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $serviceAccountName }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $serviceAccountName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $serviceAccountName }}
+    namespace: {{ $envAll.Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ printf "%s-%s" $serviceAccountName $randStringSuffix }}
+{{- if eq .Values.storageclass.csi_rbd.provision_storage_class true }}
+  namespace: {{ .Values.storageclass.csi_rbd.parameters.adminSecretNamespace }}
+{{- else }}
+  namespace: {{ .Values.storageclass.rbd.parameters.adminSecretNamespace }}
+{{- end }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - endpoints
+    verbs:
+      - get
+      - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ printf "%s-%s" $serviceAccountName $randStringSuffix }}
+{{- if eq .Values.storageclass.csi_rbd.provision_storage_class true }}
+  namespace: {{ .Values.storageclass.csi_rbd.parameters.adminSecretNamespace }}
+{{- else }}
+  namespace: {{ .Values.storageclass.rbd.parameters.adminSecretNamespace }}
+{{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ printf "%s-%s" $serviceAccountName $randStringSuffix }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $serviceAccountName }}
+    namespace: {{ $envAll.Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ $serviceAccountName }}
+spec:
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "ceph" "client-ceph-config-generator" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ dict "envAll" $envAll "podName" $serviceAccountName "containerNames" (list "ceph-storage-keys-generator" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+{{ dict "envAll" $envAll "application" "client_ceph_config_generator" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      nodeSelector:
+        {{ $envAll.Values.labels.job.node_selector_key }}: {{ $envAll.Values.labels.job.node_selector_value }}
+      initContainers:
+{{ tuple $envAll "namespace_client_ceph_config_generator" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name:  ceph-storage-keys-generator
+{{ tuple $envAll "ceph_config_helper" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.secret_provisioning | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "client_ceph_config_generator" "container" "ceph_storage_keys_generator" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          env:
+            - name: CEPH_CONF_ETC
+{{- if eq .Values.storageclass.csi_rbd.provision_storage_class true }}
+              value: {{ .Values.storageclass.csi_rbd.ceph_configmap_name }}
+{{- else }}
+              value: {{ .Values.storageclass.rbd.ceph_configmap_name }}
+{{- end }}
+            - name: DEPLOYMENT_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: PVC_CEPH_RBD_STORAGECLASS_DEPLOYED_NAMESPACE
+{{- if eq .Values.storageclass.csi_rbd.provision_storage_class true }}
+              value: {{ .Values.storageclass.csi_rbd.parameters.adminSecretNamespace }}
+{{- else }}
+              value: {{ .Values.storageclass.rbd.parameters.adminSecretNamespace }}
+{{- end }}
+            - name: MON_PORT
+              value: {{ tuple "ceph_mon" "internal" "mon" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
+            - name: MON_PORT_V2
+              value: {{ tuple "ceph_mon" "internal" "mon_msgr2" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
+
+          command:
+            - /tmp/provisioner-rbd-namespace-client-ceph-config-manager.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: pod-etc-ceph
+              mountPath: /etc/ceph
+            - name: ceph-provisioners-bin-clients
+              mountPath: /tmp/provisioner-rbd-namespace-client-ceph-config-manager.sh
+              subPath: provisioner-rbd-namespace-client-ceph-config-manager.sh
+              readOnly: true
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: pod-etc-ceph
+          emptyDir: {}
+        - name: ceph-provisioners-bin-clients
+          configMap:
+            name: {{ printf "%s-%s" $envAll.Release.Name "ceph-prov-bin-clients" | quote }}
+            defaultMode: 0555
+{{- end }}
diff --git a/charts/ceph-provisioners/templates/job-namespace-client-key-cleaner.yaml b/charts/ceph-provisioners/templates/job-namespace-client-key-cleaner.yaml
new file mode 100644
index 0000000..189f32f
--- /dev/null
+++ b/charts/ceph-provisioners/templates/job-namespace-client-key-cleaner.yaml
@@ -0,0 +1,105 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.job_namespace_client_key_cleaner .Values.deployment.client_secrets }}
+{{- $envAll := . }}
+
+{{- $randStringSuffix := randAlphaNum 5 | lower }}
+
+{{- $serviceAccountName := print $envAll.Release.Name "-ceph-ns-key-cleaner" }}
+{{ tuple $envAll "namespace_client_key_cleaner" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $serviceAccountName }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $serviceAccountName }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $serviceAccountName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $serviceAccountName }}
+    namespace: {{ $envAll.Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ $serviceAccountName }}
+  annotations:
+    "helm.sh/hook": pre-delete
+spec:
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "ceph" "client-key-cleaner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+    spec:
+{{ dict "envAll" $envAll "application" "client_key_cleaner" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      nodeSelector:
+        {{ $envAll.Values.labels.job.node_selector_key }}: {{ $envAll.Values.labels.job.node_selector_value }}
+      initContainers:
+{{ tuple $envAll "namespace_client_key_cleaner" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name:  ceph-namespace-client-keys-cleaner
+{{ tuple $envAll "ceph_config_helper" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.secret_provisioning | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "client_key_cleaner" "container" "ceph_namespace_client_keys_cleaner" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          env:
+            - name: DEPLOYMENT_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: PVC_CEPH_RBD_STORAGECLASS_USER_SECRET_NAME
+{{- if eq .Values.storageclass.csi_rbd.provision_storage_class true }}
+              value: {{ .Values.storageclass.csi_rbd.parameters.userSecretName }}
+{{- else }}
+              value: {{ .Values.storageclass.rbd.parameters.userSecretName }}
+{{- end }}
+          command:
+            - /tmp/provisioner-rbd-namespace-client-key-cleaner.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: pod-etc-ceph
+              mountPath: /etc/ceph
+            - name: ceph-provisioners-bin-clients
+              mountPath: /tmp/provisioner-rbd-namespace-client-key-cleaner.sh
+              subPath: provisioner-rbd-namespace-client-key-cleaner.sh
+              readOnly: true
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: pod-etc-ceph
+          emptyDir: {}
+        - name: ceph-provisioners-bin-clients
+          configMap:
+            name: {{ printf "%s-%s" $envAll.Release.Name "ceph-prov-bin-clients" | quote }}
+            defaultMode: 0555
+{{- end }}
diff --git a/charts/ceph-provisioners/templates/job-namespace-client-key.yaml b/charts/ceph-provisioners/templates/job-namespace-client-key.yaml
new file mode 100644
index 0000000..1bcc15d
--- /dev/null
+++ b/charts/ceph-provisioners/templates/job-namespace-client-key.yaml
@@ -0,0 +1,151 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.job_namespace_client_key .Values.deployment.client_secrets }}
+{{- $envAll := . }}
+
+{{- $randStringSuffix := randAlphaNum 5 | lower }}
+
+{{- $serviceAccountName := print $envAll.Release.Name "-ceph-ns-key-generator" }}
+{{ tuple $envAll "namespace_client_key_generator" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $serviceAccountName }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - create
+      - update
+      - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $serviceAccountName }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $serviceAccountName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $serviceAccountName }}
+    namespace: {{ $envAll.Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ printf "%s-%s" $serviceAccountName $randStringSuffix }}
+{{- if eq .Values.storageclass.csi_rbd.provision_storage_class true }}
+  namespace: {{ .Values.storageclass.csi_rbd.parameters.adminSecretNamespace }}
+{{- else }}
+  namespace: {{ .Values.storageclass.rbd.parameters.adminSecretNamespace }}
+{{- end }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ printf "%s-%s" $serviceAccountName $randStringSuffix }}
+{{- if eq .Values.storageclass.csi_rbd.provision_storage_class true }}
+  namespace: {{ .Values.storageclass.csi_rbd.parameters.adminSecretNamespace }}
+{{- else }}
+  namespace: {{ .Values.storageclass.rbd.parameters.adminSecretNamespace }}
+{{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ printf "%s-%s" $serviceAccountName $randStringSuffix }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $serviceAccountName }}
+    namespace: {{ $envAll.Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ $serviceAccountName }}
+spec:
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "ceph" "client-key-generator" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ dict "envAll" $envAll "podName" $serviceAccountName "containerNames" (list "ceph-storage-keys-generator" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+{{ dict "envAll" $envAll "application" "client_key_generator" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      nodeSelector:
+        {{ $envAll.Values.labels.job.node_selector_key }}: {{ $envAll.Values.labels.job.node_selector_value }}
+      initContainers:
+{{ tuple $envAll "namespace_client_key_generator" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name:  ceph-storage-keys-generator
+{{ tuple $envAll "ceph_config_helper" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.secret_provisioning | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "client_key_generator" "container" "ceph_storage_keys_generator" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          env:
+            - name: DEPLOYMENT_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+{{- if eq .Values.storageclass.csi_rbd.provision_storage_class true }}
+            - name: PVC_CEPH_RBD_STORAGECLASS_USER_SECRET_NAME
+              value: {{ .Values.storageclass.csi_rbd.parameters.userSecretName }}
+            - name: PVC_CEPH_RBD_STORAGECLASS_ADMIN_SECRET_NAME
+              value: {{ .Values.storageclass.csi_rbd.parameters.adminSecretName }}
+            - name: PVC_CEPH_RBD_STORAGECLASS_DEPLOYED_NAMESPACE
+              value: {{ .Values.storageclass.csi_rbd.parameters.adminSecretNamespace }}
+{{- else }}
+            - name: PVC_CEPH_RBD_STORAGECLASS_USER_SECRET_NAME
+              value: {{ .Values.storageclass.rbd.parameters.userSecretName }}
+            - name: PVC_CEPH_RBD_STORAGECLASS_ADMIN_SECRET_NAME
+              value: {{ .Values.storageclass.rbd.parameters.adminSecretName }}
+            - name: PVC_CEPH_RBD_STORAGECLASS_DEPLOYED_NAMESPACE
+              value: {{ .Values.storageclass.rbd.parameters.adminSecretNamespace }}
+{{- end }}
+          command:
+            - /tmp/provisioner-rbd-namespace-client-key-manager.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: pod-etc-ceph
+              mountPath: /etc/ceph
+            - name: ceph-provisioners-bin-clients
+              mountPath: /tmp/provisioner-rbd-namespace-client-key-manager.sh
+              subPath: provisioner-rbd-namespace-client-key-manager.sh
+              readOnly: true
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: pod-etc-ceph
+          emptyDir: {}
+        - name: ceph-provisioners-bin-clients
+          configMap:
+            name: {{ printf "%s-%s" $envAll.Release.Name "ceph-prov-bin-clients" | quote }}
+            defaultMode: 0555
+{{- end }}
diff --git a/charts/ceph-provisioners/templates/pod-helm-tests.yaml b/charts/ceph-provisioners/templates/pod-helm-tests.yaml
new file mode 100644
index 0000000..3edb521
--- /dev/null
+++ b/charts/ceph-provisioners/templates/pod-helm-tests.yaml
@@ -0,0 +1,117 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.deployment.client_secrets .Values.manifests.helm_tests }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := printf "%s-%s" $envAll.Release.Name "test" }}
+{{ tuple $envAll "tests" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ $serviceAccountName }}
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - persistentvolumes
+      - persistentvolumeclaims
+      - events
+      - pods
+      - pods/log
+      - configmaps
+    verbs:
+      - create
+      - get
+      - delete
+      - list
+  - apiGroups:
+      - storage.k8s.io
+    resources:
+      - storageclasses
+    verbs:
+      - get
+      - list
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ $serviceAccountName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $serviceAccountName }}
+    namespace: {{ $envAll.Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ $serviceAccountName }}
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{.Release.Name}}-test"
+  labels:
+{{ tuple $envAll "ceph" "provisioner-test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  annotations:
+    "helm.sh/hook": test-success
+{{ dict "envAll" $envAll "podName" $serviceAccountName "containerNames" (list "init" "ceph-provisioner-helm-test") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
+spec:
+{{ dict "envAll" $envAll "application" "test" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
+  restartPolicy: Never
+  serviceAccountName: {{ $serviceAccountName }}
+  nodeSelector:
+    {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
+  initContainers:
+{{ tuple $envAll "tests" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
+  containers:
+    - name: ceph-provisioner-helm-test
+{{ tuple $envAll "ceph_config_helper" | include "helm-toolkit.snippets.image" | indent 6 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+{{ dict "envAll" $envAll "application" "test" "container" "test" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
+      env:
+        - name: PVC_NAMESPACE
+          value: {{ .Release.Namespace }}
+        - name: RBD_TEST_POD_NAME
+          value: {{ .Values.pod.test_pod.rbd.name }}
+        - name: RBD_TEST_PVC_NAME
+          value: {{ .Values.pod.test_pod.rbd.pvc_name }}
+        - name: CSI_RBD_TEST_POD_NAME
+          value: {{ .Values.pod.test_pod.csi_rbd.name }}
+        - name: CSI_RBD_TEST_PVC_NAME
+          value: {{ .Values.pod.test_pod.csi_rbd.pvc_name }}
+        - name: CEPHFS_TEST_POD_NAME
+          value: {{ .Values.pod.test_pod.cephfs.name }}
+        - name: CEPHFS_TEST_PVC_NAME
+          value: {{ .Values.pod.test_pod.cephfs.pvc_name }}
+        - name: TEST_POD_WAIT_TIMEOUT
+          value: {{ .Values.pod.test_pod.wait_timeout | quote }}
+      command:
+        - /tmp/helm-tests.sh
+      volumeMounts:
+        - name: ceph-provisioners-bin-clients
+          mountPath: /tmp/helm-tests.sh
+          subPath: helm-tests.sh
+          readOnly: true
+        - name: pod-tmp
+          mountPath: /tmp
+  volumes:
+    - name: ceph-provisioners-bin-clients
+      configMap:
+        name: {{ printf "%s-%s" $envAll.Release.Name "ceph-prov-bin-clients" | quote }}
+        defaultMode: 0555
+    - name: pod-tmp
+      emptyDir: {}
+{{- end }}
diff --git a/charts/ceph-provisioners/templates/storageclass.yaml b/charts/ceph-provisioners/templates/storageclass.yaml
new file mode 100644
index 0000000..11d1bcd
--- /dev/null
+++ b/charts/ceph-provisioners/templates/storageclass.yaml
@@ -0,0 +1,19 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.storageclass (.Values.deployment.ceph) }}
+{{- range $storageclass, $val := .Values.storageclass }}
+{{ dict "storageclass_data" $val "envAll" $ | include "helm-toolkit.manifests.ceph-storageclass" }}
+{{- end }}
+{{- end }}
diff --git a/charts/ceph-provisioners/values.yaml b/charts/ceph-provisioners/values.yaml
new file mode 100644
index 0000000..f8d3381
--- /dev/null
+++ b/charts/ceph-provisioners/values.yaml
@@ -0,0 +1,458 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for ceph-client.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+---
+deployment:
+  ceph: true
+  client_secrets: false
+  # Original rbd_provisioner is now DEPRECATED. It will be removed in the
+  # next release; CSI RBD provisioner should be used instead.
+  rbd_provisioner: true
+  csi_rbd_provisioner: true
+  cephfs_provisioner: true
+
+release_group: null
+
+images:
+  pull_policy: IfNotPresent
+  tags:
+    ceph_bootstrap: 'docker.io/openstackhelm/ceph-daemon:change_770201_ubuntu_bionic-20210113'
+    ceph_cephfs_provisioner: 'docker.io/openstackhelm/ceph-cephfs-provisioner:ubuntu_bionic-20200521'
+    ceph_config_helper: 'docker.io/openstackhelm/ceph-config-helper:change_770201_ubuntu_bionic-20210113'
+    ceph_rbd_provisioner: 'docker.io/openstackhelm/ceph-rbd-provisioner:change_770201_ubuntu_bionic-20210113'
+    csi_provisioner: 'quay.io/k8scsi/csi-provisioner:v1.6.0'
+    csi_snapshotter: 'quay.io/k8scsi/csi-snapshotter:v2.1.1'
+    csi_attacher: 'quay.io/k8scsi/csi-attacher:v2.1.1'
+    csi_resizer: 'quay.io/k8scsi/csi-resizer:v0.4.0'
+    csi_registrar: 'quay.io/k8scsi/csi-node-driver-registrar:v1.2.0'
+    cephcsi: 'quay.io/cephcsi/cephcsi:v3.1.0'
+    dep_check: 'quay.io/airshipit/kubernetes-entrypoint:v1.0.0'
+    image_repo_sync: 'docker.io/library/docker:17.07.0'
+  local_registry:
+    active: false
+    exclude:
+      - dep_check
+      - image_repo_sync
+
+labels:
+  job:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  test:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  provisioner:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  csi_rbd_plugin:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+
+pod:
+  test_pod:
+    wait_timeout: 600
+    rbd:
+      name: rbd-prov-test-pod
+      pvc_name: rbd-prov-test-pvc
+    csi_rbd:
+      name: csi-rbd-prov-test-pod
+      pvc_name: csi-rbd-prov-test-pvc
+    cephfs:
+      name: cephfs-prov-test-pod
+      pvc_name: cephfs-prov-test-pvc
+  security_context:
+    provisioner:
+      pod:
+        runAsUser: 0
+      container:
+        ceph_cephfs_provisioner:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+        ceph_rbd_provisioner:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+        ceph_rbd_snapshotter:
+          privileged: true
+        ceph_rbd_attacher:
+          privileged: true
+        ceph_rbd_resizer:
+          privileged: true
+        ceph_rbd_cephcsi:
+          privileged: true
+          capabilities:
+            add: ["SYS_ADMIN"]
+    plugin:
+      pod:
+        runAsUser: 0
+      container:
+        ceph_rbd_registrar:
+          privileged: true
+          capabilities:
+            add: ["SYS_ADMIN"]
+        ceph_csi_rbd_plugin:
+          privileged: true
+          capabilities:
+            add: ["SYS_ADMIN"]
+          allowPrivilegeEscalation: true
+    bootstrap:
+      pod:
+        runAsUser: 99
+      container:
+        ceph_client_bootstrap:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+    cephfs_client_key_generator:
+      pod:
+        runAsUser: 99
+      container:
+        ceph_storage_keys_generator:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+    client_key_cleaner:
+      pod:
+        runAsUser: 99
+      container:
+        ceph_namespace_client_keys_cleaner:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+    client_key_generator:
+      pod:
+        runAsUser: 99
+      container:
+        ceph_storage_keys_generator:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+    test:
+      pod:
+        runAsUser: 0
+      container:
+        test:
+          readOnlyRootFilesystem: true
+  dns_policy: "ClusterFirstWithHostNet"
+  replicas:
+    cephfs_provisioner: 2
+    rbd_provisioner: 2
+    csi_rbd_provisioner: 2
+  lifecycle:
+    upgrades:
+      deployments:
+        pod_replacement_strategy: Recreate
+      daemonsets:
+        pod_replacement_strategy: RollingUpdate
+        plugin:
+          enabled: true
+          min_ready_seconds: 0
+          max_unavailable: 1
+  affinity:
+    anti:
+      type:
+        default: preferredDuringSchedulingIgnoredDuringExecution
+      topologyKey:
+        default: kubernetes.io/hostname
+      weight:
+        default: 10
+  resources:
+    enabled: false
+    rbd_provisioner:
+      requests:
+        memory: "5Mi"
+        cpu: "250m"
+      limits:
+        memory: "50Mi"
+        cpu: "500m"
+    csi_rbd_provisioner:
+      requests:
+        memory: "5Mi"
+        cpu: "250m"
+      limits:
+        memory: "50Mi"
+        cpu: "500m"
+    cephfs_provisioner:
+      requests:
+        memory: "5Mi"
+        cpu: "250m"
+      limits:
+        memory: "50Mi"
+        cpu: "500m"
+    rbd_attacher:
+      requests:
+        memory: "5Mi"
+        cpu: "250m"
+      limits:
+        memory: "50Mi"
+        cpu: "500m"
+    rbd_registrar:
+      requests:
+        memory: "5Mi"
+        cpu: "250m"
+      limits:
+        memory: "50Mi"
+        cpu: "500m"
+    rbd_resizer:
+      requests:
+        memory: "5Mi"
+        cpu: "250m"
+      limits:
+        memory: "50Mi"
+        cpu: "500m"
+    rbd_snapshotter:
+      requests:
+        memory: "5Mi"
+        cpu: "250m"
+      limits:
+        memory: "50Mi"
+        cpu: "500m"
+    rbd_cephcsi:
+      requests:
+        memory: "5Mi"
+        cpu: "250m"
+      limits:
+        memory: "50Mi"
+        cpu: "500m"
+    jobs:
+      bootstrap:
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+        requests:
+          memory: "128Mi"
+          cpu: "500m"
+      image_repo_sync:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+  tolerations:
+    rbd_provisioner:
+      tolerations:
+      - effect: NoExecute
+        key: node.kubernetes.io/not-ready
+        operator: Exists
+        tolerationSeconds: 60
+      - effect: NoExecute
+        key: node.kubernetes.io/unreachable
+        operator: Exists
+        tolerationSeconds: 60
+    csi_rbd_provisioner:
+      tolerations:
+      - effect: NoExecute
+        key: node.kubernetes.io/not-ready
+        operator: Exists
+        tolerationSeconds: 60
+      - effect: NoExecute
+        key: node.kubernetes.io/unreachable
+        operator: Exists
+        tolerationSeconds: 60
+    cephfs_provisioner:
+      tolerations:
+      - effect: NoExecute
+        key: node.kubernetes.io/not-ready
+        operator: Exists
+        tolerationSeconds: 60
+      - effect: NoExecute
+        key: node.kubernetes.io/unreachable
+        operator: Exists
+        tolerationSeconds: 60
+
+secrets:
+  keyrings:
+    admin: ceph-client-admin-keyring
+    prov_adminSecretName: pvc-ceph-conf-combined-storageclass
+
+network:
+  public: 192.168.0.0/16
+  cluster: 192.168.0.0/16
+
+conf:
+  ceph:
+    global:
+      # auth
+      cephx: true
+      cephx_require_signatures: false
+      cephx_cluster_require_signatures: true
+      cephx_service_require_signatures: false
+      objecter_inflight_op_bytes: "1073741824"
+      objecter_inflight_ops: 10240
+      debug_ms: "0/0"
+      log_file: /dev/stdout
+      mon_cluster_log_file: /dev/stdout
+    osd:
+      osd_mkfs_type: xfs
+      osd_mkfs_options_xfs: -f -i size=2048
+      osd_max_object_name_len: 256
+      ms_bind_port_min: 6800
+      ms_bind_port_max: 7100
+
+dependencies:
+  dynamic:
+    common:
+      local_image_registry:
+        jobs:
+          - ceph-provisioners-image-repo-sync
+        services:
+          - endpoint: node
+            service: local_image_registry
+  static:
+    bootstrap:
+      jobs: null
+      services:
+        - endpoint: internal
+          service: ceph_mon
+    cephfs_client_key_generator:
+      jobs: null
+    cephfs_provisioner:
+      jobs:
+        - ceph-rbd-pool
+      services:
+        - endpoint: internal
+          service: ceph_mon
+    namespace_client_key_cleaner:
+      jobs: null
+    namespace_client_key_generator:
+      jobs: null
+    rbd_provisioner:
+      jobs:
+        - ceph-rbd-pool
+      services:
+        - endpoint: internal
+          service: ceph_mon
+    csi_rbd_provisioner:
+      jobs:
+        - ceph-rbd-pool
+      services:
+        - endpoint: internal
+          service: ceph_mon
+    image_repo_sync:
+      services:
+        - endpoint: internal
+          service: local_image_registry
+
+bootstrap:
+  enabled: false
+  script: |
+    ceph -s
+    function ensure_pool () {
+      ceph osd pool stats $1 || ceph osd pool create $1 $2
+      if [[ $(ceph mon versions | awk '/version/{print $3}' | cut -d. -f1) -ge 12 ]]; then
+        ceph osd pool application enable $1 $3
+      fi
+    }
+    #ensure_pool volumes 8 cinder
+
+# if you change provision_storage_class to false
+# it is presumed you manage your own storage
+# class definition externally
+# NOTE(kranthikirang) We iterate over each storageclass parameters
+# and derive the manifest.
+storageclass:
+  rbd:
+    provision_storage_class: true
+    provisioner: ceph.com/rbd
+    ceph_configmap_name: ceph-etc
+    metadata:
+      name: general-rbd
+    parameters:
+      pool: rbd
+      adminId: admin
+      adminSecretName: pvc-ceph-conf-combined-storageclass
+      adminSecretNamespace: ceph
+      userId: admin
+      userSecretName: pvc-ceph-client-key
+      imageFormat: "2"
+      imageFeatures: layering
+  csi_rbd:
+    provision_storage_class: true
+    provisioner: ceph.rbd.csi.ceph.com
+    ceph_configmap_name: ceph-etc
+    metadata:
+      default_storage_class: true
+      name: general
+    parameters:
+      clusterID: ceph
+      csi.storage.k8s.io/controller-expand-secret-name: pvc-ceph-conf-combined-storageclass
+      csi.storage.k8s.io/controller-expand-secret-namespace: ceph
+      csi.storage.k8s.io/fstype: ext4
+      csi.storage.k8s.io/node-stage-secret-name: pvc-ceph-conf-combined-storageclass
+      csi.storage.k8s.io/node-stage-secret-namespace: ceph
+      csi.storage.k8s.io/provisioner-secret-name: pvc-ceph-conf-combined-storageclass
+      csi.storage.k8s.io/provisioner-secret-namespace: ceph
+      imageFeatures: layering
+      imageFormat: "2"
+      pool: rbd
+      adminId: admin
+      adminSecretName: pvc-ceph-conf-combined-storageclass
+      adminSecretNamespace: ceph
+      userId: admin
+      userSecretName: pvc-ceph-client-key
+  cephfs:
+    provision_storage_class: true
+    provisioner: ceph.com/cephfs
+    metadata:
+      name: cephfs
+    parameters:
+      adminId: admin
+      adminSecretName: pvc-ceph-cephfs-client-key
+      adminSecretNamespace: ceph
+
+endpoints:
+  cluster_domain_suffix: cluster.local
+  local_image_registry:
+    name: docker-registry
+    namespace: docker-registry
+    hosts:
+      default: localhost
+      internal: docker-registry
+      node: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        node: 5000
+  ceph_mon:
+    namespace: null
+    hosts:
+      default: ceph-mon
+      discovery: ceph-mon-discovery
+    host_fqdn_override:
+      default: null
+    port:
+      mon:
+        default: 6789
+      mon_msgr2:
+        default: 3300
+
+
+manifests:
+  configmap_bin: true
+  configmap_bin_common: true
+  configmap_etc: true
+  deployment_rbd_provisioner: true
+  # Original rbd_provisioner is now DEPRECATED. It will be removed in the
+  # next release; CSI RBD provisioner should be used instead.
+  deployment_csi_rbd_provisioner: true
+  deployment_cephfs_provisioner: true
+  job_bootstrap: false
+  job_cephfs_client_key: true
+  job_image_repo_sync: true
+  job_namespace_client_key_cleaner: true
+  job_namespace_client_key: true
+  job_namespace_client_ceph_config: true
+  storageclass: true
+  helm_tests: true
+...
diff --git a/charts/ceph-provisioners/values_overrides/apparmor.yaml b/charts/ceph-provisioners/values_overrides/apparmor.yaml
new file mode 100644
index 0000000..0d3ed72
--- /dev/null
+++ b/charts/ceph-provisioners/values_overrides/apparmor.yaml
@@ -0,0 +1,37 @@
+---
+pod:
+  mandatory_access_control:
+    type: apparmor
+    ceph-cephfs-provisioner:
+      ceph-cephfs-provisioner: runtime/default
+      init: runtime/default
+    ceph-cephfs-client-key-generator:
+      ceph-storage-keys-generator: runtime/default
+      init: runtime/default
+    ceph-rbd-provisioner:
+      ceph-rbd-provisioner: runtime/default
+      init: runtime/default
+    ceph-rbd-csi-provisioner:
+      ceph-rbd-provisioner: runtime/default
+      init: runtime/default
+      ceph-rbd-snapshotter: runtime/default
+      ceph-rbd-attacher: runtime/default
+      csi-resizer: runtime/default
+      csi-rbdplugin: runtime/default
+    ceph-provisioner-test:
+      init: runtime/default
+      ceph-provisioner-helm-test: runtime/default
+    ceph-osh-infra-config-test:
+      init: runtime/default
+      ceph-provisioner-helm-test: runtime/default
+    ceph-provisioners-ceph-ns-key-generator:
+      ceph-storage-keys-generator: runtime/default
+      init: runtime/default
+    ceph-rbd-plugin:
+      driver-registrar: runtime/default
+      csi-rbdplugin: runtime/default
+      init: runtime/default
+
+deployment:
+  client_secrets: true
+...
diff --git a/charts/cinder/.helmignore b/charts/cinder/.helmignore
new file mode 100644
index 0000000..b54c347
--- /dev/null
+++ b/charts/cinder/.helmignore
@@ -0,0 +1 @@
+values_overrides
diff --git a/charts/cinder/Chart.yaml b/charts/cinder/Chart.yaml
new file mode 100644
index 0000000..c769da8
--- /dev/null
+++ b/charts/cinder/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Cinder
+home: https://docs.openstack.org/cinder/latest/
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/Cinder/OpenStack_Project_Cinder_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: cinder
+sources:
+- https://opendev.org/openstack/cinder
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.25
diff --git a/charts/cinder/charts/helm-toolkit/Chart.yaml b/charts/cinder/charts/helm-toolkit/Chart.yaml
new file mode 100644
index 0000000..4f9e6e5
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Helm-Toolkit
+home: https://docs.openstack.org/openstack-helm
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: helm-toolkit
+sources:
+- https://opendev.org/openstack/openstack-helm-infra
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.46
diff --git a/charts/cinder/charts/helm-toolkit/requirements.yaml b/charts/cinder/charts/helm-toolkit/requirements.yaml
new file mode 100644
index 0000000..27fb08a
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/requirements.yaml
@@ -0,0 +1,15 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies: []
+...
diff --git a/charts/cinder/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl b/charts/cinder/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..12b84de
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
@@ -0,0 +1,58 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves database, or basic auth, style endpoints
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      auth:
+        admin:
+          username: root
+          password: password
+        service_username:
+          username: username
+          password: password
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+      path: /dbname
+      scheme: mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "service_username" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+return: |
+  mysql+pymysql://serviceuser:password@mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s:%s@%s:%s%s" $endpointScheme $endpointUser $endpointPass $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl b/charts/cinder/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..b7cf287
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
@@ -0,0 +1,121 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves endpoint string suitible for use with oslo.messaging transport url
+  See: https://docs.openstack.org/oslo.messaging/latest/reference/transport.html#oslo_messaging.TransportURL
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset:
+            replicas: 2
+            name: rabbitmq-rabbitmq
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: null
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq-rabbitmq-0.rabbitmq.default.svc.cluster.local:5672,cinder:password@rabbitmq-rabbitmq-1.rabbitmq.default.svc.cluster.local:5672/cinder
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset: null
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: null
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq.default.svc.cluster.local:5672/cinder
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset:
+            replicas: 2
+            name: rabbitmq-rabbitmq
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: rabbitmq.openstackhelm.org
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq.openstackhelm.org:5672/cinder
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" -}}
+{{-   $type := index . 0 -}}
+{{-   $endpoint := index . 1 -}}
+{{-   $userclass := index . 2 -}}
+{{-   $port := index . 3 -}}
+{{-   $context := index . 4 -}}
+{{-   $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{-   $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{-   $ssMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "statefulset" | default false}}
+{{-   $hostFqdnOverride := index $context.Values.endpoints ( $type | replace "-" "_" ) "host_fqdn_override" }}
+{{-   $endpointUser := index $userMap "username" }}
+{{-   $endpointPass := index $userMap "password" }}
+{{-   $endpointHostSuffix := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{-   $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{-   $local := dict "endpointCredsAndHosts" list -}}
+{{-   if not (or (index $hostFqdnOverride $endpoint | default ( index $hostFqdnOverride "default" ) ) ( not $ssMap ) ) }}
+{{-     $endpointHostPrefix := $ssMap.name }}
+{{-     range $podInt := until ( atoi (print $ssMap.replicas ) ) }}
+{{-       $endpointCredAndHost := printf "%s:%s@%s-%d.%s:%s" $endpointUser $endpointPass $endpointHostPrefix $podInt $endpointHostSuffix $endpointPort }}
+{{-       $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{-     end }}
+{{-   else }}
+{{-     $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{-     $endpointCredAndHost := printf "%s:%s@%s:%s" $endpointUser $endpointPass $endpointHost $endpointPort }}
+{{-     $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{-   end }}
+{{-   $endpointCredsAndHosts := include "helm-toolkit.utils.joinListWithComma" $local.endpointCredsAndHosts }}
+{{-   $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{-   printf "%s://%s%s" $endpointScheme $endpointCredsAndHosts $endpointPath }}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl b/charts/cinder/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
new file mode 100644
index 0000000..fb8bbe7
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves either the fully qualified hostname, of if defined in the host field
+  IPv4 for an endpoint.
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default:
+             host: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: 127.0.0.1
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      127.0.0.1
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default:
+             host: 127.0.0.1
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      127.0.0.1
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_host_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl b/charts/cinder/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
new file mode 100644
index 0000000..447efe7
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
@@ -0,0 +1,41 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the port for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+return: |
+  3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_port_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- $endpointPortMAP := index $endpointMap.port $port }}
+{{- $endpointPort := index $endpointPortMAP $endpoint | default ( index $endpointPortMAP "default" ) }}
+{{- printf "%1.f" $endpointPort -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl b/charts/cinder/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
new file mode 100644
index 0000000..3a268c0
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
@@ -0,0 +1,36 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Gets the token for an endpoint
+values: |
+  endpoints:
+    keystone:
+      auth:
+        admin:
+          token: zh78JzXgw6YUKy2e
+usage: |
+  {{ tuple "keystone" "admin" . | include "helm-toolkit.endpoints.endpoint_token_lookup" }}
+return: |
+  zh78JzXgw6YUKy2e
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_token_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $userName := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" }}
+{{- printf "%s" $serviceToken -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl b/charts/cinder/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..6877b7b
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
@@ -0,0 +1,59 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves 'hostname:port' for an endpoint
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+          port:
+            mysql:
+              default: 3306
+    usage: |
+      {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local:3306
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: 127.0.0.1
+          host_fqdn_override:
+            default: null
+          port:
+            mysql:
+              default: 3306
+    usage: |
+      {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+    return: |
+      127.0.0.1:3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- printf "%s:%s" $endpointHostname $endpointPort -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl b/charts/cinder/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
new file mode 100644
index 0000000..26374e3
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the fully qualified hostname for an endpoint
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: mariadb.openstackhelm.openstack.org
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.openstackhelm.openstack.org
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default:
+              host: mariadb.openstackhelm.openstack.org
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.openstackhelm.openstack.org
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointHostNamespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.svc.%s" $endpointHostNamespaced $context.Values.endpoints.cluster_domain_suffix }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $endpointMap.host_fqdn_override "default" | default "" ) }}
+{{- if kindIs "map" $context.Values.__FQDNendpointHostDefault }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $context.Values.__FQDNendpointHostDefault "host" ) }}
+{{- end }}
+{{- if kindIs "map" (index $endpointMap.host_fqdn_override $endpoint) }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint "host" | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl b/charts/cinder/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
new file mode 100644
index 0000000..9d60393
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
@@ -0,0 +1,40 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the namespace scoped hostname for an endpoint
+values: |
+  endpoints:
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+return: |
+  mariadb.default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.%s" $endpointHost $namespace }}
+{{- printf "%s" $endpointClusterHostname -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl b/charts/cinder/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
new file mode 100644
index 0000000..cc4d4de
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the namespace scoped hostname for an endpoint
+values: |
+  endpoints:
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" }}
+return: |
+  default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- printf "%s" $namespace -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl b/charts/cinder/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
new file mode 100644
index 0000000..f23c624
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the short hostname for an endpoint
+examples:
+  - values: |
+      endpoints:
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+    return: |
+      mariadb
+  - values: |
+      endpoints:
+        oslo_db:
+          hosts:
+            default:
+              host: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+    return: |
+      mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- printf "%s" $type -}}
+{{- else }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl b/charts/cinder/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
new file mode 100644
index 0000000..e31c0eb
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the service name for an service type
+values: |
+  endpoints:
+    identity:
+      name: keystone
+usage: |
+  {{ tuple identity . | include "keystone_endpoint_name_lookup" }}
+return: |
+  "keystone"
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_name_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointName := index $endpointMap "name" }}
+{{- $endpointName | quote -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl b/charts/cinder/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
new file mode 100644
index 0000000..b2ec648
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+  Resolves the path for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      path:
+       default: /dbname
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+return: |
+  /dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_path_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.path }}
+{{- printf "%s" $endpointMap.path | default "/" -}}
+{{- else -}}
+{{- $endpointPath := index $endpointMap.path $endpoint | default $endpointMap.path.default | default "/" }}
+{{- printf "%s" $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl b/charts/cinder/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
new file mode 100644
index 0000000..b35cb0b
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+  Resolves the scheme for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      scheme:
+        default:
+          mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+return: |
+  mysql+pymysql
+*/}}
+
+# This function returns the scheme for a service, it takes an tuple
+# input in the form: service-type, endpoint-class, port-name. eg:
+# { tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_scheme_lookup" }
+# will return the scheme setting for this particular endpoint.  In other words, for most endpoints
+# it will return either 'http' or 'https'
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.scheme }}
+{{- printf "%s" $endpointMap.scheme | default "http" -}}
+{{- else -}}
+{{- $endpointScheme := index $endpointMap.scheme $endpoint | default $endpointMap.scheme.default | default "http" }}
+{{- printf "%s" $endpointScheme -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl b/charts/cinder/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..8d0819c
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
@@ -0,0 +1,52 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  This function helps resolve uri style endpoints. It will omit the port for
+  http when 80 is used, and 443 in the case of https.
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+      path: /dbname
+      scheme: mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+return: |
+  mysql+pymysql://mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- if or ( and ( eq $endpointScheme "http" ) ( eq $endpointPort "80" ) ) ( and ( eq $endpointScheme "https" ) ( eq $endpointPort "443" ) ) -}}
+{{- printf "%s://%s%s" $endpointScheme $endpointHost $endpointPath -}}
+{{- else -}}
+{{- printf "%s://%s:%s%s" $endpointScheme $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl b/charts/cinder/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
new file mode 100644
index 0000000..cf2ef38
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  This function returns endpoint "<namespace>:<name>" pair from an endpoint
+  definition. This is used in kubernetes-entrypoint to support dependencies
+  between different services in different namespaces.
+  returns: the endpoint namespace and the service name, delimited by a colon
+
+  Normally, the service name is constructed dynamically from the hostname
+  however when an ip address is used as the hostname, we default to
+  namespace:endpointCategoryName in order to construct a valid service name
+  however this can be overridden to a custom service name by defining
+  .service.name within the endpoint definition
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      namespace: foo
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple oslo_db internal . | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}
+return: |
+  foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- with $endpointMap -}}
+{{- $endpointName := index .hosts $endpoint | default .hosts.default }}
+{{- $endpointNamespace := .namespace | default $context.Release.Namespace }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointName }}
+{{- if .service.name }}
+{{- printf "%s:%s" $endpointNamespace .service.name -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $typeYamlSafe -}}
+{{- end -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $endpointName -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl b/charts/cinder/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
new file mode 100644
index 0000000..18453ee
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for kubernete ceph storageclass
+examples:
+  - values: |
+      manifests:
+        storageclass: true
+      storageclass:
+        rbd:
+          provision_storage_class: true
+          provisioner: "ceph.com/rbd"
+          metadata:
+            default_storage_class: true
+            name: general
+          parameters:
+            #We will grab the monitors value based on helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup
+            pool: rbd
+            admin_id: admin
+            ceph_configmap_name: "ceph-etc"
+            admin_secret_name: "pvc-ceph-conf-combined-storageclass"
+            admin_secret_namespace: ceph
+            user_id: admin
+            user_secret_name: "pvc-ceph-client-key"
+            image_format: "2"
+            image_features: layering
+        cephfs:
+          provision_storage_class: true
+          provisioner: "ceph.com/cephfs"
+          metadata:
+            name: cephfs
+          parameters:
+            admin_id: admin
+            admin_secret_name: "pvc-ceph-cephfs-client-key"
+            admin_secret_namespace: ceph
+    usage: |
+      {{- range $storageclass, $val := .Values.storageclass }}
+      {{ dict "storageclass_data" $val "envAll" $ | include "helm-toolkit.manifests.ceph-storageclass" }}
+      {{- end }}
+    return: |
+      ---
+      apiVersion: storage.k8s.io/v1
+      kind: StorageClass
+      metadata:
+        annotations:
+          storageclass.kubernetes.io/is-default-class: "true"
+        name: general
+      provisioner: ceph.com/rbd
+      parameters:
+        monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+        adminId: admin
+        adminSecretName: pvc-ceph-conf-combined-storageclass
+        adminSecretNamespace: ceph
+        pool: rbd
+        userId: admin
+        userSecretName: pvc-ceph-client-key
+        image_format: "2"
+        image_features: layering
+      ---
+      apiVersion: storage.k8s.io/v1
+      kind: StorageClass
+      metadata:
+        name: cephfs
+      provisioner: ceph.com/cephfs
+      parameters:
+        monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+        adminId: admin
+        adminSecretName: pvc-ceph-cephfs-client-key
+        adminSecretNamespace: ceph
+*/}}
+
+{{- define "helm-toolkit.manifests.ceph-storageclass" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $monHost := $envAll.Values.conf.ceph.global.mon_host -}}
+{{- if empty $monHost -}}
+{{- $monHost = tuple "ceph_mon" "internal" "mon" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- end -}}
+{{- $storageclassData := index . "storageclass_data" -}}
+---
+{{- if $storageclassData.provision_storage_class }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+{{- if $storageclassData.metadata.default_storage_class }}
+  annotations:
+    storageclass.kubernetes.io/is-default-class: "true"
+{{- end }}
+  name: {{ $storageclassData.metadata.name }}
+provisioner: {{ $storageclassData.provisioner }}
+parameters:
+  monitors: {{ $monHost }}
+{{- range $attr, $value := $storageclassData.parameters }}
+  {{ $attr }}: {{ $value | quote }}
+{{- end }}
+allowVolumeExpansion: true
+
+{{- end }}
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/manifests/_certificates.tpl b/charts/cinder/charts/helm-toolkit/templates/manifests/_certificates.tpl
new file mode 100644
index 0000000..8be771e
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/manifests/_certificates.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a certificate using jetstack
+examples:
+  - values: |
+      endpoints:
+        dashboard:
+          host_fqdn_override:
+            default:
+              host: null
+              tls:
+                secretName: keystone-tls-api
+                issuerRef:
+                  name: ca-issuer
+                  duration: 2160h
+                  organization:
+                    - ACME
+                  commonName: keystone-api.openstack.svc.cluster.local
+                  privateKey:
+                    size: 2048
+                  usages:
+                    - server auth
+                    - client auth
+                  dnsNames:
+                    - cluster.local
+                  issuerRef:
+                    name: ca-issuer
+    usage: |
+      {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
+      {{ $opts | include "helm-toolkit.manifests.certificates" }}
+    return: |
+      ---
+      apiVersion: cert-manager.io/v1
+      kind: Certificate
+      metadata:
+        name: keystone-tls-api
+        namespace: NAMESPACE
+      spec:
+        commonName: keystone-api.openstack.svc.cluster.local
+        dnsNames:
+        - cluster.local
+        duration: 2160h
+        issuerRef:
+          name: ca-issuer
+        privateKey:
+          size: 2048
+        organization:
+        - ACME
+        secretName: keystone-tls-api
+        usages:
+        - server auth
+        - client auth
+*/}}
+
+{{- define "helm-toolkit.manifests.certificates" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $service := index . "service" -}}
+{{- $type := index . "type" | default "" -}}
+{{- $slice := index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" -}}
+{{/* Put in some sensible default value if one is not provided by values.yaml */}}
+{{/* If a dnsNames list is not in the values.yaml, it can be overridden by a passed-in parameter.
+  This allows user to use other HTK method to determine the URI and pass that into this method.*/}}
+{{- if not (hasKey $slice "dnsNames") -}}
+{{- $hostName := tuple $service $type $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
+{{- $_ := $dnsNames | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "dnsNames" -}}
+{{- end -}}
+{{/* Default privateKey size to 4096. This can be overridden. */}}
+{{- if not (hasKey $slice "privateKey") -}}
+{{- $_ := dict "size" ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "privateKey" -}}
+{{- else if empty (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey" "size") -}}
+{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey") "size" -}}
+{{- end -}}
+{{/* Default duration to 3 months. Note the min is 720h. This can be overridden. */}}
+{{- if not (hasKey $slice "duration") -}}
+{{- $_ := printf "%s" "2190h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "duration" -}}
+{{- end -}}
+{{/* Default renewBefore to 15 days. This can be overridden. */}}
+{{- if not (hasKey $slice "renewBefore") -}}
+{{- $_ := printf "%s" "360h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "renewBefore" -}}
+{{- end -}}
+{{/* Default the usage to server auth and client auth. This can be overridden. */}}
+{{- if not (hasKey $slice "usages") -}}
+{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}}
+{{- end -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }}
+  namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{ $slice | toYaml | indent 2 }}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/cinder/charts/helm-toolkit/templates/manifests/_ingress.tpl
new file mode 100644
index 0000000..70e64cc
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -0,0 +1,729 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a services ingress rules.
+examples:
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public: barbican
+          host_fqdn_override:
+            default: null
+            public:
+              host: barbican.openstackhelm.example
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican-namespace-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican.openstackhelm.example
+        rules:
+          - host: barbican.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican-cluster-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx-cluster"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican.openstackhelm.example
+        rules:
+          - host: barbican.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  - values: |
+      cert_issuer_type: issuer
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/secure-backends: "true"
+              nginx.ingress.kubernetes.io/backend-protocol: "https"
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+              internal: barbican-tls-api
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+          certs:
+            barbican_tls_api:
+              secretName: barbican-tls-api
+              issuerRef:
+                name: ca-issuer
+                kind: Issuer
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          cert-manager.io/issuer: ca-issuer
+          certmanager.k8s.io/issuer: ca-issuer
+          nginx.ingress.kubernetes.io/backend-protocol: https
+          nginx.ingress.kubernetes.io/secure-backends: "true"
+      spec:
+        tls:
+          - secretName: barbican-tls-public-certmanager
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/secure-backends: "true"
+              nginx.ingress.kubernetes.io/backend-protocol: "https"
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+              internal: barbican-tls-api
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+          certs:
+            barbican_tls_api:
+              secretName: barbican-tls-api
+              issuerRef:
+                name: ca-issuer
+                kind: ClusterIssuer
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer") -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          cert-manager.io/cluster-issuer: ca-issuer
+          certmanager.k8s.io/cluster-issuer: ca-issuer
+          nginx.ingress.kubernetes.io/backend-protocol: https
+          nginx.ingress.kubernetes.io/secure-backends: "true"
+      spec:
+        tls:
+          - secretName: barbican-tls-public-certmanager
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  # Sample usage for multiple DNS names associated with the same public
+  # endpoint and certificate
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        grafana:
+          name: grafana
+          hosts:
+            default: grafana-dashboard
+            public: grafana
+          host_fqdn_override:
+            public:
+              host: grafana.openstackhelm.example
+              tls:
+                dnsNames:
+                  - grafana-alt.openstackhelm.example
+                crt: "BASE64 ENCODED CERT"
+                key: "BASE64 ENCODED KEY"
+      network:
+        grafana:
+          ingress:
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          grafana:
+            grafana:
+              public: grafana-tls-public
+    usage: |
+      {{- $ingressOpts := dict "envAll" . "backendService" "grafana" "backendServiceType" "grafana" "backendPort" "dashboard" -}}
+      {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        rules:
+          - host: grafana
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana-namespace-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: grafana-tls-public
+            hosts:
+              - grafana.openstackhelm.example
+              - grafana-alt.openstackhelm.example
+        rules:
+          - host: grafana.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana-alt.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana-cluster-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx-cluster"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: grafana-tls-public
+            hosts:
+              - grafana.openstackhelm.example
+              - grafana-alt.openstackhelm.example
+        rules:
+          - host: grafana.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana-alt.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+
+*/}}
+
+{{- define "helm-toolkit.manifests.ingress._host_rules" -}}
+{{- $vHost := index . "vHost" -}}
+{{- $backendName := index . "backendName" -}}
+{{- $backendPort := index . "backendPort" -}}
+- host: {{ $vHost }}
+  http:
+    paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: {{ $backendName }}
+            port:
+{{- if or (kindIs "int" $backendPort) (regexMatch "^[0-9]{1,5}$" $backendPort) }}
+              number: {{ $backendPort | int }}
+{{- else }}
+              name: {{ $backendPort | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "helm-toolkit.manifests.ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendService := index . "backendService" | default "api" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+{{- $backendPort := index . "backendPort" -}}
+{{- $endpoint := index . "endpoint" | default "public" -}}
+{{- $certIssuer := index . "certIssuer" | default "" -}}
+{{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostNameFull := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $certIssuerType := "cluster-issuer" -}}
+{{- if $envAll.Values.cert_issuer_type }}
+{{- $certIssuerType = $envAll.Values.cert_issuer_type }}
+{{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $ingressName }}
+  annotations:
+    kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" "namespace" | quote }}
+{{- if $certIssuer }}
+    cert-manager.io/{{ $certIssuerType }}: {{ $certIssuer }}
+    certmanager.k8s.io/{{ $certIssuerType }}: {{ $certIssuer }}
+{{- $slice := index $envAll.Values.endpoints $backendServiceType "host_fqdn_override" "default" "tls" -}}
+{{- if (hasKey $slice "duration") }}
+    cert-manager.io/duration: {{ index $slice "duration" }}
+{{- end }}
+{{- end }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "hosts" }}
+{{- if $certIssuer }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ printf "%s-ing" $secretName }}
+      hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+        - {{ $vHost }}
+{{- end }}
+{{- else }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ $secretName }}
+      hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+        - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+  rules:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+{{- $hostRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
+{{- $ingressConf := $envAll.Values.network.kibana.ingress -}}
+{{- $ingressClasses := ternary (tuple "namespace") (tuple "namespace" "cluster") (and (hasKey $ingressConf "use_external_ingress_controller") $ingressConf.use_external_ingress_controller) }}
+{{- range $key2, $ingressController := $ingressClasses }}
+{{- $vHosts := list $hostNameFull }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ printf "%s-%s-%s" $ingressName $ingressController "fqdn" }}
+  annotations:
+    kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" $ingressController | quote }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
+{{- $vHosts = append $vHosts $v }}
+{{- end }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ $secretName }}
+      hosts:
+{{- range $vHost := $vHosts }}
+        - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+  rules:
+{{- range $vHost := $vHosts }}
+{{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/charts/cinder/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
new file mode 100644
index 0000000..5d98c8b
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
@@ -0,0 +1,141 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $bootstrapJob := dict "envAll" . "serviceName" "senlin" -}
+# { $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }
+
+{{- define "helm-toolkit.manifests.job_bootstrap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}}
+{{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $keystoneUser := index . "keystoneUser" | default $serviceName -}}
+{{- $openrc := index . "openrc" | default "true" -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "bootstrap" }}
+{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "bootstrap" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+      containers:
+        - name: bootstrap
+          image: {{ $envAll.Values.images.tags.bootstrap }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if eq $openrc "true" }}
+          env:
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+{{- end }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/bootstrap.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: bootstrap-sh
+              mountPath: /tmp/bootstrap.sh
+              subPath: bootstrap.sh
+              readOnly: true
+            - name: etc-service
+              mountPath: {{ dir $configFile | quote }}
+            - name: bootstrap-conf
+              mountPath: {{ $configFile | quote }}
+              subPath: {{ base $configFile | quote }}
+              readOnly: true
+            - name: bootstrap-conf
+              mountPath: {{ $logConfigFile | quote }}
+              subPath: {{ base $logConfigFile | quote }}
+              readOnly: true
+{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: bootstrap-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etc-service
+          emptyDir: {}
+        - name: bootstrap-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/charts/cinder/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
new file mode 100644
index 0000000..62ed119
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
@@ -0,0 +1,170 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToDropJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_drop_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToDrop := index . "dbToDrop" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToDrop := default (list $dbToDrop) (index . "dbsToDrop") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
+{{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-drop" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": hook-succeeded
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_drop" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_drop" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{ $dbToDropType := default "oslo" $dbToDrop.inputType }}
+        - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-drop" $key1 | quote }}
+          image: {{ $envAll.Values.images.tags.db_drop }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_drop | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: ROOT_DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToDrop.adminSecret | quote }}
+                  key: DB_CONNECTION
+{{- if eq $dbToDropType "oslo" }}
+            - name: OPENSTACK_CONFIG_FILE
+              value: {{ $dbToDrop.configFile | quote }}
+            - name: OPENSTACK_CONFIG_DB_SECTION
+              value: {{ $dbToDrop.configDbSection | quote }}
+            - name: OPENSTACK_CONFIG_DB_KEY
+              value: {{ $dbToDrop.configDbKey | quote }}
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+            - name: MARIADB_X509
+              value: "REQUIRE X509"
+{{- end }}
+{{- if eq $dbToDropType "secret" }}
+            - name: DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToDrop.userSecret | quote }}
+                  key: DB_CONNECTION
+{{- end }}
+          command:
+            - /tmp/db-drop.py
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-drop-sh
+              mountPath: /tmp/db-drop.py
+              subPath: db-drop.py
+              readOnly: true
+
+{{- if eq $dbToDropType "oslo" }}
+            - name: etc-service
+              mountPath: {{ dir $dbToDrop.configFile | quote }}
+            - name: db-drop-conf
+              mountPath: {{ $dbToDrop.configFile | quote }}
+              subPath: {{ base $dbToDrop.configFile | quote }}
+              readOnly: true
+            - name: db-drop-conf
+              mountPath: {{ $dbToDrop.logConfigFile | quote }}
+              subPath: {{ base $dbToDrop.logConfigFile | quote }}
+              readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-drop-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{- $dbToDropType := default "oslo" $dbToDrop.inputType }}
+{{- if and (eq $dbToDropType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-drop-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/charts/cinder/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
new file mode 100644
index 0000000..745e8da
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
@@ -0,0 +1,169 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToInitJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_init_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToInit := index . "dbToInit" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToInit := default (list $dbToInit) (index . "dbsToInit") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
+{{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-init" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{ $dbToInitType := default "oslo" $dbToInit.inputType }}
+        - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-init" $key1 | quote }}
+          image: {{ $envAll.Values.images.tags.db_init }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: ROOT_DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToInit.adminSecret | quote }}
+                  key: DB_CONNECTION
+{{- if eq $dbToInitType "oslo" }}
+            - name: OPENSTACK_CONFIG_FILE
+              value: {{ $dbToInit.configFile | quote }}
+            - name: OPENSTACK_CONFIG_DB_SECTION
+              value: {{ $dbToInit.configDbSection | quote }}
+            - name: OPENSTACK_CONFIG_DB_KEY
+              value: {{ $dbToInit.configDbKey | quote }}
+{{- end }}
+{{- if eq $dbToInitType "secret" }}
+            - name: DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToInit.userSecret | quote }}
+                  key: DB_CONNECTION
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+            - name: MARIADB_X509
+              value: "REQUIRE X509"
+{{- end }}
+          command:
+            - /tmp/db-init.py
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-init-sh
+              mountPath: /tmp/db-init.py
+              subPath: db-init.py
+              readOnly: true
+{{- if eq $dbToInitType "oslo" }}
+            - name: etc-service
+              mountPath: {{ dir $dbToInit.configFile | quote }}
+            - name: db-init-conf
+              mountPath: {{ $dbToInit.configFile | quote }}
+              subPath: {{ base $dbToInit.configFile | quote }}
+              readOnly: true
+            - name: db-init-conf
+              mountPath: {{ $dbToInit.logConfigFile | quote }}
+              subPath: {{ base $dbToInit.logConfigFile | quote }}
+              readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-init-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{- $dbToInitType := default "oslo" $dbToInit.inputType }}
+{{- if and (eq $dbToInitType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-init-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl b/charts/cinder/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
new file mode 100644
index 0000000..24d2496
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
@@ -0,0 +1,137 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db migration and management.
+# It can be used in charts dict created similar to the following:
+# {- $dbSyncJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }
+
+{{- define "helm-toolkit.manifests.job_db_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $podEnvVars := index . "podEnvVars" | default false -}}
+{{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "image" ( index $envAll.Values.images.tags ( printf "%s_db_sync" $serviceName )) ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
+{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+          image: {{ $dbToSync.image | quote }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if $podEnvVars }}
+          env:
+{{ $podEnvVars | toYaml | indent 12 }}
+{{- end }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/db-sync.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-sync-sh
+              mountPath: /tmp/db-sync.sh
+              subPath: db-sync.sh
+              readOnly: true
+            - name: etc-service
+              mountPath: {{ dir $dbToSync.configFile | quote }}
+            - name: db-sync-conf
+              mountPath: {{ $dbToSync.configFile | quote }}
+              subPath: {{ base $dbToSync.configFile | quote }}
+              readOnly: true
+            - name: db-sync-conf
+              mountPath: {{ $dbToSync.logConfigFile | quote }}
+              subPath: {{ base $dbToSync.logConfigFile | quote }}
+              readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-sync-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-sync-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/charts/cinder/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
new file mode 100644
index 0000000..3a7df7f
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
@@ -0,0 +1,130 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksEndpointJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksEndpointJob | include "helm-toolkit.manifests.job_ks_endpoints" }
+
+{{- define "helm-toolkit.manifests.job_ks_endpoints" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_endpoints" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_endpoints.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-endpoints" }}
+{{ tuple $envAll "ks_endpoints" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "ks-endpoints" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_endpoints" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_endpoints" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+        - name: {{ printf "%s-%s-%s" $osServiceType "ks-endpoints" $osServiceEndPoint | quote }}
+          image: {{ $envAll.Values.images.tags.ks_endpoints }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-endpoints.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-endpoints-sh
+              mountPath: /tmp/ks-endpoints.sh
+              subPath: ks-endpoints.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: OS_SVC_ENDPOINT
+              value: {{ $osServiceEndPoint | quote }}
+            - name: OS_SERVICE_NAME
+              value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+            - name: OS_SERVICE_TYPE
+              value: {{ $osServiceType | quote }}
+            - name: OS_SERVICE_ENDPOINT
+              value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-endpoints-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl b/charts/cinder/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
new file mode 100644
index 0000000..a109e3c
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
@@ -0,0 +1,124 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksServiceJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }
+
+{{- define "helm-toolkit.manifests.job_ks_service" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_service" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_service.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-service" }}
+{{ tuple $envAll "ks_service" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "ks-service" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_service" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_service" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+        - name: {{ printf "%s-%s" $osServiceType "ks-service-registration" | quote }}
+          image: {{ $envAll.Values.images.tags.ks_service }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-service.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-service-sh
+              mountPath: /tmp/ks-service.sh
+              subPath: ks-service.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: OS_SERVICE_NAME
+              value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+            - name: OS_SERVICE_TYPE
+              value: {{ $osServiceType | quote }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-service-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/charts/cinder/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
new file mode 100644
index 0000000..905eb71
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone user management.
+# It can be used in charts dict created similar to the following:
+# {- $ksUserJob := dict "envAll" . "serviceName" "senlin" }
+# { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }
+
+{{/*
+  # To enable PodSecuritycontext (PodSecurityContext/v1) define the below in values.yaml:
+  # example:
+  #  values: |
+  #    pod:
+  #      security_context:
+  #        ks_user:
+  #          pod:
+  #            runAsUser: 65534
+  # To enable Container SecurityContext(SecurityContext/v1) for ks-user container define the values:
+  # example:
+  #   values: |
+  #     pod:
+  #       security_context:
+  #         ks_user:
+  #           container:
+  #             ks-user:
+  #               runAsUser: 65534
+  #               readOnlyRootFilesystem: true
+  #               allowPrivilegeEscalation: false
+*/}}
+
+{{- define "helm-toolkit.manifests.job_ks_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_user" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_user.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "ks-user" }}
+{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceUserPretty "ks-user" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+{{ dict "envAll" $envAll "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: ks-user
+          image: {{ $envAll.Values.images.tags.ks_user }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ks_user" "container" "ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-user.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-user-sh
+              mountPath: /tmp/ks-user.sh
+              subPath: ks-user.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: SERVICE_OS_SERVICE_NAME
+              value: {{ $serviceName | quote }}
+{{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: SERVICE_OS_ROLES
+            {{- $serviceOsRoles := index $envAll.Values.endpoints.identity.auth $serviceUser "role" }}
+            {{- if kindIs "slice" $serviceOsRoles }}
+              value: {{ include "helm-toolkit.utils.joinListWithComma" $serviceOsRoles | quote }}
+            {{- else }}
+              value: {{ $serviceOsRoles | quote }}
+            {{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-user-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/charts/cinder/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
new file mode 100644
index 0000000..6982064
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
@@ -0,0 +1,129 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.manifests.job_rabbit_init" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
+{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceUserPretty "rabbit-init" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "rabbit_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "rabbit_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: rabbit-init
+          image: {{ $envAll.Values.images.tags.rabbit_init | quote }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.rabbit_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/rabbit-init.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: rabbit-init-sh
+              mountPath: /tmp/rabbit-init.sh
+              subPath: rabbit-init.sh
+              readOnly: true
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+          env:
+          - name: RABBITMQ_ADMIN_CONNECTION
+            valueFrom:
+              secretKeyRef:
+                name: {{ $envAll.Values.secrets.oslo_messaging.admin }}
+                key: RABBITMQ_CONNECTION
+          - name: RABBITMQ_USER_CONNECTION
+            valueFrom:
+              secretKeyRef:
+                name: {{ index $envAll.Values.secrets.oslo_messaging $serviceName }}
+                key: RABBITMQ_CONNECTION
+{{- if $envAll.Values.conf.rabbitmq }}
+          - name: RABBITMQ_AUXILIARY_CONFIGURATION
+            value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates (ne $tlsSecret "") }}
+          - name: RABBITMQ_X509
+            value: "REQUIRE X509"
+          - name: USER_CERT_PATH
+            value: {{ $tlsPath | quote }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: rabbit-init-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl b/charts/cinder/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
new file mode 100644
index 0000000..29cb993
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
@@ -0,0 +1,147 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for linking an s3 bucket to an s3 user.
+# It can be used in charts dict created similar to the following:
+# {- $s3BucketJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3BucketJob | include "helm-toolkit.manifests.job_s3_bucket" }
+
+{{- define "helm-toolkit.manifests.job_s3_bucket" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+{{- $s3Bucket := index . "s3Bucket" | default $serviceName }}
+{{- $tlsCertificateSecret := index . "tlsCertificateSecret" -}}
+{{- $tlsCertificatePath := index . "tlsCertificatePath" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-bucket" }}
+{{ tuple $envAll "s3_bucket" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "s3-bucket" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "s3_bucket" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "s3_bucket" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: s3-bucket
+          image: {{ $envAll.Values.images.tags.s3_bucket }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_bucket | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/create-s3-bucket.sh
+          env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: s3-bucket-sh
+              mountPath: /tmp/create-s3-bucket.sh
+              subPath: create-s3-bucket.sh
+              readOnly: true
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: ceph.conf
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+            - name: {{ $tlsCertificateSecret }}
+              mountPath: {{ $tlsCertificatePath }}
+              subPath: ca.crt
+              readOnly: true
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: s3-bucket-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etcceph
+          emptyDir: {}
+        - name: ceph-etc
+          configMap:
+            name: {{ $configMapCeph | quote }}
+            defaultMode: 0444
+        {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+        - name: ceph-keyring
+          secret:
+            secretName: pvc-ceph-client-key
+        {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+        - name: {{ $tlsCertificateSecret }}
+          secret:
+            secretName: {{ $tlsCertificateSecret }}
+            defaultMode: 292
+{{- end }}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl b/charts/cinder/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
new file mode 100644
index 0000000..50d9af5
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
@@ -0,0 +1,159 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for s3 user management.
+# It can be used in charts dict created similar to the following:
+# {- $s3UserJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3UserJob | include "helm-toolkit.manifests.job_s3_user" }
+
+{{- define "helm-toolkit.manifests.job_s3_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-user" }}
+{{ tuple $envAll "s3_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "s3-user" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook-delete-policy": before-hook-creation
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "s3_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "s3_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: ceph-keyring-placement
+          image: {{ $envAll.Values.images.tags.ceph_key_placement }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+          command:
+            - /tmp/ceph-admin-keyring.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-keyring-sh
+              mountPath: /tmp/ceph-admin-keyring.sh
+              subPath: ceph-admin-keyring.sh
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+      containers:
+        - name: s3-user
+          image: {{ $envAll.Values.images.tags.s3_user }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/create-s3-user.sh
+          env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+            - name: RGW_HOST
+              value: {{ tuple "ceph_object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: create-s3-user-sh
+              mountPath: /tmp/create-s3-user.sh
+              subPath: create-s3-user.sh
+              readOnly: true
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: ceph.conf
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: create-s3-user-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: ceph-keyring-sh
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+        - name: etcceph
+          emptyDir: {}
+        - name: ceph-etc
+          configMap:
+            name: {{ $configMapCeph | quote }}
+            defaultMode: 0444
+        {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+        - name: ceph-keyring
+          secret:
+            secretName: pvc-ceph-client-key
+        {{ end }}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl b/charts/cinder/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
new file mode 100644
index 0000000..0906df4
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
@@ -0,0 +1,119 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for the image repo sync jobs.
+# It can be used in charts dict created similar to the following:
+# {- $imageRepoSyncJob := dict "envAll" . "serviceName" "prometheus" -}
+# { $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }
+
+{{- define "helm-toolkit.manifests.job_image_repo_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "image-repo-sync" }}
+{{ tuple $envAll "image_repo_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "image-repo-sync" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook-delete-policy": before-hook-creation
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "image_repo_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+      containers:
+        - name: image-repo-sync
+{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: LOCAL_REPO
+              value: "{{ tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+            - name: IMAGE_SYNC_LIST
+              value: "{{ include "helm-toolkit.utils.image_sync_list" $envAll }}"
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/image-repo-sync.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: bootstrap-sh
+              mountPath: /tmp/image-repo-sync.sh
+              subPath: image-repo-sync.sh
+              readOnly: true
+            - name: docker-socket
+              mountPath: /var/run/docker.sock
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: bootstrap-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: docker-socket
+          hostPath:
+            path: /var/run/docker.sock
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/manifests/_network_policy.tpl b/charts/cinder/charts/helm-toolkit/templates/manifests/_network_policy.tpl
new file mode 100644
index 0000000..405197a
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/manifests/_network_policy.tpl
@@ -0,0 +1,238 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a network policy manifest for services.
+values: |
+  endpoints:
+    kube_dns:
+      namespace: kube-system
+      name: kubernetes-dns
+      hosts:
+        default: kube-dns
+      host_fqdn_override:
+        default: null
+      path:
+        default: null
+      scheme: http
+      port:
+        dns_tcp:
+          default: 53
+        dns:
+          default: 53
+          protocol: UDP
+  network_policy:
+    myLabel:
+      podSelector:
+        matchLabels:
+          component: api
+      ingress:
+      - from:
+        - podSelector:
+            matchLabels:
+              application: keystone
+        ports:
+        - protocol: TCP
+          port: 80
+      egress:
+      - to:
+        - namespaceSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+usage: |
+  {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+  {{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}
+return: |
+  ---
+  apiVersion: networking.k8s.io/v1
+  kind: NetworkPolicy
+  metadata:
+    name: RELEASE-NAME
+    namespace: NAMESPACE
+  spec:
+    policyTypes:
+      - Ingress
+      - Egress
+    podSelector:
+      matchLabels:
+        application: myLabel
+        component: api
+    ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            application: keystone
+      ports:
+      - protocol: TCP
+        port: 80
+    egress:
+      - to:
+        - podSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+  ---
+  apiVersion: networking.k8s.io/v1
+  kind: NetworkPolicy
+  metadata:
+    name: RELEASE-NAME
+    namespace: NAMESPACE
+  spec:
+    policyTypes:
+      - Ingress
+      - Egress
+    podSelector:
+      matchLabels:
+        application: myApp
+        component: myComp
+    ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            application: keystone
+      ports:
+      - protocol: TCP
+        port: 80
+    egress:
+      - to:
+        - podSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+*/}}
+
+{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $name := index . "name" -}}
+{{- $labels := index . "labels" | default nil -}}
+{{- $label := index . "key" | default (index . "label") -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ $label | replace "_" "-" }}-netpol
+  namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+  policyTypes:
+{{- $is_egress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_egress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
+    - Egress
+{{ end -}}
+{{- $is_ingress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_ingress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
+    - Ingress
+{{ end -}}
+{{- end }}
+  podSelector:
+    matchLabels:
+{{- if empty $labels }}
+      {{ $name }}: {{ $label }}
+{{- else }}
+{{ range $k, $v := $labels }}
+      {{ $k }}: {{ $v }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
+{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
+{{ index $envAll.Values.network_policy $label "podSelector" "matchLabels" | toYaml | indent 6 }}
+{{ end }}
+{{ end }}
+{{ end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+  egress:
+{{- range $key, $value := $envAll.Values.endpoints }}
+{{- if kindIs "map" $value }}
+{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }}
+    - to:
+{{- if index $value "namespace" }}
+      - namespaceSelector:
+          matchLabels:
+            name: {{ index $value "namespace" }}
+{{- else if index $value "hosts" }}
+{{- $defaultValue := index $value "hosts" "internal" }}
+{{- if hasKey (index $value "hosts") "internal" }}
+{{- $a := split "-" $defaultValue }}
+      - podSelector:
+          matchLabels:
+            application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- else }}
+{{- $defaultValue := index $value "hosts" "default" }}
+{{- $a := split "-" $defaultValue }}
+      - podSelector:
+          matchLabels:
+            application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- end }}
+{{- end }}
+{{- if index $value "port" }}
+      ports:
+{{- range $k, $v := index $value "port" }}
+{{- if $k }}
+{{- range $pk, $pv := $v }}
+{{- if and $pv (ne $pk "protocol") }}
+      - port: {{ $pv }}
+        protocol: {{ $v.protocol | default "TCP" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if index $envAll.Values.network_policy $label "egress" }}
+{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if index $envAll.Values.network_policy $label "ingress" }}
+  ingress:
+{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl b/charts/cinder/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
new file mode 100644
index 0000000..4854bb1
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
@@ -0,0 +1,93 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a authenticating a registry with a secret
+examples:
+  - values: |
+      secrets:
+        oci_image_registry:
+          {{ $serviceName }}: {{ $keyName }}
+      endpoints:
+        oci_image_registry:
+          name: oci-image-registry
+          auth:
+            enabled: true
+             {{ $serviceName }}:
+                name: {{ $userName }}
+                password: {{ $password }}
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: {{ $secretName }}
+    type: kubernetes.io/dockerconfigjson
+    data:
+      dockerconfigjson: {{ $dockerAuth }}
+
+  - values: |
+      secrets:
+        oci_image_registry:
+          {{ $serviceName }}: {{ $keyName }}
+      endpoints:
+        oci_image_registry:
+          name: oci-image-registry
+          auth:
+            enabled: true
+             {{ $serviceName }}:
+                name: {{ $userName }}
+                password: {{ $password }}
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: {{ $secretName }}
+    type: kubernetes.io/dockerconfigjson
+    data:
+      dockerconfigjson: {{ $dockerAuth }}
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_registry" }}
+{{- $envAll := index . "envAll" }}
+{{- $registryUser := index . "registryUser" }}
+{{- $secretName := index $envAll.Values.secrets.oci_image_registry $registryUser }}
+{{- $registryHost := tuple "oci_image_registry" "internal" $envAll | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{/*
+We only use "host:port" when port is non-null, else just use "host"
+*/}}
+{{- $registryPort := "" }}
+{{- $port := $envAll.Values.endpoints.oci_image_registry.port.registry.default }}
+{{- if $port }}
+{{- $port = tuple "oci_image_registry" "internal" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $registryPort = printf ":%s" $port }}
+{{- end }}
+{{- $imageCredentials := index $envAll.Values.endpoints.oci_image_registry.auth $registryUser }}
+{{- $dockerAuthToken := printf "%s:%s" $imageCredentials.username $imageCredentials.password | b64enc }}
+{{- $dockerAuth := printf "{\"auths\": {\"%s%s\": {\"auth\": \"%s\"}}}" $registryHost $registryPort $dockerAuthToken | b64enc }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ $dockerAuth }}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl b/charts/cinder/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
new file mode 100644
index 0000000..24a7045
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a services public tls secret
+examples:
+  - values: |
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        key_manager:
+          host_fqdn_override:
+            public:
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: barbican-tls-public
+    type: kubernetes.io/tls
+    data:
+      tls.key: Rk9PLUtFWQo=
+      tls.crt: Rk9PLUNSVAoKRk9PLUNBX0NSVAo=
+
+  - values: |
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        key_manager:
+          host_fqdn_override:
+            public:
+              tls:
+                crt: |
+                  FOO-CRT
+                  FOO-INTERMEDIATE_CRT
+                  FOO-CA_CRT
+                key: |
+                  FOO-KEY
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: barbican-tls-public
+    type: kubernetes.io/tls
+    data:
+      tls.key: Rk9PLUtFWQo=
+      tls.crt: Rk9PLUNSVApGT08tSU5URVJNRURJQVRFX0NSVApGT08tQ0FfQ1JUCg==
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_ingress_tls" }}
+{{- $envAll := index . "envAll" }}
+{{- $endpoint := index . "endpoint" | default "public" }}
+{{- $backendServiceType := index . "backendServiceType" }}
+{{- $backendService := index . "backendService" | default "api" }}
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and $endpointHost.tls.key $endpointHost.tls.crt }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ index $envAll.Values.secrets.tls ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+type: kubernetes.io/tls
+data:
+  tls.key: {{ $endpointHost.tls.key | b64enc }}
+{{- if $endpointHost.tls.ca }}
+  tls.crt: {{ list $endpointHost.tls.crt $endpointHost.tls.ca | join "\n" | b64enc }}
+{{- else }}
+  tls.crt: {{ $endpointHost.tls.crt | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/manifests/_service-ingress.tpl b/charts/cinder/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
new file mode 100644
index 0000000..d2e7c0e
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
@@ -0,0 +1,43 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for a services ingress rules.
+# It can be used in charts dict created similar to the following:
+# {- $serviceIngressOpts := dict "envAll" . "backendServiceType" "key-manager" -}
+# { $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }
+
+{{- define "helm-toolkit.manifests.service_ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+  ports:
+    - name: http
+      port: 80
+    - name: https
+      port: 443
+  selector:
+    app: ingress-api
+{{- if index $envAll.Values.endpoints $backendServiceType }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" "ingress" }}
+  clusterIP: {{ (index $envAll.Values.endpoints $backendServiceType "ip" "ingress") }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl b/charts/cinder/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
new file mode 100644
index 0000000..bf1465b
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_bucket" }}
+#!/bin/bash
+set -e
+CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST"
+if [ "$RGW_PROTO" = "http" ]; then
+  CONNECTION_ARGS+=" --no-ssl"
+else
+  CONNECTION_ARGS+=" --no-check-certificate"
+fi
+ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
+USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY"
+function check_rgw_s3_bucket () {
+  s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS ls s3://$S3_BUCKET
+}
+function create_rgw_s3_bucket () {
+  s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS mb s3://$S3_BUCKET
+}
+function modify_bucket_acl () {
+  s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME
+}
+check_rgw_s3_bucket || ( create_rgw_s3_bucket && modify_bucket_acl )
+{{- end }}
\ No newline at end of file
diff --git a/charts/cinder/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl b/charts/cinder/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
new file mode 100644
index 0000000..08796d2
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
@@ -0,0 +1,65 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_user" }}
+#!/bin/bash
+set -e
+function create_s3_user () {
+  echo "Creating s3 user and key pair"
+  radosgw-admin user create \
+    --uid=${S3_USERNAME} \
+    --display-name=${S3_USERNAME} \
+    --key-type=s3 \
+    --access-key ${S3_ACCESS_KEY} \
+    --secret-key ${S3_SECRET_KEY}
+}
+function update_s3_user () {
+  # Retrieve old access keys, if they exist
+  old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \
+    | jq -r '.keys[].access_key' || true)
+
+  if [[ ! -z ${old_access_keys} ]]; then
+    for access_key in $old_access_keys; do
+      # If current access key is the same as the key supplied, do nothing.
+      if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then
+        echo "Current user and key pair exists."
+        continue
+      else
+        # If keys differ, remove previous key
+        radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key
+      fi
+    done
+  fi
+
+  # Perform one more additional check to account for scenarios where multiple
+  # key pairs existed previously, but one existing key was the supplied key
+  current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \
+    | jq -r '.keys[].access_key' || true)
+
+  # If the supplied key does not exist, modify the user
+  if [[ -z ${current_access_key} ]]; then
+    # Modify user with new access and secret keys
+    echo "Updating existing user's key pair"
+    radosgw-admin user modify \
+      --uid=${S3_USERNAME}\
+      --access-key ${S3_ACCESS_KEY} \
+      --secret-key ${S3_SECRET_KEY}
+  fi
+}
+user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true)
+if [[ -z ${user_exists} ]]; then
+  create_s3_user
+else
+  update_s3_user
+fi
+{{- end }}
\ No newline at end of file
diff --git a/charts/cinder/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl b/charts/cinder/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
new file mode 100644
index 0000000..03884fa
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_drop" }}
+#!/usr/bin/env python
+
+# Drops db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+    import ConfigParser
+    PARSER_OPTS = {}
+except ImportError:
+    import configparser as ConfigParser
+    PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Drop')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+    db_connection = os.environ['ROOT_DB_CONNECTION']
+    logger.info('Got DB root connection')
+else:
+    logger.critical('environment variable ROOT_DB_CONNECTION not set')
+    sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+    ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+                        'key': '/etc/mysql/certs/tls.key',
+                        'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+    os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+    if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+        os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+        sys.exit(1)
+    if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+        os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+        sys.exit(1)
+    try:
+        config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+        logger.info("Using {0} as db config source".format(os_conf))
+        config.read(os_conf)
+        logger.info("Trying to load db config from {0}:{1}".format(
+            os_conf_section, os_conf_key))
+        user_db_conn = config.get(os_conf_section, os_conf_key)
+        logger.info("Got config from {0}".format(os_conf))
+    except:
+        logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+        raise
+elif "DB_CONNECTION" in os.environ:
+    user_db_conn = os.environ['DB_CONNECTION']
+    logger.info('Got config from DB_CONNECTION env var')
+else:
+    logger.critical('Could not get db config, either from config file or env var')
+    sys.exit(1)
+
+# Root DB engine
+try:
+    root_engine_full = create_engine(db_connection)
+    root_user = root_engine_full.url.username
+    root_password = root_engine_full.url.password
+    drivername = root_engine_full.url.drivername
+    host = root_engine_full.url.host
+    port = root_engine_full.url.port
+    root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+    root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+    connection = root_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+        host, port, root_user))
+except:
+    logger.critical('Could not connect to database as root user')
+    raise
+
+# User DB engine
+try:
+    user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+    # Get our user data out of the user_engine
+    database = user_engine.url.database
+    user = user_engine.url.username
+    password = user_engine.url.password
+    logger.info('Got user db config')
+except:
+    logger.critical('Could not get user database config')
+    raise
+
+# Delete DB
+try:
+    root_engine.execute("DROP DATABASE IF EXISTS {0}".format(database))
+    logger.info("Deleted database {0}".format(database))
+except:
+    logger.critical("Could not drop database {0}".format(database))
+    raise
+
+# Delete DB User
+try:
+    root_engine.execute("DROP USER IF EXISTS {0}".format(user))
+    logger.info("Deleted user {0}".format(user))
+except:
+    logger.critical("Could not delete user {0}".format(user))
+    raise
+
+logger.info('Finished DB Management')
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/scripts/_db-init.py.tpl b/charts/cinder/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
new file mode 100644
index 0000000..4294d40
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_init" }}
+#!/usr/bin/env python
+
+# Creates db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+    import ConfigParser
+    PARSER_OPTS = {}
+except ImportError:
+    import configparser as ConfigParser
+    PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Init')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+    db_connection = os.environ['ROOT_DB_CONNECTION']
+    logger.info('Got DB root connection')
+else:
+    logger.critical('environment variable ROOT_DB_CONNECTION not set')
+    sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+    ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+                'key': '/etc/mysql/certs/tls.key',
+                'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+    os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+    if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+        os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+        sys.exit(1)
+    if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+        os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+        sys.exit(1)
+    try:
+        config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+        logger.info("Using {0} as db config source".format(os_conf))
+        config.read(os_conf)
+        logger.info("Trying to load db config from {0}:{1}".format(
+            os_conf_section, os_conf_key))
+        user_db_conn = config.get(os_conf_section, os_conf_key)
+        logger.info("Got config from {0}".format(os_conf))
+    except:
+        logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+        raise
+elif "DB_CONNECTION" in os.environ:
+    user_db_conn = os.environ['DB_CONNECTION']
+    logger.info('Got config from DB_CONNECTION env var')
+else:
+    logger.critical('Could not get db config, either from config file or env var')
+    sys.exit(1)
+
+# Root DB engine
+try:
+    root_engine_full = create_engine(db_connection)
+    root_user = root_engine_full.url.username
+    root_password = root_engine_full.url.password
+    drivername = root_engine_full.url.drivername
+    host = root_engine_full.url.host
+    port = root_engine_full.url.port
+    root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+    root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+    connection = root_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+        host, port, root_user))
+except:
+    logger.critical('Could not connect to database as root user')
+    raise
+
+# User DB engine
+try:
+    user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+    # Get our user data out of the user_engine
+    database = user_engine.url.database
+    user = user_engine.url.username
+    password = user_engine.url.password
+    logger.info('Got user db config')
+except:
+    logger.critical('Could not get user database config')
+    raise
+
+# Create DB
+try:
+    root_engine.execute("CREATE DATABASE IF NOT EXISTS {0}".format(database))
+    logger.info("Created database {0}".format(database))
+except:
+    logger.critical("Could not create database {0}".format(database))
+    raise
+
+# Create DB User
+try:
+    root_engine.execute(
+        "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\' {3}".format(
+            database, user, password, mysql_x509))
+    logger.info("Created user {0} for {1}".format(user, database))
+except:
+    logger.critical("Could not create user {0} for {1}".format(user, database))
+    raise
+
+# Test connection
+try:
+    connection = user_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1}/{2} as {3}".format(
+        host, port, database, user))
+except:
+    logger.critical('Could not connect to database as user')
+    raise
+
+logger.info('Finished DB Management')
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl b/charts/cinder/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
new file mode 100644
index 0000000..4d7dfaa
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
@@ -0,0 +1,69 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "helm-toolkit.scripts.pg_db_init" }}
+#!/bin/bash
+set -ex
+
+if [[ ! -v DB_HOST ]]; then
+    echo "environment variable DB_HOST not set"
+    exit 1
+elif [[ ! -v DB_ADMIN_USER ]]; then
+    echo "environment variable DB_ADMIN_USER not set"
+    exit 1
+elif [[ ! -v PGPASSWORD ]]; then
+    echo "environment variable PGPASSWORD not set"
+    exit 1
+elif [[ ! -v DB_PORT ]]; then
+    echo "environment variable DB_PORT not set"
+    exit 1
+elif [[ ! -v USER_DB_USER ]]; then
+    echo "environment variable USER_DB_USER not set"
+    exit 1
+elif [[ ! -v USER_DB_PASS ]]; then
+    echo "environment variable USER_DB_PASS not set"
+    exit 1
+elif [[ ! -v USER_DB_NAME ]]; then
+    echo "environment variable USER_DB_NAME not set"
+    exit 1
+else
+    echo "Got DB connection info"
+fi
+
+pgsql_superuser_cmd () {
+  DB_COMMAND="$1"
+  if [[ ! -z $2 ]]; then
+      EXPORT PGDATABASE=$2
+  fi
+  /usr/bin/psql \
+  -h ${DB_HOST} \
+  -p ${DB_PORT} \
+  -U ${DB_ADMIN_USER} \
+  --command="${DB_COMMAND}"
+}
+
+#create db
+pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q "(1 row)" || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME"
+
+#create db user
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | grep -q "(1 row)" || \
+    pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';"
+
+#Set password everytime. This is required for cases when we would want password rotation to take effect and set the updated password for a user.
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} with password '$USER_DB_PASS'"
+
+#give permissions to user
+pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;"
+
+#revoke all privileges from PUBLIC role
+pgsql_superuser_cmd "REVOKE ALL ON DATABASE $USER_DB_NAME FROM PUBLIC;"
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl b/charts/cinder/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
new file mode 100644
index 0000000..e41abe3
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
@@ -0,0 +1,24 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.image_repo_sync" }}
+#!/bin/sh
+set -ex
+
+IFS=','; for IMAGE in ${IMAGE_SYNC_LIST}; do
+  docker pull ${IMAGE}
+  docker tag ${IMAGE} ${LOCAL_REPO}/${IMAGE}
+  docker push ${LOCAL_REPO}/${IMAGE}
+done
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl b/charts/cinder/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
new file mode 100644
index 0000000..8755cd5
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
@@ -0,0 +1,72 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_domain_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Manage domain
+SERVICE_OS_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Service Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+    "${SERVICE_OS_DOMAIN_NAME}")
+
+# Display domain
+openstack domain show "${SERVICE_OS_DOMAIN_ID}"
+
+# Manage user
+SERVICE_OS_USERID=$(openstack user create --or-show --enable -f value -c id \
+    --domain="${SERVICE_OS_DOMAIN_ID}" \
+    --description "Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+    --password="${SERVICE_OS_PASSWORD}" \
+    "${SERVICE_OS_USERNAME}")
+
+# Manage user password (we do this to ensure the password is updated if required)
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${SERVICE_OS_USERID}"
+
+# Display user
+openstack user show "${SERVICE_OS_USERID}"
+
+# Manage role
+SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \
+    "${SERVICE_OS_ROLE}" || openstack role create -f value -c id \
+    "${SERVICE_OS_ROLE}" )
+
+# Manage user role assignment
+openstack role add \
+          --domain="${SERVICE_OS_DOMAIN_ID}" \
+          --user="${SERVICE_OS_USERID}" \
+          --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+          "${SERVICE_OS_ROLE_ID}"
+
+# Display user role assignment
+openstack role assignment list \
+          --role="${SERVICE_OS_ROLE_ID}" \
+          --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+          --user="${SERVICE_OS_USERID}"
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl b/charts/cinder/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
new file mode 100644
index 0000000..e400bcd
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
@@ -0,0 +1,79 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_endpoints" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Get Service ID
+OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+                  grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+                    sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+# Get Endpoint ID if it exists
+OS_ENDPOINT_ID=$( openstack endpoint list  -f csv --quote none | \
+                  grep "^[a-z0-9]*,${OS_REGION_NAME},${OS_SERVICE_NAME},${OS_SERVICE_TYPE},True,${OS_SVC_ENDPOINT}," | \
+                  awk -F ',' '{ print $1 }' )
+
+# Making sure only a single endpoint exists for a service within a region
+if [ "$(echo $OS_ENDPOINT_ID | wc -w)" -gt "1" ]; then
+  echo "More than one endpoint found, cleaning up"
+  for ENDPOINT_ID in $OS_ENDPOINT_ID; do
+    openstack endpoint delete ${ENDPOINT_ID}
+  done
+  unset OS_ENDPOINT_ID
+fi
+
+# Determine if Endpoint needs updated
+if [[ ${OS_ENDPOINT_ID} ]]; then
+  OS_ENDPOINT_URL_CURRENT=$(openstack endpoint show ${OS_ENDPOINT_ID} -f value -c url)
+  if [ "${OS_ENDPOINT_URL_CURRENT}" == "${OS_SERVICE_ENDPOINT}" ]; then
+    echo "Endpoints Match: no action required"
+    OS_ENDPOINT_UPDATE="False"
+  else
+    echo "Endpoints Dont Match: removing existing entries"
+    openstack endpoint delete ${OS_ENDPOINT_ID}
+    OS_ENDPOINT_UPDATE="True"
+  fi
+else
+  OS_ENDPOINT_UPDATE="True"
+fi
+
+# Update Endpoint if required
+if [[ "${OS_ENDPOINT_UPDATE}" == "True" ]]; then
+  OS_ENDPOINT_ID=$( openstack endpoint create -f value -c id \
+    --region="${OS_REGION_NAME}" \
+    "${OS_SERVICE_ID}" \
+    ${OS_SVC_ENDPOINT} \
+    "${OS_SERVICE_ENDPOINT}" )
+fi
+
+# Display the Endpoint
+openstack endpoint show ${OS_ENDPOINT_ID}
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl b/charts/cinder/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
new file mode 100644
index 0000000..8356b36
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_service" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Service boilerplate description
+OS_SERVICE_DESC="${OS_REGION_NAME}: ${OS_SERVICE_NAME} (${OS_SERVICE_TYPE}) service"
+
+# Get Service ID if it exists
+unset OS_SERVICE_ID
+
+# FIXME - There seems to be an issue once in a while where the
+# openstack service list fails and encounters an error message such as:
+#   Unable to establish connection to
+#   https://keystone-api.openstack.svc.cluster.local:5000/v3/auth/tokens:
+#   ('Connection aborted.', OSError("(104, 'ECONNRESET')",))
+# During an upgrade scenario, this would cause the OS_SERVICE_ID to be blank
+# and it would attempt to create a new service when it was not needed.
+# This duplciate service would sometimes be used by other services such as
+# Horizon and would give an 'Invalid Service Catalog' error.
+# This loop allows for a 'retry' of the openstack service list in an
+# attempt to get the service list as expected if it does ecounter an error.
+# This loop and recheck can be reverted once the underlying issue is addressed.
+
+# If OS_SERVICE_ID is blank then wait a few seconds to give it
+# additional time and try again
+for i in $(seq 3)
+do
+  OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+                   grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+                   sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+  # If the service was found, go ahead and exit successfully.
+  if [[ -n "${OS_SERVICE_ID}" ]]; then
+    exit 0
+  fi
+
+  sleep 2
+done
+
+# If we've reached this point and a Service ID was not found,
+# then create the service
+OS_SERVICE_ID=$(openstack service create -f value -c id \
+                --name="${OS_SERVICE_NAME}" \
+                --description "${OS_SERVICE_DESC}" \
+                --enable \
+                "${OS_SERVICE_TYPE}")
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl b/charts/cinder/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
new file mode 100644
index 0000000..b45f798
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+shopt -s nocasematch
+
+if [[ "${SERVICE_OS_PROJECT_DOMAIN_NAME}" == "Default" ]]
+then
+  PROJECT_DOMAIN_ID="default"
+else
+  # Manage project domain
+  PROJECT_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
+    "${SERVICE_OS_PROJECT_DOMAIN_NAME}")
+fi
+
+if [[ "${SERVICE_OS_USER_DOMAIN_NAME}" == "Default" ]]
+then
+  USER_DOMAIN_ID="default"
+else
+  # Manage user domain
+  USER_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}" \
+    "${SERVICE_OS_USER_DOMAIN_NAME}")
+fi
+
+shopt -u nocasematch
+
+# Manage user project
+USER_PROJECT_DESC="Service Project for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+USER_PROJECT_ID=$(openstack project create --or-show --enable -f value -c id \
+    --domain="${PROJECT_DOMAIN_ID}" \
+    --description="${USER_PROJECT_DESC}" \
+    "${SERVICE_OS_PROJECT_NAME}");
+
+# Manage user
+USER_DESC="Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}/${SERVICE_OS_SERVICE_NAME}"
+USER_ID=$(openstack user create --or-show --enable -f value -c id \
+    --domain="${USER_DOMAIN_ID}" \
+    --project-domain="${PROJECT_DOMAIN_ID}" \
+    --project="${USER_PROJECT_ID}" \
+    --description="${USER_DESC}" \
+    "${SERVICE_OS_USERNAME}");
+
+# Manage user password (we do this in a seperate step to ensure the password is updated if required)
+set +x
+echo "Setting user password via: openstack user set --password=xxxxxxx ${USER_ID}"
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${USER_ID}"
+set -x
+
+function ks_assign_user_role () {
+  if [[ "$SERVICE_OS_ROLE" == "admin" ]]
+  then
+    USER_ROLE_ID="$SERVICE_OS_ROLE"
+  else
+    USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${SERVICE_OS_ROLE}");
+  fi
+
+  # Manage user role assignment
+  openstack role add \
+      --user="${USER_ID}" \
+      --user-domain="${USER_DOMAIN_ID}" \
+      --project-domain="${PROJECT_DOMAIN_ID}" \
+      --project="${USER_PROJECT_ID}" \
+      "${USER_ROLE_ID}"
+}
+
+# Manage user service role
+IFS=','
+for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
+  ks_assign_user_role
+done
+
+# Manage user member role
+: ${MEMBER_OS_ROLE:="member"}
+export USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
+    "${MEMBER_OS_ROLE}");
+ks_assign_user_role
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/cinder/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
new file mode 100644
index 0000000..87872d6
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -0,0 +1,106 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rabbit_init" }}
+#!/bin/bash
+set -e
+# Extract connection details
+RABBIT_HOSTNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $1}')
+RABBIT_PORT=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $2}')
+
+# Extract Admin User creadential
+RABBITMQ_ADMIN_USERNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $4}')
+RABBITMQ_ADMIN_PASSWORD=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $5}')
+
+# Extract User creadential
+RABBITMQ_USERNAME=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $4}')
+RABBITMQ_PASSWORD=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $5}')
+
+# Extract User vHost
+RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $3}')
+# Resolve vHost to / if no value is set
+RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
+
+function rabbitmqadmin_cli () {
+  if [ -n "$RABBITMQ_X509" ]
+  then
+    rabbitmqadmin \
+      --ssl \
+      --ssl-disable-hostname-verification \
+      --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
+      --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
+      --ssl-key-file="${USER_CERT_PATH}/tls.key" \
+      --host="${RABBIT_HOSTNAME}" \
+      --port="${RABBIT_PORT}" \
+      --username="${RABBITMQ_ADMIN_USERNAME}" \
+      --password="${RABBITMQ_ADMIN_PASSWORD}" \
+      ${@}
+  else
+    rabbitmqadmin \
+      --host="${RABBIT_HOSTNAME}" \
+      --port="${RABBIT_PORT}" \
+      --username="${RABBITMQ_ADMIN_USERNAME}" \
+      --password="${RABBITMQ_ADMIN_PASSWORD}" \
+      ${@}
+  fi
+}
+
+echo "Managing: User: ${RABBITMQ_USERNAME}"
+rabbitmqadmin_cli \
+  declare user \
+  name="${RABBITMQ_USERNAME}" \
+  password="${RABBITMQ_PASSWORD}" \
+  tags="user"
+
+if [ "${RABBITMQ_VHOST}" != "/" ]
+then
+  echo "Managing: vHost: ${RABBITMQ_VHOST}"
+  rabbitmqadmin_cli \
+    declare vhost \
+    name="${RABBITMQ_VHOST}"
+else
+  echo "Skipping root vHost declaration: vHost: ${RABBITMQ_VHOST}"
+fi
+
+echo "Managing: Permissions: ${RABBITMQ_USERNAME} on ${RABBITMQ_VHOST}"
+rabbitmqadmin_cli \
+  declare permission \
+  vhost="${RABBITMQ_VHOST}" \
+  user="${RABBITMQ_USERNAME}" \
+  configure=".*" \
+  write=".*" \
+  read=".*"
+
+if [ ! -z "$RABBITMQ_AUXILIARY_CONFIGURATION" ]
+then
+  echo "Applying additional configuration"
+  echo "${RABBITMQ_AUXILIARY_CONFIGURATION}" > /tmp/rmq_definitions.json
+  rabbitmqadmin_cli import /tmp/rmq_definitions.json
+fi
+
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/charts/cinder/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
new file mode 100644
index 0000000..c08d320
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
@@ -0,0 +1,88 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rally_test" -}}
+#!/bin/bash
+set -ex
+{{- $rallyTests := index . 0 }}
+
+: "${RALLY_ENV_NAME:="openstack-helm"}"
+: "${OS_INTERFACE:="public"}"
+: "${RALLY_CLEANUP:="true"}"
+
+if [ "x$RALLY_CLEANUP" == "xtrue" ]; then
+  function rally_cleanup {
+    openstack user delete \
+        --domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
+        "${SERVICE_OS_USERNAME}"
+{{ $rallyTests.clean_up | default "" | indent 4 }}
+  }
+  trap rally_cleanup EXIT
+fi
+
+function create_or_update_db () {
+  revisionResults=$(rally db revision)
+  if [ $revisionResults = "None"  ]
+  then
+    rally db create
+  else
+    rally db upgrade
+  fi
+}
+
+create_or_update_db
+
+cat > /tmp/rally-config.json << EOF
+{
+    "openstack": {
+        "auth_url": "${OS_AUTH_URL}",
+        "region_name": "${OS_REGION_NAME}",
+        "endpoint_type": "${OS_INTERFACE}",
+        "admin": {
+            "username": "${OS_USERNAME}",
+            "password": "${OS_PASSWORD}",
+            "user_domain_name": "${OS_USER_DOMAIN_NAME}",
+            "project_name": "${OS_PROJECT_NAME}",
+            "project_domain_name": "${OS_PROJECT_DOMAIN_NAME}"
+        },
+        "users": [
+            {
+                "username": "${SERVICE_OS_USERNAME}",
+                "password": "${SERVICE_OS_PASSWORD}",
+                "project_name": "${SERVICE_OS_PROJECT_NAME}",
+                "user_domain_name": "${SERVICE_OS_USER_DOMAIN_NAME}",
+                "project_domain_name": "${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+            }
+        ],
+        "https_insecure": false,
+        "https_cacert": "${OS_CACERT}"
+    }
+}
+EOF
+rally deployment create --file /tmp/rally-config.json --name "${RALLY_ENV_NAME}"
+rm -f /tmp/rally-config.json
+rally deployment use "${RALLY_ENV_NAME}"
+rally deployment check
+{{- if $rallyTests.run_tempest }}
+rally verify create-verifier --name "${RALLY_ENV_NAME}-tempest" --type tempest
+SERVICE_TYPE="$(rally deployment check | grep "${RALLY_ENV_NAME}" | awk -F \| '{print $3}' | tr -d ' ' | tr -d '\n')"
+rally verify start --pattern "tempest.api.${SERVICE_TYPE}*"
+rally verify delete-verifier --id "${RALLY_ENV_NAME}-tempest" --force
+{{- end }}
+rally task validate /etc/rally/rally_tests.yaml
+rally task start /etc/rally/rally_tests.yaml
+rally task sla-check
+rally env cleanup
+rally deployment destroy --deployment "${RALLY_ENV_NAME}"
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/cinder/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
new file mode 100644
index 0000000..516d79e
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -0,0 +1,514 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.backup_main" }}
+#!/bin/bash
+
+# This file contains a database backup framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+#   source /tmp/backup_main.sh
+#
+# Then the script should call the main backup function (backup_databases):
+#   backup_databases [scope]
+#       [scope] is an optional parameter, defaulted to "all". If only one specific
+#               database is required to be backed up then this parameter will
+#               contain the name of the database; otherwise all are backed up.
+#
+#       The framework will require the following variables to be exported:
+#
+#         export DB_NAMESPACE          Namespace where the database(s) reside
+#         export DB_NAME               Name of the database system
+#         export LOCAL_DAYS_TO_KEEP    Number of days to keep the local backups
+#         export REMOTE_DAYS_TO_KEEP   Number of days to keep the remote backups
+#         export ARCHIVE_DIR           Local location where the backup tarballs should
+#                                      be stored. (full directory path)
+#         export BACK_UP_MODE          Determines the mode of backup taken.
+#         export REMOTE_BACKUP_ENABLED "true" if remote backup enabled; false
+#                                      otherwise
+#         export CONTAINER_NAME        Name of the container on the RGW to store
+#                                      the backup tarball.
+#         export STORAGE_POLICY        Name of the storage policy defined on the
+#                                      RGW which is intended to store backups.
+#         RGW access variables:
+#           export OS_REGION_NAME          Name of the region the RGW resides in
+#           export OS_AUTH_URL             Keystone URL associated with the RGW
+#           export OS_PROJECT_NAME         Name of the project associated with the
+#                                          keystone user
+#           export OS_USERNAME             Name of the keystone user
+#           export OS_PASSWORD             Password of the keystone user
+#           export OS_USER_DOMAIN_NAME     Keystone domain the project belongs to
+#           export OS_PROJECT_DOMAIN_NAME  Keystone domain the user belongs to
+#           export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+#           export REMOTE_BACKUP_RETRIES   Number of retries to send backup to remote
+#                                          in case of any temporary failures.
+#           export MIN_DELAY_SEND_REMOTE   Minimum seconds to delay before sending backup
+#                                          to remote to stagger backups being sent to RGW
+#           export MAX_DELAY_SEND_REMOTE   Maximum seconds to delay before sending backup
+#                                          to remote to stagger backups being sent to RGW.
+#                                          A random number between min and max delay is generated
+#                                          to set the delay.
+#
+# The database-specific functions that need to be implemented are:
+#   dump_databases_to_directory <directory> <err_logfile> [scope]
+#       where:
+#         <directory>   is the full directory path to dump the database files
+#                       into. This is a temporary directory for this backup only.
+#         <err_logfile> is the full directory path where error logs are to be
+#                       written by the application.
+#         [scope]       set to "all" if all databases are to be backed up; or
+#                       set to the name of a specific database to be backed up.
+#                       This optional parameter is defaulted to "all".
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to dump the database file(s) to the specified
+#       directory path. If this function completes successfully (returns 0), the
+#       framework will automatically tar/zip the files in that directory and
+#       name the tarball appropriately according to the proper conventions.
+#
+# The functions in this file will take care of:
+#   1) Calling "dump_databases_to_directory" and then compressing the files,
+#      naming the tarball properly, and then storing it locally at the specified
+#      local directory.
+#   2) Sending the tarball built to the remote gateway, to be stored in the
+#      container configured to store database backups.
+#   3) Removing local backup tarballs which are older than the number of days
+#      specified by the "LOCAL_DAYS_TO_KEEP" variable.
+#   4) Removing remote backup tarballs (from the remote gateway) which are older
+#      than the number of days specified by the "REMOTE_DAYS_TO_KEEP" variable.
+#
+
+# Note: not using set -e in this script because more elaborate error handling
+# is needed.
+
+log_backup_error_exit() {
+  MSG=$1
+  ERRCODE=${2:-0}
+  log ERROR "${DB_NAME}_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+  rm -f $ERR_LOG_FILE
+  rm -rf $TMP_DIR
+  exit $ERRCODE
+}
+
+log() {
+  #Log message to a file or stdout
+  #TODO: This can be convert into mail alert of alert send to a monitoring system
+  #Params: $1 log level
+  #Params: $2 service
+  #Params: $3 message
+  #Params: $4 Destination
+  LEVEL=$1
+  SERVICE=$2
+  MSG=$3
+  DEST=$4
+  DATE=$(date +"%m-%d-%y %H:%M:%S")
+  if [[ -z "$DEST" ]]; then
+    echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}"
+  else
+    echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}" >>$DEST
+  fi
+}
+
+# Generate a random number between MIN_DELAY_SEND_REMOTE and
+# MAX_DELAY_SEND_REMOTE
+random_number() {
+  diff=$((${MAX_DELAY_SEND_REMOTE} - ${MIN_DELAY_SEND_REMOTE} + 1))
+  echo $(($(( ${RANDOM} % ${diff} )) + ${MIN_DELAY_SEND_REMOTE} ))
+}
+
+#Get the day delta since the archive file backup
+seconds_difference() {
+  ARCHIVE_DATE=$( date --date="$1" +%s )
+  if [[ $? -ne 0 ]]; then
+    SECOND_DELTA=0
+  fi
+  CURRENT_DATE=$( date +%s )
+  SECOND_DELTA=$(($CURRENT_DATE-$ARCHIVE_DATE))
+  if [[ "$SECOND_DELTA" -lt 0 ]]; then
+    SECOND_DELTA=0
+  fi
+  echo $SECOND_DELTA
+}
+
+# Send the specified tarball file at the specified filepath to the
+# remote gateway.
+send_to_remote_server() {
+  FILEPATH=$1
+  FILE=$2
+
+  # Grab the list of containers on the remote site
+  RESULT=$(openstack container list 2>&1)
+
+  if [[ $? -eq 0 ]]; then
+    echo $RESULT | grep $CONTAINER_NAME
+    if [[ $? -ne 0 ]]; then
+      # Find the swift URL from the keystone endpoint list
+      SWIFT_URL=$(openstack catalog show object-store -c endpoints | grep public | awk '{print $4}')
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to get object-store enpoints from keystone catalog."
+        return 2
+      fi
+
+      # Get a token from keystone
+      TOKEN=$(openstack token issue -f value -c id)
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to get  keystone token."
+        return 2
+      fi
+
+      # Create the container
+      RES_FILE=$(mktemp -p /tmp)
+      curl -g -i -X PUT ${SWIFT_URL}/${CONTAINER_NAME} \
+           -H "X-Auth-Token: ${TOKEN}" \
+           -H "X-Storage-Policy: ${STORAGE_POLICY}" 2>&1 > $RES_FILE
+
+      if [[ $? -ne 0 || $(grep "HTTP" $RES_FILE | awk '{print $2}') -ge 400 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to create container ${CONTAINER_NAME}"
+        cat $RES_FILE
+        rm -f $RES_FILE
+        return 2
+      fi
+      rm -f $RES_FILE
+
+      swift stat $CONTAINER_NAME
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to retrieve container ${CONTAINER_NAME} details after creation."
+        return 2
+      fi
+    fi
+  else
+    echo $RESULT | grep -E "HTTP 401|HTTP 403"
+    if [[ $? -eq 0 ]]; then
+      log ERROR "${DB_NAME}_backup" "Access denied by keystone: ${RESULT}"
+      return 1
+    else
+      echo $RESULT | grep -E "ConnectionError|Failed to discover available identity versions|Service Unavailable|HTTP 50"
+      if [[ $? -eq 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Could not reach the RGW: ${RESULT}"
+        # In this case, keystone or the site/node may be temporarily down.
+        # Return slightly different error code so the calling code can retry
+        return 2
+      else
+        log ERROR "${DB_NAME}_backup" "Could not get container list: ${RESULT}"
+        return 1
+      fi
+    fi
+  fi
+
+  # Create an object to store the file
+  openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
+    return 2
+  fi
+  openstack object show $CONTAINER_NAME $FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
+    return 2
+  fi
+
+  log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
+  return 0
+}
+
+# This function attempts to store the built tarball to the remote gateway,
+# with built-in logic to handle error cases like:
+#   1) Network connectivity issues - retries for a specific amount of time
+#   2) Authorization errors - immediately logs an ERROR and returns
+store_backup_remotely() {
+  FILEPATH=$1
+  FILE=$2
+
+  count=1
+  while [[ ${count} -le ${REMOTE_BACKUP_RETRIES} ]]; do
+    # Store the new archive to the remote backup storage facility.
+    send_to_remote_server $FILEPATH $FILE
+    SEND_RESULT="$?"
+
+    # Check if successful
+    if [[ $SEND_RESULT -eq 0 ]]; then
+      log INFO "${DB_NAME}_backup" "Backup file ${FILE} successfully sent to RGW."
+      return 0
+    elif [[ $SEND_RESULT -eq 2 ]]; then
+      if [[ ${count} -ge ${REMOTE_BACKUP_RETRIES} ]]; then
+        log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW in " \
+        "${REMOTE_BACKUP_RETRIES} retries. Errors encountered. Exiting."
+        break
+      fi
+      # Temporary failure occurred. We need to retry
+      log WARN "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to RGW due to connection issue."
+      sleep_time=$(random_number)
+      log INFO "${DB_NAME}_backup" "Sleeping ${sleep_time} seconds waiting for RGW to become available..."
+      sleep ${sleep_time}
+      log INFO "${DB_NAME}_backup" "Retrying..."
+    else
+      log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW. Errors encountered. Exiting."
+      break
+    fi
+
+    # Increment the counter
+    count=$((count+1))
+  done
+
+  return 1
+}
+
+
+function get_archive_date(){
+# get_archive_date function returns correct archive date
+# for different formats of archives' names
+# the old one: <database name>.<namespace>.<table name | all>.<date-time>.tar.gz
+# the new one: <database name>.<namespace>.<table name | all>.<backup mode>.<date-time>.tar.gz
+  local A_FILE="$1"
+  awk -F. '{print $(NF-2)}' <<< ${A_FILE} | tr -d "Z"
+}
+
+# This function takes a list of archives' names as an input
+# and creates a hash table where keys are number of seconds
+# between current date and archive date (see seconds_difference),
+# and values are space separated archives' names
+#
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 1265342678 | "tmp/mysql.backup.auto.2022-02-14T10:13:13Z.tar.gz"                                                     |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 2346254257 | "tmp/mysql.backup.auto.2022-02-11T10:13:13Z.tar.gz tmp/mysql.backup.manual.2022-02-11T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# <...>
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 6253434567 | "tmp/mysql.backup.manual.2022-02-01T10:13:13Z.tar.gz"                                                   |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# We will use the explained above data stracture to cover rare, but still
+# possible case, when we have several backups of the same date. E.g.
+# one manual, and one automatic.
+
+declare -A fileTable
+create_hash_table() {
+unset fileTable
+fileList=$@
+  for ARCHIVE_FILE in ${fileList}; do
+    # Creating index, we will round given ARCHIVE_DATE to the midnight (00:00:00)
+    # to take in account a possibility, that we can have more than one scheduled
+    # backup per day.
+    ARCHIVE_DATE=$(get_archive_date ${ARCHIVE_FILE})
+    ARCHIVE_DATE=$(date --date=${ARCHIVE_DATE} +%D)
+    log INFO "${DB_NAME}_backup" "Archive date to build index: ${ARCHIVE_DATE}"
+    INDEX=$(seconds_difference ${ARCHIVE_DATE})
+    if [[ -z fileTable[${INDEX}] ]]; then
+      fileTable[${INDEX}]=${ARCHIVE_FILE}
+    else
+      fileTable[${INDEX}]="${fileTable[${INDEX}]} ${ARCHIVE_FILE}"
+    fi
+    echo "INDEX: ${INDEX} VALUE:  ${fileTable[${INDEX}]}"
+ done
+}
+
+function get_backup_prefix() {
+# Create list of all possible prefixes in a format:
+# <db_name>.<namespace> to cover a possible situation
+# when different backups of different databases and/or
+# namespaces share the same local or remote storage.
+  ALL_FILES=($@)
+  PREFIXES=()
+  for fname in ${ALL_FILES[@]}; do
+    prefix=$(basename ${fname} | cut -d'.' -f1,2 )
+    for ((i=0; i<${#PREFIXES[@]}; i++)) do
+      if [[ ${PREFIXES[${i}]} == ${prefix} ]]; then
+        prefix=""
+        break
+      fi
+    done
+    if [[ ! -z ${prefix} ]]; then
+        PREFIXES+=(${prefix})
+    fi
+  done
+}
+
+remove_old_local_archives() {
+  SECONDS_TO_KEEP=$(( $((${LOCAL_DAYS_TO_KEEP}))*86400))
+  log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+  if [[ -d $ARCHIVE_DIR ]]; then
+    count=0
+    # We iterate over the hash table, checking the delta in seconds (hash keys),
+    # and minimum number of backups we must have in place. List of keys has to be sorted.
+    for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+      ARCHIVE_FILE=${fileTable[${INDEX}]}
+      if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
+        ((count++))
+        log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
+      else
+        log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
+          rm -f ${ARCHIVE_FILE}
+          if [[ $? -ne 0 ]]; then
+            # Log error but don't exit so we can finish the script
+            # because at this point we haven't sent backup to RGW yet
+            log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
+          fi
+      fi
+    done
+  else
+    log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
+  fi
+}
+
+prepare_list_of_remote_backups() {
+  BACKUP_FILES=$(mktemp -p /tmp)
+  DB_BACKUP_FILES=$(mktemp -p /tmp)
+  openstack object list $CONTAINER_NAME > $BACKUP_FILES
+  if [[ $? -ne 0 ]]; then
+    log_backup_error_exit \
+      "Failed to cleanup remote backup. Could not obtain a list of current backup files in the RGW"
+  fi
+  # Filter out other types of backup files
+  cat $BACKUP_FILES | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $DB_BACKUP_FILES
+}
+
+# The logic implemented with this function is absolutely similar
+# to the function remove_old_local_archives (see above)
+remove_old_remote_archives() {
+  count=0
+  SECONDS_TO_KEEP=$((${REMOTE_DAYS_TO_KEEP}*86400))
+  log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+  for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+    ARCHIVE_FILE=${fileTable[${INDEX}]}
+    if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then
+      ((count++))
+      log INFO "${DB_NAME}_backup" "Keeping remote backup(s) ${ARCHIVE_FILE}."
+    else
+      log INFO "${DB_NAME}_backup" "Deleting remote backup(s) ${ARCHIVE_FILE} from the RGW"
+      openstack object delete ${CONTAINER_NAME} ${ARCHIVE_FILE} ||  log WARN "${DB_NAME}_backup" \
+        "Failed to cleanup remote backup. Cannot delete container object ${ARCHIVE_FILE}"
+    fi
+  done
+
+  # Cleanup now that we're done.
+  for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
+    if [[ -f fd ]]; then
+      rm -f fd
+    else
+      log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+    fi
+  done
+}
+
+# Main function to backup the databases. Calling functions need to supply:
+#  1) The directory where the final backup will be kept after it is compressed.
+#  2) A temporary directory to use for placing database files to be compressed.
+#     Note: this temp directory will be deleted after backup is done.
+#  3) Optional "scope" parameter indicating what database to back up. Defaults
+#     to "all".
+backup_databases() {
+  SCOPE=${1:-"all"}
+
+  # Create necessary directories if they do not exist.
+  mkdir -p $ARCHIVE_DIR || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create directory ${ARCHIVE_DIR}!"
+  export TMP_DIR=$(mktemp -d) || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create temp directory!"
+
+  # Create temporary log file
+  export ERR_LOG_FILE=$(mktemp -p /tmp) || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create log file!"
+
+  # It is expected that this function will dump the database files to the $TMP_DIR
+  dump_databases_to_directory $TMP_DIR $ERR_LOG_FILE $SCOPE
+
+  # If successful, there should be at least one file in the TMP_DIR
+  if [[ $? -ne 0 || $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+    cat $ERR_LOG_FILE
+    log_backup_error_exit "Backup of the ${DB_NAME} database failed and needs attention."
+  fi
+
+  log INFO "${DB_NAME}_backup" "Databases dumped successfully. Creating tarball..."
+
+  NOW=$(date +"%Y-%m-%dT%H:%M:%SZ")
+  if [[ -z "${BACK_UP_MODE}" ]]; then
+    TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${NOW}.tar.gz"
+  else
+    TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${BACK_UP_MODE}.${NOW}.tar.gz"
+  fi
+
+  cd $TMP_DIR || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot change to directory $TMP_DIR"
+
+  #Archive the current database files
+  tar zcvf $ARCHIVE_DIR/$TARBALL_FILE *
+  if [[ $? -ne 0 ]]; then
+    log_backup_error_exit \
+      "Backup ${DB_NAME} to local file system failed. Backup tarball could not be created."
+  fi
+
+  # Get the size of the file
+  ARCHIVE_SIZE=$(ls -l $ARCHIVE_DIR/$TARBALL_FILE | awk '{print $5}')
+
+  log INFO "${DB_NAME}_backup" "Tarball $TARBALL_FILE created successfully."
+
+  cd $ARCHIVE_DIR
+
+  # Remove the temporary directory and files as they are no longer needed.
+  rm -rf $TMP_DIR
+  rm -f $ERR_LOG_FILE
+
+  #Only delete the old archive after a successful archive
+  export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
+  if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
+    get_backup_prefix $(ls -1 ${ARCHIVE_DIR}/*.gz)
+    for ((i=0; i<${#PREFIXES[@]}; i++)); do
+      echo "Working with prefix: ${PREFIXES[i]}"
+      create_hash_table $(ls -1 ${ARCHIVE_DIR}/${PREFIXES[i]}*.gz)
+      remove_old_local_archives
+    done
+  fi
+
+  REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
+  if $REMOTE_BACKUP; then
+    # Remove Quotes from the constants which were added due to reading
+    # from secret.
+    export REMOTE_BACKUP_RETRIES=$(echo $REMOTE_BACKUP_RETRIES | sed 's/"//g')
+    export MIN_DELAY_SEND_REMOTE=$(echo $MIN_DELAY_SEND_REMOTE | sed 's/"//g')
+    export MAX_DELAY_SEND_REMOTE=$(echo $MAX_DELAY_SEND_REMOTE | sed 's/"//g')
+    export REMOTE_DAYS_TO_KEEP=$(echo $REMOTE_DAYS_TO_KEEP | sed 's/"//g')
+
+    store_backup_remotely $ARCHIVE_DIR $TARBALL_FILE
+    if [[ $? -ne 0 ]]; then
+      # This error should print first, then print the summary as the last
+      # thing that the user sees in the output.
+      log ERROR "${DB_NAME}_backup" "Backup ${TARBALL_FILE} could not be sent to remote RGW."
+      echo "=================================================================="
+      echo "Local backup successful, but could not send to remote RGW."
+      echo "Backup archive name: $TARBALL_FILE"
+      echo "Backup archive size: $ARCHIVE_SIZE"
+      echo "=================================================================="
+      # Because the local backup was successful, exit with 0 so the pod will not
+      # continue to restart and fill the disk with more backups. The ERRORs are
+      # logged and alerting system should catch those errors and flag the operator.
+      exit 0
+    fi
+
+    #Only delete the old archive after a successful archive
+    if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then
+      prepare_list_of_remote_backups
+      get_backup_prefix $(cat $DB_BACKUP_FILES)
+      for ((i=0; i<${#PREFIXES[@]}; i++)); do
+        echo "Working with prefix: ${PREFIXES[i]}"
+        create_hash_table $(cat $DB_BACKUP_FILES | grep ${PREFIXES[i]})
+        remove_old_remote_archives
+      done
+    fi
+
+    echo "=================================================================="
+    echo "Local backup and backup to remote RGW successful!"
+    echo "Backup archive name: $TARBALL_FILE"
+    echo "Backup archive size: $ARCHIVE_SIZE"
+    echo "=================================================================="
+  else
+    # Remote backup is not enabled. This is ok; at least we have a local backup.
+    log INFO "${DB_NAME}_backup" "Skipping remote backup, as it is not enabled."
+
+    echo "=================================================================="
+    echo "Local backup successful!"
+    echo "Backup archive name: $TARBALL_FILE"
+    echo "Backup archive size: $ARCHIVE_SIZE"
+    echo "=================================================================="
+  fi
+}
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl b/charts/cinder/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
new file mode 100644
index 0000000..093dd2c
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
@@ -0,0 +1,616 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.restore_main" }}
+#!/bin/bash
+
+# This file contains a database restore framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+#   source /tmp/restore_main.sh
+#
+# Then the script should call the main CLI function (cli_main):
+#   cli_main <arg_list>
+#       where:
+#         <arg_list>    is the list of arguments given by the user
+#
+#       The framework will require the following variables to be exported:
+#
+#         export DB_NAMESPACE        Namespace where the database(s) reside
+#         export DB_NAME             Name of the database system
+#         export ARCHIVE_DIR         Location where the backup tarballs should
+#                                    be stored. (full directory path which
+#                                    should already exist)
+#         export CONTAINER_NAME      Name of the container on the RGW where
+#                                    the backups are stored.
+#         RGW access variables:
+#           export OS_REGION_NAME          Name of the region the RGW resides in
+#           export OS_AUTH_URL             Keystone URL associated with the RGW
+#           export OS_PROJECT_NAME         Name of the project associated with the
+#                                          keystone user
+#           export OS_USERNAME             Name of the keystone user
+#           export OS_PASSWORD             Password of the keystone user
+#           export OS_USER_DOMAIN_NAME     Keystone domain the project belongs to
+#           export OS_PROJECT_DOMAIN_NAME  Keystone domain the user belongs to
+#           export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# The database-specific functions that need to be implemented are:
+#   get_databases
+#       where:
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <db_file>     is the full path of the file to write the database
+#                       names into, one database per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the database names from the
+#       uncompressed database files found in the given "tmp_dir", which is
+#       the staging directory for database restore. The database names
+#       should be written to the given "db_file", one database name per
+#       line.
+#
+#   get_tables
+#         <db_name>     is the name of the database to get the tables from
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <table_file>  is the full path of the file to write the table
+#                       names into, one table per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the table names from the given
+#       database, found in the uncompressed database files located in the
+#       given "tmp_dir", which is the staging directory for database restore.
+#       The table names should be written to the given "table_file", one
+#       table name per line.
+#
+#   get_rows
+#         <table_name>  is the name of the table to get the rows from
+#         <db_name>     is the name of the database the table resides in
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <rows_file>   is the full path of the file to write the table
+#                       row data into, one row (INSERT statement) per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the rows from the given table
+#       in the given database, found in the uncompressed database files
+#       located in the given "tmp_dir", which is the staging directory for
+#       database restore. The table rows should be written to the given
+#       "rows_file", one row (INSERT statement) per line.
+#
+#   get_schema
+#         <table_name>  is the name of the table to get the schema from
+#         <db_name>     is the name of the database the table resides in
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <schema_file> is the full path of the file to write the table
+#                       schema data into
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the schema from the given table
+#       in the given database, found in the uncompressed database files
+#       located in the given "tmp_dir", which is the staging directory for
+#       database restore. The table schema and related alterations and
+#       grant information should be written to the given "schema_file".
+#
+#   restore_single_db
+#       where:
+#         <db_name>     is the name of the database to be restored
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to restore the database given as "db_name"
+#       using the database files located in the "tmp_dir". The framework
+#       will delete the "tmp_dir" and the files in it after the restore is
+#       complete.
+#
+#   restore_all_dbs
+#       where:
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to restore all of the databases which
+#       are backed up in the database files located in the "tmp_dir". The
+#       framework will delete the "tmp_dir" and the files in it after the
+#       restore is complete.
+#
+# The functions in this file will take care of:
+#   1) The CLI parameter parsing for the arguments passed in by the user.
+#   2) The listing of either local or remote archive files at the request
+#      of the user.
+#   3) The retrieval/download of an archive file located either in the local
+#      file system or remotely stored on an RGW.
+#   4) Calling either "restore_single_db" or "restore_all_dbs" when the user
+#      chooses to restore a database or all databases.
+#   5) The framework will call "get_databases" when it needs a list of
+#      databases when the user requests a database list or when the user
+#      requests to restore a single database (to ensure it exists in the
+#      archive). Similarly, the framework will call "get_tables", "get_rows",
+#      or "get_schema" when it needs that data requested by the user.
+#
+
+usage() {
+  ret_val=$1
+  echo "Usage:"
+  echo "Restore command options"
+  echo "============================="
+  echo "help"
+  echo "list_archives [remote]"
+  echo "list_databases <archive_filename> [remote]"
+  echo "list_tables <archive_filename> <dbname> [remote]"
+  echo "list_rows <archive_filename> <dbname> <table_name> [remote]"
+  echo "list_schema <archive_filename> <dbname> <table_name> [remote]"
+  echo "restore <archive_filename> <db_specifier> [remote]"
+  echo "        where <db_specifier> = <dbname> | ALL"
+  echo "delete_archive <archive_filename> [remote]"
+  clean_and_exit $ret_val ""
+}
+
+#Exit cleanly with some message and return code
+clean_and_exit() {
+  RETCODE=$1
+  MSG=$2
+
+  # Clean/remove temporary directories/files
+  rm -rf $TMP_DIR
+  rm -f $RESULT_FILE
+
+  if [[ "x${MSG}" != "x" ]]; then
+    echo $MSG
+  fi
+  exit $RETCODE
+}
+
+determine_resulting_error_code() {
+  RESULT="$1"
+
+  echo ${RESULT} | grep "HTTP 404"
+  if [[ $? -eq 0 ]]; then
+    echo "Could not find the archive: ${RESULT}"
+    return 1
+  else
+    echo ${RESULT} | grep "HTTP 401"
+    if [[ $? -eq 0 ]]; then
+      echo "Could not access the archive: ${RESULT}"
+      return 1
+    else
+      echo ${RESULT} | grep "HTTP 503"
+      if [[ $? -eq 0 ]]; then
+        echo "RGW service is unavailable. ${RESULT}"
+        # In this case, the RGW may be temporarily down.
+        # Return slightly different error code so the calling code can retry
+        return 2
+      else
+        echo ${RESULT} | grep "ConnectionError"
+        if [[ $? -eq 0 ]]; then
+          echo "Could not reach the RGW: ${RESULT}"
+          # In this case, keystone or the site/node may be temporarily down.
+          # Return slightly different error code so the calling code can retry
+          return 2
+        else
+          echo "Archive ${ARCHIVE} could not be retrieved: ${RESULT}"
+          return 1
+        fi
+      fi
+    fi
+  fi
+  return 0
+}
+
+# Retrieve a list of archives from the RGW.
+retrieve_remote_listing() {
+  RESULT=$(openstack container show $CONTAINER_NAME 2>&1)
+  if [[ $? -eq 0 ]]; then
+    # Get the list, ensureing that we only pick up the right kind of backups from the
+    # requested namespace
+    openstack object list $CONTAINER_NAME | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $TMP_DIR/archive_list
+    if [[ $? -ne 0 ]]; then
+      echo "Container object listing could not be obtained."
+      return 1
+    else
+      echo "Archive listing successfully retrieved."
+    fi
+  else
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  fi
+  return 0
+}
+
+# Retrieve a single archive from the RGW.
+retrieve_remote_archive() {
+  ARCHIVE=$1
+
+  RESULT=$(openstack object save --file $TMP_DIR/$ARCHIVE $CONTAINER_NAME $ARCHIVE 2>&1)
+  if [[ $? -ne 0 ]]; then
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  else
+    echo "Archive $ARCHIVE successfully retrieved."
+  fi
+  return 0
+}
+
+# Delete an archive from the RGW.
+delete_remote_archive() {
+  ARCHIVE=$1
+
+  RESULT=$(openstack object delete ${CONTAINER_NAME} ${ARCHIVE} 2>&1)
+  if [[ $? -ne 0 ]]; then
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  else
+    echo "Archive ${ARCHIVE} successfully deleted."
+  fi
+  return 0
+}
+
+# Display all archives
+list_archives() {
+  REMOTE=$1
+
+  if [[ "x${REMOTE^^}" == "xREMOTE" ]]; then
+    retrieve_remote_listing
+    if [[ $? -eq 0 && -e $TMP_DIR/archive_list ]]; then
+      echo
+      echo "All Archives from RGW Data Store"
+      echo "=============================================="
+      cat $TMP_DIR/archive_list | sort
+      clean_and_exit 0 ""
+    else
+      clean_and_exit 1 "ERROR: Archives could not be retrieved from the RGW."
+    fi
+  elif [[ "x${REMOTE}" == "x" ]]; then
+    if [[ -d $ARCHIVE_DIR ]]; then
+      archives=$(find $ARCHIVE_DIR/ -iname "*.gz" -print | sort)
+      echo
+      echo "All Local Archives"
+      echo "=============================================="
+      for archive in $archives
+      do
+        echo $archive | cut -d '/' -f8-
+      done
+      clean_and_exit 0 ""
+    else
+      clean_and_exit 1 "ERROR: Local archive directory is not available."
+    fi
+  else
+    usage 1
+  fi
+}
+
+# Retrieve the archive from the desired location and decompress it into
+# the restore directory
+get_archive() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+
+  if [[ "x$REMOTE" == "xremote" ]]; then
+    echo "Retrieving archive ${ARCHIVE_FILE} from the remote RGW..."
+    retrieve_remote_archive $ARCHIVE_FILE
+    if [[ $? -ne 0 ]]; then
+      clean_and_exit 1 "ERROR: Could not retrieve remote archive: $ARCHIVE_FILE"
+    fi
+  elif [[ "x$REMOTE" == "x" ]]; then
+    if [[ -e $ARCHIVE_DIR/$ARCHIVE_FILE ]]; then
+      cp $ARCHIVE_DIR/$ARCHIVE_FILE $TMP_DIR/$ARCHIVE_FILE
+      if [[ $? -ne 0 ]]; then
+        clean_and_exit 1 "ERROR: Could not copy local archive to restore directory."
+      fi
+    else
+      clean_and_exit 1 "ERROR: Local archive file could not be found."
+    fi
+  else
+    usage 1
+  fi
+
+  echo "Decompressing archive $ARCHIVE_FILE..."
+  cd $TMP_DIR
+  tar zxvf - < $TMP_DIR/$ARCHIVE_FILE 1>/dev/null
+  if [[ $? -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Archive decompression failed."
+  fi
+}
+
+# Display all databases from an archive
+list_databases() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one database per line
+  get_databases $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve databases from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Databases in the $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Databases file missing. Could not list databases from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display all tables of a database from an archive
+list_tables() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  REMOTE=$3
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one table per line
+  get_tables $DATABASE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve tables for database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Tables in database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Tables file missing. Could not list tables of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display all rows of the given database table from an archive
+list_rows() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  TABLE=$3
+  REMOTE=$4
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one table per line
+  get_rows $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Rows in table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Rows file missing. Could not list rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display the schema information of the given database table from an archive
+list_schema() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  TABLE=$3
+  REMOTE=$4
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the schema information will be placed into
+  # the given schema file.
+  get_schema $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Schema for table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Schema file missing. Could not list schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Delete an archive
+delete_archive() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  if [[ "${WHERE}" == "remote" ]]; then
+    delete_remote_archive ${ARCHIVE_FILE}
+    if [[ $? -ne 0 ]]; then
+      clean_and_exit 1 "ERROR: Could not delete remote archive: ${ARCHIVE_FILE}"
+    fi
+  else # Local
+    if [[ -e ${ARCHIVE_DIR}/${ARCHIVE_FILE} ]]; then
+      rm -f ${ARCHIVE_DIR}/${ARCHIVE_FILE}
+      if [[ $? -ne 0 ]]; then
+        clean_and_exit 1 "ERROR: Could not delete local archive."
+      fi
+    else
+      clean_and_exit 1 "ERROR: Local archive file could not be found."
+    fi
+  fi
+
+  echo "Successfully deleted archive ${ARCHIVE_FILE} from ${WHERE} storage."
+}
+
+
+# Return 1 if the given database exists in the database file. 0 otherwise.
+database_exists() {
+  DB=$1
+
+  grep "${DB}" ${RESULT_FILE}
+  if [[ $? -eq 0 ]]; then
+    return 1
+  fi
+  return 0
+}
+
+# This is the main CLI interpreter function
+cli_main() {
+  ARGS=("$@")
+
+  # Create the ARCHIVE DIR if it's not already there.
+  mkdir -p $ARCHIVE_DIR
+
+  # Create temp directory for a staging area to decompress files into
+  export TMP_DIR=$(mktemp -d)
+
+  # Create a temp file for storing list of databases (if needed)
+  export RESULT_FILE=$(mktemp -p /tmp)
+
+  case "${ARGS[0]}" in
+    "help")
+      usage 0
+      ;;
+
+    "list_archives")
+      if [[ ${#ARGS[@]} -gt 2 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 1 ]]; then
+        list_archives
+      else
+        list_archives ${ARGS[1]}
+      fi
+      clean_and_exit 0
+      ;;
+
+    "list_databases")
+      if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 2 ]]; then
+        list_databases ${ARGS[1]}
+      else
+        list_databases ${ARGS[1]} ${ARGS[2]}
+      fi
+      ;;
+
+    "list_tables")
+      if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 3 ]]; then
+        list_tables ${ARGS[1]} ${ARGS[2]}
+      else
+        list_tables ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      fi
+      ;;
+
+    "list_rows")
+      if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      else
+        list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+      fi
+      ;;
+
+    "list_schema")
+      if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      else
+        list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+      fi
+      ;;
+
+    "restore")
+      REMOTE=""
+      if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        REMOTE=${ARGS[3]}
+      fi
+
+      ARCHIVE=${ARGS[1]}
+      DB_SPEC=${ARGS[2]}
+
+      #Get all the databases in that archive
+      get_archive $ARCHIVE $REMOTE
+
+      if [[ "$( echo $DB_SPEC | tr '[a-z]' '[A-Z]')" != "ALL" ]]; then
+        # Expectation is that the database listing will be put into
+        # the given file one database per line
+        get_databases $TMP_DIR $RESULT_FILE
+        if [[ "$?" -ne 0 ]]; then
+          clean_and_exit 1 "ERROR: Could not get the list of databases to restore."
+        fi
+
+        if [[ ! $DB_NAMESPACE == "kube-system" ]]; then
+          #check if the requested database is available in the archive
+          database_exists $DB_SPEC
+          if [[ $? -ne 1 ]]; then
+            clean_and_exit 1 "ERROR: Database ${DB_SPEC} does not exist."
+          fi
+        fi
+
+        echo "Restoring Database $DB_SPEC And Grants"
+        restore_single_db $DB_SPEC $TMP_DIR
+        if [[ "$?" -eq 0 ]]; then
+          echo "Single database restored successfully."
+        else
+          clean_and_exit 1 "ERROR: Single database restore failed."
+        fi
+        clean_and_exit 0 ""
+      else
+        echo "Restoring All The Databases. This could take a few minutes..."
+        restore_all_dbs $TMP_DIR
+        if [[ "$?" -eq 0 ]]; then
+          echo "All databases restored successfully."
+        else
+          clean_and_exit 1 "ERROR: Database restore failed."
+        fi
+        clean_and_exit 0 ""
+      fi
+      ;;
+    "delete_archive")
+      if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 2 ]]; then
+        delete_archive ${ARGS[1]}
+      else
+        delete_archive ${ARGS[1]} ${ARGS[2]}
+      fi
+      ;;
+    *)
+      usage 1
+      ;;
+  esac
+
+  clean_and_exit 0 ""
+}
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_image.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_image.tpl
new file mode 100644
index 0000000..029c93d
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_image.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves an image reference to a string, and its pull policy
+values: |
+  images:
+    tags:
+      test_image: docker.io/port/test:version-foo
+      image_foo: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    pull_policy: IfNotPresent
+    local_registry:
+      active: true
+      exclude:
+        - image_foo
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    local_image_registry:
+      name: docker-registry
+      namespace: docker-registry
+      hosts:
+        default: localhost
+        internal: docker-registry
+        node: localhost
+      host_fqdn_override:
+        default: null
+      port:
+        registry:
+          node: 5000
+usage: |
+  {{ tuple . "test_image" | include "helm-toolkit.snippets.image" }}
+return: |
+  image: "localhost:5000/docker.io/port/test:version-foo"
+  imagePullPolicy: IfNotPresent
+*/}}
+
+{{- define "helm-toolkit.snippets.image" -}}
+{{- $envAll := index . 0 -}}
+{{- $image := index . 1 -}}
+{{- $imageTag := index $envAll.Values.images.tags $image -}}
+{{- if and ($envAll.Values.images.local_registry.active) (not (has $image $envAll.Values.images.local_registry.exclude )) -}}
+{{- $registryPrefix := printf "%s:%s" (tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup") (tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup") -}}
+image: {{ printf "%s/%s" $registryPrefix $imageTag | quote }}
+{{- else -}}
+image: {{ $imageTag | quote }}
+{{- end }}
+imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
new file mode 100644
index 0000000..2f209fe
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a set of container enviorment variables, equivlant to an openrc for
+  use with keystone based command line clients.
+values: |
+  secrets:
+    identity:
+      admin: example-keystone-admin
+usage: |
+  {{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin ) }}
+return: |
+  - name: OS_IDENTITY_API_VERSION
+    value: "3"
+  - name: OS_AUTH_URL
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_AUTH_URL
+  - name: OS_REGION_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_REGION_NAME
+  - name: OS_INTERFACE
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_INTERFACE
+  - name: OS_ENDPOINT_TYPE
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_INTERFACE
+  - name: OS_PROJECT_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PROJECT_DOMAIN_NAME
+  - name: OS_PROJECT_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PROJECT_NAME
+  - name: OS_USER_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_USER_DOMAIN_NAME
+  - name: OS_USERNAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_USERNAME
+  - name: OS_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PASSWORD
+  - name: OS_CACERT
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_CACERT
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }}
+{{- $useCA := .useCA -}}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: OS_IDENTITY_API_VERSION
+  value: "3"
+- name: OS_AUTH_URL
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_AUTH_URL
+- name: OS_REGION_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_REGION_NAME
+- name: OS_INTERFACE
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_INTERFACE
+- name: OS_ENDPOINT_TYPE
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_INTERFACE
+- name: OS_PROJECT_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_DOMAIN_NAME
+- name: OS_PROJECT_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_NAME
+- name: OS_USER_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USER_DOMAIN_NAME
+- name: OS_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USERNAME
+- name: OS_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PASSWORD
+- name: OS_DEFAULT_DOMAIN
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_DEFAULT_DOMAIN
+{{- if $useCA }}
+- name: OS_CACERT
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_CACERT
+{{- end }}
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
new file mode 100644
index 0000000..f627657
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_secret_openrc" }}
+{{- $userClass := index . 0 -}}
+{{- $identityEndpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $userContext := index $context.Values.endpoints.identity.auth $userClass }}
+OS_AUTH_URL: {{ tuple "identity" $identityEndpoint "api" $context | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
+OS_REGION_NAME: {{ $userContext.region_name | b64enc }}
+OS_INTERFACE: {{ $userContext.interface | default "internal" | b64enc }}
+OS_PROJECT_DOMAIN_NAME: {{ $userContext.project_domain_name | b64enc }}
+OS_PROJECT_NAME: {{ $userContext.project_name | b64enc }}
+OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }}
+OS_USERNAME: {{ $userContext.username | b64enc }}
+OS_PASSWORD: {{ $userContext.password | b64enc }}
+OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }}
+{{- if $userContext.cacert }}
+OS_CACERT: {{ $userContext.cacert | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
new file mode 100644
index 0000000..648711b
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a set of container enviorment variables, for use with the keystone
+  user management jobs.
+values: |
+  secrets:
+    identity:
+      service_user: example-keystone-user
+usage: |
+  {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }}
+return: |
+  - name: SERVICE_OS_REGION_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_REGION_NAME
+  - name: SERVICE_OS_PROJECT_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PROJECT_DOMAIN_NAME
+  - name: SERVICE_OS_PROJECT_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PROJECT_NAME
+  - name: SERVICE_OS_USER_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_USER_DOMAIN_NAME
+  - name: SERVICE_OS_USERNAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_USERNAME
+  - name: SERVICE_OS_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PASSWORD
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_user_create_env_vars" }}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: SERVICE_OS_REGION_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_REGION_NAME
+- name: SERVICE_OS_PROJECT_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_DOMAIN_NAME
+- name: SERVICE_OS_PROJECT_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_NAME
+- name: SERVICE_OS_USER_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USER_DOMAIN_NAME
+- name: SERVICE_OS_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USERNAME
+- name: SERVICE_OS_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PASSWORD
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
new file mode 100644
index 0000000..8ca1028
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders a configmap used for loading custom AppArmor profiles.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+      apparmor_profiles: |-
+        my_apparmor-v1.profile: |-
+          #include <tunables/global>
+          profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+            <profile_data>
+          }
+usage: |
+  {{ dict "envAll" . "component" "myComponent" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }}
+return: |
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: releaseName-myComponent-apparmor
+  namespace: myNamespace
+data:
+  my_apparmor-v1.profile: |-
+    #include <tunables/global>
+    profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+      <profile_data>
+    }
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_configmap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- $mapName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if $envAll.Values.conf.apparmor_profiles }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ $mapName }}
+  namespace: {{ $envAll.Release.Namespace }}
+data:
+{{ $envAll.Values.conf.apparmor_profiles | toYaml | indent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
new file mode 100644
index 0000000..f231fe6
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders the init container used for apparmor loading.
+values: |
+  images:
+    tags:
+      apparmor_loader: my-repo.io/apparmor-loader:1.0.0
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+      apparmor-loader: unconfined
+usage: |
+  {{ dict "envAll" . | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" }}
+return: |
+  - name: apparmor-loader
+    image: my-repo.io/apparmor-loader:1.0.0
+    args:
+      - /profiles
+    securityContext:
+      privileged: true
+    volumeMounts:
+      - name: sys
+        mountPath: /sys
+        readOnly: true
+      - name: includes
+        mountPath: /etc/apparmor.d
+        readOnly: true
+      - name: profiles
+        mountPath: /profiles
+        readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" -}}
+{{- $envAll := index . "envAll" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+- name: apparmor-loader
+  image: {{ $envAll.Values.images.tags.apparmor_loader }}
+  args:
+    - /profiles
+  securityContext:
+    privileged: true
+  volumeMounts:
+    - name: sys
+      mountPath: /sys
+      readOnly: true
+    - name: includes
+      mountPath: /etc/apparmor.d
+      readOnly: true
+    - name: profiles
+      mountPath: /profiles
+      readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
new file mode 100644
index 0000000..baebaa3
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders the volumes used by the apparmor loader.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+inputs: |
+  envAll: "Environment or Context."
+  component: "Name of the component used for the name of configMap."
+  requireSys: "Boolean. True if it needs the hostpath /sys in volumes."
+usage: |
+  {{ dict "envAll" . "component" "keystone" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" }}
+return: |
+- name: sys
+  hostPath:
+    path: /sys
+- name: includes
+  hostPath:
+    path: /etc/apparmor.d
+- name: profiles
+  configMap:
+    name: RELEASENAME-keystone-apparmor
+    defaultMode: 0555
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_volumes" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $requireSys := index . "requireSys" | default false -}}
+{{- $configName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- if $requireSys }}
+- name: sys
+  hostPath:
+    path: /sys
+{{- end }}
+- name: includes
+  hostPath:
+    path: /etc/apparmor.d
+- name: profiles
+  configMap:
+    name: {{ $configName | quote }}
+    defaultMode: 0555
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
new file mode 100644
index 0000000..4741497
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders securityContext for a Kubernetes container.
+  For container level, see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#securitycontext-v1-core
+examples:
+  - values: |
+      pod:
+        security_context:
+          myApp:
+            container:
+              foo:
+                runAsUser: 34356
+                readOnlyRootFilesystem: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" "container" "foo" | include "helm-toolkit.snippets.kubernetes_container_security_context" }}
+    return: |
+      securityContext:
+        readOnlyRootFilesystem: true
+        runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_container_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $container := index . "container" -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{- if hasKey ( index $envAll.Values.pod.security_context $application "container" ) $container }}
+securityContext:
+{{ toYaml ( index $envAll.Values.pod.security_context $application "container" $container ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
new file mode 100644
index 0000000..bed712e
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
@@ -0,0 +1,209 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a container definition for use with the kubernetes-entrypoint image
+  from stackanetes.
+values: |
+  images:
+    tags:
+      dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    pull_policy: IfNotPresent
+    local_registry:
+      active: true
+      exclude:
+        - dep_check
+  dependencies:
+    dynamic:
+      common:
+        local_image_registry:
+          jobs:
+            - calico-image-repo-sync
+          services:
+            - endpoint: node
+              service: local_image_registry
+    static:
+      calico_node:
+        services:
+          - endpoint: internal
+            service: etcd
+        custom_resources:
+          - apiVersion: argoproj.io/v1alpha1
+            kind: Workflow
+            name: wf-example
+            fields:
+              - key: "status.phase"
+                value: "Succeeded"
+  endpoints:
+    local_image_registry:
+      namespace: docker-registry
+      hosts:
+        default: localhost
+        node: localhost
+    etcd:
+      hosts:
+        default: etcd
+  # NOTE (portdirect): if the stanza, or a portion of it, under `pod` is not
+  # specififed then the following will be used as defaults:
+  #  pod:
+  #    security_context:
+  #      kubernetes_entrypoint:
+  #        container:
+  #          kubernetes_entrypoint:
+  #            runAsUser: 65534
+  #            readOnlyRootFilesystem: true
+  #            allowPrivilegeEscalation: false
+  pod:
+    security_context:
+      kubernetes_entrypoint:
+        container:
+          kubernetes_entrypoint:
+            runAsUser: 0
+            readOnlyRootFilesystem: false
+usage: |
+  {{ tuple . "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" }}
+return: |
+  - name: init
+    image: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+    imagePullPolicy: IfNotPresent
+    securityContext:
+      allowPrivilegeEscalation: false
+      readOnlyRootFilesystem: false
+      runAsUser: 0
+
+    env:
+      - name: POD_NAME
+        valueFrom:
+          fieldRef:
+            apiVersion: v1
+            fieldPath: metadata.name
+      - name: NAMESPACE
+        valueFrom:
+          fieldRef:
+            apiVersion: v1
+            fieldPath: metadata.namespace
+      - name: INTERFACE_NAME
+        value: eth0
+      - name: PATH
+        value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+      - name: DEPENDENCY_SERVICE
+        value: "default:etcd,docker-registry:localhost"
+      - name: DEPENDENCY_JOBS
+        value: "calico-image-repo-sync"
+      - name: DEPENDENCY_DAEMONSET
+        value: ""
+      - name: DEPENDENCY_CONTAINER
+        value: ""
+      - name: DEPENDENCY_POD_JSON
+        value: ""
+      - name: DEPENDENCY_CUSTOM_RESOURCE
+        value: "[{\"apiVersion\":\"argoproj.io/v1alpha1\",\"kind\":\"Workflow\",\"namespace\":\"default\",\"name\":\"wf-example\",\"fields\":[{\"key\":\"status.phase\",\"value\":\"Succeeded\"}]}]"
+    command:
+      - kubernetes-entrypoint
+    volumeMounts:
+      []
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" -}}
+Values:
+  pod:
+    security_context:
+      kubernetes_entrypoint:
+        container:
+          kubernetes_entrypoint:
+            runAsUser: 65534
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $mounts := index . 2 -}}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+
+{{- if and ($envAll.Values.manifests.job_rabbit_init) (hasKey $envAll.Values.dependencies "dynamic") -}}
+{{- if $envAll.Values.dependencies.dynamic.job_rabbit_init -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component) ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component)) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+{{- range $deps.custom_resources }}
+{{- $_ := set . "namespace" $envAll.Release.Namespace -}}
+{{- end -}}
+{{- $default_security_context := include "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" . | fromYaml }}
+{{- $patchedEnvAll := mergeOverwrite $default_security_context $envAll }}
+- name: init
+{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
+{{- dict "envAll" $patchedEnvAll "application" "kubernetes_entrypoint" "container" "kubernetes_entrypoint" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 2 }}
+  env:
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          apiVersion: v1
+          fieldPath: metadata.name
+    - name: NAMESPACE
+      valueFrom:
+        fieldRef:
+          apiVersion: v1
+          fieldPath: metadata.namespace
+    - name: INTERFACE_NAME
+      value: eth0
+    - name: PATH
+      value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+    - name: DEPENDENCY_SERVICE
+      value: "{{ tuple $deps.services $envAll | include "helm-toolkit.utils.comma_joined_service_list" }}"
+{{- if $deps.jobs -}}
+  {{- if kindIs "string" (index $deps.jobs 0) }}
+    - name: DEPENDENCY_JOBS
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.jobs }}"
+  {{- else }}
+    - name: DEPENDENCY_JOBS_JSON
+      value: {{- toJson $deps.jobs | quote -}}
+  {{- end -}}
+{{- end }}
+    - name: DEPENDENCY_DAEMONSET
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.daemonset }}"
+    - name: DEPENDENCY_CONTAINER
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.container }}"
+    - name: DEPENDENCY_POD_JSON
+      value: {{ if $deps.pod }}{{ toJson $deps.pod | quote }}{{ else }}""{{ end }}
+    - name: DEPENDENCY_CUSTOM_RESOURCE
+      value: {{ if $deps.custom_resources }}{{ toJson $deps.custom_resources | quote }}{{ else }}""{{ end }}
+  command:
+    - kubernetes-entrypoint
+  volumeMounts:
+{{ toYaml $mounts | indent 4 }}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
new file mode 100644
index 0000000..34a7da3
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
@@ -0,0 +1,20 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_kubectl_params" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{ print "-l application=" $application " -l component=" $component }}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
new file mode 100644
index 0000000..92d3ea5
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders mandatory access control annotations for a list of containers
+  driven by values.yaml. As of now, it can only generate an apparmor
+  annotation, but in the future could generate others.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      myPodName:
+        myContainerName: localhost/myAppArmor
+        mySecondContainerName: localhost/secondProfile # optional
+        myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+  {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" }}
+return: |
+  container.apparmor.security.beta.kubernetes.io/myContainerName: localhost/myAppArmor
+  container.apparmor.security.beta.kubernetes.io/mySecondContainerName: localhost/secondProfile
+  container.apparmor.security.beta.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+  The number of container underneath is a variable arguments. It loops through
+  all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- $macType := $envAll.Values.pod.mandatory_access_control.type -}}
+{{- if $macType -}}
+{{- if eq $macType "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control $podName -}}
+{{- range $name := $containerNames -}}
+{{- $apparmorProfile := index $envAll.Values.pod.mandatory_access_control $podName $name -}}
+{{- if $apparmorProfile }}
+container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
new file mode 100644
index 0000000..48b53fa
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders a set of standardised labels
+values: |
+  release_group: null
+  pod:
+    labels:
+      default:
+        label1.example.com: value
+      bar:
+        label2.example.com: bar
+usage: |
+  {{ tuple . "foo" "bar" | include "helm-toolkit.snippets.kubernetes_metadata_labels" }}
+return: |
+  release_group: RELEASE-NAME
+  application: foo
+  component: bar
+  label1.example.com: value
+  label2.example.com: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+release_group: {{ $envAll.Values.release_group | default $envAll.Release.Name }}
+application: {{ $application }}
+component: {{ $component }}
+{{- if ($envAll.Values.pod).labels }}
+{{- if hasKey $envAll.Values.pod.labels $component }}
+{{ index $envAll.Values.pod "labels" $component | toYaml }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.labels "default" }}
+{{ $envAll.Values.pod.labels.default | toYaml }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
new file mode 100644
index 0000000..fabbcf8
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
@@ -0,0 +1,89 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes anti affinity rules, this function supports both hard
+  'requiredDuringSchedulingIgnoredDuringExecution' and soft
+  'preferredDuringSchedulingIgnoredDuringExecution' types.
+values: |
+  pod:
+    affinity:
+      anti:
+        topologyKey:
+          default: kubernetes.io/hostname
+        type:
+          default: requiredDuringSchedulingIgnoredDuringExecution
+        weight:
+          default: 10
+usage: |
+  {{ tuple . "appliction_x" "component_y" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" }}
+return: |
+  podAntiAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+    - labelSelector:
+        matchExpressions:
+          - key: release_group
+            operator: In
+            values:
+            - RELEASE-NAME
+          - key: application
+            operator: In
+            values:
+            - appliction_x
+          - key: component
+            operator: In
+            values:
+            - component_y
+          topologyKey: kubernetes.io/hostname
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $component := index . "component" -}}
+{{- $expressionRelease := dict "key" "release_group" "operator" "In"  "values" ( list ( $envAll.Values.release_group | default $envAll.Release.Name ) ) -}}
+{{- $expressionApplication := dict "key" "application" "operator" "In"  "values" ( list $application ) -}}
+{{- $expressionComponent := dict "key" "component" "operator" "In"  "values" ( list $component ) -}}
+{{- list $expressionRelease $expressionApplication $expressionComponent | toYaml }}
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{- $antiAffinityType := index $envAll.Values.pod.affinity.anti.type $component | default $envAll.Values.pod.affinity.anti.type.default }}
+{{- $antiAffinityKey := index $envAll.Values.pod.affinity.anti.topologyKey $component | default $envAll.Values.pod.affinity.anti.topologyKey.default }}
+podAntiAffinity:
+{{- $matchExpressions := include "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" ( dict "envAll" $envAll "application" $application "component" $component ) -}}
+{{- if eq $antiAffinityType "preferredDuringSchedulingIgnoredDuringExecution" }}
+  {{ $antiAffinityType }}:
+  - podAffinityTerm:
+      labelSelector:
+        matchExpressions:
+{{ $matchExpressions | indent 10 }}
+      topologyKey: {{ $antiAffinityKey }}
+{{- if  $envAll.Values.pod.affinity.anti.weight }}
+    weight: {{ index $envAll.Values.pod.affinity.anti.weight $component | default $envAll.Values.pod.affinity.anti.weight.default }}
+{{- else }}
+    weight: 10
+{{- end -}}
+{{- else if eq $antiAffinityType "requiredDuringSchedulingIgnoredDuringExecution" }}
+  {{ $antiAffinityType }}:
+  - labelSelector:
+      matchExpressions:
+{{ $matchExpressions | indent 8 }}
+    topologyKey: {{ $antiAffinityKey }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
new file mode 100644
index 0000000..74173dc
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders image pull secrets for a pod
+values: |
+  pod:
+    image_pull_secrets:
+      default:
+        - name: some-pull-secret
+      bar:
+        - name: another-pull-secret
+usage: |
+  {{ tuple . "bar" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" }}
+return: |
+  imagePullSecrets:
+    - name: some-pull-secret
+    - name: another-pull-secret
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_image_pull_secrets" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- if ($envAll.Values.pod).image_pull_secrets }}
+imagePullSecrets:
+{{- if hasKey $envAll.Values.pod.image_pull_secrets $application }}
+{{ index $envAll.Values.pod "image_pull_secrets" $application | toYaml | indent 2 }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.image_pull_secrets "default" }}
+{{ $envAll.Values.pod.image_pull_secrets.default | toYaml | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
new file mode 100644
index 0000000..90a7a65
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{{- $saName := index . 2 | replace "_" "-" }}
+{{- $saNamespace := index . 3 -}}
+{{- $releaseName := $envAll.Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $releaseName }}-{{ $saName }}
+  namespace: {{ $saNamespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $saName }}
+    namespace: {{ $saNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+  namespace: {{ $saNamespace }}
+rules:
+  - apiGroups:
+      - ""
+      - extensions
+      - batch
+      - apps
+    verbs:
+      - get
+      - list
+    resources:
+      {{- range $k, $v := $deps -}}
+      {{ if eq $v "daemonsets" }}
+      - daemonsets
+      {{- end -}}
+      {{ if eq $v "jobs" }}
+      - jobs
+      {{- end -}}
+      {{ if or (eq $v "pods") (eq $v "daemonsets") (eq $v "jobs") }}
+      - pods
+      {{- end -}}
+      {{ if eq $v "services" }}
+      - services
+      - endpoints
+      {{- end -}}
+      {{ if eq $v "secrets" }}
+      - secrets
+      {{- end -}}
+      {{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
new file mode 100644
index 0000000..bc2045e
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $saName := index . 2 -}}
+{{- $saNamespace := $envAll.Release.Namespace }}
+{{- $randomKey := randAlphaNum 32 }}
+{{- $allNamespace := dict $randomKey "" }}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $saName }}
+  namespace: {{ $saNamespace }}
+{{- if $envAll.Values.manifests.secret_registry }}
+{{- if $envAll.Values.endpoints.oci_image_registry.auth.enabled }}
+imagePullSecrets:
+  - name: {{ index $envAll.Values.secrets.oci_image_registry $envAll.Chart.Name }}
+{{- end -}}
+{{- end -}}
+{{- range $k, $v := $deps -}}
+{{- if eq $k "services" }}
+{{- range $serv := $v }}
+{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
+{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
+{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
+{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- else if and (eq $k "jobs") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "daemonset") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "pod") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "pods," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "secret") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "secrets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- $_ := unset $allNamespace $randomKey }}
+{{- range $ns, $vv := $allNamespace }}
+{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
+{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
new file mode 100644
index 0000000..3a4fbaa
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
@@ -0,0 +1,67 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders securityContext for a Kubernetes pod.
+  For pod level, seurity context see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#podsecuritycontext-v1-core
+examples:
+  - values: |
+      pod:
+        # NOTE: The 'user' key is deprecated, and will be removed shortly.
+        user:
+          myApp:
+            uid: 34356
+        security_context:
+          myApp:
+            pod:
+              runAsNonRoot: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+    return: |
+      securityContext:
+        runAsUser: 34356
+        runAsNonRoot: true
+  - values: |
+      pod:
+        security_context:
+          myApp:
+            pod:
+              runAsUser: 34356
+              runAsNonRoot: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+    return: |
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+securityContext:
+{{- if hasKey $envAll.Values.pod "user" }}
+{{- if hasKey $envAll.Values.pod.user $application }}
+{{- if hasKey ( index $envAll.Values.pod.user $application ) "uid" }}
+  runAsUser: {{ index $envAll.Values.pod.user $application "uid" }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{ toYaml ( index $envAll.Values.pod.security_context $application "pod" ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
new file mode 100644
index 0000000..7470760
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes liveness and readiness probes for containers
+values: |
+  pod:
+    probes:
+      api:
+        default:
+          readiness:
+            enabled: true
+            params:
+              initialDelaySeconds: 30
+              timeoutSeconds: 30
+usage: |
+  {{- define "probeTemplate" }}
+  httpGet:
+    path: /status
+    port: 9090
+  {{- end }}
+  {{ dict "envAll" . "component" "api" "container" "default" "type" "readiness" "probeTemplate" (include "probeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" }}
+return: |
+  readinessProbe:
+    httpGet:
+      path: /status
+      port: 9090
+    initialDelaySeconds: 30
+    timeoutSeconds: 30
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_probe" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $container := index . "container" -}}
+{{- $type := index . "type" -}}
+{{- $probeTemplate := index . "probeTemplate" -}}
+{{- $probeOpts := index $envAll.Values.pod.probes $component $container $type -}}
+{{- if $probeOpts.enabled -}}
+{{- $probeOverides := index $probeOpts "params" | default dict -}}
+{{ dict ( printf "%sProbe" $type ) (mergeOverwrite $probeTemplate $probeOverides ) | toYaml }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
new file mode 100644
index 0000000..24d30cf
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
@@ -0,0 +1,53 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Note: This function is deprecated and will be removed in the future.
+
+abstract: |
+  Renders kubernetes resource limits for pods
+values: |
+  pod:
+    resources:
+      enabled: true
+      api:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+          hugepages-1Gi: "1Gi"
+
+usage: |
+  {{ include "helm-toolkit.snippets.kubernetes_resources" ( tuple . .Values.pod.resources.api ) }}
+return: |
+  resources:
+    limits:
+      cpu: "2000m"
+      memory: "1024Mi"
+      hugepages-1Gi: "1Gi"
+    requests:
+      cpu: "100m"
+      memory: "128Mi
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_resources" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- if $envAll.Values.pod.resources.enabled -}}
+resources:
+{{ toYaml $component | trim | indent 2 }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
new file mode 100644
index 0000000..555ffb0
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders seccomp annotations for a list of containers driven by values.yaml.
+values: |
+  pod:
+    seccomp:
+      myPodName:
+        myContainerName: localhost/mySeccomp
+        mySecondContainerName: localhost/secondProfile # optional
+        myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+  {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_seccomp_annotation" }}
+return: |
+  container.seccomp.security.alpha.kubernetes.io/myContainerName: localhost/mySeccomp
+  container.seccomp.security.alpha.kubernetes.io/mySecondContainerName: localhost/secondProfile
+  container.seccomp.security.alpha.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+  The number of container underneath is a variable arguments. It loops through
+  all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_seccomp_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey (index $envAll.Values.pod "seccomp") $podName -}}
+{{- range $name := $containerNames -}}
+{{- $seccompProfile := index $envAll.Values.pod.seccomp $podName $name -}}
+{{- if $seccompProfile }}
+container.seccomp.security.alpha.kubernetes.io/{{ $name }}: {{ $seccompProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
new file mode 100644
index 0000000..e4af6a6
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes tolerations for pods
+values: |
+  pod:
+    tolerations:
+      api:
+        enabled: true
+        tolerations:
+        - key: node-role.kubernetes.io/master
+          operator: Exists
+        - key: node-role.kubernetes.io/node
+          operator: Exists
+
+usage: |
+  {{ include "helm-toolkit.snippets.kubernetes_tolerations" ( tuple . .Values.pod.tolerations.api ) }}
+return: |
+  tolerations:
+  - key: node-role.kubernetes.io/master
+    operator: Exists
+  - key: node-role.kubernetes.io/node
+    operator: Exists
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_tolerations" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $pod := index $envAll.Values.pod.tolerations $component }}
+tolerations:
+{{ toYaml $pod.tolerations }}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
new file mode 100644
index 0000000..69cee47
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_daemonset" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $upgradeMap := index $envAll.Values.pod.lifecycle.upgrades.daemonsets $component -}}
+{{- $pod_replacement_strategy := $envAll.Values.pod.lifecycle.upgrades.daemonsets.pod_replacement_strategy -}}
+{{- with $upgradeMap -}}
+{{- if .enabled }}
+minReadySeconds: {{ .min_ready_seconds }}
+updateStrategy:
+  type: {{ $pod_replacement_strategy }}
+  {{- if $pod_replacement_strategy }}
+  {{- if eq $pod_replacement_strategy "RollingUpdate" }}
+  rollingUpdate:
+    maxUnavailable: {{ .max_unavailable }}
+  {{- end }}
+  {{- end }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
new file mode 100644
index 0000000..be28cdb
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_deployment" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.deployments -}}
+revisionHistoryLimit: {{ .revision_history }}
+strategy:
+  type: {{ .pod_replacement_strategy }}
+  {{- if eq .pod_replacement_strategy "RollingUpdate" }}
+  rollingUpdate:
+    maxUnavailable: {{ .rolling_update.max_unavailable }}
+    maxSurge: {{ .rolling_update.max_surge }}
+  {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
new file mode 100644
index 0000000..f897023
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders upgradeStrategy configuration for Kubernetes statefulsets.
+  See: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+  Types:
+    - RollingUpdate (default)
+    - OnDelete
+  Partitions:
+    - Stage updates to a statefulset by keeping pods at current version while
+      allowing mutations to statefulset's .spec.template
+values: |
+  pod:
+    lifecycle:
+      upgrades:
+        statefulsets:
+          pod_replacement_strategy: RollingUpdate
+          partition: 2
+usage: |
+  {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_statefulset" | indent 2 }}
+return: |
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      partition: 2
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_statefulset" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.statefulsets -}}
+updateStrategy:
+  type: {{ .pod_replacement_strategy }}
+  {{ if .partition -}}
+  rollingUpdate:
+    partition: {{ .partition }}
+  {{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
new file mode 100644
index 0000000..fc74c6f
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
@@ -0,0 +1,68 @@
+{{- define "helm-toolkit.snippets.mon_host_from_k8s_ep" -}}
+{{/*
+
+Inserts a bash function definition mon_host_from_k8s_ep() which can be used
+to construct a mon_hosts value from the given namespaced endpoint.
+
+Usage (e.g. in _script.sh.tpl):
+    #!/bin/bash
+
+    : "${NS:=ceph}"
+    : "${EP:=ceph-mon-discovery}"
+
+    {{ include "helm-toolkit.snippets.mon_host_from_k8s_ep" . }}
+
+    MON_HOST=$(mon_host_from_k8s_ep "$NS" "$EP")
+
+    if [ -z "$MON_HOST" ]; then
+        # deal with failure
+    else
+        sed -i -e "s/^mon_host = /mon_host = $MON_HOST/" /etc/ceph/ceph.conf
+    fi
+*/}}
+{{`
+# Construct a mon_hosts value from the given namespaced endpoint
+# IP x.x.x.x with port p named "mon-msgr2" will appear as [v2:x.x.x.x/p/0]
+# IP x.x.x.x with port q named "mon" will appear as [v1:x.x.x.x/q/0]
+# IP x.x.x.x with ports p and q will appear as [v2:x.x.x.x/p/0,v1:x.x.x.x/q/0]
+# The entries for all IPs will be joined with commas
+mon_host_from_k8s_ep() {
+  local ns=$1
+  local ep=$2
+
+  if [ -z "$ns" ] || [ -z "$ep" ]; then
+    return 1
+  fi
+
+  # We don't want shell expansion for the go-template expression
+  # shellcheck disable=SC2016
+  kubectl get endpoints -n "$ns" "$ep" -o go-template='
+    {{- $sep := "" }}
+    {{- range $_,$s := .subsets }}
+      {{- $v2port := 0 }}
+      {{- $v1port := 0 }}
+      {{- range $_,$port := index $s "ports" }}
+        {{- if (eq $port.name "mon-msgr2") }}
+          {{- $v2port = $port.port }}
+        {{- else if (eq $port.name "mon") }}
+          {{- $v1port = $port.port }}
+        {{- end }}
+      {{- end }}
+      {{- range $_,$address := index $s "addresses" }}
+        {{- $v2endpoint := printf "v2:%s:%d/0" $address.ip $v2port }}
+        {{- $v1endpoint := printf "v1:%s:%d/0" $address.ip $v1port }}
+        {{- if (and $v2port $v1port) }}
+          {{- printf "%s[%s,%s]" $sep $v2endpoint $v1endpoint }}
+          {{- $sep = "," }}
+        {{- else if $v2port }}
+          {{- printf "%s[%s]" $sep $v2endpoint }}
+          {{- $sep = "," }}
+        {{- else if $v1port }}
+          {{- printf "%s[%s]" $sep $v1endpoint }}
+          {{- $sep = "," }}
+        {{- end }}
+      {{- end }}
+    {{- end }}'
+}
+`}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
new file mode 100644
index 0000000..fec41f8
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape jobs via pod
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape pods that have a value of `true`
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: Scrape the pod on the indicated port instead of the
+# pod's declared ports (default is a port-free target if none are declared).
+
+{{- define "helm-toolkit.snippets.prometheus_pod_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
new file mode 100644
index 0000000..a827c4b
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
@@ -0,0 +1,35 @@
+{{/*
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+   http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape endpoints via
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape services that have a value of `true`
+# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
+# to set this to `https` & most likely set the `tls_config` of the scrape config.
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: If the metrics are exposed on a different port to the
+# service then set this appropriately.
+
+{{- define "helm-toolkit.snippets.prometheus_service_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.scheme }}
+prometheus.io/scheme: {{ $config.scheme | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_release_uuid.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
new file mode 100644
index 0000000..253920b
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Reneders an attonation key and value for a release
+values: |
+  release_uuid: null
+usage: |
+  {{ tuple . | include "helm-toolkit.snippets.release_uuid" }}
+return: |
+  "openstackhelm.openstack.org/release_uuid": ""
+*/}}
+
+{{- define "helm-toolkit.snippets.release_uuid" -}}
+{{- $envAll := index . 0 -}}
+"openstackhelm.openstack.org/release_uuid": {{ $envAll.Values.release_uuid | default "" | quote }}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
new file mode 100644
index 0000000..a3169ce
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_admin_env_vars" }}
+{{- $s3AdminSecret := .s3AdminSecret }}
+- name: S3_ADMIN_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_USERNAME
+- name: S3_ADMIN_ACCESS_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_ACCESS_KEY
+- name: S3_ADMIN_SECRET_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_SECRET_KEY
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
new file mode 100644
index 0000000..a611a5e
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_secret_creds" }}
+{{- range $client, $config := .Values.storage.s3.clients -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+type: Opaque
+data:
+{{- range $key, $value := $config.auth }}
+  {{ $key | upper }}: {{ $value | toString | b64enc}}
+{{- end }}
+
+{{ end }}
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
new file mode 100644
index 0000000..a3dd431
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_user_env_vars" }}
+{{- range $client, $user := .Values.storage.s3.clients }}
+{{- $s3secret := printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+- name: {{ printf "%s_S3_USERNAME" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: USERNAME
+- name: {{ printf "%s_S3_ACCESS_KEY" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: ACCESS_KEY
+- name: {{ printf "%s_S3_SECRET_KEY" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: SECRET_KEY
+{{- end }}
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_tls_volume.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
new file mode 100644
index 0000000..41fe3d9
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+  Renders a secret volume for tls.
+
+  Dictionary Parameters:
+    enabled: boolean check if you want to conditional disable this snippet (optional)
+    name: name of the volume (required)
+    secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional)
+
+values: |
+  manifests:
+    certificates: true
+
+usage: |
+  {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume" -}}
+
+return: |
+  - name: glance-tls-api
+    secret:
+      secretName: glance-tls-api
+      defaultMode: 292
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $secretName := index . "secretName" | default $name -}}
+{{- if and $enabled (ne $name "") }}
+- name: {{ $name }}
+  secret:
+    secretName: {{ $secretName }}
+    defaultMode: 292
+{{- end }}
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
new file mode 100644
index 0000000..9cfa819
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
@@ -0,0 +1,82 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+  Renders a volume mount for TLS key, cert and CA.
+
+  Dictionary Parameters:
+    enabled: boolean check if you want to conditional disable this snippet (optional)
+    name: name that of the volume and should match the volume name (required)
+    path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required)
+    certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}.
+          the default is the full set. (optional)
+
+values: |
+  manifests:
+    certificates: true
+
+usage: |
+  {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/tls.crt
+    subPath: tls.crt
+    readOnly: true
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/tls.key
+    subPath: tls.key
+    readOnly: true
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/ca.crt
+    subPath: ca.crt
+    readOnly: true
+
+abstract: |
+  This mounts a specific issuing CA only for service validation
+
+usage: |
+  {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+  - name: glance-tls-api
+    mountPath: /etc/ssl/certs/openstack-helm.crt
+    subPath: ca.crt
+    readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume_mount" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $path := index . "path" | default "" -}}
+{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }}
+{{- if $enabled }}
+{{- if and (eq $path "") (ne $name "") }}
+- name: {{ $name }}
+  mountPath: "/etc/ssl/certs/openstack-helm.crt"
+  subPath: ca.crt
+  readOnly: true
+{{- else }}
+{{- if ne $name "" }}
+{{- range $key, $value := $certs }}
+- name: {{ $name }}
+  mountPath: {{ printf "%s/%s" $path $value }}
+  subPath: {{ $value }}
+  readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
new file mode 100644
index 0000000..6e9d5a1
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
@@ -0,0 +1,87 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders out configuration sections into a format suitable for incorporation
+  into a config-map. Allowing various forms of input to be rendered out as
+  appropriate.
+values: |
+  conf:
+    inputs:
+      - foo
+      - bar
+    some:
+      config_to_render: |
+        #We can use all of gotpl here: eg macros, ranges etc.
+        {{ include "helm-toolkit.utils.joinListWithComma" .Values.conf.inputs }}
+      config_to_complete:
+        #here we can fill out params, but things need to be valid yaml as input
+        '{{ .Release.Name }}': '{{ printf "%s-%s" .Release.Namespace "namespace" }}'
+      static_config:
+        #this is just passed though as yaml to the configmap
+        foo: bar
+usage: |
+  {{- $envAll := . }}
+  ---
+  apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: application-etc
+  data:
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_render "key" "config_to_render.conf") | indent 2 }}
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_complete "key" "config_to_complete.yaml") | indent 2 }}
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.static_config "key" "static_config.yaml") | indent 2 }}
+return: |
+  ---
+  apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: application-etc
+  data:
+    config_to_render.conf: |
+      #We can use all of gotpl here: eg macros, ranges etc.
+      foo,bar
+
+    config_to_complete.yaml: |
+      'RELEASE-NAME': 'default-namespace'
+
+    static_config.yaml: |
+      foo: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.values_template_renderer" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $template := index . "template" -}}
+{{- $key := index . "key" -}}
+{{- $format := index . "format" | default "configMap" -}}
+{{- with $envAll -}}
+{{- $templateRendered := tpl ( $template | toYaml ) . }}
+{{- if eq $format "Secret" }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: {{ regexReplaceAllLiteral "\n  " ( $templateRendered | trimPrefix "|\n" | trimPrefix "  " ) "\n" | b64enc }}
+{{- else }}
+{{ $key }}: {{ $templateRendered | b64enc }}
+{{- end -}}
+{{- else }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: |
+{{ regexReplaceAllLiteral "\n  " ( $templateRendered | trimPrefix "|\n" | trimPrefix "  " ) "\n" | indent 2 }}
+{{- else }}
+{{ $key }}: |
+{{ $templateRendered | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl b/charts/cinder/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
new file mode 100644
index 0000000..6d617a1
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
@@ -0,0 +1,94 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Produces a certificate from a certificate authority. If the "encode" parameter
+  is true, base64 encode the values for inclusion in a Kubernetes secret.
+values: |
+  test:
+    hosts:
+      names:
+        - barbican.openstackhelm.example
+        - barbican.openstack.svc.cluster.local
+      ips:
+        - 127.0.0.1
+        - 192.168.0.1
+    life: 3
+    # Use ca.crt and ca.key to build a customized ca, if they are provided.
+    # Use hosts.names[0] and life to auto-generate a ca, if ca is not provided.
+    ca:
+      crt: |
+        <CA CRT>
+      key: |
+        <CA PRIVATE KEY>
+usage: |
+  {{ include "helm-toolkit.utils.tls_generate_certs" (dict "params" .Values.test) }}
+return: |
+  ca: |
+    <CA CRT>
+  crt: |
+    <CRT>
+  exp: 2018-09-01T10:56:07.895392915-00:00
+  key: |
+    <CRT PRIVATE KEY>
+*/}}
+
+{{- define "helm-toolkit.utils.tls_generate_certs" -}}
+{{- $params := index . "params" -}}
+{{- $encode := index . "encode" | default false -}}
+{{- $local := dict -}}
+
+{{- $_hosts := $params.hosts.names | default list }}
+{{- if kindIs "string" $params.hosts.names }}
+{{- $_ := set $local "certHosts" (list $params.hosts.names) }}
+{{- else }}
+{{- $_ := set $local "certHosts" $_hosts }}
+{{- end }}
+
+{{- $_ips := $params.hosts.ips | default list }}
+{{- if kindIs "string" $params.hosts.ips }}
+{{- $_ := set $local "certIps" (list $params.hosts.ips) }}
+{{- else }}
+{{- $_ := set $local "certIps" $_ips }}
+{{- end }}
+
+{{- if hasKey $params "ca" }}
+{{- if and (hasKey $params.ca "crt") (hasKey $params.ca "key") }}
+{{- $ca := buildCustomCert ($params.ca.crt | b64enc ) ($params.ca.key | b64enc ) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+{{- else }}
+{{- $ca := genCA (first $local.certHosts) (int $params.life) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+
+{{- $expDate := date_in_zone "2006-01-02T15:04:05Z07:00" ( date_modify (printf "+%sh" (mul $params.life 24 |toString)) now ) "UTC" }}
+{{- $rawCert := genSignedCert (first $local.certHosts) ($local.certIps) ($local.certHosts) (int $params.life) $local.ca }}
+{{- $certificate := dict -}}
+{{- if $encode -}}
+{{- $_ := b64enc $rawCert.Cert | set $certificate "crt" -}}
+{{- $_ := b64enc $rawCert.Key | set $certificate "key" -}}
+{{- $_ := b64enc $local.ca.Cert | set $certificate "ca" -}}
+{{- $_ := b64enc $local.ca.Key | set $certificate "caKey" -}}
+{{- $_ := b64enc $expDate | set $certificate "exp" -}}
+{{- else -}}
+{{- $_ := set $certificate "crt" $rawCert.Cert -}}
+{{- $_ := set $certificate "key" $rawCert.Key -}}
+{{- $_ := set $certificate "ca" $local.ca.Cert -}}
+{{- $_ := set $certificate "caKey" $local.ca.Key -}}
+{{- $_ := set $certificate "exp" $expDate -}}
+{{- end -}}
+{{- $certificate | toYaml }}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl b/charts/cinder/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
new file mode 100644
index 0000000..e26501f
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a comma separated list of namespace:service pairs.
+values: |
+  dependencies:
+    static:
+      api:
+        services:
+          - endpoint: internal
+            service: oslo_cache
+          - endpoint: internal
+            service: oslo_db
+  endpoints:
+    oslo_db:
+      namespace: foo
+      hosts:
+        default: mariadb
+    oslo_cache:
+      namespace: bar
+      hosts:
+        default: memcache
+usage: |
+  {{ tuple .Values.dependencies.static.api.services . | include "helm-toolkit.utils.comma_joined_service_list" }}
+return: |
+  bar:memcache,foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.utils.comma_joined_service_list" -}}
+{{- $deps := index . 0 -}}
+{{- $envAll := index . 1 -}}
+{{- range $k, $v := $deps -}}{{- if $k -}},{{- end -}}{{ tuple $v.service $v.endpoint $envAll | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/utils/_configmap_templater.tpl b/charts/cinder/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
new file mode 100644
index 0000000..7095c19
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
@@ -0,0 +1,30 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.configmap_templater" }}
+{{- $keyRoot := index . 0 -}}
+{{- $configTemplate := index . 1 -}}
+{{- $context := index . 2 -}}
+{{ if $keyRoot.override -}}
+{{ $keyRoot.override | indent 4 }}
+{{- else -}}
+{{- if $keyRoot.prefix -}}
+{{ $keyRoot.prefix | indent 4 }}
+{{- end }}
+{{ tuple $configTemplate $context | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if $keyRoot.append -}}
+{{ $keyRoot.append | indent 4 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl b/charts/cinder/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
new file mode 100644
index 0000000..40359f0
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
@@ -0,0 +1,269 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.daemonset_overrides" }}
+  {{- $daemonset := index . 0 }}
+  {{- $daemonset_yaml := index . 1 }}
+  {{- $configmap_include := index . 2 }}
+  {{- $configmap_name := index . 3 }}
+  {{- $context := index . 4 }}
+  {{- $_ := unset $context ".Files" }}
+  {{- $daemonset_root_name := printf (print $context.Chart.Name "_" $daemonset) }}
+  {{- $_ := set $context.Values "__daemonset_list" list }}
+  {{- $_ := set $context.Values "__default" dict }}
+  {{- if hasKey $context.Values.conf "overrides" }}
+    {{- range $key, $val := $context.Values.conf.overrides }}
+
+      {{- if eq $key $daemonset_root_name }}
+        {{- range $type, $type_data := . }}
+
+          {{- if eq $type "hosts" }}
+            {{- range $host_data := . }}
+              {{/* dictionary that will contain all info needed to generate this
+              iteration of the daemonset */}}
+              {{- $current_dict := dict }}
+
+              {{/* set daemonset name */}}
+              {{/* Note: long hostnames can cause the 63 char name limit to be
+              exceeded. Truncate the hostname if hostname > 20 char */}}
+              {{- if gt (len $host_data.name) 20 }}
+                {{- $_ := set $current_dict "name" (substr 0 20 $host_data.name) }}
+              {{- else }}
+                {{- $_ := set $current_dict "name" $host_data.name }}
+              {{- end }}
+
+              {{/* apply overrides */}}
+              {{- $override_conf_copy := $host_data.conf }}
+              {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+              {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+              {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+              {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+              {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+              {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+              {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+              {{- $_ := set $current_dict "nodeData" $root_conf_copy4 }}
+
+              {{/* Schedule to this host explicitly. */}}
+              {{- $nodeSelector_dict := dict }}
+
+              {{- $_ := set $nodeSelector_dict "key" "kubernetes.io/hostname" }}
+              {{- $_ := set $nodeSelector_dict "operator" "In" }}
+
+              {{- $values_list := list $host_data.name }}
+              {{- $_ := set $nodeSelector_dict "values" $values_list }}
+
+              {{- $list_aggregate := list $nodeSelector_dict }}
+              {{- $_ := set $current_dict "matchExpressions" $list_aggregate }}
+
+              {{/* store completed daemonset entry/info into global list */}}
+              {{- $list_aggregate := append $context.Values.__daemonset_list $current_dict }}
+              {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+            {{- end }}
+          {{- end }}
+
+          {{- if eq $type "labels" }}
+            {{- $_ := set $context.Values "__label_list" . }}
+            {{- range $label_data := . }}
+              {{/* dictionary that will contain all info needed to generate this
+              iteration of the daemonset. */}}
+              {{- $_ := set $context.Values "__current_label" dict }}
+
+              {{/* set daemonset name */}}
+              {{- $_ := set $context.Values.__current_label "name" $label_data.label.key }}
+
+              {{/* apply overrides */}}
+              {{- $override_conf_copy := $label_data.conf }}
+              {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+              {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+              {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+              {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+              {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+              {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+              {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+              {{- $_ := set $context.Values.__current_label "nodeData" $root_conf_copy4 }}
+
+              {{/* Schedule to the provided label value(s) */}}
+              {{- $label_dict := omit $label_data.label "NULL" }}
+              {{- $_ := set $label_dict "operator" "In" }}
+              {{- $list_aggregate := list $label_dict }}
+              {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+
+              {{/* Do not schedule to other specified labels, with higher
+              precedence as the list position increases. Last defined label
+              is highest priority. */}}
+              {{- $other_labels := without $context.Values.__label_list $label_data }}
+              {{- range $label_data2 := $other_labels }}
+                {{- $label_dict := omit $label_data2.label "NULL" }}
+
+                {{- $_ := set $label_dict "operator" "NotIn" }}
+
+                {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+                {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+              {{- end }}
+              {{- $_ := set $context.Values "__label_list" $other_labels }}
+
+              {{/* Do not schedule to any other specified hosts */}}
+              {{- range $type, $type_data := $val }}
+                {{- if eq $type "hosts" }}
+                  {{- range $host_data := . }}
+                    {{- $label_dict := dict }}
+
+                    {{- $_ := set $label_dict "key" "kubernetes.io/hostname" }}
+                    {{- $_ := set $label_dict "operator" "NotIn" }}
+
+                    {{- $values_list := list $host_data.name }}
+                    {{- $_ := set $label_dict "values" $values_list }}
+
+                    {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+                    {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+                  {{- end }}
+                {{- end }}
+              {{- end }}
+
+              {{/* store completed daemonset entry/info into global list */}}
+              {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__current_label }}
+              {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+              {{- $_ := unset $context.Values "__current_label" }}
+
+            {{- end }}
+          {{- end }}
+        {{- end }}
+
+        {{/* scheduler exceptions for the default daemonset */}}
+        {{- $_ := set $context.Values.__default "matchExpressions" list }}
+
+        {{- range $type, $type_data := . }}
+          {{/* Do not schedule to other specified labels */}}
+          {{- if eq $type "labels" }}
+            {{- range $label_data := . }}
+              {{- $default_dict := omit $label_data.label "NULL" }}
+
+              {{- $_ := set $default_dict "operator" "NotIn" }}
+
+              {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+              {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+            {{- end }}
+          {{- end }}
+          {{/* Do not schedule to other specified hosts */}}
+          {{- if eq $type "hosts" }}
+            {{- range $host_data := . }}
+              {{- $default_dict := dict }}
+
+              {{- $_ := set $default_dict "key" "kubernetes.io/hostname" }}
+              {{- $_ := set $default_dict "operator" "NotIn" }}
+
+              {{- $values_list := list $host_data.name }}
+              {{- $_ := set $default_dict "values" $values_list }}
+
+              {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+              {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+            {{- end }}
+          {{- end }}
+        {{- end }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+
+  {{/* generate the default daemonset */}}
+
+  {{/* set name */}}
+  {{- $_ := set $context.Values.__default "name" "default" }}
+
+  {{/* no overrides apply, so copy as-is */}}
+  {{- $root_conf_copy1 := omit $context.Values.conf "overrides" }}
+  {{- $root_conf_copy2 := dict "conf" $root_conf_copy1 }}
+  {{- $context_values := omit $context.Values "conf" }}
+  {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+  {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+  {{- $_ := set $context.Values.__default "nodeData" $root_conf_copy4 }}
+
+  {{/* add to global list */}}
+  {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__default }}
+  {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+  {{- range $current_dict := $context.Values.__daemonset_list }}
+
+    {{- $context_novalues := omit $context "Values" }}
+    {{- $merged_dict := mergeOverwrite $context_novalues $current_dict.nodeData }}
+    {{- $_ := set $current_dict "nodeData" $merged_dict }}
+    {{/* Deep copy original daemonset_yaml */}}
+    {{- $_ := set $context.Values "__daemonset_yaml" ($daemonset_yaml | toYaml | fromYaml) }}
+
+    {{/* name needs to be a DNS-1123 compliant name. Ensure lower case */}}
+    {{- $name_format1 := printf (print $daemonset_root_name "-" $current_dict.name) | lower }}
+    {{/* labels may contain underscores which would be invalid here, so we replace them with dashes
+    there may be other valid label names which would make for an invalid DNS-1123 name
+    but these will be easier to handle in future with sprig regex* functions
+    (not availabile in helm 2.5.1) */}}
+    {{- $name_format2 := $name_format1 | replace "_" "-" }}
+    {{/* To account for the case where the same label is defined multiple times in overrides
+    (but with different label values), we add a sha of the scheduling data to ensure
+    name uniqueness */}}
+    {{- $_ := set $current_dict "dns_1123_name" dict }}
+    {{- if hasKey $current_dict "matchExpressions" }}
+      {{- $_ := set $current_dict "dns_1123_name" (printf (print $name_format2 "-" ($current_dict.matchExpressions | quote | sha256sum | trunc 8))) }}
+    {{- else }}
+      {{- $_ := set $current_dict "dns_1123_name" $name_format2 }}
+    {{- end }}
+
+    {{/* set daemonset metadata name */}}
+    {{- if not $context.Values.__daemonset_yaml.metadata }}{{- $_ := set $context.Values.__daemonset_yaml "metadata" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }}
+    {{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }}
+
+    {{/* cross-reference configmap name to container volume definitions */}}
+    {{- $_ := set $context.Values "__volume_list" list }}
+    {{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }}
+      {{- $_ := set $context.Values "__volume" $current_volume }}
+      {{- if hasKey $context.Values.__volume "secret" }}
+        {{- if eq $context.Values.__volume.secret.secretName $configmap_name }}
+          {{- $_ := set $context.Values.__volume.secret "secretName" $current_dict.dns_1123_name }}
+        {{- end }}
+      {{- end }}
+      {{- $updated_list := append $context.Values.__volume_list $context.Values.__volume }}
+      {{- $_ := set $context.Values "__volume_list" $updated_list }}
+    {{- end }}
+    {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "volumes" $context.Values.__volume_list }}
+
+
+    {{/* populate scheduling restrictions */}}
+    {{- if hasKey $current_dict "matchExpressions" }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "spec" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "affinity" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity "nodeAffinity" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity "requiredDuringSchedulingIgnoredDuringExecution" dict }}{{- end }}
+      {{- $match_exprs := dict }}
+      {{- $_ := set $match_exprs "matchExpressions" $current_dict.matchExpressions }}
+      {{- $appended_match_expr := list $match_exprs }}
+      {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution "nodeSelectorTerms" $appended_match_expr }}
+    {{- end }}
+
+    {{/* input value hash for current set of values overrides */}}
+    {{- if not $context.Values.__daemonset_yaml.spec }}{{- $_ := set $context.Values.__daemonset_yaml "spec" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template }}{{- $_ := set $context.Values.__daemonset_yaml.spec "template" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template.metadata }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "metadata" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template.metadata.annotations }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata "annotations" dict }}{{- end }}
+    {{- $cmap := list $current_dict.dns_1123_name $current_dict.nodeData | include $configmap_include }}
+    {{- $values_hash := $cmap | quote | sha256sum }}
+    {{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata.annotations "configmap-etc-hash" $values_hash }}
+
+    {{/* generate configmap */}}
+---
+{{ $cmap }}
+    {{/* generate daemonset yaml */}}
+---
+{{ $context.Values.__daemonset_yaml | toYaml }}
+  {{- end }}
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl b/charts/cinder/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
new file mode 100644
index 0000000..b99c00d
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.dependency_resolver" }}
+{{- $envAll := index . "envAll" -}}
+{{- $dependencyMixinParam := index . "dependencyMixinParam" -}}
+{{- $dependencyKey := index . "dependencyKey" -}}
+{{- if $dependencyMixinParam -}}
+{{- $_ := set $envAll.Values "pod_dependency" dict -}}
+{{- if kindIs "string" $dependencyMixinParam }}
+{{- if ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam ) }}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency ( index $envAll.Values.dependencies.static $dependencyKey ) ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam $dependencyKey ) ) -}}
+{{- else }}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- end }}
+{{- else if kindIs "slice" $dependencyMixinParam }}
+{{- $_ := set $envAll.Values "__deps" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- range $k, $v := $dependencyMixinParam -}}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency $envAll.Values.__deps ( index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey ) ) -}}
+{{- $_ := set $envAll.Values "__deps" $envAll.Values.pod_dependency -}}
+{{- end }}
+{{- end }}
+{{- else -}}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) -}}
+{{- end -}}
+{{ $envAll.Values.pod_dependency | toYaml }}
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/utils/_hash.tpl b/charts/cinder/charts/helm-toolkit/templates/utils/_hash.tpl
new file mode 100644
index 0000000..d871b62
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/utils/_hash.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.hash" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{- include $wtf $context | sha256sum | quote -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/utils/_host_list.tpl b/charts/cinder/charts/helm-toolkit/templates/utils/_host_list.tpl
new file mode 100644
index 0000000..0c32136
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/utils/_host_list.tpl
@@ -0,0 +1,44 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a list of unique hosts for an endpoint, in yaml.
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: mariadb
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.utils.host_list" }}
+return: |
+  hosts:
+  - mariadb
+  - mariadb.default
+*/}}
+
+{{- define "helm-toolkit.utils.host_list" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $host_fqdn := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $host_namespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $host_short := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{/* It is important that the FQDN host is 1st in this list, to ensure other function can use the 1st element for cert gen CN etc */}}
+{{- $host_list := list $host_fqdn $host_namespaced $host_short | uniq }}
+{{- dict "hosts" $host_list | toYaml }}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/utils/_image_sync_list.tpl b/charts/cinder/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
new file mode 100644
index 0000000..51923b6
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.image_sync_list" -}}
+{{- $imageExcludeList := .Values.images.local_registry.exclude -}}
+{{- $imageDict := .Values.images.tags -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := $imageDict -}}
+{{- if not $local.first -}},{{- end -}}
+{{- if (not (has $k $imageExcludeList )) -}}
+{{- index $imageDict $k -}}
+{{- $_ := set $local "first" false -}}
+{{- end -}}{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl b/charts/cinder/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
new file mode 100644
index 0000000..5eb5785
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a comma separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithComma" .Values.test }}
+return: |
+  foo,bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithComma" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl b/charts/cinder/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
new file mode 100644
index 0000000..3bc6819
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a comma seperated string with single quotes
+  around each value.
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.test }}
+return: |
+  'foo','bar'
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}'{{- $v -}}'{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl b/charts/cinder/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
new file mode 100644
index 0000000..40ebb15
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
@@ -0,0 +1,32 @@
+{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of prefixed values into a space separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ tuple "prefix" .Values.test | include "helm-toolkit.utils.joinListWithPrefix" }}
+return: |
+  prefixfoo prefixbar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithPrefix" -}}
+{{- $prefix := index . 0 -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := index . 1 -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $prefix -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl b/charts/cinder/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
new file mode 100644
index 0000000..5912280
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a space separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithSpace" .Values.test }}
+return: |
+  foo bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithSpace" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/utils/_merge.tpl b/charts/cinder/charts/helm-toolkit/templates/utils/_merge.tpl
new file mode 100644
index 0000000..ea80546
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/utils/_merge.tpl
@@ -0,0 +1,135 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Takes a tuple of values and merges into the first (target) one each subsequent
+(source) one in order. If all values to merge are maps, then the tuple can be
+passed as is and the target will be the result, otherwise pass a map with a
+"values" key containing the tuple of values to merge, and the merge result will
+be assigned to the "result" key of the passed map.
+
+When merging maps, for each key in the source, if the target does not define
+that key, the source value is assigned. If both define the key, then the key
+values are merged using this algorithm (recursively) and the result is assigned
+to the target key. Slices are merged by appending them and removing any
+duplicates, and when passing a map to this function and including a
+"merge_same_named" key set to true, then map items from the slices with the same
+value for the "name" key will be merged with each other. Any other values are
+merged by simply keeping the source, and throwing away the target.
+*/}}
+
+{{- define "helm-toolkit.utils.merge" -}}
+  {{- $local := dict -}}
+  {{- $_ := set $local "merge_same_named" false -}}
+  {{- if kindIs "map" $ -}}
+    {{- $_ := set $local "values" $.values -}}
+    {{- if hasKey $ "merge_same_named" -}}
+      {{- $_ := set $local "merge_same_named" $.merge_same_named -}}
+    {{- end -}}
+  {{- else -}}
+    {{- $_ := set $local "values" $ -}}
+  {{- end -}}
+
+  {{- $target := first $local.values -}}
+  {{- range $item := rest $local.values -}}
+    {{- $call := dict "target" $target "source" . "merge_same_named" $local.merge_same_named -}}
+    {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+    {{- $_ := set $local "result" $call.result -}}
+  {{- end -}}
+
+  {{- if kindIs "map" $ -}}
+    {{- $_ := set $ "result" $local.result -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge" -}}
+  {{- $local := dict -}}
+
+  {{- $_ := set $ "result" $.source -}}
+
+  {{/*
+  TODO: Should we `fail` when trying to merge a collection (map or slice) with
+  either a different kind of collection or a scalar?
+  */}}
+
+  {{- if and (kindIs "map" $.target) (kindIs "map" $.source) -}}
+    {{- range $key, $sourceValue := $.source -}}
+      {{- if not (hasKey $.target $key) -}}
+        {{- $_ := set $local "newTargetValue" $sourceValue -}}
+        {{- if kindIs "map" $sourceValue -}}
+          {{- $copy := dict -}}
+          {{- $call := dict "target" $copy "source" $sourceValue -}}
+          {{- $_ := include "helm-toolkit.utils._merge.shallow" $call -}}
+          {{- $_ := set $local "newTargetValue" $copy -}}
+        {{- end -}}
+      {{- else -}}
+        {{- $targetValue := index $.target $key -}}
+        {{- $call := dict "target" $targetValue "source" $sourceValue "merge_same_named" $.merge_same_named -}}
+        {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+        {{- $_ := set $local "newTargetValue" $call.result -}}
+      {{- end -}}
+      {{- $_ := set $.target $key $local.newTargetValue -}}
+    {{- end -}}
+    {{- $_ := set $ "result" $.target -}}
+  {{- else if and (kindIs "slice" $.target) (kindIs "slice" $.source) -}}
+    {{- $call := dict "target" $.target "source" $.source -}}
+    {{- $_ := include "helm-toolkit.utils._merge.append_slice" $call -}}
+    {{- if $.merge_same_named -}}
+      {{- $_ := set $local "result" list -}}
+      {{- $_ := set $local "named_items" dict -}}
+      {{- range $item := $call.result -}}
+      {{- $_ := set $local "has_name_key" false -}}
+        {{- if kindIs "map" $item -}}
+          {{- if hasKey $item "name" -}}
+            {{- $_ := set $local "has_name_key" true -}}
+          {{- end -}}
+        {{- end -}}
+
+        {{- if $local.has_name_key -}}
+          {{- if hasKey $local.named_items $item.name -}}
+            {{- $named_item := index $local.named_items $item.name -}}
+            {{- $call := dict "target" $named_item "source" $item "merge_same_named" $.merge_same_named -}}
+            {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+          {{- else -}}
+            {{- $copy := dict -}}
+            {{- $copy_call := dict "target" $copy "source" $item -}}
+            {{- $_ := include "helm-toolkit.utils._merge.shallow" $copy_call -}}
+            {{- $_ := set $local.named_items $item.name $copy -}}
+            {{- $_ := set $local "result" (append $local.result $copy) -}}
+          {{- end -}}
+        {{- else -}}
+          {{- $_ := set $local "result" (append $local.result $item) -}}
+        {{- end -}}
+      {{- end -}}
+    {{- else -}}
+      {{- $_ := set $local "result" $call.result -}}
+    {{- end -}}
+    {{- $_ := set $ "result" (uniq $local.result) -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.shallow" -}}
+  {{- range $key, $value := $.source -}}
+    {{- $_ := set $.target $key $value -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.append_slice" -}}
+  {{- $local := dict -}}
+  {{- $_ := set $local "result" $.target -}}
+  {{- range $value := $.source -}}
+    {{- $_ := set $local "result" (append $local.result $value) -}}
+  {{- end -}}
+  {{- $_ := set $ "result" $local.result -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/utils/_template.tpl b/charts/cinder/charts/helm-toolkit/templates/utils/_template.tpl
new file mode 100644
index 0000000..da56aa0
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/utils/_template.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.template" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{ include $wtf $context }}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/utils/_to_ini.tpl b/charts/cinder/charts/helm-toolkit/templates/utils/_to_ini.tpl
new file mode 100644
index 0000000..a159364
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/utils/_to_ini.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns INI formatted output from yaml input
+values: |
+  conf:
+    paste:
+      filter:debug:
+        use: egg:oslo.middleware#debug
+      filter:request_id:
+        use: egg:oslo.middleware#request_id
+      filter:build_auth_context:
+        use: egg:keystone#build_auth_context
+usage: |
+  {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste }}
+return: |
+  [filter:build_auth_context]
+  use = egg:keystone#build_auth_context
+  [filter:debug]
+  use = egg:oslo.middleware#debug
+  [filter:request_id]
+  use = egg:oslo.middleware#request_id
+*/}}
+
+{{- define "helm-toolkit.utils.to_ini" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{else -}}
+{{ $key }} = {{ $value }}
+{{end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl b/charts/cinder/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
new file mode 100644
index 0000000..885a86c
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns yaml formatted to be used in k8s templates as container
+  env vars injected via secrets. This requires a secret-<chartname> template to
+  be defined in the chart that can be used to house the desired secret
+  variables. For reference, see the fluentd chart.
+values: |
+  test:
+    secrets:
+      foo: bar
+
+usage: |
+  {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+  - name: foo
+    valueFrom:
+      secretKeyRef:
+        name: "my-release-name-env-secret"
+        key: foo
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_secret_vars" -}}
+{{- $context := index . 0 -}}
+{{- $secrets := index . 1 -}}
+{{ range $key, $config := $secrets -}}
+- name: {{ $key }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ printf "%s-%s" $context.Release.Name "env-secret" | quote }}
+      key: {{ $key }}
+{{ end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl b/charts/cinder/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
new file mode 100644
index 0000000..829dca6
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
@@ -0,0 +1,39 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns key value pair formatted to be used in k8s templates as container
+  env vars.
+values: |
+  test:
+    foo: bar
+usage: |
+  {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+  - name: foo
+    value: "bar"
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_vars" -}}
+{{range $key, $value := . -}}
+{{- if kindIs "slice" $value -}}
+- name: {{ $key }}
+  value: {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{else -}}
+- name: {{ $key }}
+  value: {{ $value | quote }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/utils/_to_kv_list.tpl b/charts/cinder/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
new file mode 100644
index 0000000..91bdeb6
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
@@ -0,0 +1,42 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns key value pair in INI format (key = value)
+values: |
+  conf:
+    libvirt:
+      log_level: 3
+usage: |
+  {{ include "helm-toolkit.utils.to_kv_list" .Values.conf.libvirt }}
+return: |
+  log_level = 3
+*/}}
+
+{{- define "helm-toolkit.utils.to_kv_list" -}}
+{{- range $key, $value :=  . -}}
+{{- if kindIs "slice" $value }}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{- else if kindIs "string" $value }}
+{{- if regexMatch "^[0-9]+$" $value }}
+{{ $key }} = {{ $value }}
+{{- else }}
+{{ $key }} = {{ $value | quote }}
+{{- end }}
+{{- else }}
+{{ $key }} = {{ $value }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl b/charts/cinder/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
new file mode 100644
index 0000000..622a862
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns OSLO.conf formatted output from yaml input
+values: |
+  conf:
+    keystone:
+      DEFAULT: # Keys at this level are used for section headings
+        max_token_size: 255
+      oslo_messaging_notifications:
+        driver: # An example of a multistring option's syntax
+          type: multistring
+          values:
+            - messagingv2
+            - log
+      oslo_messaging_notifications_stein:
+        driver: # An example of a csv option's syntax
+          type: csv
+          values:
+            - messagingv2
+            - log
+      security_compliance:
+        password_expires_ignore_user_ids:
+        # Values in a list will be converted to a comma separated key
+          - "123"
+          - "456"
+usage: |
+  {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.keystone }}
+return: |
+  [DEFAULT]
+  max_token_size = 255
+  [oslo_messaging_notifications]
+  driver = messagingv2
+  driver = log
+  [oslo_messaging_notifications_stein]
+  driver = messagingv2,log
+  [security_compliance]
+  password_expires_ignore_user_ids = 123,456
+*/}}
+
+{{- define "helm-toolkit.utils.to_oslo_conf" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{ range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{ else if kindIs "map" $value -}}
+{{- if eq $value.type "multistring" }}
+{{- range $k, $multistringValue := $value.values -}}
+{{ $key }} = {{ $multistringValue }}
+{{ end -}}
+{{ else if eq $value.type "csv" -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value.values }}
+{{ end -}}
+{{- else -}}
+{{ $key }} = {{ $value }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/values.yaml b/charts/cinder/charts/helm-toolkit/values.yaml
new file mode 100644
index 0000000..681a92b
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/values.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for utils.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
diff --git a/charts/cinder/requirements.lock b/charts/cinder/requirements.lock
new file mode 100644
index 0000000..a35c5a5
--- /dev/null
+++ b/charts/cinder/requirements.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: helm-toolkit
+  repository: file://../../openstack-helm-infra/helm-toolkit
+  version: 0.2.46
+digest: sha256:4baae4035ac4ec09ff414ac48d8f1e3f030d1ce1629727cb1ff24d44ffa000f1
+generated: "2022-08-17T17:14:30.083437397Z"
diff --git a/charts/cinder/requirements.yaml b/charts/cinder/requirements.yaml
new file mode 100644
index 0000000..4124d01
--- /dev/null
+++ b/charts/cinder/requirements.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+  - name: helm-toolkit
+    repository: file://../../openstack-helm-infra/helm-toolkit
+    version: ">= 0.1.0"
diff --git a/charts/cinder/templates/bin/_backup-storage-init.sh.tpl b/charts/cinder/templates/bin/_backup-storage-init.sh.tpl
new file mode 100644
index 0000000..cd2389c
--- /dev/null
+++ b/charts/cinder/templates/bin/_backup-storage-init.sh.tpl
@@ -0,0 +1,72 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -x
+if [[ $STORAGE_BACKEND =~ 'cinder.backup.drivers.ceph' ]]; then
+  SECRET=$(mktemp --suffix .yaml)
+  KEYRING=$(mktemp --suffix .keyring)
+  function cleanup {
+      rm -f ${SECRET} ${KEYRING}
+  }
+  trap cleanup EXIT
+fi
+
+set -ex
+if [[ $STORAGE_BACKEND =~ 'cinder.backup.drivers.swift' ]] || \
+     [[ $STORAGE_BACKEND =~ 'cinder.backup.drivers.posix' ]]; then
+  echo "INFO: no action required to use $STORAGE_BACKEND"
+elif [[ $STORAGE_BACKEND =~ 'cinder.backup.drivers.ceph' ]]; then
+  ceph -s
+  function ensure_pool () {
+    ceph osd pool stats $1 || ceph osd pool create $1 $2
+    if [[ $(ceph mgr versions | awk '/version/{print $3}' | cut -d. -f1) -ge 12 ]]; then
+        ceph osd pool application enable $1 $3
+    fi
+    size_protection=$(ceph osd pool get $1 nosizechange | cut -f2 -d: | tr -d '[:space:]')
+    ceph osd pool set $1 nosizechange 0
+    ceph osd pool set $1 size ${RBD_POOL_REPLICATION}
+    ceph osd pool set $1 nosizechange ${size_protection}
+    ceph osd pool set $1 crush_rule "${RBD_POOL_CRUSH_RULE}"
+  }
+  ensure_pool ${RBD_POOL_NAME} ${RBD_POOL_CHUNK_SIZE} ${RBD_POOL_APP_NAME}
+
+  if USERINFO=$(ceph auth get client.${RBD_POOL_USER}); then
+    echo "Cephx user client.${RBD_POOL_USER} already exists"
+    echo "Update its cephx caps"
+    ceph auth caps client.${RBD_POOL_USER} \
+      mon "profile rbd" \
+      osd "profile rbd pool=${RBD_POOL_NAME}"
+    ceph auth get client.${RBD_POOL_USER} -o ${KEYRING}
+  else
+    ceph auth get-or-create client.${RBD_POOL_USER} \
+      mon "profile rbd" \
+      osd "profile rbd pool=${RBD_POOL_NAME}" \
+      -o ${KEYRING}
+  fi
+
+  ENCODED_KEYRING=$(sed -n 's/^[[:blank:]]*key[[:blank:]]\+=[[:blank:]]\(.*\)/\1/p' ${KEYRING} | base64 -w0)
+  cat > ${SECRET} <<EOF
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "${RBD_POOL_SECRET}"
+type: kubernetes.io/rbd
+data:
+  key: $( echo ${ENCODED_KEYRING} )
+EOF
+  kubectl apply --namespace ${NAMESPACE} -f ${SECRET}
+
+fi
diff --git a/charts/cinder/templates/bin/_bootstrap.sh.tpl b/charts/cinder/templates/bin/_bootstrap.sh.tpl
new file mode 100644
index 0000000..49d99c5
--- /dev/null
+++ b/charts/cinder/templates/bin/_bootstrap.sh.tpl
@@ -0,0 +1,118 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+export HOME=/tmp
+
+{{- if .Values.bootstrap.enabled | default "echo 'Not Enabled'" }}
+
+  {{- /* Create volume types defined in Values.bootstrap */}}
+  {{- /* Types can only be created for backends defined in Values.conf */}}
+  {{- $volumeTypes := .Values.bootstrap.volume_types }}
+  {{- /* Generating list of backends listed in .Values.conf.backends */}}
+  {{- $backendsList := list}}
+  {{- range $backend_name, $backend_properties := .Values.conf.backends }}
+    {{- if and $backend_properties $backend_properties.volume_backend_name }}
+    {{- $backendsList = append $backendsList $backend_properties.volume_backend_name }}
+    {{- end }}
+  {{- end }}
+
+  {{- range $name, $properties := $volumeTypes }}
+    {{- if and $properties.volume_backend_name (has $properties.volume_backend_name $backendsList) }}
+      {{- $access_type := $properties.access_type | default "public"}}
+      # Create a volume type if it doesn't exist.
+      # Assumption: the volume type name is unique.
+      openstack volume type show {{ $name }} || \
+      openstack volume type create \
+        --{{ $access_type }} \
+      {{ $name }}
+      {{/*
+        We will try to set or update volume type properties.
+        To update properties, the volume type MUST NOT BE IN USE,
+        and projects and domains with access to the volume type
+        MUST EXIST, as well.
+      */}}
+      is_in_use=$(openstack volume list --long --all-projects -c Type -f value | grep -E "^{{ $name }}\s*$" || true)
+      if [[ -z ${is_in_use} ]]; then
+        {{- if (eq $access_type "private") }}
+        volumeTypeID=$(openstack volume type show {{ $name }} -f value -c id)
+        cinder type-update --is-public false ${volumeTypeID}
+        {{- end }}
+
+        {{- if and $properties.grant_access (eq $access_type "private") }}
+        {{- range $domain, $domainProjects := $properties.grant_access }}
+        {{- range $project := $domainProjects }}
+        project_id=$(openstack project show --domain {{ $domain }} -c id -f value {{ $project }})
+        if [[ -z  $(openstack volume type show {{ $name }} -c access_project_ids -f value | grep ${project_id} || true) ]]; then
+          openstack volume type set --project-domain {{ $domain }} --project {{ $project }} {{ $name }}
+        fi
+        {{- end }}
+        {{- end }}
+        {{- end }}
+
+        {{- range $key, $value := $properties }}
+        {{- if and (ne $key "access_type") (ne $key "grant_access") $value }}
+        openstack volume type set --property {{ $key }}={{ $value }} {{ $name }}
+        {{- end }}
+        {{- end }}
+      fi
+    {{- end }}
+  {{- end }}
+
+  {{- /* Create volumes defined in Values.conf.backends */}}
+  {{- if .Values.bootstrap.bootstrap_conf_backends }}
+    {{- range $name, $properties := .Values.conf.backends }}
+      {{- if $properties }}
+        openstack volume type show {{ $name }} || \
+        openstack volume type create \
+        --public \
+        --property volume_backend_name={{ $properties.volume_backend_name }} \
+        {{ $name }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+
+  {{- /* Create and associate volume QoS if defined */}}
+  {{- if .Values.bootstrap.volume_qos}}
+    {{- range $qos_name, $qos_properties := .Values.bootstrap.volume_qos }}
+      type_defined=true
+      {{- /* If the volume type to associate with is not defined, skip the qos */}}
+      {{- range $qos_properties.associates }}
+        if ! openstack volume type show {{ . }}; then
+          type_defined=false
+        fi
+      {{- end }}
+      if [[ ${type_defined} ]]; then
+        openstack volume qos show {{ $qos_name }} || \
+          openstack volume qos create \
+          --consumer {{ $qos_properties.consumer }} \
+          {{- range $key, $value := $qos_properties.properties }}
+            --property {{ $key }}={{ $value }} \
+          {{- end }}
+          {{ $qos_name }}
+          {{- range $qos_properties.associates }}
+            openstack volume qos associate {{ $qos_name }} {{ . }}
+          {{- end }}
+      fi
+    {{- end }}
+  {{- end }}
+
+{{- /* Check volume type and properties were added */}}
+openstack volume type list --long
+openstack volume qos list
+{{- end }}
+
+exit 0
diff --git a/charts/cinder/templates/bin/_ceph-admin-keyring.sh.tpl b/charts/cinder/templates/bin/_ceph-admin-keyring.sh.tpl
new file mode 100644
index 0000000..f19bf03
--- /dev/null
+++ b/charts/cinder/templates/bin/_ceph-admin-keyring.sh.tpl
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+export HOME=/tmp
+
+cat <<EOF > /etc/ceph/ceph.client.admin.keyring
+[client.admin]
+{{- if .Values.conf.ceph.admin_keyring }}
+    key = {{ .Values.conf.ceph.admin_keyring }}
+{{- else }}
+    key = $(cat /tmp/client-keyring)
+{{- end }}
+EOF
+
+exit 0
diff --git a/charts/cinder/templates/bin/_ceph-keyring.sh.tpl b/charts/cinder/templates/bin/_ceph-keyring.sh.tpl
new file mode 100644
index 0000000..521a748
--- /dev/null
+++ b/charts/cinder/templates/bin/_ceph-keyring.sh.tpl
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+export HOME=/tmp
+
+cat <<EOF > /etc/ceph/ceph.client.${RBD_USER}.keyring
+[client.${RBD_USER}]
+    key = $(cat /tmp/client-keyring)
+EOF
+
+{{- if and .Values.ceph_client.enable_external_ceph_backend .Values.ceph_client.external_ceph.rbd_user }}
+cat <<EOF > /etc/ceph/ceph.client.${EXTERNAL_RBD_USER}.keyring
+[client.${EXTERNAL_RBD_USER}]
+    key = $(cat /tmp/external-ceph-client-keyring)
+EOF
+{{- end }}
+
+exit 0
diff --git a/charts/cinder/templates/bin/_cinder-api.sh.tpl b/charts/cinder/templates/bin/_cinder-api.sh.tpl
new file mode 100644
index 0000000..3b64745
--- /dev/null
+++ b/charts/cinder/templates/bin/_cinder-api.sh.tpl
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+{{- if .Values.manifests.certificates }}
+  for WSGI_SCRIPT in cinder-wsgi; do
+    cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/cinder/
+  done
+
+  if [ -f /etc/apache2/envvars ]; then
+    # Loading Apache2 ENV variables
+    source /etc/apache2/envvars
+    mkdir -p ${APACHE_RUN_DIR}
+  fi
+
+{{- if .Values.conf.software.apache2.a2enmod }}
+  {{- range .Values.conf.software.apache2.a2enmod }}
+  a2enmod {{ . }}
+  {{- end }}
+{{- end }}
+
+{{- if .Values.conf.software.apache2.a2dismod }}
+  {{- range .Values.conf.software.apache2.a2dismod }}
+  a2dismod {{ . }}
+  {{- end }}
+{{- end }}
+
+  if [ -f /var/run/apache2/apache2.pid ]; then
+    # Remove the stale pid for debian/ubuntu images
+    rm -f /var/run/apache2/apache2.pid
+  fi
+  # Starts Apache2
+  exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
+{{- else }}
+  exec cinder-api \
+        --config-file /etc/cinder/cinder.conf
+{{- end }}
+}
+
+function stop () {
+{{- if .Values.manifests.certificates }}
+  if [ -f /etc/apache2/envvars ]; then
+    # Loading Apache2 ENV variables
+    source /etc/apache2/envvars
+    mkdir -p ${APACHE_RUN_DIR}
+  fi
+  {{ .Values.conf.software.apache2.binary }} -k graceful-stop
+{{- else }}
+  kill -TERM 1
+{{- end }}
+}
+
+$COMMAND
diff --git a/charts/cinder/templates/bin/_cinder-backup.sh.tpl b/charts/cinder/templates/bin/_cinder-backup.sh.tpl
new file mode 100644
index 0000000..77795e2
--- /dev/null
+++ b/charts/cinder/templates/bin/_cinder-backup.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+exec cinder-backup \
+     --config-file /etc/cinder/cinder.conf
diff --git a/charts/cinder/templates/bin/_cinder-scheduler.sh.tpl b/charts/cinder/templates/bin/_cinder-scheduler.sh.tpl
new file mode 100644
index 0000000..cf06388
--- /dev/null
+++ b/charts/cinder/templates/bin/_cinder-scheduler.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+exec cinder-scheduler \
+      --config-file /etc/cinder/cinder.conf
diff --git a/charts/cinder/templates/bin/_cinder-volume.sh.tpl b/charts/cinder/templates/bin/_cinder-volume.sh.tpl
new file mode 100644
index 0000000..68186f3
--- /dev/null
+++ b/charts/cinder/templates/bin/_cinder-volume.sh.tpl
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+exec cinder-volume \
+     --config-file /etc/cinder/cinder.conf \
+     --config-file /etc/cinder/conf/backends.conf \
+     --config-file /tmp/pod-shared/internal_tenant.conf
diff --git a/charts/cinder/templates/bin/_clean-secrets.sh.tpl b/charts/cinder/templates/bin/_clean-secrets.sh.tpl
new file mode 100644
index 0000000..31b7177
--- /dev/null
+++ b/charts/cinder/templates/bin/_clean-secrets.sh.tpl
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+exec kubectl delete secret \
+  --namespace ${NAMESPACE} \
+  --ignore-not-found=true \
+  ${RBD_POOL_SECRET}
diff --git a/charts/cinder/templates/bin/_create-internal-tenant-id.sh.tpl b/charts/cinder/templates/bin/_create-internal-tenant-id.sh.tpl
new file mode 100644
index 0000000..dc64158
--- /dev/null
+++ b/charts/cinder/templates/bin/_create-internal-tenant-id.sh.tpl
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+
+USER_PROJECT_ID=$(openstack project create --or-show --enable -f value -c id \
+    --domain="${PROJECT_DOMAIN_ID}" \
+    "${INTERNAL_PROJECT_NAME}");
+
+USER_ID=$(openstack user create --or-show --enable -f value -c id \
+    --domain="${USER_DOMAIN_ID}" \
+    --project-domain="${PROJECT_DOMAIN_ID}" \
+    --project="${USER_PROJECT_ID}" \
+    "${INTERNAL_USER_NAME}");
+
diff --git a/charts/cinder/templates/bin/_db-sync.sh.tpl b/charts/cinder/templates/bin/_db-sync.sh.tpl
new file mode 100644
index 0000000..d874c0b
--- /dev/null
+++ b/charts/cinder/templates/bin/_db-sync.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+exec cinder-manage db sync
diff --git a/charts/cinder/templates/bin/_external-ceph-rbd-admin-keyring.sh.tpl b/charts/cinder/templates/bin/_external-ceph-rbd-admin-keyring.sh.tpl
new file mode 100644
index 0000000..36d1b49
--- /dev/null
+++ b/charts/cinder/templates/bin/_external-ceph-rbd-admin-keyring.sh.tpl
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+{{- if .Values.backup.external_ceph_rbd.admin_keyring }}
+cat <<EOF > /etc/ceph/ceph.client.admin.keyring
+[client.admin]
+    key = {{ .Values.backup.external_ceph_rbd.admin_keyring }}
+EOF
+{{- else }}
+echo "ERROR: You must define the ceph admin keyring in values.yaml to use external_ceph_rbd."
+exit 1
+{{- end }}
+
+exit 0
diff --git a/charts/cinder/templates/bin/_iscsiadm.tpl b/charts/cinder/templates/bin/_iscsiadm.tpl
new file mode 100644
index 0000000..f27d757
--- /dev/null
+++ b/charts/cinder/templates/bin/_iscsiadm.tpl
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+{{/*
+Copyright 2020 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+chroot /mnt/host-rootfs /usr/bin/env -i PATH="/sbin:/bin:/usr/bin" \
+       iscsiadm "${@:1}"
diff --git a/charts/cinder/templates/bin/_multipath.tpl b/charts/cinder/templates/bin/_multipath.tpl
new file mode 100644
index 0000000..7f84c9c
--- /dev/null
+++ b/charts/cinder/templates/bin/_multipath.tpl
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+chroot /mnt/host-rootfs /usr/bin/env -i PATH="/sbin:/bin:/usr/bin" \
+      multipath "${@:1}"
diff --git a/charts/cinder/templates/bin/_multipathd.tpl b/charts/cinder/templates/bin/_multipathd.tpl
new file mode 100644
index 0000000..a9ff34a
--- /dev/null
+++ b/charts/cinder/templates/bin/_multipathd.tpl
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+chroot /mnt/host-rootfs /usr/bin/env -i PATH="/sbin:/bin:/usr/bin" \
+      multipathd "${@:1}"
diff --git a/charts/cinder/templates/bin/_retrieve-internal-tenant-id.sh.tpl b/charts/cinder/templates/bin/_retrieve-internal-tenant-id.sh.tpl
new file mode 100644
index 0000000..d770e8c
--- /dev/null
+++ b/charts/cinder/templates/bin/_retrieve-internal-tenant-id.sh.tpl
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+
+USER_PROJECT_ID=$(openstack project show -f value -c id \
+    "${INTERNAL_PROJECT_NAME}");
+
+USER_ID=$(openstack user show -f value -c id \
+    "${INTERNAL_USER_NAME}");
+
+tee /tmp/pod-shared/internal_tenant.conf <<EOF
+[DEFAULT]
+cinder_internal_tenant_project_id = ${USER_PROJECT_ID}
+cinder_internal_tenant_user_id = ${USER_ID}
+EOF
diff --git a/charts/cinder/templates/bin/_storage-init.sh.tpl b/charts/cinder/templates/bin/_storage-init.sh.tpl
new file mode 100644
index 0000000..a43115e
--- /dev/null
+++ b/charts/cinder/templates/bin/_storage-init.sh.tpl
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -x
+if [ "x$STORAGE_BACKEND" == "xcinder.volume.drivers.rbd.RBDDriver" ]; then
+  SECRET=$(mktemp --suffix .yaml)
+  KEYRING=$(mktemp --suffix .keyring)
+  function cleanup {
+      rm -f ${SECRET} ${KEYRING}
+  }
+  trap cleanup EXIT
+fi
+
+set -ex
+if [ "x$STORAGE_BACKEND" == "xcinder.volume.drivers.rbd.RBDDriver" ]; then
+  ceph -s
+  function ensure_pool () {
+    ceph osd pool stats $1 || ceph osd pool create $1 $2
+    if [[ $(ceph mgr versions | awk '/version/{print $3}' | cut -d. -f1) -ge 12 ]]; then
+        ceph osd pool application enable $1 $3
+    fi
+    size_protection=$(ceph osd pool get $1 nosizechange | cut -f2 -d: | tr -d '[:space:]')
+    ceph osd pool set $1 nosizechange 0
+    ceph osd pool set $1 size ${RBD_POOL_REPLICATION}
+    ceph osd pool set $1 nosizechange ${size_protection}
+    ceph osd pool set $1 crush_rule "${RBD_POOL_CRUSH_RULE}"
+  }
+  ensure_pool ${RBD_POOL_NAME} ${RBD_POOL_CHUNK_SIZE} ${RBD_POOL_APP_NAME}
+
+  if USERINFO=$(ceph auth get client.${RBD_POOL_USER}); then
+    echo "Cephx user client.${RBD_POOL_USER} already exist."
+    echo "Update its cephx caps"
+    ceph auth caps client.${RBD_POOL_USER} \
+      mon "profile rbd" \
+      osd "profile rbd"
+    ceph auth get client.${RBD_POOL_USER} -o ${KEYRING}
+  else
+    #NOTE(JCL): Restrict Cinder permissions to what is needed. MON Read only and RBD access to Cinder pool only.
+    ceph auth get-or-create client.${RBD_POOL_USER} \
+      mon "profile rbd" \
+      osd "profile rbd" \
+      -o ${KEYRING}
+  fi
+
+  ENCODED_KEYRING=$(sed -n 's/^[[:blank:]]*key[[:blank:]]\+=[[:blank:]]\(.*\)/\1/p' ${KEYRING} | base64 -w0)
+  cat > ${SECRET} <<EOF
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "${RBD_POOL_SECRET}"
+type: kubernetes.io/rbd
+data:
+  key: $( echo ${ENCODED_KEYRING} )
+EOF
+  kubectl apply --namespace ${NAMESPACE} -f ${SECRET}
+
+fi
diff --git a/charts/cinder/templates/bin/_volume-usage-audit.sh.tpl b/charts/cinder/templates/bin/_volume-usage-audit.sh.tpl
new file mode 100644
index 0000000..4cdf7ac
--- /dev/null
+++ b/charts/cinder/templates/bin/_volume-usage-audit.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+exec cinder-volume-usage-audit --send_actions
diff --git a/charts/cinder/templates/certificates.yaml b/charts/cinder/templates/certificates.yaml
new file mode 100644
index 0000000..7ccf6ca
--- /dev/null
+++ b/charts/cinder/templates/certificates.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.certificates -}}
+{{  dict "envAll" . "service" "volumev3" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
+{{- end -}}
diff --git a/charts/cinder/templates/configmap-bin.yaml b/charts/cinder/templates/configmap-bin.yaml
new file mode 100644
index 0000000..4070085
--- /dev/null
+++ b/charts/cinder/templates/configmap-bin.yaml
@@ -0,0 +1,84 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+{{- $rallyTests := .Values.conf.rally_tests }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cinder-bin
+data:
+{{- if .Values.conf.enable_iscsi }}
+  iscsiadm: |
+{{ tuple "bin/_iscsiadm.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  multipath: |
+{{ tuple "bin/_multipath.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  multipathd: |
+{{ tuple "bin/_multipathd.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if .Values.images.local_registry.active }}
+  image-repo-sync.sh: |
+{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
+{{- end }}
+  rally-test.sh: |
+{{ tuple $rallyTests | include "helm-toolkit.scripts.rally_test" | indent 4 }}
+  db-init.py: |
+{{- include "helm-toolkit.scripts.db_init" . | indent 4 }}
+  db-sync.sh: |
+{{ tuple "bin/_db-sync.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  db-drop.py: |
+{{- include "helm-toolkit.scripts.db_drop" . | indent 4 }}
+  ks-service.sh: |
+{{- include "helm-toolkit.scripts.keystone_service" . | indent 4 }}
+  ks-endpoints.sh: |
+{{- include "helm-toolkit.scripts.keystone_endpoints" . | indent 4 }}
+  ks-user.sh: |
+{{- include "helm-toolkit.scripts.keystone_user" . | indent 4 }}
+  create-internal-tenant.sh: |
+{{ tuple "bin/_create-internal-tenant-id.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  retrieve-internal-tenant.sh: |
+{{ tuple "bin/_retrieve-internal-tenant-id.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  cinder-api.sh: |
+{{ tuple "bin/_cinder-api.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  cinder-backup.sh: |
+{{ tuple "bin/_cinder-backup.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  cinder-scheduler.sh: |
+{{ tuple "bin/_cinder-scheduler.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  cinder-volume.sh: |
+{{ tuple "bin/_cinder-volume.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  ceph-keyring.sh: |
+{{ tuple "bin/_ceph-keyring.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  ceph-admin-keyring.sh: |
+{{ tuple "bin/_ceph-admin-keyring.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  volume-usage-audit.sh: |
+{{ tuple "bin/_volume-usage-audit.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  backup-storage-init.sh: |
+{{ tuple "bin/_backup-storage-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  storage-init.sh: |
+{{ tuple "bin/_storage-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  clean-secrets.sh: |
+{{ tuple "bin/_clean-secrets.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- if .Values.bootstrap.enabled }}
+  bootstrap.sh: |
+{{ tuple "bin/_bootstrap.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+  rabbit-init.sh: |
+{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }}
+{{- end }}
+{{- if .Values.backup.external_ceph_rbd.enabled }}
+  external-ceph-rbd-admin-keyring.sh: |
+{{ tuple "bin/_external-ceph-rbd-admin-keyring.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
diff --git a/charts/cinder/templates/configmap-etc.yaml b/charts/cinder/templates/configmap-etc.yaml
new file mode 100644
index 0000000..a2ad5f2
--- /dev/null
+++ b/charts/cinder/templates/configmap-etc.yaml
@@ -0,0 +1,167 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_etc }}
+{{- $envAll := . }}
+
+{{- if empty .Values.conf.cinder.keystone_authtoken.auth_uri -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.cinder.keystone_authtoken "auth_uri" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.cinder.keystone_authtoken.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.cinder.keystone_authtoken "auth_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.cinder.keystone_authtoken.region_name -}}
+{{- $_ := set .Values.conf.cinder.keystone_authtoken "region_name" .Values.endpoints.identity.auth.cinder.region_name -}}
+{{- end -}}
+{{- if empty .Values.conf.cinder.keystone_authtoken.project_name -}}
+{{- $_ := set .Values.conf.cinder.keystone_authtoken "project_name" .Values.endpoints.identity.auth.cinder.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.cinder.keystone_authtoken.project_domain_name -}}
+{{- $_ := set .Values.conf.cinder.keystone_authtoken "project_domain_name" .Values.endpoints.identity.auth.cinder.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.cinder.keystone_authtoken.user_domain_name -}}
+{{- $_ := set .Values.conf.cinder.keystone_authtoken "user_domain_name" .Values.endpoints.identity.auth.cinder.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.cinder.keystone_authtoken.username -}}
+{{- $_ := set .Values.conf.cinder.keystone_authtoken "username" .Values.endpoints.identity.auth.cinder.username -}}
+{{- end -}}
+{{- if empty .Values.conf.cinder.keystone_authtoken.password -}}
+{{- $_ := set .Values.conf.cinder.keystone_authtoken "password" .Values.endpoints.identity.auth.cinder.password -}}
+{{- end -}}
+
+{{- if empty .Values.conf.cinder.keystone_authtoken.memcached_servers -}}
+{{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.cinder.keystone_authtoken "memcached_servers" -}}
+{{- end -}}
+{{- if empty .Values.conf.cinder.keystone_authtoken.memcache_secret_key -}}
+{{- $_ := set .Values.conf.cinder.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
+{{- end -}}
+
+{{- if empty .Values.conf.cinder.database.connection -}}
+{{- $connection := tuple "oslo_db" "internal" "cinder" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.cinder.database "connection" -}}
+{{- else -}}
+{{- $_ := set .Values.conf.cinder.database "connection" $connection -}}
+{{- end -}}
+{{- end -}}
+
+{{- if empty .Values.conf.cinder.DEFAULT.transport_url -}}
+{{- $_ := tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" | set .Values.conf.cinder.DEFAULT "transport_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.cinder.DEFAULT.glance_api_servers -}}
+{{- $_ := tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.cinder.DEFAULT "glance_api_servers" -}}
+{{- end -}}
+
+{{- if (contains "cinder.backup.drivers.swift" .Values.conf.cinder.DEFAULT.backup_driver) }}
+{{- if empty .Values.conf.cinder.DEFAULT.backup_swift_auth_version -}}
+{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_auth_version" "3" -}}
+{{- end -}}
+{{- if empty .Values.conf.cinder.DEFAULT.backup_swift_auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.cinder.DEFAULT "backup_swift_auth_url" -}}
+{{- end -}}
+{{- if empty .Values.conf.cinder.DEFAULT.backup_swift_user_domain -}}
+{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_user_domain" .Values.endpoints.identity.auth.cinder.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.cinder.DEFAULT.backup_swift_user -}}
+{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_user" .Values.endpoints.identity.auth.cinder.username -}}
+{{- end -}}
+{{- if empty .Values.conf.cinder.DEFAULT.backup_swift_key -}}
+{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_key" .Values.endpoints.identity.auth.cinder.password -}}
+{{- end -}}
+{{- if empty .Values.conf.cinder.DEFAULT.backup_swift_project_domain -}}
+{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_project_domain" .Values.endpoints.identity.auth.cinder.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.cinder.DEFAULT.backup_swift_project -}}
+{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_project" .Values.endpoints.identity.auth.cinder.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.cinder.DEFAULT.swift_catalog_info -}}
+{{- $_ := set .Values.conf.cinder.DEFAULT "swift_catalog_info" "object-store:swift:internalURL" -}}
+{{- end -}}
+{{- end -}}
+
+{{- if empty .Values.conf.cinder.DEFAULT.osapi_volume_listen_port -}}
+{{- $_ := tuple "volumev3" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.cinder.DEFAULT "osapi_volume_listen_port" -}}
+{{- end -}}
+
+{{- if .Values.conf.cinder.service_user.send_service_user_token -}}
+{{- if empty .Values.conf.cinder.service_user.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.cinder.service_user "auth_url" -}}
+{{- end -}}
+{{- if empty .Values.conf.cinder.service_user.region_name -}}
+{{- $_ := set .Values.conf.cinder.service_user "region_name" .Values.endpoints.identity.auth.cinder.region_name -}}
+{{- end -}}
+{{- if empty .Values.conf.cinder.service_user.project_name -}}
+{{- $_ := set .Values.conf.cinder.service_user "project_name" .Values.endpoints.identity.auth.cinder.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.cinder.service_user.project_domain_name -}}
+{{- $_ := set .Values.conf.cinder.service_user "project_domain_name" .Values.endpoints.identity.auth.cinder.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.cinder.service_user.user_domain_name -}}
+{{- $_ := set .Values.conf.cinder.service_user "user_domain_name" .Values.endpoints.identity.auth.cinder.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.cinder.service_user.username -}}
+{{- $_ := set .Values.conf.cinder.service_user "username" .Values.endpoints.identity.auth.cinder.username -}}
+{{- end -}}
+{{- if empty .Values.conf.cinder.service_user.password -}}
+{{- $_ := set .Values.conf.cinder.service_user "password" .Values.endpoints.identity.auth.cinder.password -}}
+{{- end -}}
+{{- end -}}
+
+{{- if and (empty .Values.conf.logging.handler_fluent) (has "fluent" .Values.conf.logging.handlers.keys) -}}
+{{- $fluentd_host := tuple "fluentd" "internal" $envAll | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $fluentd_port := tuple "fluentd" "internal" "service" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .Release.Name $fluentd_host $fluentd_port }}
+{{- $handler_fluent := dict "class" "fluent.handler.FluentHandler" "formatter" "fluent" "args" $fluent_args -}}
+{{- $_ := set .Values.conf.logging "handler_fluent" $handler_fluent -}}
+{{- end -}}
+
+{{- if and (empty .Values.conf.logging.formatter_fluent) (has "fluent" .Values.conf.logging.formatters.keys) -}}
+{{- $formatter_fluent := dict "class" "oslo_log.formatters.FluentFormatter" -}}
+{{- $_ := set .Values.conf.logging "formatter_fluent" $formatter_fluent -}}
+{{- end -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cinder-etc
+type: Opaque
+data:
+  rally_tests.yaml: {{ toYaml .Values.conf.rally_tests.tests | b64enc }}
+  cinder.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.cinder | b64enc }}
+  logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
+  backends.conf: {{ include "helm-toolkit.utils.to_ini" .Values.conf.backends | b64enc }}
+  api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
+  policy.yaml: {{ toYaml .Values.conf.policy | b64enc }}
+{{- if .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.mpm_event "key" "mpm_event.conf" "format" "Secret" ) | indent 2 }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_cinder "key" "wsgi-cinder.conf" "format" "Secret" ) | indent 2 }}
+{{- end }}
+  api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
+  cinder_sudoers: {{ $envAll.Values.conf.cinder_sudoers | b64enc }}
+  rootwrap.conf: {{ $envAll.Values.conf.rootwrap | b64enc }}
+  resource_filters.json: {{ toJson .Values.conf.resource_filters | b64enc }}
+{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+{{- $filePrefix := replace "_" "-"  $key }}
+  {{ printf "%s.filters" $filePrefix }}: {{ $value.content | b64enc }}
+{{- end }}
+{{- if .Values.backup.external_ceph_rbd.enabled }}
+  external-backup-ceph.conf: {{ include "helm-toolkit.utils.to_ini" .Values.backup.external_ceph_rbd.conf | b64enc }}
+{{- end }}
+{{- if .Values.ceph_client.enable_external_ceph_backend }}
+  external-ceph.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.ceph_client.external_ceph.conf | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/cinder/templates/cron-job-cinder-volume-usage-audit.yaml b/charts/cinder/templates/cron-job-cinder-volume-usage-audit.yaml
new file mode 100644
index 0000000..c1c317c
--- /dev/null
+++ b/charts/cinder/templates/cron-job-cinder-volume-usage-audit.yaml
@@ -0,0 +1,107 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.cron_volume_usage_audit }}
+{{- $envAll := . }}
+
+{{- $mounts_cinder_volume_usage_audit := .Values.pod.mounts.cinder_volume_usage_audit.cinder_volume_usage_audit }}
+{{- $mounts_cinder_volume_usage_audit_init := .Values.pod.mounts.cinder_volume_usage_audit.init_container }}
+
+{{- $serviceAccountName := "cinder-volume-usage-audit" }}
+{{ tuple $envAll "volume_usage_audit" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: cinder-volume-usage-audit
+  labels:
+{{ tuple $envAll "cinder" "volume-usage-audit" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+  schedule: {{ .Values.jobs.volume_usage_audit.cron | quote }}
+  successfulJobsHistoryLimit: {{ .Values.jobs.volume_usage_audit.history.success }}
+  failedJobsHistoryLimit: {{ .Values.jobs.volume_usage_audit.history.failed }}
+  {{- if .Values.jobs.volume_usage_audit.starting_deadline }}
+  startingDeadlineSeconds: {{ .Values.jobs.volume_usage_audit.starting_deadline }}
+  {{- end }}
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    metadata:
+      labels:
+{{ tuple $envAll "cinder" "volume-usage-audit" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+    spec:
+      template:
+        metadata:
+          labels:
+{{ tuple $envAll "cinder" "volume-usage-audit" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 12 }}
+          annotations:
+{{ dict "envAll" $envAll "podName" $serviceAccountName "containerNames" (list "cinder-volume-usage-audit" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 12 }}
+        spec:
+{{ dict "envAll" $envAll "application" "volume_usage_audit" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 10 }}
+          serviceAccountName: {{ $serviceAccountName }}
+          restartPolicy: OnFailure
+{{ if $envAll.Values.pod.tolerations.cinder.enabled }}
+{{ tuple $envAll "cinder" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 10 }}
+{{ end }}
+          nodeSelector:
+            {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+          initContainers:
+{{ tuple $envAll "volume_usage_audit" $mounts_cinder_volume_usage_audit_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 12 }}
+          containers:
+            - name: cinder-volume-usage-audit
+{{ tuple $envAll "cinder_volume_usage_audit" | include "helm-toolkit.snippets.image" | indent 14 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.volume_usage_audit | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
+{{ dict "envAll" $envAll "application" "volume_usage_audit" "container" "cinder_volume_usage_audit" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 14 }}
+              command:
+                - /tmp/volume-usage-audit.sh
+              volumeMounts:
+                - name: pod-tmp
+                  mountPath: /tmp
+                - name: etccinder
+                  mountPath: /etc/cinder
+                - name: cinder-etc
+                  mountPath: /etc/cinder/cinder.conf
+                  subPath: cinder.conf
+                  readOnly: true
+                {{- if .Values.conf.cinder.DEFAULT.log_config_append }}
+                - name: cinder-etc
+                  mountPath: {{ .Values.conf.cinder.DEFAULT.log_config_append }}
+                  subPath: {{ base .Values.conf.cinder.DEFAULT.log_config_append }}
+                  readOnly: true
+                {{- end }}
+                - name: cinder-bin
+                  mountPath: /tmp/volume-usage-audit.sh
+                  subPath: volume-usage-audit.sh
+                  readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
+{{ if $mounts_cinder_volume_usage_audit.volumeMounts }}{{ toYaml $mounts_cinder_volume_usage_audit.volumeMounts | indent 16 }}{{ end }}
+          volumes:
+            - name: pod-tmp
+              emptyDir: {}
+            - name: etccinder
+              emptyDir: {}
+            - name: cinder-etc
+              secret:
+                secretName: cinder-etc
+                defaultMode: 0444
+            - name: cinder-bin
+              configMap:
+                name: cinder-bin
+                defaultMode: 0555
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
+{{ if $mounts_cinder_volume_usage_audit.volumes }}{{ toYaml $mounts_cinder_volume_usage_audit.volumes | indent 12 }}{{ end }}
+{{- end }}
diff --git a/charts/cinder/templates/deployment-api.yaml b/charts/cinder/templates/deployment-api.yaml
new file mode 100644
index 0000000..7925c60
--- /dev/null
+++ b/charts/cinder/templates/deployment-api.yaml
@@ -0,0 +1,185 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment_api }}
+{{- $envAll := . }}
+
+{{- $mounts_cinder_api := .Values.pod.mounts.cinder_api.cinder_api }}
+{{- $mounts_cinder_api_init := .Values.pod.mounts.cinder_api.init_container }}
+
+{{- $serviceAccountName := "cinder-api" }}
+{{ tuple $envAll "api" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cinder-api
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "cinder" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.api }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "cinder" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "cinder" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "cinder-api" "containerNames" (list "cinder-api" "ceph-coordination-volume-perms" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "cinder_api" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      affinity:
+{{ tuple $envAll "cinder" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+{{ if $envAll.Values.pod.tolerations.cinder.enabled }}
+{{ tuple $envAll "cinder" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+      nodeSelector:
+        {{ .Values.labels.api.node_selector_key }}: {{ .Values.labels.api.node_selector_value }}
+      terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.api.timeout | default "30" }}
+      initContainers:
+{{ tuple $envAll "api" $mounts_cinder_api_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        {{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }}
+        - name: ceph-coordination-volume-perms
+{{ tuple $envAll "cinder_api" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "cinder_api" "container" "ceph_coordination_volume_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - chown
+            - -R
+            - "cinder:"
+            - {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: cinder-coordination
+              mountPath: {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }}
+        {{ end }}
+      containers:
+        - name: cinder-api
+{{ tuple $envAll "cinder_api" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "cinder_api" "container" "cinder_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/cinder-api.sh
+            - start
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - /tmp/cinder-api.sh
+                  - stop
+          ports:
+            - name: c-api
+              containerPort: {{ tuple "volumev3" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+          readinessProbe:
+            tcpSocket:
+              port: {{ tuple "volumev3" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+          livenessProbe:
+            tcpSocket:
+              port: {{ tuple "volumev3" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+            initialDelaySeconds: 30
+            failureThreshold: 3
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: wsgi-cinder
+              mountPath: /var/www/cgi-bin/cinder
+            - name: cinder-bin
+              mountPath: /tmp/cinder-api.sh
+              subPath: cinder-api.sh
+              readOnly: true
+            - name: cinder-etc
+              mountPath: /etc/cinder/cinder.conf
+              subPath: cinder.conf
+              readOnly: true
+            {{- if .Values.conf.cinder.DEFAULT.log_config_append }}
+            - name: cinder-etc
+              mountPath: {{ .Values.conf.cinder.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.cinder.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+            - name: cinder-etc
+              mountPath: /etc/cinder/api-paste.ini
+              subPath: api-paste.ini
+              readOnly: true
+            - name: cinder-etc
+              mountPath: /etc/cinder/policy.yaml
+              subPath: policy.yaml
+              readOnly: true
+            - name: cinder-etc
+              mountPath: /etc/cinder/api_audit_map.conf
+              subPath: api_audit_map.conf
+              readOnly: true
+            - name: cinder-etc
+              mountPath: {{ .Values.conf.cinder.DEFAULT.resource_query_filters_file }}
+              subPath: resource_filters.json
+              readOnly: true
+{{- if .Values.conf.security }}
+            - name: cinder-etc
+              mountPath: {{ .Values.conf.software.apache2.conf_dir }}/security.conf
+              subPath: security.conf
+              readOnly: true
+{{- end }}
+            {{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }}
+            - name: cinder-coordination
+              mountPath: {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }}
+            {{- end }}
+            {{- if .Values.manifests.certificates }}
+            - name: cinder-etc
+              mountPath: {{ .Values.conf.software.apache2.site_dir }}/cinder-api.conf
+              subPath: wsgi-cinder.conf
+              readOnly: true
+            - name: cinder-etc
+              mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
+              subPath: mpm_event.conf
+              readOnly: true
+            {{- end }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_cinder_api.volumeMounts }}{{ toYaml $mounts_cinder_api.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: wsgi-cinder
+          emptyDir: {}
+        - name: cinder-bin
+          configMap:
+            name: cinder-bin
+            defaultMode: 0555
+        - name: cinder-etc
+          secret:
+            secretName: cinder-etc
+            defaultMode: 0444
+        {{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }}
+        # NOTE (portdirect): this will need to be set to a shared mount amongst all cinder
+        # pods for the coordination backend to be fully functional.
+        - name: cinder-coordination
+          emptyDir: {}
+        {{- end }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_cinder_api.volumes }}{{ toYaml $mounts_cinder_api.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/cinder/templates/deployment-backup.yaml b/charts/cinder/templates/deployment-backup.yaml
new file mode 100644
index 0000000..b4a429b
--- /dev/null
+++ b/charts/cinder/templates/deployment-backup.yaml
@@ -0,0 +1,342 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment_backup }}
+{{- $envAll := . }}
+
+{{- $internal_ceph_backend := .Values.ceph_client.internal_ceph_backend }}
+
+{{- $mounts_cinder_backup := .Values.pod.mounts.cinder_backup.cinder_backup }}
+{{- $mounts_cinder_backup_init := .Values.pod.mounts.cinder_backup.init_container }}
+
+{{- $serviceAccountName := "cinder-backup" }}
+{{ tuple $envAll "backup" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cinder-backup
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "cinder" "backup" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.backup }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "cinder" "backup" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "cinder" "backup" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "cinder-backup" "containerNames" (list "cinder-backup" "ceph-coordination-volume-perms" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "cinder_backup" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      affinity:
+{{ tuple $envAll "cinder" "backup" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+{{ if $envAll.Values.pod.tolerations.cinder.enabled }}
+{{ tuple $envAll "cinder" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+      nodeSelector:
+        {{ .Values.labels.backup.node_selector_key }}: {{ .Values.labels.backup.node_selector_value }}
+{{- if .Values.pod.useHostNetwork.backup }}
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+{{- end }}
+{{- if .Values.conf.enable_iscsi }}
+      hostIPC: true
+{{- end }}
+      initContainers:
+{{ tuple $envAll "backup" $mounts_cinder_backup_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        {{- if (contains "cinder.backup.drivers.ceph" .Values.conf.cinder.DEFAULT.backup_driver) }}
+        - name: ceph-backup-keyring-placement
+{{ tuple $envAll "cinder_backup" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "cinder_backup" "container" "ceph_backup_keyring_placement" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/ceph-keyring.sh
+          env:
+            - name: RBD_USER
+              value: {{ .Values.conf.cinder.DEFAULT.backup_ceph_user | quote }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: cinder-bin
+              mountPath: /tmp/ceph-keyring.sh
+              subPath: ceph-keyring.sh
+              readOnly: true
+            - name: ceph-backup-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+        {{ end }}
+        {{- range $name := rest (splitList "," (include "cinder.utils.ceph_backend_list" $envAll)) }}
+          {{- $backend := index $envAll.Values.conf.backends $name }}
+            {{- if eq $internal_ceph_backend $name }}
+        - name: ceph-keyring-placement-{{$name}}
+{{ tuple $envAll "cinder_backup" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "cinder_backup" "container" "ceph_keyring_placement" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/ceph-keyring.sh
+          env:
+            - name: RBD_USER
+              value: {{ $backend.rbd_user | quote }}
+{{- if and $envAll.Values.ceph_client.enable_external_ceph_backend $envAll.Values.ceph_client.external_ceph.rbd_user }}
+            - name: EXTERNAL_RBD_USER
+              value: {{ $envAll.Values.ceph_client.external_ceph.rbd_user | quote }}
+{{- end }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: cinder-bin
+              mountPath: /tmp/ceph-keyring.sh
+              subPath: ceph-keyring.sh
+              readOnly: true
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+           {{- if and $envAll.Values.ceph_client.enable_external_ceph_backend $envAll.Values.ceph_client.external_ceph.rbd_user }}
+            - name: external-ceph-keyring
+              mountPath: /tmp/external-ceph-client-keyring
+              subPath: key
+              readOnly: true
+            {{- end }}
+            {{- end }}
+        {{- end }}
+        {{- if (contains "cinder.backup.drivers.posix" .Values.conf.cinder.DEFAULT.backup_driver) }}
+        - name: ceph-backup-volume-perms
+{{ tuple $envAll "cinder_backup" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "cinder_backup" "container" "ceph_backup_volume_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - chown
+            - -R
+            - "cinder:"
+            - {{ .Values.conf.cinder.DEFAULT.backup_posix_path }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: cinder-backup
+              mountPath: {{ .Values.conf.cinder.DEFAULT.backup_posix_path }}
+        {{ end }}
+        {{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }}
+        - name: ceph-coordination-volume-perms
+{{ tuple $envAll "cinder_backup" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "cinder_backup" "container" "ceph_coordination_volume_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - chown
+            - -R
+            - "cinder:"
+            - {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: cinder-coordination
+              mountPath: {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }}
+        {{ end }}
+      containers:
+        - name: cinder-backup
+{{ tuple $envAll "cinder_backup" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.backup | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "cinder_backup" "container" "cinder_backup" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/cinder-backup.sh
+          terminationMessagePath: /var/log/termination-log
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: cinder-tmp
+              mountPath: /var/lib/cinder/tmp
+            - name: cinder-bin
+              mountPath: /tmp/cinder-backup.sh
+              subPath: cinder-backup.sh
+              readOnly: true
+            - name: cinder-etc
+              mountPath: /etc/cinder/cinder.conf
+              subPath: cinder.conf
+              readOnly: true
+            {{- if .Values.conf.cinder.DEFAULT.log_config_append }}
+            - name: cinder-etc
+              mountPath: {{ .Values.conf.cinder.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.cinder.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+            {{ if or (contains "cinder.backup.drivers.ceph" .Values.conf.cinder.DEFAULT.backup_driver) (eq "true" (include "cinder.utils.has_ceph_backend" $envAll)) }}
+            - name: etcceph
+              mountPath: /etc/ceph
+            {{- if not .Values.backup.external_ceph_rbd.enabled }}
+            - name: ceph-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: ceph.conf
+              readOnly: true
+            {{- else }}
+            - name: cinder-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: external-backup-ceph.conf
+              readOnly: true
+            {{- end }}
+            {{- if (contains "cinder.backup.drivers.ceph" .Values.conf.cinder.DEFAULT.backup_driver) }}
+            - name: ceph-backup-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{- else }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{- end }}
+            {{- if .Values.ceph_client.enable_external_ceph_backend }}
+            - name: cinder-etc
+              mountPath: /etc/ceph/external-ceph.conf
+              subPath: external-ceph.conf
+              readOnly: true
+            {{- if .Values.ceph_client.external_ceph.rbd_user }}
+            - name: external-ceph-keyring
+              mountPath: /tmp/external-ceph-client-keyring
+              subPath: key
+              readOnly: true
+            {{- end }}
+            {{- end }}
+            {{- end }}
+            {{- if (contains "cinder.backup.drivers.posix" .Values.conf.cinder.DEFAULT.backup_driver) }}
+            - name: cinder-backup
+              mountPath: {{ .Values.conf.cinder.DEFAULT.backup_posix_path }}
+            {{- end }}
+            {{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }}
+            - name: cinder-coordination
+              mountPath: {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }}
+            {{- end }}
+            - name: cinder-etc
+              # NOTE (Portdirect): We mount here to override Kollas
+              # custom sudoers file when using Kolla images, this
+              # location will also work fine for other images.
+              mountPath: /etc/sudoers.d/kolla_cinder_sudoers
+              subPath: cinder_sudoers
+              readOnly: true
+            - name: cinder-etc
+              mountPath: /etc/sudoers.d/kolla_cinder_volume_sudoers
+              subPath: cinder_sudoers
+              readOnly: true
+            - name: cinder-etc
+              mountPath: /etc/cinder/rootwrap.conf
+              subPath: rootwrap.conf
+              readOnly: true
+            - name: cinder-etc
+              mountPath: /etc/cinder/rootwrap.d/volume.filters
+              subPath: volume.filters
+              readOnly: true
+            {{- if .Values.conf.enable_iscsi }}
+            - name: host-rootfs
+              mountPath: /mnt/host-rootfs
+              {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+              mountPropagation: HostToContainer
+              {{- end }}
+            - name: host-dev
+              mountPath: /dev
+              {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+              mountPropagation: HostToContainer
+              {{- end }}
+            - name: runlock
+              mountPath: /run/lock
+            - name: etciscsi
+              mountPath: /etc/iscsi
+              {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+              mountPropagation: HostToContainer
+              {{- end }}
+            - name: usrlocalsbin
+              mountPath: /usr/local/sbin
+            - name: cinder-bin
+              mountPath: /usr/local/sbin/iscsiadm
+              subPath: iscsiadm
+            {{- end }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_cinder_backup.volumeMounts }}{{ toYaml $mounts_cinder_backup.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: cinder-tmp
+          emptyDir: {}
+        - name: cinder-etc
+          secret:
+            secretName: cinder-etc
+            defaultMode: 0444
+        - name: cinder-bin
+          configMap:
+            name: cinder-bin
+            defaultMode: 0555
+        {{ if or (contains "cinder.backup.drivers.ceph" .Values.conf.cinder.DEFAULT.backup_driver) (eq "true" (include "cinder.utils.has_ceph_backend" $envAll)) }}
+        - name: etcceph
+          emptyDir: {}
+        - name: ceph-etc
+          configMap:
+            name: {{ .Values.ceph_client.configmap }}
+            defaultMode: 0444
+        {{ end }}
+        {{- if (contains "cinder.backup.drivers.ceph" .Values.conf.cinder.DEFAULT.backup_driver) }}
+        - name: ceph-backup-keyring
+          secret:
+            secretName: {{ .Values.secrets.rbd.backup | quote }}
+        {{ end }}
+        {{- if eq "true" (include "cinder.utils.has_ceph_backend" $envAll) }}
+        - name: ceph-keyring
+          secret:
+            secretName: {{ .Values.secrets.rbd.volume | quote }}
+        {{- if and .Values.ceph_client.enable_external_ceph_backend .Values.ceph_client.external_ceph.rbd_user }}
+        - name: external-ceph-keyring
+          secret:
+            secretName: {{ .Values.secrets.rbd.volume_external | quote }}
+        {{ end }}
+        {{ end }}
+        {{- if (contains "cinder.backup.drivers.posix" .Values.conf.cinder.DEFAULT.backup_driver) }}
+        - name: cinder-backup
+          persistentVolumeClaim:
+            claimName: cinder-backup
+        {{- end }}
+        {{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }}
+        # NOTE (portdirect): this will need to be set to a shared mount amongst all cinder
+        # pods for the coordination backend to be fully functional.
+        - name: cinder-coordination
+          emptyDir: {}
+        {{- end }}
+        {{- if .Values.conf.enable_iscsi }}
+        - name: host-rootfs
+          hostPath:
+            path: /
+        - name: host-dev
+          hostPath:
+            path: /dev
+        - name: runlock
+          hostPath:
+            path: /run/lock
+        - name: etciscsi
+          hostPath:
+            path: /etc/iscsi
+        - name: usrlocalsbin
+          emptyDir: {}
+        {{- end }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_cinder_backup.volumes }}{{ toYaml $mounts_cinder_backup.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/cinder/templates/deployment-scheduler.yaml b/charts/cinder/templates/deployment-scheduler.yaml
new file mode 100644
index 0000000..59c3597
--- /dev/null
+++ b/charts/cinder/templates/deployment-scheduler.yaml
@@ -0,0 +1,135 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment_scheduler }}
+{{- $envAll := . }}
+
+{{- $mounts_cinder_scheduler := .Values.pod.mounts.cinder_scheduler.cinder_scheduler }}
+{{- $mounts_cinder_scheduler_init := .Values.pod.mounts.cinder_scheduler.init_container }}
+
+{{- $serviceAccountName := "cinder-scheduler" }}
+{{ tuple $envAll "scheduler" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cinder-scheduler
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "cinder" "scheduler" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.scheduler }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "cinder" "scheduler" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "cinder" "scheduler" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "cinder-scheduler" "containerNames" (list "cinder-scheduler" "ceph-coordination-volume-perms" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "cinder_scheduler" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      affinity:
+{{ tuple $envAll "cinder" "scheduler" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+{{ if $envAll.Values.pod.tolerations.cinder.enabled }}
+{{ tuple $envAll "cinder" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+      nodeSelector:
+        {{ .Values.labels.scheduler.node_selector_key }}: {{ .Values.labels.scheduler.node_selector_value }}
+      initContainers:
+{{ tuple $envAll "scheduler" $mounts_cinder_scheduler_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        {{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }}
+        - name: ceph-coordination-volume-perms
+{{ tuple $envAll "cinder_scheduler" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "cinder_scheduler" "container" "ceph_coordination_volume_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - chown
+            - -R
+            - "cinder:"
+            - {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: cinder-coordination
+              mountPath: {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }}
+        {{ end }}
+      containers:
+        - name: cinder-scheduler
+{{ tuple $envAll "cinder_scheduler" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.scheduler | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "cinder_scheduler" "container" "cinder_scheduler" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/cinder-scheduler.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: cinder-bin
+              mountPath: /tmp/cinder-scheduler.sh
+              subPath: cinder-scheduler.sh
+              readOnly: true
+            - name: cinder-etc
+              mountPath: /etc/cinder/cinder.conf
+              subPath: cinder.conf
+              readOnly: true
+            {{- if .Values.conf.cinder.DEFAULT.log_config_append }}
+            - name: cinder-etc
+              mountPath: {{ .Values.conf.cinder.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.cinder.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+            - name: cinder-etc
+              mountPath: /etc/cinder/api-paste.ini
+              subPath: api-paste.ini
+              readOnly: true
+            - name: cinder-etc
+              mountPath: /etc/cinder/policy.yaml
+              subPath: policy.yaml
+              readOnly: true
+            {{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }}
+            - name: cinder-coordination
+              mountPath: {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }}
+            {{- end }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_cinder_scheduler.volumeMounts }}{{ toYaml $mounts_cinder_scheduler.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: cinder-bin
+          configMap:
+            name: cinder-bin
+            defaultMode: 0555
+        - name: cinder-etc
+          secret:
+            secretName: cinder-etc
+            defaultMode: 0444
+        {{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }}
+        # NOTE (portdirect): this will need to be set to a shared mount amongst all cinder
+        # pods for the coordination backend to be fully functional.
+        - name: cinder-coordination
+          emptyDir: {}
+        {{- end }}
+ {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_cinder_scheduler.volumes }}{{ toYaml $mounts_cinder_scheduler.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/cinder/templates/deployment-volume.yaml b/charts/cinder/templates/deployment-volume.yaml
new file mode 100644
index 0000000..135672a
--- /dev/null
+++ b/charts/cinder/templates/deployment-volume.yaml
@@ -0,0 +1,339 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment_volume }}
+{{- $envAll := . }}
+
+{{- $internal_ceph_backend := .Values.ceph_client.internal_ceph_backend }}
+
+{{- $mounts_cinder_volume := .Values.pod.mounts.cinder_volume.cinder_volume }}
+{{- $mounts_cinder_volume_init := .Values.pod.mounts.cinder_volume.init_container }}
+
+{{- $serviceAccountName := "cinder-volume" }}
+{{ tuple $envAll "volume" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cinder-volume
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "cinder" "volume" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.volume }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "cinder" "volume" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "cinder" "volume" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "cinder-volume" "containerNames" (list "cinder-volume" "ceph-coordination-volume-perms" "init-cinder-conf" "init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "cinder_volume" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      affinity:
+{{ tuple $envAll "cinder" "volume" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+{{ if $envAll.Values.pod.tolerations.cinder.enabled }}
+{{ tuple $envAll "cinder" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+      nodeSelector:
+        {{ .Values.labels.volume.node_selector_key }}: {{ .Values.labels.volume.node_selector_value }}
+{{- if .Values.pod.useHostNetwork.volume }}
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+{{- end }}
+{{- if .Values.conf.enable_iscsi }}
+      hostIPC: true
+{{- end }}
+      initContainers:
+{{ tuple $envAll "volume" $mounts_cinder_volume_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        {{- range $name := rest (splitList "," (include "cinder.utils.ceph_backend_list" $envAll)) }}
+          {{- $backend := index $envAll.Values.conf.backends $name }}
+            {{- if eq $internal_ceph_backend $name }}
+        - name: ceph-keyring-placement-{{$name}}
+{{ tuple $envAll "cinder_volume" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "cinder_volume" "container" "ceph_keyring_placement" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/ceph-keyring.sh
+          env:
+            - name: RBD_USER
+              value: {{ $backend.rbd_user | quote }}
+{{- if and $envAll.Values.ceph_client.enable_external_ceph_backend $envAll.Values.ceph_client.external_ceph.rbd_user }}
+            - name: EXTERNAL_RBD_USER
+              value: {{ $envAll.Values.ceph_client.external_ceph.rbd_user | quote }}
+{{- end }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: cinder-bin
+              mountPath: /tmp/ceph-keyring.sh
+              subPath: ceph-keyring.sh
+              readOnly: true
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{- if and $envAll.Values.ceph_client.enable_external_ceph_backend $envAll.Values.ceph_client.external_ceph.rbd_user }}
+            - name: external-ceph-keyring
+              mountPath: /tmp/external-ceph-client-keyring
+              subPath: key
+              readOnly: true
+            {{- end }}
+            {{- end }}
+        {{- end }}
+        {{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }}
+        - name: ceph-coordination-volume-perms
+{{ tuple $envAll "cinder_volume" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "cinder_volume" "container" "ceph_coordination_volume_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - chown
+            - -R
+            - "cinder:"
+            - {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: cinder-coordination
+              mountPath: {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }}
+        {{ end }}
+        - name: init-cinder-conf
+{{ dict "envAll" $envAll "application" "cinder_volume" "container" "init_cinder_conf" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          image: {{ .Values.images.tags.ks_user }}
+          imagePullPolicy: {{ .Values.images.pull_policy }}
+          command:
+            - /tmp/retrieve-internal-tenant.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: cinder-bin
+              mountPath: /tmp/retrieve-internal-tenant.sh
+              subPath: retrieve-internal-tenant.sh
+              readOnly: true
+            - name: pod-shared
+              mountPath: /tmp/pod-shared
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume_mount"  | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: INTERNAL_PROJECT_NAME
+              value: {{ .Values.conf.cinder.DEFAULT.internal_project_name | quote }}
+            - name: INTERNAL_USER_NAME
+              value: {{ .Values.conf.cinder.DEFAULT.internal_user_name | quote }}
+{{- with $env := dict "ksUserSecret" (index .Values.secrets.identity "cinder" ) }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
+{{- end }}
+      containers:
+        - name: cinder-volume
+{{ tuple $envAll "cinder_volume" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.volume | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "cinder_volume" "container" "cinder_volume" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/cinder-volume.sh
+          terminationMessagePath: /var/log/termination-log
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: cinder-bin
+              mountPath: /tmp/cinder-volume.sh
+              subPath: cinder-volume.sh
+              readOnly: true
+            - name: pod-shared
+              mountPath: /tmp/pod-shared
+            - name: cinder-conversion
+              mountPath: /var/lib/cinder/conversion
+            - name: cinder-etc
+              mountPath: /etc/cinder/cinder.conf
+              subPath: cinder.conf
+              readOnly: true
+            {{- if .Values.conf.cinder.DEFAULT.log_config_append }}
+            - name: cinder-etc
+              mountPath: {{ .Values.conf.cinder.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.cinder.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+            - name: cinder-etc
+              mountPath: /etc/cinder/conf/backends.conf
+              subPath: backends.conf
+              readOnly: true
+            {{- if eq "true" (include "cinder.utils.has_ceph_backend" $envAll) }}
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: ceph.conf
+              readOnly: true
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{- if .Values.ceph_client.enable_external_ceph_backend }}
+            - name: cinder-etc
+              mountPath: /etc/ceph/external-ceph.conf
+              subPath: external-ceph.conf
+              readOnly: true
+            {{- if .Values.ceph_client.external_ceph.rbd_user }}
+            - name: external-ceph-keyring
+              mountPath: /tmp/external-ceph-client-keyring
+              subPath: key
+              readOnly: true
+            {{- end }}
+            {{- end }}
+            {{- end }}
+            {{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }}
+            - name: cinder-coordination
+              mountPath: {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }}
+            {{- end }}
+            - name: cinder-etc
+              # NOTE (Portdirect): We mount here to override Kollas
+              # custom sudoers file when using Kolla images, this
+              # location will also work fine for other images.
+              mountPath: /etc/sudoers.d/kolla_cinder_sudoers
+              subPath: cinder_sudoers
+              readOnly: true
+            - name: cinder-etc
+              mountPath: /etc/sudoers.d/kolla_cinder_volume_sudoers
+              subPath: cinder_sudoers
+              readOnly: true
+            - name: cinder-etc
+              mountPath: /etc/cinder/rootwrap.conf
+              subPath: rootwrap.conf
+              readOnly: true
+            {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+            {{- if ( has "volume" $value.pods ) }}
+            {{- $filePrefix := replace "_" "-"  $key }}
+            {{- $rootwrapFile := printf "/etc/cinder/rootwrap.d/%s.filters" $filePrefix }}
+            - name: cinder-etc
+              mountPath: {{ $rootwrapFile }}
+              subPath: {{ base $rootwrapFile }}
+              readOnly: true
+            {{- end }}
+            {{- end }}
+            {{- if .Values.conf.enable_iscsi }}
+            - name: host-rootfs
+              mountPath: /mnt/host-rootfs
+              {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+              mountPropagation: HostToContainer
+              {{- end }}
+            - name: host-dev
+              mountPath: /dev
+              {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+              mountPropagation: HostToContainer
+              {{- end }}
+            - name: runlock
+              mountPath: /run/lock
+            - name: etciscsi
+              mountPath: /etc/iscsi
+              {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+              mountPropagation: HostToContainer
+              {{- end }}
+            - name: usrlocalsbin
+              mountPath: /usr/local/sbin
+            - name: cinder-bin
+              mountPath: /usr/local/sbin/iscsiadm
+              subPath: iscsiadm
+            - name: cinder-bin
+              mountPath: /usr/local/sbin/multipath
+              subPath: multipath
+            - name: cinder-bin
+              mountPath: /usr/local/sbin/multipathd
+              subPath: multipathd
+            - name: etcmultipath
+              mountPath: /etc/multipath
+              {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+              mountPropagation: Bidirectional
+              {{- end }}
+            - name: sys
+              mountPath: /sys
+              {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+              mountPropagation: HostToContainer
+              {{- end }}
+            {{- end }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_cinder_volume.volumeMounts }}{{ toYaml $mounts_cinder_volume.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: cinder-bin
+          configMap:
+            name: cinder-bin
+            defaultMode: 0555
+        - name: cinder-etc
+          secret:
+            secretName: cinder-etc
+            defaultMode: 0444
+        - name: pod-shared
+          emptyDir: {}
+        - name: cinder-conversion
+          emptyDir: {}
+        {{- if eq "true" (include "cinder.utils.has_ceph_backend" $envAll) }}
+        - name: etcceph
+          emptyDir: {}
+        - name: ceph-etc
+          configMap:
+            name: {{ .Values.ceph_client.configmap }}
+            defaultMode: 0444
+        - name: ceph-keyring
+          secret:
+            secretName: {{ .Values.secrets.rbd.volume | quote }}
+        {{- if and .Values.ceph_client.enable_external_ceph_backend .Values.ceph_client.external_ceph.rbd_user }}
+        - name: external-ceph-keyring
+          secret:
+            secretName: {{ .Values.secrets.rbd.volume_external | quote }}
+        {{ end }}
+        {{ end }}
+        {{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }}
+        # NOTE (portdirect): this will need to be set to a shared mount amongst all cinder
+        # pods for the coordination backend to be fully functional.
+        - name: cinder-coordination
+          emptyDir: {}
+        {{- end }}
+        {{- if .Values.conf.enable_iscsi }}
+        - name: host-rootfs
+          hostPath:
+            path: /
+        - name: host-dev
+          hostPath:
+            path: /dev
+        - name: runlock
+          hostPath:
+            path: /run/lock
+        - name: etciscsi
+          hostPath:
+            path: /etc/iscsi
+        - name: usrlocalsbin
+          emptyDir: {}
+        - name: etcmultipath
+          hostPath:
+            path: /etc/multipath
+        - name: sys
+          hostPath:
+            path: /sys
+        {{- end }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_cinder_volume.volumes }}{{ toYaml $mounts_cinder_volume.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/cinder/templates/ingress-api.yaml b/charts/cinder/templates/ingress-api.yaml
new file mode 100644
index 0000000..f5ab1ff
--- /dev/null
+++ b/charts/cinder/templates/ingress-api.yaml
@@ -0,0 +1,23 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
+{{- $envAll := . -}}
+{{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "volumev3" "backendPort" "c-api" -}}
+{{- $secretName := $envAll.Values.secrets.tls.volumev3.api.internal -}}
+{{- if and .Values.manifests.certificates $secretName -}}
+{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.volumev3.host_fqdn_override.default.tls.issuerRef.name -}}
+{{- end -}}
+{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+{{- end }}
diff --git a/charts/cinder/templates/job-backup-storage-init.yaml b/charts/cinder/templates/job-backup-storage-init.yaml
new file mode 100644
index 0000000..8168b90
--- /dev/null
+++ b/charts/cinder/templates/job-backup-storage-init.yaml
@@ -0,0 +1,188 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_backup_storage_init }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := "cinder-backup-storage-init" }}
+{{ tuple $envAll "backup_storage_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $serviceAccountName }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - create
+      - update
+      - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $serviceAccountName }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $serviceAccountName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $serviceAccountName }}
+    namespace: {{ $envAll.Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: cinder-backup-storage-init
+  labels:
+{{ tuple $envAll "cinder" "backup-storage-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "cinder" "storage-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ dict "envAll" $envAll "podName" "cinder-backup-storage-init" "containerNames" (list "cinder-backup-storage-init" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "storage_init" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      restartPolicy: OnFailure
+{{ if $envAll.Values.pod.tolerations.cinder.enabled }}
+{{ tuple $envAll "cinder" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+      nodeSelector:
+        {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+      initContainers:
+{{ tuple $envAll "backup_storage_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        {{- if (contains "cinder.backup.drivers.ceph" .Values.conf.cinder.DEFAULT.backup_driver) }}
+        - name: ceph-keyring-placement
+{{ tuple $envAll "cinder_backup_storage_init" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "storage_init" "container" "ceph_keyring_placement" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/ceph-admin-keyring.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: etcceph
+              mountPath: /etc/ceph
+            {{- if not .Values.backup.external_ceph_rbd.enabled }}
+            - name: cinder-bin
+              mountPath: /tmp/ceph-admin-keyring.sh
+              subPath: ceph-admin-keyring.sh
+              readOnly: true
+            {{- else }}
+            - name: cinder-bin
+              mountPath: /tmp/ceph-admin-keyring.sh
+              subPath: external-ceph-rbd-admin-keyring.sh
+              readOnly: true
+            {{ end }}
+            {{- if empty .Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+        {{ end }}
+      containers:
+        - name: cinder-backup-storage-init
+{{ tuple $envAll "cinder_backup_storage_init" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.backup_storage_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "storage_init" "container" "cinder_backup_storage_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          env:
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: STORAGE_BACKEND
+              value: {{ .Values.conf.cinder.DEFAULT.backup_driver | quote }}
+            {{- if (contains "cinder.backup.drivers.ceph" .Values.conf.cinder.DEFAULT.backup_driver) }}
+            - name: RBD_POOL_NAME
+              value: {{ .Values.conf.cinder.DEFAULT.backup_ceph_pool | quote }}
+            - name: RBD_POOL_APP_NAME
+              value: {{ .Values.conf.ceph.pools.backup.app_name | quote }}
+            - name: RBD_POOL_USER
+              value: {{ .Values.conf.cinder.DEFAULT.backup_ceph_user | quote }}
+            - name: RBD_POOL_CRUSH_RULE
+              value: {{ .Values.conf.ceph.pools.backup.crush_rule | quote }}
+            - name: RBD_POOL_REPLICATION
+              value: {{ .Values.conf.ceph.pools.backup.replication | quote }}
+            - name: RBD_POOL_CHUNK_SIZE
+              value: {{ .Values.conf.ceph.pools.backup.chunk_size | quote }}
+            - name: RBD_POOL_SECRET
+              value: {{ .Values.secrets.rbd.backup | quote }}
+            {{ end }}
+          command:
+            - /tmp/backup-storage-init.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: cinder-bin
+              mountPath: /tmp/backup-storage-init.sh
+              subPath: backup-storage-init.sh
+              readOnly: true
+            {{- if (contains "cinder.backup.drivers.ceph" .Values.conf.cinder.DEFAULT.backup_driver) }}
+            - name: etcceph
+              mountPath: /etc/ceph
+            {{- if not .Values.backup.external_ceph_rbd.enabled }}
+            - name: ceph-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: ceph.conf
+              readOnly: true
+            {{- else }}
+            - name: cinder-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: external-backup-ceph.conf
+              readOnly: true
+            {{- end }}
+            {{- if empty .Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{- end }}
+            {{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: cinder-bin
+          configMap:
+            name: cinder-bin
+            defaultMode: 0555
+        {{- if (contains "cinder.backup.drivers.ceph" .Values.conf.cinder.DEFAULT.backup_driver) }}
+        - name: etcceph
+          emptyDir: {}
+        - name: ceph-etc
+          configMap:
+            name: {{ .Values.ceph_client.configmap }}
+            defaultMode: 0444
+        {{- if .Values.backup.external_ceph_rbd.enabled }}
+        - name: cinder-etc
+          secret:
+            secretName: cinder-etc
+            defaultMode: 0444
+        {{- end }}
+        {{- if empty .Values.conf.ceph.admin_keyring }}
+        - name: ceph-keyring
+          secret:
+            secretName: {{ .Values.ceph_client.user_secret_name }}
+        {{ end }}
+        {{ end }}
+{{- end }}
diff --git a/charts/cinder/templates/job-bootstrap.yaml b/charts/cinder/templates/job-bootstrap.yaml
new file mode 100644
index 0000000..0db5409
--- /dev/null
+++ b/charts/cinder/templates/job-bootstrap.yaml
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.bootstrap" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "5"
+{{- end }}
+
+{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
+{{- $bootstrapJob := dict "envAll" . "serviceName" "cinder" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.cinder.DEFAULT.log_config_append "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.volumev3.api.internal -}}
+{{- end -}}
+{{- if .Values.pod.tolerations.cinder.enabled -}}
+{{- $_ := set $bootstrapJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
+{{- end }}
diff --git a/charts/cinder/templates/job-clean.yaml b/charts/cinder/templates/job-clean.yaml
new file mode 100644
index 0000000..d4efac5
--- /dev/null
+++ b/charts/cinder/templates/job-clean.yaml
@@ -0,0 +1,126 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_clean }}
+{{- $envAll := . }}
+{{ if or (contains "cinder.backup.drivers.ceph" .Values.conf.cinder.DEFAULT.backup_driver) (eq "true" (include "cinder.utils.has_ceph_backend" $envAll)) }}
+
+{{- $serviceAccountName := print "cinder-clean" }}
+{{ tuple $envAll "clean" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $serviceAccountName }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $serviceAccountName }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $serviceAccountName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $serviceAccountName }}
+    namespace: {{ $envAll.Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ print "cinder-clean" }}
+  labels:
+{{ tuple $envAll "cinder" "clean" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": hook-succeeded
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "cinder" "clean" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "clean" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      restartPolicy: OnFailure
+{{ if $envAll.Values.pod.tolerations.cinder.enabled }}
+{{ tuple $envAll "cinder" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+      nodeSelector:
+        {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+      initContainers:
+{{ tuple $envAll "clean" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        {{- if eq "true" (include "cinder.utils.has_ceph_backend" $envAll) }}
+        - name: cinder-volume-rbd-secret-clean
+{{ tuple $envAll "cinder_storage_init" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.clean | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "clean" "container" "cinder_volume_rbd_secret_clean" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          env:
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: RBD_POOL_SECRET
+              value: {{ .Values.secrets.rbd.volume | quote }}
+          command:
+            - /tmp/clean-secrets.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: cinder-bin
+              mountPath: /tmp/clean-secrets.sh
+              subPath: clean-secrets.sh
+              readOnly: true
+        {{ end }}
+        {{- if (contains "cinder.backup.drivers.ceph" .Values.conf.cinder.DEFAULT.backup_driver) }}
+        - name: cinder-volume-backup-secret-clean
+{{ tuple $envAll "cinder_backup_storage_init" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.clean | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: RBD_POOL_SECRET
+              value: {{ .Values.secrets.rbd.backup | quote }}
+          command:
+            - /tmp/clean-secrets.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: cinder-bin
+              mountPath: /tmp/clean-secrets.sh
+              subPath: clean-secrets.sh
+              readOnly: true
+        {{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: cinder-bin
+          configMap:
+            name: cinder-bin
+            defaultMode: 0555
+{{- end }}
+{{- end }}
diff --git a/charts/cinder/templates/job-create-internal-tenant.yaml b/charts/cinder/templates/job-create-internal-tenant.yaml
new file mode 100644
index 0000000..b298e36
--- /dev/null
+++ b/charts/cinder/templates/job-create-internal-tenant.yaml
@@ -0,0 +1,101 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_create_internal_tenant }}
+{{- $envAll := . }}
+
+{{- $serviceName := "cinder" }}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "create-internal-tenant" }}
+{{ tuple $envAll "create_internal_tenant" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceUserPretty "create-internal-tenant" | quote }}
+{{- if .Values.helm3_hook }}
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
+{{- end }}
+  labels:
+{{ tuple $envAll "cinder" "create-internal-tenant" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "create-internal-tenant" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ dict "envAll" $envAll "podName" $serviceAccountName "containerNames" (list "create-internal-tenant" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+{{ dict "envAll" $envAll "application" "create_internal_tenant" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+{{ if $envAll.Values.pod.tolerations.cinder.enabled }}
+{{ tuple $envAll "cinder" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+      initContainers:
+{{ tuple $envAll "create_internal_tenant" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: create-internal-tenant
+          image: {{ $envAll.Values.images.tags.ks_user }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "create_internal_tenant" "container" "create_internal_tenant" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/create-internal-tenant.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: create-internal-tenant-sh
+              mountPath: /tmp/create-internal-tenant.sh
+              subPath: create-internal-tenant.sh
+              readOnly: true
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume_mount"  | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: SERVICE_OS_SERVICE_NAME
+              value: {{ $serviceName | quote }}
+            - name: INTERNAL_PROJECT_NAME
+              value: {{ .Values.conf.cinder.DEFAULT.internal_project_name | quote }}
+            - name: INTERNAL_USER_NAME
+              value: {{ .Values.conf.cinder.DEFAULT.internal_user_name | quote }}
+
+{{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: SERVICE_OS_ROLES
+            {{- $serviceOsRoles := index $envAll.Values.endpoints.identity.auth $serviceUser "role" }}
+            {{- if kindIs "slice" $serviceOsRoles }}
+              value: {{ include "helm-toolkit.utils.joinListWithComma" $serviceOsRoles | quote }}
+            {{- else }}
+              value: {{ $serviceOsRoles | quote }}
+            {{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: create-internal-tenant-sh
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end -}}
diff --git a/charts/cinder/templates/job-db-drop.yaml b/charts/cinder/templates/job-db-drop.yaml
new file mode 100644
index 0000000..1115af5
--- /dev/null
+++ b/charts/cinder/templates/job-db-drop.yaml
@@ -0,0 +1,24 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_db_drop }}
+{{- $dbDropJob := dict "envAll" . "serviceName" "cinder" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.pod.tolerations.cinder.enabled -}}
+{{- $_ := set $dbDropJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
+{{- end }}
diff --git a/charts/cinder/templates/job-db-init.yaml b/charts/cinder/templates/job-db-init.yaml
new file mode 100644
index 0000000..c7e450a
--- /dev/null
+++ b/charts/cinder/templates/job-db-init.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_init" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-5"
+{{- end }}
+
+{{- if .Values.manifests.job_db_init }}
+{{- $dbInitJob := dict "envAll" . "serviceName" "cinder" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $dbInitJob "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.cinder.enabled -}}
+{{- $_ := set $dbInitJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
+{{- end }}
diff --git a/charts/cinder/templates/job-db-sync.yaml b/charts/cinder/templates/job-db-sync.yaml
new file mode 100644
index 0000000..1bab87b
--- /dev/null
+++ b/charts/cinder/templates/job-db-sync.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_sync" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end }}
+
+{{- if .Values.manifests.job_db_sync }}
+{{- $dbSyncJob := dict "envAll" . "serviceName" "cinder" "podVolMounts" .Values.pod.mounts.cinder_db_sync.cinder_db_sync.volumeMounts "podVols" .Values.pod.mounts.cinder_db_sync.cinder_db_sync.volumes -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $dbSyncJob "jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.cinder.enabled -}}
+{{- $_ := set $dbSyncJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
+{{- end }}
diff --git a/charts/cinder/templates/job-image-repo-sync.yaml b/charts/cinder/templates/job-image-repo-sync.yaml
new file mode 100644
index 0000000..2d1f1f7
--- /dev/null
+++ b/charts/cinder/templates/job-image-repo-sync.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.repo_sync" }}
+helm.sh/hook: post-install,post-upgrade
+{{- end }}
+
+{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
+{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "cinder" -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := $imageRepoSyncJob "jobAnnotations" (include "metadata.annotations.job.repo_sync" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.cinder.enabled -}}
+{{- $_ := set $imageRepoSyncJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
+{{- end }}
diff --git a/charts/cinder/templates/job-ks-endpoints.yaml b/charts/cinder/templates/job-ks-endpoints.yaml
new file mode 100644
index 0000000..6b0493d
--- /dev/null
+++ b/charts/cinder/templates/job-ks-endpoints.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_endpoints" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-2"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_endpoints }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "cinder" "serviceTypes" ( tuple "volumev3" ) -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.volumev3.api.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.cinder.enabled -}}
+{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
+{{- end }}
diff --git a/charts/cinder/templates/job-ks-service.yaml b/charts/cinder/templates/job-ks-service.yaml
new file mode 100644
index 0000000..3299506
--- /dev/null
+++ b/charts/cinder/templates/job-ks-service.yaml
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_service" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-3"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_service }}
+{{- $serviceTypes := list }}
+{{- range $_, $v := keys .Values.endpoints | sortAlpha }}
+{{- if $v | hasPrefix "volume" }}
+{{- $serviceTypes = append $serviceTypes $v }}
+{{- end }}
+{{- end }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "cinder" "serviceTypes" $serviceTypes -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.volumev3.api.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.cinder.enabled -}}
+{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
+{{- end }}
diff --git a/charts/cinder/templates/job-ks-user.yaml b/charts/cinder/templates/job-ks-user.yaml
new file mode 100644
index 0000000..4cd671d
--- /dev/null
+++ b/charts/cinder/templates/job-ks-user.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_user" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-1"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_user }}
+{{- $ksUserJob := dict "envAll" . "serviceName" "cinder" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.volumev3.api.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.cinder.enabled -}}
+{{- $_ := set $ksUserJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
+{{- end }}
diff --git a/charts/cinder/templates/job-rabbit-init.yaml b/charts/cinder/templates/job-rabbit-init.yaml
new file mode 100644
index 0000000..43d2392
--- /dev/null
+++ b/charts/cinder/templates/job-rabbit-init.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.rabbit_init" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end }}
+
+{{- if .Values.manifests.job_rabbit_init }}
+{{- $rmqUserJob := dict "envAll" . "serviceName" "cinder" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $rmqUserJob "tlsSecret" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $rmqUserJob "jobAnnotations" (include "metadata.annotations.job.rabbit_init" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.cinder.enabled -}}
+{{- $_ := set $rmqUserJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }}
+{{- end }}
diff --git a/charts/cinder/templates/job-storage-init.yaml b/charts/cinder/templates/job-storage-init.yaml
new file mode 100644
index 0000000..0f06c22
--- /dev/null
+++ b/charts/cinder/templates/job-storage-init.yaml
@@ -0,0 +1,168 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_storage_init }}
+{{- $envAll := . }}
+
+{{- $internal_ceph_backend := .Values.ceph_client.internal_ceph_backend }}
+
+{{- $serviceAccountName := "cinder-storage-init" }}
+{{ tuple $envAll "storage_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $serviceAccountName }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - create
+      - update
+      - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $serviceAccountName }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $serviceAccountName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $serviceAccountName }}
+    namespace: {{ $envAll.Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: cinder-storage-init
+  labels:
+{{ tuple $envAll "cinder" "storage-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "cinder" "storage-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "cinder" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      restartPolicy: OnFailure
+{{ if $envAll.Values.pod.tolerations.cinder.enabled }}
+{{ tuple $envAll "cinder" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+      nodeSelector:
+        {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+      initContainers:
+{{ tuple $envAll "storage_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        {{- if eq "true" (include "cinder.utils.has_ceph_backend" $envAll) }}
+        - name: ceph-keyring-placement
+{{ tuple $envAll "cinder_storage_init" | include "helm-toolkit.snippets.image" | indent 10 }}
+          securityContext:
+            runAsUser: 0
+          command:
+            - /tmp/ceph-admin-keyring.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: cinder-bin
+              mountPath: /tmp/ceph-admin-keyring.sh
+              subPath: ceph-admin-keyring.sh
+              readOnly: true
+            {{- if empty .Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+        {{ end }}
+      containers:
+        {{- range $name, $backend := .Values.conf.backends }}
+          {{- if (eq "true" ( dict "backend" $backend | include "cinder.utils.is_ceph_backend" )) }}
+            {{- if eq $internal_ceph_backend $name }}
+        - name: cinder-storage-init-{{$name}}
+{{ tuple $envAll "cinder_storage_init" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.storage_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: STORAGE_BACKEND
+              value: {{ $backend.volume_driver | quote }}
+            - name: RBD_POOL_NAME
+              value: {{ $backend.rbd_pool | quote }}
+            - name: RBD_POOL_APP_NAME
+              value: {{ (index $envAll.Values.conf.ceph.pools $backend.rbd_pool).app_name | quote }}
+            - name: RBD_POOL_USER
+              value: {{ $backend.rbd_user | quote }}
+            - name: RBD_POOL_CRUSH_RULE
+              value: {{ (index $envAll.Values.conf.ceph.pools $backend.rbd_pool).crush_rule | quote }}
+            - name: RBD_POOL_REPLICATION
+              value: {{ (index $envAll.Values.conf.ceph.pools $backend.rbd_pool).replication | quote }}
+            - name: RBD_POOL_CHUNK_SIZE
+              value: {{ (index $envAll.Values.conf.ceph.pools $backend.rbd_pool).chunk_size | quote }}
+            - name: RBD_POOL_SECRET
+              value: {{ $envAll.Values.secrets.rbd.volume | quote }}
+          command:
+            - /tmp/storage-init.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: cinder-bin
+              mountPath: /tmp/storage-init.sh
+              subPath: storage-init.sh
+              readOnly: true
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: ceph.conf
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{- end }}
+            {{- end }}
+        {{- end }}
+      {{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: cinder-bin
+          configMap:
+            name: cinder-bin
+            defaultMode: 0555
+        {{- if eq "true" (include "cinder.utils.has_ceph_backend" $envAll) }}
+        - name: etcceph
+          emptyDir: {}
+        - name: ceph-etc
+          configMap:
+            name: {{ .Values.ceph_client.configmap }}
+            defaultMode: 0444
+        {{- if empty .Values.conf.ceph.admin_keyring }}
+        - name: ceph-keyring
+          secret:
+            secretName: {{ .Values.ceph_client.user_secret_name }}
+        {{- end }}
+        {{- end }}
+{{- end }}
diff --git a/charts/cinder/templates/network_policy.yaml b/charts/cinder/templates/network_policy.yaml
new file mode 100644
index 0000000..ba9a8bd
--- /dev/null
+++ b/charts/cinder/templates/network_policy.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "cinder" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/charts/cinder/templates/pdb-api.yaml b/charts/cinder/templates/pdb-api.yaml
new file mode 100644
index 0000000..a6e8d16
--- /dev/null
+++ b/charts/cinder/templates/pdb-api.yaml
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pdb_api }}
+{{- $envAll := . }}
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: cinder-api
+spec:
+  minAvailable: {{ .Values.pod.lifecycle.disruption_budget.api.min_available }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "cinder" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{- end }}
diff --git a/charts/cinder/templates/pod-rally-test.yaml b/charts/cinder/templates/pod-rally-test.yaml
new file mode 100644
index 0000000..34316c6
--- /dev/null
+++ b/charts/cinder/templates/pod-rally-test.yaml
@@ -0,0 +1,113 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pod_rally_test }}
+{{- $envAll := . }}
+
+{{- $mounts_tests := .Values.pod.mounts.cinder_tests.cinder_tests }}
+{{- $mounts_tests_init := .Values.pod.mounts.cinder_tests.init_container }}
+
+{{- $serviceAccountName := print $envAll.Release.Name "-test" }}
+{{ tuple $envAll "tests" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: {{ print $envAll.Release.Name "-test" }}
+  labels:
+{{ tuple $envAll "cinder" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  annotations:
+    "helm.sh/hook": test-success
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{ dict "envAll" $envAll "podName" "cinder-test" "containerNames" (list "init" "cinder-test" "cinder-test-ks-user") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
+spec:
+  restartPolicy: Never
+{{ if $envAll.Values.pod.tolerations.cinder.enabled }}
+{{ tuple $envAll "cinder" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 2 }}
+{{ end }}
+  nodeSelector:
+    {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
+  serviceAccountName: {{ $serviceAccountName }}
+  initContainers:
+{{ tuple $envAll "tests" $mounts_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
+    - name: cinder-test-ks-user
+{{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.image" | indent 6 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+      command:
+        - /tmp/ks-user.sh
+      volumeMounts:
+        - name: pod-tmp
+          mountPath: /tmp
+        - name: cinder-bin
+          mountPath: /tmp/ks-user.sh
+          subPath: ks-user.sh
+          readOnly: true
+{{ dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume_mount"  | indent 8 }}
+      env:
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
+{{- end }}
+        - name: SERVICE_OS_SERVICE_NAME
+          value: "test"
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 8 }}
+{{- end }}
+        - name: SERVICE_OS_ROLE
+          value: {{ .Values.endpoints.identity.auth.test.role | quote }}
+  containers:
+    - name: cinder-test
+{{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+      env:
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
+{{- end }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 8 }}
+{{- end }}
+        - name: RALLY_ENV_NAME
+          value: {{.Release.Name}}
+      command:
+        - /tmp/rally-test.sh
+      volumeMounts:
+        - name: pod-tmp
+          mountPath: /tmp
+        - name: cinder-etc
+          mountPath: /etc/rally/rally_tests.yaml
+          subPath: rally_tests.yaml
+          readOnly: true
+        - name: cinder-bin
+          mountPath: /tmp/rally-test.sh
+          subPath: rally-test.sh
+          readOnly: true
+        - name: rally-db
+          mountPath: /var/lib/rally
+{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume_mount"  | indent 8 }}
+{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
+  volumes:
+    - name: pod-tmp
+      emptyDir: {}
+    - name: cinder-etc
+      secret:
+        secretName: cinder-etc
+        defaultMode: 0444
+    - name: cinder-bin
+      configMap:
+        name: cinder-bin
+        defaultMode: 0555
+    - name: rally-db
+      emptyDir: {}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
+{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
+{{- end }}
diff --git a/charts/cinder/templates/pvc-backup.yaml b/charts/cinder/templates/pvc-backup.yaml
new file mode 100644
index 0000000..da6478a
--- /dev/null
+++ b/charts/cinder/templates/pvc-backup.yaml
@@ -0,0 +1,30 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pvc_backup }}
+{{- $envAll := . }}
+{{- if (contains "cinder.backup.drivers.posix" .Values.conf.cinder.DEFAULT.backup_driver) }}
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: cinder-backup
+spec:
+  accessModes: [ "ReadWriteOnce" ]
+  resources:
+    requests:
+      storage: {{ .Values.backup.posix.volume.size }}
+  storageClassName: {{ .Values.backup.posix.volume.class_name }}
+{{- end }}
+{{- end }}
diff --git a/charts/cinder/templates/secret-db.yaml b/charts/cinder/templates/secret-db.yaml
new file mode 100644
index 0000000..a5cee90
--- /dev/null
+++ b/charts/cinder/templates/secret-db.yaml
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_db }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "cinder" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+{{- $connection := tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+{{- if $envAll.Values.manifests.certificates }}
+  DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
+{{- else }}
+  DB_CONNECTION: {{  $connection | b64enc -}}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/cinder/templates/secret-external-ceph-keyring.yaml b/charts/cinder/templates/secret-external-ceph-keyring.yaml
new file mode 100644
index 0000000..9cdd4af
--- /dev/null
+++ b/charts/cinder/templates/secret-external-ceph-keyring.yaml
@@ -0,0 +1,20 @@
+{{/*
+This manifest results a secret being created which has the keyring information
+needed for cinder rbd user of external managed ceph backend
+*/}}
+
+{{- if and .Values.ceph_client.enable_external_ceph_backend .Values.ceph_client.external_ceph.rbd_user }}
+
+{{- $envAll := . }}
+{{- $userClass := "volume_external" }}
+{{- $secretName := index $envAll.Values.secrets.rbd $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+  key: {{ $envAll.Values.ceph_client.external_ceph.rbd_user_keyring | b64enc }}
+...
+{{- end }}
diff --git a/charts/cinder/templates/secret-ingress-tls.yaml b/charts/cinder/templates/secret-ingress-tls.yaml
new file mode 100644
index 0000000..f298d67
--- /dev/null
+++ b/charts/cinder/templates/secret-ingress-tls.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "volumev3" ) }}
+{{- end }}
diff --git a/charts/cinder/templates/secret-keystone.yaml b/charts/cinder/templates/secret-keystone.yaml
new file mode 100644
index 0000000..90be568
--- /dev/null
+++ b/charts/cinder/templates/secret-keystone.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_keystone }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "cinder" "test" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
+{{- end }}
diff --git a/charts/cinder/templates/secret-registry.yaml b/charts/cinder/templates/secret-registry.yaml
new file mode 100644
index 0000000..da979b3
--- /dev/null
+++ b/charts/cinder/templates/secret-registry.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
diff --git a/charts/cinder/templates/secret_rabbitmq.yaml b/charts/cinder/templates/secret_rabbitmq.yaml
new file mode 100644
index 0000000..2c4403e
--- /dev/null
+++ b/charts/cinder/templates/secret_rabbitmq.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_rabbitmq }}
+{{- $envAll := . }}
+{{- $rabbitmqProtocol := "http" }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- $rabbitmqProtocol = "https" }}
+{{- end }}
+{{- range $key1, $userClass := tuple "admin" "cinder" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+  RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass $rabbitmqProtocol $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/cinder/templates/service-api.yaml b/charts/cinder/templates/service-api.yaml
new file mode 100644
index 0000000..86d6b6f
--- /dev/null
+++ b/charts/cinder/templates/service-api.yaml
@@ -0,0 +1,37 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service_api }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tuple "volumev3" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+  ports:
+    - name: c-api
+      port: {{ tuple "volumev3" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+    {{ if .Values.network.api.node_port.enabled }}
+      nodePort: {{ .Values.network.api.node_port.port }}
+    {{ end }}
+  selector:
+{{ tuple $envAll "cinder" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  {{ if .Values.network.api.node_port.enabled }}
+  type: NodePort
+  {{ if .Values.network.api.external_policy_local }}
+  externalTrafficPolicy: Local
+  {{ end }}
+  {{ end }}
+{{- end }}
diff --git a/charts/cinder/templates/service-ingress-api.yaml b/charts/cinder/templates/service-ingress-api.yaml
new file mode 100644
index 0000000..ff0d27e
--- /dev/null
+++ b/charts/cinder/templates/service-ingress-api.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_ingress_api .Values.network.api.ingress.public }}
+{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "volumev3" -}}
+{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
+{{- end }}
diff --git a/charts/cinder/templates/utils/_ceph_backend_list.tpl b/charts/cinder/templates/utils/_ceph_backend_list.tpl
new file mode 100644
index 0000000..f976127
--- /dev/null
+++ b/charts/cinder/templates/utils/_ceph_backend_list.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- /*
+    Return string with all ceph backends separated by comma. The list
+    is either empty or it starts with a comma. Assuming "a", "b" and
+    "c" are ceph backends then ceph_backend_list returns ",a,b,c".
+    This means the first element in the returned list representation
+    can always be skipped.
+
+    Usage:
+        range $name := rest (splitList include "cinder.utils.ceph_backend_list" $)
+*/ -}}
+{{- define "cinder.utils.ceph_backend_list" -}}
+  {{- range $name, $backend := .Values.conf.backends -}}
+    {{- if kindIs "map" $backend }}
+      {{- if (eq $backend.volume_driver "cinder.volume.drivers.rbd.RBDDriver") -}}
+        {{- "," -}}
+        {{- $name -}}
+      {{- end -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
diff --git a/charts/cinder/templates/utils/_has_ceph_backend.tpl b/charts/cinder/templates/utils/_has_ceph_backend.tpl
new file mode 100644
index 0000000..bf975bb
--- /dev/null
+++ b/charts/cinder/templates/utils/_has_ceph_backend.tpl
@@ -0,0 +1,23 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "cinder.utils.has_ceph_backend" -}}
+  {{- $has_ceph := false -}}
+  {{- range $_, $backend := .Values.conf.backends -}}
+    {{- if kindIs "map" $backend -}}
+      {{- $has_ceph = or $has_ceph (eq $backend.volume_driver "cinder.volume.drivers.rbd.RBDDriver") -}}
+    {{- end -}}
+  {{- end -}}
+  {{- $has_ceph -}}
+{{- end -}}
diff --git a/charts/cinder/templates/utils/_is_ceph_backend.tpl b/charts/cinder/templates/utils/_is_ceph_backend.tpl
new file mode 100644
index 0000000..3cba439
--- /dev/null
+++ b/charts/cinder/templates/utils/_is_ceph_backend.tpl
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "cinder.utils.is_ceph_backend" -}}
+{{- $backend := index . "backend" -}}
+{{- printf "%v" (and ( kindIs "map" $backend ) ( eq $backend.volume_driver "cinder.volume.drivers.rbd.RBDDriver" )) -}}
+{{- end -}}
diff --git a/charts/cinder/values.yaml b/charts/cinder/values.yaml
new file mode 100644
index 0000000..647a049
--- /dev/null
+++ b/charts/cinder/values.yaml
@@ -0,0 +1,1518 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for cinder.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+---
+storage: ceph
+
+labels:
+  api:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  backup:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  job:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  scheduler:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  test:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  volume:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+
+release_group: null
+
+images:
+  tags:
+    test: docker.io/xrally/xrally-openstack:2.0.0
+    db_init: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
+    cinder_db_sync: docker.io/openstackhelm/cinder:ussuri-ubuntu_bionic
+    db_drop: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
+    rabbit_init: docker.io/rabbitmq:3.7-management
+    ks_user: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
+    ks_service: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
+    ks_endpoints: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
+    cinder_api: docker.io/openstackhelm/cinder:ussuri-ubuntu_bionic
+    bootstrap: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
+    cinder_scheduler: docker.io/openstackhelm/cinder:ussuri-ubuntu_bionic
+    cinder_volume: docker.io/openstackhelm/cinder:ussuri-ubuntu_bionic
+    cinder_volume_usage_audit: docker.io/openstackhelm/cinder:ussuri-ubuntu_bionic
+    cinder_storage_init: docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_bionic
+    cinder_backup: docker.io/openstackhelm/cinder:ussuri-ubuntu_bionic
+    cinder_backup_storage_init: docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_bionic
+    dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    image_repo_sync: docker.io/docker:17.07.0
+  pull_policy: "IfNotPresent"
+  local_registry:
+    active: false
+    exclude:
+      - dep_check
+      - image_repo_sync
+
+jobs:
+  volume_usage_audit:
+    cron: "5 * * * *"
+    starting_deadline: 600
+    history:
+      success: 3
+      failed: 1
+
+pod:
+  security_context:
+    volume_usage_audit:
+      pod:
+        runAsUser: 42424
+      container:
+        cinder_volume_usage_audit:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+    cinder_api:
+      pod:
+        runAsUser: 42424
+      container:
+        ceph_coordination_volume_perms:
+          runAsUser: 0
+          readOnlyRootFilesystem: true
+        cinder_api:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+    cinder_backup:
+      pod:
+        runAsUser: 42424
+      container:
+        ceph_backup_keyring_placement:
+          runAsUser: 0
+          readOnlyRootFilesystem: true
+        ceph_keyring_placement:
+          runAsUser: 0
+          readOnlyRootFilesystem: true
+        ceph_backup_volume_perms:
+          runAsUser: 0
+          readOnlyRootFilesystem: true
+        ceph_coordination_volume_perms:
+          runAsUser: 0
+          readOnlyRootFilesystem: true
+        cinder_backup:
+          capabilities:
+            add:
+              - SYS_ADMIN
+          readOnlyRootFilesystem: true
+          runAsUser: 0
+    cinder_scheduler:
+      pod:
+        runAsUser: 42424
+      container:
+        ceph_coordination_volume_perms:
+          runAsUser: 0
+          readOnlyRootFilesystem: true
+        cinder_scheduler:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+    cinder_volume:
+      pod:
+        runAsUser: 42424
+      container:
+        ceph_keyring_placement:
+          runAsUser: 0
+          readOnlyRootFilesystem: true
+        ceph_coordination_volume_perms:
+          runAsUser: 0
+          readOnlyRootFilesystem: true
+        init_cinder_conf:
+          runAsUser: 0
+          readOnlyRootFilesystem: true
+        cinder_volume:
+          readOnlyRootFilesystem: true
+    storage_init:
+      pod:
+        runAsUser: 42424
+      container:
+        ceph_keyring_placement:
+          runAsUser: 0
+          readOnlyRootFilesystem: true
+        cinder_backup_storage_init:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+    clean:
+      pod:
+        runAsUser: 42424
+      container:
+        cinder_volume_rbd_secret_clean:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+    create_internal_tenant:
+      pod:
+        runAsUser: 42424
+      container:
+        create_internal_tenant:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+  affinity:
+    anti:
+      type:
+        default: preferredDuringSchedulingIgnoredDuringExecution
+      topologyKey:
+        default: kubernetes.io/hostname
+      weight:
+        default: 10
+  tolerations:
+    cinder:
+      enabled: false
+      tolerations:
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: NoSchedule
+  useHostNetwork:
+    volume: false
+    backup: false
+  mounts:
+    cinder_api:
+      init_container: null
+      cinder_api:
+        volumeMounts:
+        volumes:
+    cinder_scheduler:
+      init_container: null
+      cinder_scheduler:
+        volumeMounts:
+        volumes:
+    cinder_volume:
+      init_container: null
+      cinder_volume:
+        volumeMounts:
+        volumes:
+    cinder_volume_usage_audit:
+      init_container: null
+      cinder_volume_usage_audit:
+        volumeMounts:
+        volumes:
+    cinder_backup:
+      init_container: null
+      cinder_backup:
+        volumeMounts:
+        volumes:
+    cinder_tests:
+      init_container: null
+      cinder_tests:
+        volumeMounts:
+        volumes:
+    cinder_db_sync:
+      cinder_db_sync:
+        volumeMounts:
+        volumes:
+  replicas:
+    api: 1
+    volume: 1
+    scheduler: 1
+    backup: 1
+  lifecycle:
+    upgrades:
+      deployments:
+        revision_history: 3
+        pod_replacement_strategy: RollingUpdate
+        rolling_update:
+          max_unavailable: 1
+          max_surge: 3
+    disruption_budget:
+      api:
+        min_available: 0
+    termination_grace_period:
+      api:
+        timeout: 30
+  resources:
+    enabled: false
+    api:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+    scheduler:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+    volume:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+    jobs:
+      volume_usage_audit:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      bootstrap:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      rabbit_init:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      db_init:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      db_sync:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      db_drop:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      clean:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      backup_storage_init:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      storage_init:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      ks_endpoints:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      ks_service:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      ks_user:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      tests:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      image_repo_sync:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+
+bootstrap:
+  enabled: true
+  ks_user: admin
+  bootstrap_conf_backends: true
+  volume_types:
+    name:
+      group:
+      volume_backend_name:
+      # access_type: "private"
+      # If you set up access_type to private, only the creator
+      # will get an access to the volume type. You can extend
+      # the access to your volume type by providing a list of
+      # domain names and projects as shown below
+      # grant_access:
+      #   <domain name 1>:
+      #     - <project name 1>
+      #     - <project name 2>
+      #     <...>
+      #   <domain name 2>:
+      #     - <project name 1>
+      #     <...>
+  # Volume QoS if any. By default, None QoS is created.
+  # Below values with a number at the end need to be replaced
+  # with real names.
+  # volume_qos:
+  #   qos_name_1:
+  #     consumer: front-end
+  #     properties:
+  #       key_1: value_1
+  #       key_2: value_2
+  #     associates:
+  #       - volume_type_1
+  #       - volume_type_2
+
+network:
+  api:
+    ingress:
+      public: true
+      classes:
+        namespace: "nginx"
+        cluster: "nginx-cluster"
+      annotations:
+        nginx.ingress.kubernetes.io/rewrite-target: /
+    external_policy_local: false
+    node_port:
+      enabled: false
+      port: 30877
+
+ceph_client:
+  # enable this when there is a need to create second ceph backed pointing
+  # to external ceph cluster
+  enable_external_ceph_backend: false
+  # change this in case of first ceph backend name pointing to internal ceph cluster
+  # is diffrent
+  internal_ceph_backend: rbd1
+  configmap: ceph-etc
+  user_secret_name: pvc-ceph-client-key
+  external_ceph:
+    # Only when enable_external_ceph_backend is true and rbd_user is NOT null
+    # secret for external ceph keyring will be created.
+    rbd_user: null
+    rbd_user_keyring: null
+    conf:
+      global: null
+      osd: null
+conf:
+  paste:
+    composite:osapi_volume:
+      use: call:cinder.api:root_app_factory
+      /: apiversions
+      /v3: openstack_volume_api_v3
+    composite:openstack_volume_api_v3:
+      use: call:cinder.api.middleware.auth:pipeline_factory
+      noauth: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv3
+      keystone: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken audit keystonecontext apiv3
+      keystone_nolimit: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken audit keystonecontext apiv3
+    filter:request_id:
+      paste.filter_factory: oslo_middleware.request_id:RequestId.factory
+    filter:http_proxy_to_wsgi:
+      paste.filter_factory: oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
+    filter:cors:
+      paste.filter_factory: oslo_middleware.cors:filter_factory
+      oslo_config_project: cinder
+    filter:faultwrap:
+      paste.filter_factory: cinder.api.middleware.fault:FaultWrapper.factory
+    filter:osprofiler:
+      paste.filter_factory: osprofiler.web:WsgiMiddleware.factory
+    filter:noauth:
+      paste.filter_factory: cinder.api.middleware.auth:NoAuthMiddleware.factory
+    filter:sizelimit:
+      paste.filter_factory: oslo_middleware.sizelimit:RequestBodySizeLimiter.factory
+    app:apiv3:
+      paste.app_factory: cinder.api.v3.router:APIRouter.factory
+    pipeline:apiversions:
+      pipeline: cors http_proxy_to_wsgi faultwrap osvolumeversionapp
+    app:osvolumeversionapp:
+      paste.app_factory: cinder.api.versions:Versions.factory
+    filter:keystonecontext:
+      paste.filter_factory: cinder.api.middleware.auth:CinderKeystoneContext.factory
+    filter:authtoken:
+      paste.filter_factory: keystonemiddleware.auth_token:filter_factory
+    filter:audit:
+      paste.filter_factory: keystonemiddleware.audit:filter_factory
+      audit_map_file: /etc/cinder/api_audit_map.conf
+  policy:
+    context_is_admin: role:admin
+    admin_or_owner: is_admin:True or project_id:%(project_id)s
+    default: rule:admin_or_owner
+    admin_api: is_admin:True
+    volume:create: ''
+    volume:delete: rule:admin_or_owner
+    volume:get: rule:admin_or_owner
+    volume:get_all: rule:admin_or_owner
+    volume:get_volume_metadata: rule:admin_or_owner
+    volume:create_volume_metadata: rule:admin_or_owner
+    volume:delete_volume_metadata: rule:admin_or_owner
+    volume:update_volume_metadata: rule:admin_or_owner
+    volume:get_volume_admin_metadata: rule:admin_api
+    volume:update_volume_admin_metadata: rule:admin_api
+    volume:get_snapshot: rule:admin_or_owner
+    volume:get_all_snapshots: rule:admin_or_owner
+    volume:create_snapshot: rule:admin_or_owner
+    volume:delete_snapshot: rule:admin_or_owner
+    volume:update_snapshot: rule:admin_or_owner
+    volume:get_snapshot_metadata: rule:admin_or_owner
+    volume:delete_snapshot_metadata: rule:admin_or_owner
+    volume:update_snapshot_metadata: rule:admin_or_owner
+    volume:extend: rule:admin_or_owner
+    volume:update_readonly_flag: rule:admin_or_owner
+    volume:retype: rule:admin_or_owner
+    volume:update: rule:admin_or_owner
+    volume_extension:types_manage: rule:admin_api
+    volume_extension:types_extra_specs: rule:admin_api
+    volume_extension:access_types_qos_specs_id: rule:admin_api
+    volume_extension:access_types_extra_specs: rule:admin_api
+    volume_extension:volume_type_access: rule:admin_or_owner
+    volume_extension:volume_type_access:addProjectAccess: rule:admin_api
+    volume_extension:volume_type_access:removeProjectAccess: rule:admin_api
+    volume_extension:volume_type_encryption: rule:admin_api
+    volume_extension:volume_encryption_metadata: rule:admin_or_owner
+    volume_extension:extended_snapshot_attributes: rule:admin_or_owner
+    volume_extension:volume_image_metadata: rule:admin_or_owner
+    volume_extension:quotas:show: ''
+    volume_extension:quotas:update: rule:admin_api
+    volume_extension:quotas:delete: rule:admin_api
+    volume_extension:quota_classes: rule:admin_api
+    volume_extension:quota_classes:validate_setup_for_nested_quota_use: rule:admin_api
+    volume_extension:volume_admin_actions:reset_status: rule:admin_api
+    volume_extension:snapshot_admin_actions:reset_status: rule:admin_api
+    volume_extension:backup_admin_actions:reset_status: rule:admin_api
+    volume_extension:volume_admin_actions:force_delete: rule:admin_api
+    volume_extension:volume_admin_actions:force_detach: rule:admin_api
+    volume_extension:snapshot_admin_actions:force_delete: rule:admin_api
+    volume_extension:backup_admin_actions:force_delete: rule:admin_api
+    volume_extension:volume_admin_actions:migrate_volume: rule:admin_api
+    volume_extension:volume_admin_actions:migrate_volume_completion: rule:admin_api
+    volume_extension:volume_actions:upload_public: rule:admin_api
+    volume_extension:volume_actions:upload_image: rule:admin_or_owner
+    volume_extension:volume_host_attribute: rule:admin_api
+    volume_extension:volume_tenant_attribute: rule:admin_or_owner
+    volume_extension:volume_mig_status_attribute: rule:admin_api
+    volume_extension:hosts: rule:admin_api
+    volume_extension:services:index: rule:admin_api
+    volume_extension:services:update: rule:admin_api
+    volume_extension:volume_manage: rule:admin_api
+    volume_extension:volume_unmanage: rule:admin_api
+    volume_extension:list_manageable: rule:admin_api
+    volume_extension:capabilities: rule:admin_api
+    volume:create_transfer: rule:admin_or_owner
+    volume:accept_transfer: ''
+    volume:delete_transfer: rule:admin_or_owner
+    volume:get_transfer: rule:admin_or_owner
+    volume:get_all_transfers: rule:admin_or_owner
+    volume_extension:replication:promote: rule:admin_api
+    volume_extension:replication:reenable: rule:admin_api
+    volume:failover_host: rule:admin_api
+    volume:freeze_host: rule:admin_api
+    volume:thaw_host: rule:admin_api
+    backup:create: ''
+    backup:delete: rule:admin_or_owner
+    backup:get: rule:admin_or_owner
+    backup:get_all: rule:admin_or_owner
+    backup:restore: rule:admin_or_owner
+    backup:backup-import: rule:admin_api
+    backup:backup-export: rule:admin_api
+    backup:update: rule:admin_or_owner
+    snapshot_extension:snapshot_actions:update_snapshot_status: ''
+    snapshot_extension:snapshot_manage: rule:admin_api
+    snapshot_extension:snapshot_unmanage: rule:admin_api
+    snapshot_extension:list_manageable: rule:admin_api
+    consistencygroup:create: group:nobody
+    consistencygroup:delete: group:nobody
+    consistencygroup:update: group:nobody
+    consistencygroup:get: group:nobody
+    consistencygroup:get_all: group:nobody
+    consistencygroup:create_cgsnapshot: group:nobody
+    consistencygroup:delete_cgsnapshot: group:nobody
+    consistencygroup:get_cgsnapshot: group:nobody
+    consistencygroup:get_all_cgsnapshots: group:nobody
+    group:group_types_manage: rule:admin_api
+    group:group_types_specs: rule:admin_api
+    group:access_group_types_specs: rule:admin_api
+    group:group_type_access: rule:admin_or_owner
+    group:create: ''
+    group:delete: rule:admin_or_owner
+    group:update: rule:admin_or_owner
+    group:get: rule:admin_or_owner
+    group:get_all: rule:admin_or_owner
+    group:create_group_snapshot: ''
+    group:delete_group_snapshot: rule:admin_or_owner
+    group:update_group_snapshot: rule:admin_or_owner
+    group:get_group_snapshot: rule:admin_or_owner
+    group:get_all_group_snapshots: rule:admin_or_owner
+    scheduler_extension:scheduler_stats:get_pools: rule:admin_api
+    message:delete: rule:admin_or_owner
+    message:get: rule:admin_or_owner
+    message:get_all: rule:admin_or_owner
+    clusters:get: rule:admin_api
+    clusters:get_all: rule:admin_api
+    clusters:update: rule:admin_api
+  api_audit_map:
+    DEFAULT:
+      target_endpoint_type: None
+    custom_actions:
+      associate: update/associate
+      disassociate: update/disassociate_all
+      disassociate_all: update/disassociate_all
+      associations: read/list/associations
+    path_keywords:
+      defaults: None
+      detail: None
+      limits: None
+      os-quota-specs: project
+      qos-specs: qos-spec
+      snapshots: snapshot
+      types: type
+      volumes: volume
+    service_endpoints:
+      volumev3: service/storage/block
+  cinder_sudoers: |
+    # This sudoers file supports rootwrap for both Kolla and LOCI Images.
+    Defaults !requiretty
+    Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin"
+    cinder ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/cinder-rootwrap /etc/cinder/rootwrap.conf *, /var/lib/openstack/bin/cinder-rootwrap /etc/cinder/rootwrap.conf *
+  rootwrap: |
+    # Configuration for cinder-rootwrap
+    # This file should be owned by (and only-writeable by) the root user
+
+    [DEFAULT]
+    # List of directories to load filter definitions from (separated by ',').
+    # These directories MUST all be only writeable by root !
+    filters_path=/etc/cinder/rootwrap.d
+
+    # List of directories to search executables in, in case filters do not
+    # explicitely specify a full path (separated by ',')
+    # If not specified, defaults to system PATH environment variable.
+    # These directories MUST all be only writeable by root !
+    exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/var/lib/openstack/bin,/var/lib/kolla/venv/bin
+
+    # Enable logging to syslog
+    # Default value is False
+    use_syslog=False
+
+    # Which syslog facility to use.
+    # Valid values include auth, authpriv, syslog, local0, local1...
+    # Default value is 'syslog'
+    syslog_log_facility=syslog
+
+    # Which messages to log.
+    # INFO means log all usage
+    # ERROR means only log unsuccessful attempts
+    syslog_log_level=ERROR
+  rootwrap_filters:
+    volume:
+      pods:
+        - volume
+      content: |
+        # cinder-rootwrap command filters for volume nodes
+        # This file should be owned by (and only-writeable by) the root user
+
+        [Filters]
+        # cinder/volume/iscsi.py: iscsi_helper '--op' ...
+        ietadm: CommandFilter, ietadm, root
+        tgtadm: CommandFilter, tgtadm, root
+        iscsictl: CommandFilter, iscsictl, root
+        tgt-admin: CommandFilter, tgt-admin, root
+        cinder-rtstool: CommandFilter, cinder-rtstool, root
+        scstadmin: CommandFilter, scstadmin, root
+
+        # LVM related show commands
+        pvs: EnvFilter, env, root, LC_ALL=C, pvs
+        vgs: EnvFilter, env, root, LC_ALL=C, vgs
+        lvs: EnvFilter, env, root, LC_ALL=C, lvs
+        lvdisplay: EnvFilter, env, root, LC_ALL=C, lvdisplay
+
+        # -LVM related show commands with suppress fd warnings
+        pvs_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, pvs
+        vgs_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, vgs
+        lvs_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvs
+        lvdisplay_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvdisplay
+
+
+        # -LVM related show commands conf var
+        pvs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, pvs
+        vgs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, vgs
+        lvs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvs
+        lvdisplay_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvdisplay
+
+        # -LVM conf var with suppress fd_warnings
+        pvs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, pvs
+        vgs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, vgs
+        lvs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvs
+        lvdisplay_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvdisplay
+
+        # os-brick library commands
+        # os_brick.privileged.run_as_root oslo.privsep context
+        # This line ties the superuser privs with the config files, context name,
+        # and (implicitly) the actual python code invoked.
+        privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*
+        # The following and any cinder/brick/* entries should all be obsoleted
+        # by privsep, and may be removed once the os-brick version requirement
+        # is updated appropriately.
+        scsi_id: CommandFilter, /lib/udev/scsi_id, root
+        drbdadm: CommandFilter, drbdadm, root
+
+        # cinder/brick/local_dev/lvm.py: 'vgcreate', vg_name, pv_list
+        vgcreate: CommandFilter, vgcreate, root
+
+        # cinder/brick/local_dev/lvm.py: 'lvcreate', '-L', sizestr, '-n', volume_name,..
+        # cinder/brick/local_dev/lvm.py: 'lvcreate', '-L', ...
+        lvcreate: EnvFilter, env, root, LC_ALL=C, lvcreate
+        lvcreate_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvcreate
+        lvcreate_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvcreate
+        lvcreate_lvmconf_fdwarn: EnvFilter, env, root, LVM_SYSTEM_DIR=, LVM_SUPPRESS_FD_WARNINGS=, LC_ALL=C, lvcreate
+
+        # cinder/volume/driver.py: 'dd', 'if=%s' % srcstr, 'of=%s' % deststr,...
+        dd: CommandFilter, dd, root
+
+        # cinder/volume/driver.py: 'lvremove', '-f', %s/%s % ...
+        lvremove: CommandFilter, lvremove, root
+
+        # cinder/volume/driver.py: 'lvrename', '%(vg)s', '%(orig)s' '(new)s'...
+        lvrename: CommandFilter, lvrename, root
+
+        # cinder/brick/local_dev/lvm.py: 'lvextend', '-L' '%(new_size)s', '%(lv_name)s' ...
+        # cinder/brick/local_dev/lvm.py: 'lvextend', '-L' '%(new_size)s', '%(thin_pool)s' ...
+        lvextend: EnvFilter, env, root, LC_ALL=C, lvextend
+        lvextend_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvextend
+        lvextend_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvextend
+        lvextend_lvmconf_fdwarn: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvextend
+
+        # cinder/brick/local_dev/lvm.py: 'lvchange -a y -K <lv>'
+        lvchange: CommandFilter, lvchange, root
+
+        # cinder/brick/local_dev/lvm.py: 'lvconvert', '--merge', snapshot_name
+        lvconvert: CommandFilter, lvconvert, root
+
+        # cinder/volume/driver.py: 'iscsiadm', '-m', 'discovery', '-t',...
+        # cinder/volume/driver.py: 'iscsiadm', '-m', 'node', '-T', ...
+        iscsiadm: CommandFilter, iscsiadm, root
+
+        # cinder/volume/utils.py: utils.temporary_chown(path, 0)
+        chown: CommandFilter, chown, root
+
+        # cinder/volume/utils.py: copy_volume(..., ionice='...')
+        ionice_1: ChainingRegExpFilter, ionice, root, ionice, -c[0-3], -n[0-7]
+        ionice_2: ChainingRegExpFilter, ionice, root, ionice, -c[0-3]
+
+        # cinder/volume/utils.py: setup_blkio_cgroup()
+        cgcreate: CommandFilter, cgcreate, root
+        cgset: CommandFilter, cgset, root
+        cgexec: ChainingRegExpFilter, cgexec, root, cgexec, -g, blkio:\S+
+
+        # cinder/volume/driver.py
+        dmsetup: CommandFilter, dmsetup, root
+        ln: CommandFilter, ln, root
+
+        # cinder/image/image_utils.py
+        qemu-img: EnvFilter, env, root, LC_ALL=C, qemu-img
+        qemu-img_convert: CommandFilter, qemu-img, root
+
+        udevadm: CommandFilter, udevadm, root
+
+        # cinder/volume/driver.py: utils.read_file_as_root()
+        cat: CommandFilter, cat, root
+
+        # cinder/volume/nfs.py
+        stat: CommandFilter, stat, root
+        mount: CommandFilter, mount, root
+        df: CommandFilter, df, root
+        du: CommandFilter, du, root
+        truncate: CommandFilter, truncate, root
+        chmod: CommandFilter, chmod, root
+        rm: CommandFilter, rm, root
+
+        # cinder/volume/drivers/remotefs.py
+        mkdir: CommandFilter, mkdir, root
+
+        # cinder/volume/drivers/netapp/nfs.py:
+        netapp_nfs_find: RegExpFilter, find, root, find, ^[/]*([^/\0]+(/+)?)*$, -maxdepth, \d+, -name, img-cache.*, -amin, \+\d+
+
+        # cinder/volume/drivers/glusterfs.py
+        chgrp: CommandFilter, chgrp, root
+        umount: CommandFilter, umount, root
+        fallocate: CommandFilter, fallocate, root
+
+        # cinder/volumes/drivers/hds/hds.py:
+        hus-cmd: CommandFilter, hus-cmd, root
+        hus-cmd_local: CommandFilter, /usr/local/bin/hus-cmd, root
+
+        # cinder/volumes/drivers/hds/hnas_backend.py
+        ssc: CommandFilter, ssc, root
+
+        # cinder/brick/initiator/connector.py:
+        ls: CommandFilter, ls, root
+        tee: CommandFilter, tee, root
+        multipath: CommandFilter, multipath, root
+        multipathd: CommandFilter, multipathd, root
+        systool: CommandFilter, systool, root
+
+        # cinder/volume/drivers/block_device.py
+        blockdev: CommandFilter, blockdev, root
+
+        # cinder/volume/drivers/ibm/gpfs.py
+        # cinder/volume/drivers/tintri.py
+        mv: CommandFilter, mv, root
+
+        # cinder/volume/drivers/ibm/gpfs.py
+        cp: CommandFilter, cp, root
+        mmgetstate: CommandFilter, /usr/lpp/mmfs/bin/mmgetstate, root
+        mmclone: CommandFilter, /usr/lpp/mmfs/bin/mmclone, root
+        mmlsattr: CommandFilter, /usr/lpp/mmfs/bin/mmlsattr, root
+        mmchattr: CommandFilter, /usr/lpp/mmfs/bin/mmchattr, root
+        mmlsconfig: CommandFilter, /usr/lpp/mmfs/bin/mmlsconfig, root
+        mmlsfs: CommandFilter, /usr/lpp/mmfs/bin/mmlsfs, root
+        mmlspool: CommandFilter, /usr/lpp/mmfs/bin/mmlspool, root
+        mkfs: CommandFilter, mkfs, root
+        mmcrfileset: CommandFilter, /usr/lpp/mmfs/bin/mmcrfileset, root
+        mmlinkfileset: CommandFilter, /usr/lpp/mmfs/bin/mmlinkfileset, root
+        mmunlinkfileset: CommandFilter, /usr/lpp/mmfs/bin/mmunlinkfileset, root
+        mmdelfileset: CommandFilter, /usr/lpp/mmfs/bin/mmdelfileset, root
+        mmcrsnapshot: CommandFilter, /usr/lpp/mmfs/bin/mmcrsnapshot, root
+        mmdelsnapshot: CommandFilter, /usr/lpp/mmfs/bin/mmdelsnapshot, root
+
+        # cinder/volume/drivers/ibm/gpfs.py
+        # cinder/volume/drivers/ibm/ibmnas.py
+        find_maxdepth_inum: RegExpFilter, find, root, find, ^[/]*([^/\0]+(/+)?)*$, -maxdepth, \d+, -ignore_readdir_race, -inum, \d+, -print0, -quit
+
+        # cinder/brick/initiator/connector.py:
+        aoe-revalidate: CommandFilter, aoe-revalidate, root
+        aoe-discover: CommandFilter, aoe-discover, root
+        aoe-flush: CommandFilter, aoe-flush, root
+
+        # cinder/brick/initiator/linuxscsi.py:
+        sg_scan: CommandFilter, sg_scan, root
+
+        #cinder/backup/services/tsm.py
+        dsmc:CommandFilter,/usr/bin/dsmc,root
+
+        # cinder/volume/drivers/hitachi/hbsd_horcm.py
+        raidqry: CommandFilter, raidqry, root
+        raidcom: CommandFilter, raidcom, root
+        pairsplit: CommandFilter, pairsplit, root
+        paircreate: CommandFilter, paircreate, root
+        pairdisplay: CommandFilter, pairdisplay, root
+        pairevtwait: CommandFilter, pairevtwait, root
+        horcmstart.sh: CommandFilter, horcmstart.sh, root
+        horcmshutdown.sh: CommandFilter, horcmshutdown.sh, root
+        horcmgr: EnvFilter, env, root, HORCMINST=, /etc/horcmgr
+
+        # cinder/volume/drivers/hitachi/hbsd_snm2.py
+        auman: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auman
+        auluref: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auluref
+        auhgdef: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auhgdef
+        aufibre1: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/aufibre1
+        auhgwwn: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auhgwwn
+        auhgmap: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auhgmap
+        autargetmap: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/autargetmap
+        aureplicationvvol: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/aureplicationvvol
+        auluadd: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auluadd
+        auludel: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auludel
+        auluchgsize: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auluchgsize
+        auchapuser: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auchapuser
+        autargetdef: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/autargetdef
+        autargetopt: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/autargetopt
+        autargetini: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/autargetini
+        auiscsi: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auiscsi
+        audppool: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/audppool
+        aureplicationlocal: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/aureplicationlocal
+        aureplicationmon: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/aureplicationmon
+
+        # cinder/volume/drivers/hgst.py
+        vgc-cluster: CommandFilter, vgc-cluster, root
+
+        # cinder/volume/drivers/vzstorage.py
+        pstorage-mount: CommandFilter, pstorage-mount, root
+        pstorage: CommandFilter, pstorage, root
+        ploop: CommandFilter, ploop, root
+
+        # initiator/connector.py:
+        drv_cfg: CommandFilter, /opt/emc/scaleio/sdc/bin/drv_cfg, root, /opt/emc/scaleio/sdc/bin/drv_cfg, --query_guid
+  ceph:
+    override:
+    append:
+    monitors: []
+    admin_keyring: null
+    pools:
+      backup:
+        replication: 3
+        crush_rule: replicated_rule
+        chunk_size: 8
+        app_name: cinder-backup
+      cinder.volumes:
+        replication: 3
+        crush_rule: replicated_rule
+        chunk_size: 8
+        app_name: cinder-volume
+  cinder:
+    DEFAULT:
+      volume_usage_audit_period: hour
+      resource_query_filters_file: /etc/cinder/resource_filters.json
+      log_config_append: /etc/cinder/logging.conf
+      use_syslog: false
+      use_stderr: true
+      enable_v1_api: false
+      volume_name_template: "%s"
+      osapi_volume_workers: 1
+      glance_api_version: 2
+      os_region_name: RegionOne
+      host: cinder-volume-worker
+      # NOTE(portdirect): the bind port should not be defined, and is manipulated
+      # via the endpoints section.
+      osapi_volume_listen_port: null
+      enabled_backends: "rbd1"
+      default_volume_type: "rbd1"
+      # NOTE(portdirect): "cinder.backup.drivers.ceph"  and
+      # "cinder.backup.drivers.posix" also supported
+      # NOTE(rchurch): As of Stein, drivers by class name are required
+      # - cinder.backup.drivers.swift.SwiftBackupDriver
+      # - cinder.backup.drivers.ceph.CephBackupDriver
+      # - cinder.backup.drivers.posix.PosixBackupDriver
+      backup_driver: "cinder.backup.drivers.swift.SwiftBackupDriver"
+      # Backup: Ceph RBD options
+      backup_ceph_conf: "/etc/ceph/ceph.conf"
+      backup_ceph_user: cinderbackup
+      backup_ceph_pool: cinder.backups
+      # Backup: Posix options
+      backup_posix_path: /var/lib/cinder/backup
+      auth_strategy: keystone
+      # Internal tenant id
+      internal_project_name: internal_cinder
+      internal_user_name: internal_cinder
+    database:
+      max_retries: -1
+    keystone_authtoken:
+      auth_version: v3
+      auth_type: password
+      memcache_security_strategy: ENCRYPT
+    oslo_policy:
+      policy_file: /etc/cinder/policy.yaml
+    oslo_concurrency:
+      lock_path: "/var/lib/cinder/tmp"
+    oslo_messaging_notifications:
+      driver: messagingv2
+    oslo_middleware:
+      enable_proxy_headers_parsing: true
+    oslo_messaging_rabbit:
+      rabbit_ha_queues: true
+    coordination:
+      backend_url: file:///var/lib/cinder/coordination
+    service_user:
+      auth_type: password
+      send_service_user_token: false
+  logging:
+    loggers:
+      keys:
+        - root
+        - cinder
+    handlers:
+      keys:
+        - stdout
+        - stderr
+        - "null"
+    formatters:
+      keys:
+        - context
+        - default
+    logger_root:
+      level: WARNING
+      handlers: 'null'
+    logger_cinder:
+      level: INFO
+      handlers:
+        - stdout
+      qualname: cinder
+    logger_amqp:
+      level: WARNING
+      handlers: stderr
+      qualname: amqp
+    logger_amqplib:
+      level: WARNING
+      handlers: stderr
+      qualname: amqplib
+    logger_eventletwsgi:
+      level: WARNING
+      handlers: stderr
+      qualname: eventlet.wsgi.server
+    logger_sqlalchemy:
+      level: WARNING
+      handlers: stderr
+      qualname: sqlalchemy
+    logger_boto:
+      level: WARNING
+      handlers: stderr
+      qualname: boto
+    handler_null:
+      class: logging.NullHandler
+      formatter: default
+      args: ()
+    handler_stdout:
+      class: StreamHandler
+      args: (sys.stdout,)
+      formatter: context
+    handler_stderr:
+      class: StreamHandler
+      args: (sys.stderr,)
+      formatter: context
+    formatter_context:
+      class: oslo_log.formatters.ContextFormatter
+      datefmt: "%Y-%m-%d %H:%M:%S"
+    formatter_default:
+      format: "%(message)s"
+      datefmt: "%Y-%m-%d %H:%M:%S"
+  rabbitmq:
+    # NOTE(rk760n): adding rmq policy to mirror messages from notification queues and set expiration time for the ones
+    policies:
+      - vhost: "cinder"
+        name: "ha_ttl_cinder"
+        definition:
+          # mirror messges to other nodes in rmq cluster
+          ha-mode: "all"
+          ha-sync-mode: "automatic"
+          # 70s
+          message-ttl: 70000
+        priority: 0
+        apply-to: all
+        pattern: '^(?!(amq\.|reply_)).*'
+
+  backends:
+    # Those options will be written to backends.conf as-is.
+    rbd1:
+      volume_driver: cinder.volume.drivers.rbd.RBDDriver
+      volume_backend_name: rbd1
+      rbd_pool: cinder.volumes
+      rbd_ceph_conf: "/etc/ceph/ceph.conf"
+      rbd_flatten_volume_from_snapshot: false
+      report_discard_supported: true
+      rbd_max_clone_depth: 5
+      rbd_store_chunk_size: 4
+      rados_connect_timeout: -1
+      rbd_user: cinder
+      rbd_secret_uuid: 457eb676-33da-42ec-9a8c-9293d545c337
+      image_volume_cache_enabled: True
+      image_volume_cache_max_size_gb: 200
+      image_volume_cache_max_count: 50
+  rally_tests:
+    run_tempest: false
+    clean_up: |
+      VOLUMES=$(openstack volume list -f value | grep -e "^s_rally_" | awk '{ print $1 }')
+      if [ -n "$VOLUMES" ]; then
+        echo $VOLUMES | xargs openstack volume delete
+      fi
+    tests:
+      CinderVolumes.create_and_delete_volume:
+        - args:
+            size: 1
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+        - args:
+            size:
+              max: 5
+              min: 1
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+  resource_filters:
+    volume:
+      - name
+      - status
+      - metadata
+      - bootable
+      - migration_status
+      - availability_zone
+      - group_id
+    backup:
+      - name
+      - status
+      - volume_id
+    snapshot:
+      - name
+      - status
+      - volume_id
+      - metadata
+      - availability_zone
+    group: []
+    group_snapshot:
+      - status
+      - group_id
+    attachment:
+      - volume_id
+      - status
+      - instance_id
+      - attach_status
+    message:
+      - resource_uuid
+      - resource_type
+      - event_id
+      - request_id
+      - message_level
+    pool:
+      - name
+      - volume_type
+    volume_type: []
+  enable_iscsi: false
+backup:
+  external_ceph_rbd:
+    enabled: false
+    admin_keyring: null
+    conf:
+      global: null
+      osd: null
+  posix:
+    volume:
+      class_name: general
+      size: 10Gi
+
+dependencies:
+  dynamic:
+    common:
+      local_image_registry:
+        jobs:
+          - cinder-image-repo-sync
+        services:
+          - endpoint: node
+            service: local_image_registry
+  static:
+    api:
+      jobs:
+        - cinder-db-sync
+        - cinder-ks-user
+        - cinder-ks-endpoints
+        - cinder-rabbit-init
+        - cinder-storage-init
+      services:
+        - endpoint: internal
+          service: oslo_db
+        - endpoint: internal
+          service: identity
+    backup:
+      jobs:
+        - cinder-db-sync
+        - cinder-ks-user
+        - cinder-ks-endpoints
+        - cinder-rabbit-init
+        - cinder-storage-init
+        - cinder-backup-storage-init
+      services:
+        - endpoint: internal
+          service: identity
+        - endpoint: internal
+          service: volumev3
+    backup_storage_init:
+      jobs: null
+    bootstrap:
+      services:
+        - endpoint: internal
+          service: identity
+        - endpoint: internal
+          service: volumev3
+      pod:
+        - requireSameNode: false
+          labels:
+            application: cinder
+            component: volume
+    clean:
+      jobs: null
+    db_drop:
+      services:
+        - endpoint: internal
+          service: oslo_db
+    db_init:
+      services:
+        - endpoint: internal
+          service: oslo_db
+    db_sync:
+      jobs:
+        - cinder-db-init
+      services:
+        - endpoint: internal
+          service: oslo_db
+    ks_endpoints:
+      jobs:
+        - cinder-ks-service
+      services:
+        - endpoint: internal
+          service: identity
+    ks_service:
+      services:
+        - endpoint: internal
+          service: identity
+    ks_user:
+      services:
+        - endpoint: internal
+          service: identity
+    rabbit_init:
+      services:
+        - service: oslo_messaging
+          endpoint: internal
+    scheduler:
+      jobs:
+        - cinder-db-sync
+        - cinder-ks-user
+        - cinder-ks-endpoints
+        - cinder-rabbit-init
+        - cinder-storage-init
+      services:
+        - endpoint: internal
+          service: identity
+        - endpoint: internal
+          service: volumev3
+    storage_init:
+      jobs: null
+    tests:
+      services:
+        - endpoint: internal
+          service: identity
+        - endpoint: internal
+          service: volumev3
+    volume:
+      jobs:
+        - cinder-db-sync
+        - cinder-ks-user
+        - cinder-ks-endpoints
+        - cinder-rabbit-init
+        - cinder-storage-init
+      services:
+        - endpoint: internal
+          service: identity
+        - endpoint: internal
+          service: volumev3
+    volume_usage_audit:
+      jobs:
+        - cinder-db-sync
+        - cinder-ks-user
+        - cinder-ks-endpoints
+        - cinder-rabbit-init
+        - cinder-storage-init
+      services:
+        - endpoint: internal
+          service: identity
+        - endpoint: internal
+          service: volumev3
+    image_repo_sync:
+      services:
+        - endpoint: internal
+          service: local_image_registry
+    create_internal_tenant:
+      services:
+        - endpoint: internal
+          service: identity
+
+# Names of secrets used by bootstrap and environmental checks
+secrets:
+  identity:
+    admin: cinder-keystone-admin
+    cinder: cinder-keystone-user
+    test: cinder-keystone-test
+  oslo_db:
+    admin: cinder-db-admin
+    cinder: cinder-db-user
+  rbd:
+    backup: cinder-backup-rbd-keyring
+    volume: cinder-volume-rbd-keyring
+    volume_external: cinder-volume-external-rbd-keyring
+  oslo_messaging:
+    admin: cinder-rabbitmq-admin
+    cinder: cinder-rabbitmq-user
+  tls:
+    volumev3:
+      api:
+        public: cinder-tls-public
+        internal: cinder-tls-api
+  oci_image_registry:
+    cinder: cinder-oci-image-registry
+
+# We use a different layout of the endpoints here to account for versioning
+# this swaps the service name and type, and should be rolled out to other
+# services.
+endpoints:
+  cluster_domain_suffix: cluster.local
+  local_image_registry:
+    name: docker-registry
+    namespace: docker-registry
+    hosts:
+      default: localhost
+      internal: docker-registry
+      node: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      cinder:
+        username: cinder
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
+  identity:
+    name: keystone
+    auth:
+      admin:
+        region_name: RegionOne
+        username: admin
+        password: password
+        project_name: admin
+        user_domain_name: default
+        project_domain_name: default
+      cinder:
+        role: admin
+        region_name: RegionOne
+        username: cinder
+        password: password
+        project_name: service
+        user_domain_name: service
+        project_domain_name: service
+      test:
+        role: admin
+        region_name: RegionOne
+        username: cinder-test
+        password: password
+        project_name: test
+        user_domain_name: service
+        project_domain_name: service
+    hosts:
+      default: keystone
+      internal: keystone-api
+    host_fqdn_override:
+      default: null
+    path:
+      default: /v3
+    scheme:
+      default: http
+    port:
+      api:
+        default: 80
+        internal: 5000
+  image:
+    name: glance
+    hosts:
+      default: glance-api
+      public: glance
+    host_fqdn_override:
+      default: null
+    path:
+      default: null
+    scheme:
+      default: http
+    port:
+      api:
+        default: 9292
+        public: 80
+  volumev3:
+    name: cinder
+    hosts:
+      default: cinder-api
+      public: cinder
+    host_fqdn_override:
+      default: null
+      # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
+      # endpoints using the following format:
+      # public:
+      #   host: null
+      #   tls:
+      #     crt: null
+      #     key: null
+    path:
+      default: '/v3/%(tenant_id)s'
+    scheme:
+      default: 'http'
+    port:
+      api:
+        default: 8776
+        public: 80
+  oslo_db:
+    auth:
+      admin:
+        username: root
+        password: password
+        secret:
+          tls:
+            internal: mariadb-tls-direct
+      cinder:
+        username: cinder
+        password: password
+    hosts:
+      default: mariadb
+    host_fqdn_override:
+      default: null
+    path: /cinder
+    scheme: mysql+pymysql
+    port:
+      mysql:
+        default: 3306
+  oslo_messaging:
+    auth:
+      admin:
+        username: rabbitmq
+        password: password
+        secret:
+          tls:
+            internal: rabbitmq-tls-direct
+      cinder:
+        username: cinder
+        password: password
+    statefulset:
+      replicas: 2
+      name: rabbitmq-rabbitmq
+    hosts:
+      default: rabbitmq
+    host_fqdn_override:
+      default: null
+    path: /cinder
+    scheme: rabbit
+    port:
+      amqp:
+        default: 5672
+      http:
+        default: 15672
+  oslo_cache:
+    auth:
+      # NOTE(portdirect): this is used to define the value for keystone
+      # authtoken cache encryption key, if not set it will be populated
+      # automatically with a random value, but to take advantage of
+      # this feature all services should be set to use the same key,
+      # and memcache service.
+      memcache_secret_key: null
+    hosts:
+      default: memcached
+    host_fqdn_override:
+      default: null
+    port:
+      memcache:
+        default: 11211
+  fluentd:
+    namespace: null
+    name: fluentd
+    hosts:
+      default: fluentd-logging
+    host_fqdn_override:
+      default: null
+    path:
+      default: null
+    scheme: 'http'
+    port:
+      service:
+        default: 24224
+      metrics:
+        default: 24220
+  kube_dns:
+    namespace: kube-system
+    name: kubernetes-dns
+    hosts:
+      default: kube-dns
+    host_fqdn_override:
+      default: null
+    path:
+      default: null
+    scheme: http
+    port:
+      dns:
+        default: 53
+        protocol: UDP
+  ingress:
+    namespace: null
+    name: ingress
+    hosts:
+      default: ingress
+    port:
+      ingress:
+        default: 80
+
+network_policy:
+  cinder:
+    ingress:
+      - {}
+    egress:
+      - {}
+
+# NOTE(helm_hook): helm_hook might break for helm2 binary.
+# set helm3_hook: false when using the helm2 binary.
+helm3_hook: true
+
+manifests:
+  certificates: false
+  configmap_bin: true
+  configmap_etc: true
+  cron_volume_usage_audit: true
+  deployment_api: true
+  deployment_backup: true
+  deployment_scheduler: true
+  deployment_volume: true
+  ingress_api: true
+  job_backup_storage_init: true
+  job_bootstrap: true
+  job_clean: true
+  job_create_internal_tenant: true
+  job_db_init: true
+  job_image_repo_sync: true
+  job_rabbit_init: true
+  job_db_sync: true
+  job_db_drop: false
+  job_ks_endpoints: true
+  job_ks_service: true
+  job_ks_user: true
+  job_storage_init: true
+  pdb_api: true
+  pod_rally_test: true
+  pvc_backup: true
+  network_policy: false
+  secret_db: true
+  secret_ingress_tls: true
+  secret_keystone: true
+  secret_rabbitmq: true
+  secret_registry: true
+  service_api: true
+  service_ingress_api: true
+...
diff --git a/charts/designate/Chart.yaml b/charts/designate/Chart.yaml
new file mode 100644
index 0000000..3aeec68
--- /dev/null
+++ b/charts/designate/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Designate
+home: https://docs.openstack.org/designate/latest/
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/Designate/OpenStack_Project_Designate_vertical.jpg
+maintainers:
+- name: OpenStack-Helm Authors
+name: designate
+sources:
+- https://opendev.org/openstack/designate
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.7
diff --git a/charts/designate/charts/helm-toolkit/Chart.yaml b/charts/designate/charts/helm-toolkit/Chart.yaml
new file mode 100644
index 0000000..e79632a
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Helm-Toolkit
+home: https://docs.openstack.org/openstack-helm
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: helm-toolkit
+sources:
+- https://opendev.org/openstack/openstack-helm-infra
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.49
diff --git a/charts/designate/charts/helm-toolkit/requirements.yaml b/charts/designate/charts/helm-toolkit/requirements.yaml
new file mode 100644
index 0000000..27fb08a
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/requirements.yaml
@@ -0,0 +1,15 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies: []
+...
diff --git a/charts/designate/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl b/charts/designate/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..12b84de
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
@@ -0,0 +1,58 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves database, or basic auth, style endpoints
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      auth:
+        admin:
+          username: root
+          password: password
+        service_username:
+          username: username
+          password: password
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+      path: /dbname
+      scheme: mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "service_username" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+return: |
+  mysql+pymysql://serviceuser:password@mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s:%s@%s:%s%s" $endpointScheme $endpointUser $endpointPass $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl b/charts/designate/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..b7cf287
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
@@ -0,0 +1,121 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves endpoint string suitible for use with oslo.messaging transport url
+  See: https://docs.openstack.org/oslo.messaging/latest/reference/transport.html#oslo_messaging.TransportURL
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset:
+            replicas: 2
+            name: rabbitmq-rabbitmq
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: null
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq-rabbitmq-0.rabbitmq.default.svc.cluster.local:5672,cinder:password@rabbitmq-rabbitmq-1.rabbitmq.default.svc.cluster.local:5672/cinder
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset: null
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: null
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq.default.svc.cluster.local:5672/cinder
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset:
+            replicas: 2
+            name: rabbitmq-rabbitmq
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: rabbitmq.openstackhelm.org
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq.openstackhelm.org:5672/cinder
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" -}}
+{{-   $type := index . 0 -}}
+{{-   $endpoint := index . 1 -}}
+{{-   $userclass := index . 2 -}}
+{{-   $port := index . 3 -}}
+{{-   $context := index . 4 -}}
+{{-   $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{-   $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{-   $ssMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "statefulset" | default false}}
+{{-   $hostFqdnOverride := index $context.Values.endpoints ( $type | replace "-" "_" ) "host_fqdn_override" }}
+{{-   $endpointUser := index $userMap "username" }}
+{{-   $endpointPass := index $userMap "password" }}
+{{-   $endpointHostSuffix := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{-   $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{-   $local := dict "endpointCredsAndHosts" list -}}
+{{-   if not (or (index $hostFqdnOverride $endpoint | default ( index $hostFqdnOverride "default" ) ) ( not $ssMap ) ) }}
+{{-     $endpointHostPrefix := $ssMap.name }}
+{{-     range $podInt := until ( atoi (print $ssMap.replicas ) ) }}
+{{-       $endpointCredAndHost := printf "%s:%s@%s-%d.%s:%s" $endpointUser $endpointPass $endpointHostPrefix $podInt $endpointHostSuffix $endpointPort }}
+{{-       $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{-     end }}
+{{-   else }}
+{{-     $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{-     $endpointCredAndHost := printf "%s:%s@%s:%s" $endpointUser $endpointPass $endpointHost $endpointPort }}
+{{-     $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{-   end }}
+{{-   $endpointCredsAndHosts := include "helm-toolkit.utils.joinListWithComma" $local.endpointCredsAndHosts }}
+{{-   $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{-   printf "%s://%s%s" $endpointScheme $endpointCredsAndHosts $endpointPath }}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl b/charts/designate/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
new file mode 100644
index 0000000..fb8bbe7
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves either the fully qualified hostname, of if defined in the host field
+  IPv4 for an endpoint.
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default:
+             host: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: 127.0.0.1
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      127.0.0.1
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default:
+             host: 127.0.0.1
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      127.0.0.1
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_host_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl b/charts/designate/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
new file mode 100644
index 0000000..447efe7
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
@@ -0,0 +1,41 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the port for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+return: |
+  3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_port_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- $endpointPortMAP := index $endpointMap.port $port }}
+{{- $endpointPort := index $endpointPortMAP $endpoint | default ( index $endpointPortMAP "default" ) }}
+{{- printf "%1.f" $endpointPort -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl b/charts/designate/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
new file mode 100644
index 0000000..3a268c0
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
@@ -0,0 +1,36 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Gets the token for an endpoint
+values: |
+  endpoints:
+    keystone:
+      auth:
+        admin:
+          token: zh78JzXgw6YUKy2e
+usage: |
+  {{ tuple "keystone" "admin" . | include "helm-toolkit.endpoints.endpoint_token_lookup" }}
+return: |
+  zh78JzXgw6YUKy2e
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_token_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $userName := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" }}
+{{- printf "%s" $serviceToken -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl b/charts/designate/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..6877b7b
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
@@ -0,0 +1,59 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves 'hostname:port' for an endpoint
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+          port:
+            mysql:
+              default: 3306
+    usage: |
+      {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local:3306
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: 127.0.0.1
+          host_fqdn_override:
+            default: null
+          port:
+            mysql:
+              default: 3306
+    usage: |
+      {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+    return: |
+      127.0.0.1:3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- printf "%s:%s" $endpointHostname $endpointPort -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl b/charts/designate/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
new file mode 100644
index 0000000..26374e3
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the fully qualified hostname for an endpoint
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: mariadb.openstackhelm.openstack.org
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.openstackhelm.openstack.org
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default:
+              host: mariadb.openstackhelm.openstack.org
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.openstackhelm.openstack.org
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointHostNamespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.svc.%s" $endpointHostNamespaced $context.Values.endpoints.cluster_domain_suffix }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $endpointMap.host_fqdn_override "default" | default "" ) }}
+{{- if kindIs "map" $context.Values.__FQDNendpointHostDefault }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $context.Values.__FQDNendpointHostDefault "host" ) }}
+{{- end }}
+{{- if kindIs "map" (index $endpointMap.host_fqdn_override $endpoint) }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint "host" | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl b/charts/designate/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
new file mode 100644
index 0000000..9d60393
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
@@ -0,0 +1,40 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the namespace scoped hostname for an endpoint
+values: |
+  endpoints:
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+return: |
+  mariadb.default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.%s" $endpointHost $namespace }}
+{{- printf "%s" $endpointClusterHostname -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl b/charts/designate/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
new file mode 100644
index 0000000..cc4d4de
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the namespace scoped hostname for an endpoint
+values: |
+  endpoints:
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" }}
+return: |
+  default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- printf "%s" $namespace -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl b/charts/designate/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
new file mode 100644
index 0000000..f23c624
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the short hostname for an endpoint
+examples:
+  - values: |
+      endpoints:
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+    return: |
+      mariadb
+  - values: |
+      endpoints:
+        oslo_db:
+          hosts:
+            default:
+              host: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+    return: |
+      mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- printf "%s" $type -}}
+{{- else }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl b/charts/designate/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
new file mode 100644
index 0000000..e31c0eb
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the service name for an service type
+values: |
+  endpoints:
+    identity:
+      name: keystone
+usage: |
+  {{ tuple identity . | include "keystone_endpoint_name_lookup" }}
+return: |
+  "keystone"
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_name_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointName := index $endpointMap "name" }}
+{{- $endpointName | quote -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl b/charts/designate/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
new file mode 100644
index 0000000..b2ec648
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+  Resolves the path for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      path:
+       default: /dbname
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+return: |
+  /dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_path_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.path }}
+{{- printf "%s" $endpointMap.path | default "/" -}}
+{{- else -}}
+{{- $endpointPath := index $endpointMap.path $endpoint | default $endpointMap.path.default | default "/" }}
+{{- printf "%s" $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl b/charts/designate/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
new file mode 100644
index 0000000..b35cb0b
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+  Resolves the scheme for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      scheme:
+        default:
+          mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+return: |
+  mysql+pymysql
+*/}}
+
+# This function returns the scheme for a service, it takes an tuple
+# input in the form: service-type, endpoint-class, port-name. eg:
+# { tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_scheme_lookup" }
+# will return the scheme setting for this particular endpoint.  In other words, for most endpoints
+# it will return either 'http' or 'https'
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.scheme }}
+{{- printf "%s" $endpointMap.scheme | default "http" -}}
+{{- else -}}
+{{- $endpointScheme := index $endpointMap.scheme $endpoint | default $endpointMap.scheme.default | default "http" }}
+{{- printf "%s" $endpointScheme -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl b/charts/designate/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..8d0819c
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
@@ -0,0 +1,52 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  This function helps resolve uri style endpoints. It will omit the port for
+  http when 80 is used, and 443 in the case of https.
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+      path: /dbname
+      scheme: mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+return: |
+  mysql+pymysql://mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- if or ( and ( eq $endpointScheme "http" ) ( eq $endpointPort "80" ) ) ( and ( eq $endpointScheme "https" ) ( eq $endpointPort "443" ) ) -}}
+{{- printf "%s://%s%s" $endpointScheme $endpointHost $endpointPath -}}
+{{- else -}}
+{{- printf "%s://%s:%s%s" $endpointScheme $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl b/charts/designate/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
new file mode 100644
index 0000000..cf2ef38
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  This function returns endpoint "<namespace>:<name>" pair from an endpoint
+  definition. This is used in kubernetes-entrypoint to support dependencies
+  between different services in different namespaces.
+  returns: the endpoint namespace and the service name, delimited by a colon
+
+  Normally, the service name is constructed dynamically from the hostname
+  however when an ip address is used as the hostname, we default to
+  namespace:endpointCategoryName in order to construct a valid service name
+  however this can be overridden to a custom service name by defining
+  .service.name within the endpoint definition
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      namespace: foo
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple oslo_db internal . | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}
+return: |
+  foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- with $endpointMap -}}
+{{- $endpointName := index .hosts $endpoint | default .hosts.default }}
+{{- $endpointNamespace := .namespace | default $context.Release.Namespace }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointName }}
+{{- if .service.name }}
+{{- printf "%s:%s" $endpointNamespace .service.name -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $typeYamlSafe -}}
+{{- end -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $endpointName -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl b/charts/designate/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
new file mode 100644
index 0000000..18453ee
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for kubernete ceph storageclass
+examples:
+  - values: |
+      manifests:
+        storageclass: true
+      storageclass:
+        rbd:
+          provision_storage_class: true
+          provisioner: "ceph.com/rbd"
+          metadata:
+            default_storage_class: true
+            name: general
+          parameters:
+            #We will grab the monitors value based on helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup
+            pool: rbd
+            admin_id: admin
+            ceph_configmap_name: "ceph-etc"
+            admin_secret_name: "pvc-ceph-conf-combined-storageclass"
+            admin_secret_namespace: ceph
+            user_id: admin
+            user_secret_name: "pvc-ceph-client-key"
+            image_format: "2"
+            image_features: layering
+        cephfs:
+          provision_storage_class: true
+          provisioner: "ceph.com/cephfs"
+          metadata:
+            name: cephfs
+          parameters:
+            admin_id: admin
+            admin_secret_name: "pvc-ceph-cephfs-client-key"
+            admin_secret_namespace: ceph
+    usage: |
+      {{- range $storageclass, $val := .Values.storageclass }}
+      {{ dict "storageclass_data" $val "envAll" $ | include "helm-toolkit.manifests.ceph-storageclass" }}
+      {{- end }}
+    return: |
+      ---
+      apiVersion: storage.k8s.io/v1
+      kind: StorageClass
+      metadata:
+        annotations:
+          storageclass.kubernetes.io/is-default-class: "true"
+        name: general
+      provisioner: ceph.com/rbd
+      parameters:
+        monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+        adminId: admin
+        adminSecretName: pvc-ceph-conf-combined-storageclass
+        adminSecretNamespace: ceph
+        pool: rbd
+        userId: admin
+        userSecretName: pvc-ceph-client-key
+        image_format: "2"
+        image_features: layering
+      ---
+      apiVersion: storage.k8s.io/v1
+      kind: StorageClass
+      metadata:
+        name: cephfs
+      provisioner: ceph.com/cephfs
+      parameters:
+        monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+        adminId: admin
+        adminSecretName: pvc-ceph-cephfs-client-key
+        adminSecretNamespace: ceph
+*/}}
+
+{{- define "helm-toolkit.manifests.ceph-storageclass" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $monHost := $envAll.Values.conf.ceph.global.mon_host -}}
+{{- if empty $monHost -}}
+{{- $monHost = tuple "ceph_mon" "internal" "mon" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- end -}}
+{{- $storageclassData := index . "storageclass_data" -}}
+---
+{{- if $storageclassData.provision_storage_class }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+{{- if $storageclassData.metadata.default_storage_class }}
+  annotations:
+    storageclass.kubernetes.io/is-default-class: "true"
+{{- end }}
+  name: {{ $storageclassData.metadata.name }}
+provisioner: {{ $storageclassData.provisioner }}
+parameters:
+  monitors: {{ $monHost }}
+{{- range $attr, $value := $storageclassData.parameters }}
+  {{ $attr }}: {{ $value | quote }}
+{{- end }}
+allowVolumeExpansion: true
+
+{{- end }}
+{{- end }}
diff --git a/charts/designate/charts/helm-toolkit/templates/manifests/_certificates.tpl b/charts/designate/charts/helm-toolkit/templates/manifests/_certificates.tpl
new file mode 100644
index 0000000..8be771e
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/manifests/_certificates.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a certificate using jetstack
+examples:
+  - values: |
+      endpoints:
+        dashboard:
+          host_fqdn_override:
+            default:
+              host: null
+              tls:
+                secretName: keystone-tls-api
+                issuerRef:
+                  name: ca-issuer
+                  duration: 2160h
+                  organization:
+                    - ACME
+                  commonName: keystone-api.openstack.svc.cluster.local
+                  privateKey:
+                    size: 2048
+                  usages:
+                    - server auth
+                    - client auth
+                  dnsNames:
+                    - cluster.local
+                  issuerRef:
+                    name: ca-issuer
+    usage: |
+      {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
+      {{ $opts | include "helm-toolkit.manifests.certificates" }}
+    return: |
+      ---
+      apiVersion: cert-manager.io/v1
+      kind: Certificate
+      metadata:
+        name: keystone-tls-api
+        namespace: NAMESPACE
+      spec:
+        commonName: keystone-api.openstack.svc.cluster.local
+        dnsNames:
+        - cluster.local
+        duration: 2160h
+        issuerRef:
+          name: ca-issuer
+        privateKey:
+          size: 2048
+        organization:
+        - ACME
+        secretName: keystone-tls-api
+        usages:
+        - server auth
+        - client auth
+*/}}
+
+{{- define "helm-toolkit.manifests.certificates" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $service := index . "service" -}}
+{{- $type := index . "type" | default "" -}}
+{{- $slice := index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" -}}
+{{/* Put in some sensible default value if one is not provided by values.yaml */}}
+{{/* If a dnsNames list is not in the values.yaml, it can be overridden by a passed-in parameter.
+  This allows user to use other HTK method to determine the URI and pass that into this method.*/}}
+{{- if not (hasKey $slice "dnsNames") -}}
+{{- $hostName := tuple $service $type $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
+{{- $_ := $dnsNames | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "dnsNames" -}}
+{{- end -}}
+{{/* Default privateKey size to 4096. This can be overridden. */}}
+{{- if not (hasKey $slice "privateKey") -}}
+{{- $_ := dict "size" ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "privateKey" -}}
+{{- else if empty (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey" "size") -}}
+{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey") "size" -}}
+{{- end -}}
+{{/* Default duration to 3 months. Note the min is 720h. This can be overridden. */}}
+{{- if not (hasKey $slice "duration") -}}
+{{- $_ := printf "%s" "2190h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "duration" -}}
+{{- end -}}
+{{/* Default renewBefore to 15 days. This can be overridden. */}}
+{{- if not (hasKey $slice "renewBefore") -}}
+{{- $_ := printf "%s" "360h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "renewBefore" -}}
+{{- end -}}
+{{/* Default the usage to server auth and client auth. This can be overridden. */}}
+{{- if not (hasKey $slice "usages") -}}
+{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}}
+{{- end -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }}
+  namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{ $slice | toYaml | indent 2 }}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/designate/charts/helm-toolkit/templates/manifests/_ingress.tpl
new file mode 100644
index 0000000..f05f7b7
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -0,0 +1,729 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a services ingress rules.
+examples:
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public: barbican
+          host_fqdn_override:
+            default: null
+            public:
+              host: barbican.openstackhelm.example
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican-namespace-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican.openstackhelm.example
+        rules:
+          - host: barbican.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican-cluster-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx-cluster"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican.openstackhelm.example
+        rules:
+          - host: barbican.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  - values: |
+      cert_issuer_type: issuer
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/secure-backends: "true"
+              nginx.ingress.kubernetes.io/backend-protocol: "https"
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+              internal: barbican-tls-api
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+          certs:
+            barbican_tls_api:
+              secretName: barbican-tls-api
+              issuerRef:
+                name: ca-issuer
+                kind: Issuer
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          cert-manager.io/issuer: ca-issuer
+          certmanager.k8s.io/issuer: ca-issuer
+          nginx.ingress.kubernetes.io/backend-protocol: https
+          nginx.ingress.kubernetes.io/secure-backends: "true"
+      spec:
+        tls:
+          - secretName: barbican-tls-public-certmanager
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/secure-backends: "true"
+              nginx.ingress.kubernetes.io/backend-protocol: "https"
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+              internal: barbican-tls-api
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+          certs:
+            barbican_tls_api:
+              secretName: barbican-tls-api
+              issuerRef:
+                name: ca-issuer
+                kind: ClusterIssuer
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer") -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          cert-manager.io/cluster-issuer: ca-issuer
+          certmanager.k8s.io/cluster-issuer: ca-issuer
+          nginx.ingress.kubernetes.io/backend-protocol: https
+          nginx.ingress.kubernetes.io/secure-backends: "true"
+      spec:
+        tls:
+          - secretName: barbican-tls-public-certmanager
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  # Sample usage for multiple DNS names associated with the same public
+  # endpoint and certificate
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        grafana:
+          name: grafana
+          hosts:
+            default: grafana-dashboard
+            public: grafana
+          host_fqdn_override:
+            public:
+              host: grafana.openstackhelm.example
+              tls:
+                dnsNames:
+                  - grafana-alt.openstackhelm.example
+                crt: "BASE64 ENCODED CERT"
+                key: "BASE64 ENCODED KEY"
+      network:
+        grafana:
+          ingress:
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          grafana:
+            grafana:
+              public: grafana-tls-public
+    usage: |
+      {{- $ingressOpts := dict "envAll" . "backendService" "grafana" "backendServiceType" "grafana" "backendPort" "dashboard" -}}
+      {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        rules:
+          - host: grafana
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana-namespace-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: grafana-tls-public
+            hosts:
+              - grafana.openstackhelm.example
+              - grafana-alt.openstackhelm.example
+        rules:
+          - host: grafana.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana-alt.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana-cluster-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx-cluster"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: grafana-tls-public
+            hosts:
+              - grafana.openstackhelm.example
+              - grafana-alt.openstackhelm.example
+        rules:
+          - host: grafana.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana-alt.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+
+*/}}
+
+{{- define "helm-toolkit.manifests.ingress._host_rules" -}}
+{{- $vHost := index . "vHost" -}}
+{{- $backendName := index . "backendName" -}}
+{{- $backendPort := index . "backendPort" -}}
+- host: {{ $vHost }}
+  http:
+    paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: {{ $backendName }}
+            port:
+{{- if or (kindIs "int" $backendPort) (regexMatch "^[0-9]{1,5}$" $backendPort) }}
+              number: {{ $backendPort | int }}
+{{- else }}
+              name: {{ $backendPort | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "helm-toolkit.manifests.ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendService := index . "backendService" | default "api" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+{{- $backendPort := index . "backendPort" -}}
+{{- $endpoint := index . "endpoint" | default "public" -}}
+{{- $certIssuer := index . "certIssuer" | default "" -}}
+{{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostNameFull := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $certIssuerType := "cluster-issuer" -}}
+{{- if $envAll.Values.cert_issuer_type }}
+{{- $certIssuerType = $envAll.Values.cert_issuer_type }}
+{{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $ingressName }}
+  annotations:
+    kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" "namespace" | quote }}
+{{- if $certIssuer }}
+    cert-manager.io/{{ $certIssuerType }}: {{ $certIssuer }}
+    certmanager.k8s.io/{{ $certIssuerType }}: {{ $certIssuer }}
+{{- $slice := index $envAll.Values.endpoints $backendServiceType "host_fqdn_override" "default" "tls" -}}
+{{- if (hasKey $slice "duration") }}
+    cert-manager.io/duration: {{ index $slice "duration" }}
+{{- end }}
+{{- end }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "hosts" }}
+{{- if $certIssuer }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ printf "%s-ing" $secretName }}
+      hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+        - {{ $vHost }}
+{{- end }}
+{{- else }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ $secretName }}
+      hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+        - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+  rules:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+{{- $hostRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
+{{- $ingressConf := $envAll.Values.network -}}
+{{- $ingressClasses := ternary (tuple "namespace") (tuple "namespace" "cluster") (and (hasKey $ingressConf "use_external_ingress_controller") $ingressConf.use_external_ingress_controller) }}
+{{- range $key2, $ingressController := $ingressClasses }}
+{{- $vHosts := list $hostNameFull }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ printf "%s-%s-%s" $ingressName $ingressController "fqdn" }}
+  annotations:
+    kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" $ingressController | quote }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
+{{- $vHosts = append $vHosts $v }}
+{{- end }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ $secretName }}
+      hosts:
+{{- range $vHost := $vHosts }}
+        - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+  rules:
+{{- range $vHost := $vHosts }}
+{{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/designate/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/charts/designate/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
new file mode 100644
index 0000000..5d98c8b
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
@@ -0,0 +1,141 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $bootstrapJob := dict "envAll" . "serviceName" "senlin" -}
+# { $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }
+
+{{- define "helm-toolkit.manifests.job_bootstrap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}}
+{{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $keystoneUser := index . "keystoneUser" | default $serviceName -}}
+{{- $openrc := index . "openrc" | default "true" -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "bootstrap" }}
+{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "bootstrap" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+      containers:
+        - name: bootstrap
+          image: {{ $envAll.Values.images.tags.bootstrap }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if eq $openrc "true" }}
+          env:
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+{{- end }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/bootstrap.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: bootstrap-sh
+              mountPath: /tmp/bootstrap.sh
+              subPath: bootstrap.sh
+              readOnly: true
+            - name: etc-service
+              mountPath: {{ dir $configFile | quote }}
+            - name: bootstrap-conf
+              mountPath: {{ $configFile | quote }}
+              subPath: {{ base $configFile | quote }}
+              readOnly: true
+            - name: bootstrap-conf
+              mountPath: {{ $logConfigFile | quote }}
+              subPath: {{ base $logConfigFile | quote }}
+              readOnly: true
+{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: bootstrap-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etc-service
+          emptyDir: {}
+        - name: bootstrap-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/designate/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/charts/designate/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
new file mode 100644
index 0000000..62ed119
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
@@ -0,0 +1,170 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToDropJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_drop_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToDrop := index . "dbToDrop" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToDrop := default (list $dbToDrop) (index . "dbsToDrop") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
+{{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-drop" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": hook-succeeded
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_drop" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_drop" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{ $dbToDropType := default "oslo" $dbToDrop.inputType }}
+        - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-drop" $key1 | quote }}
+          image: {{ $envAll.Values.images.tags.db_drop }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_drop | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: ROOT_DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToDrop.adminSecret | quote }}
+                  key: DB_CONNECTION
+{{- if eq $dbToDropType "oslo" }}
+            - name: OPENSTACK_CONFIG_FILE
+              value: {{ $dbToDrop.configFile | quote }}
+            - name: OPENSTACK_CONFIG_DB_SECTION
+              value: {{ $dbToDrop.configDbSection | quote }}
+            - name: OPENSTACK_CONFIG_DB_KEY
+              value: {{ $dbToDrop.configDbKey | quote }}
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+            - name: MARIADB_X509
+              value: "REQUIRE X509"
+{{- end }}
+{{- if eq $dbToDropType "secret" }}
+            - name: DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToDrop.userSecret | quote }}
+                  key: DB_CONNECTION
+{{- end }}
+          command:
+            - /tmp/db-drop.py
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-drop-sh
+              mountPath: /tmp/db-drop.py
+              subPath: db-drop.py
+              readOnly: true
+
+{{- if eq $dbToDropType "oslo" }}
+            - name: etc-service
+              mountPath: {{ dir $dbToDrop.configFile | quote }}
+            - name: db-drop-conf
+              mountPath: {{ $dbToDrop.configFile | quote }}
+              subPath: {{ base $dbToDrop.configFile | quote }}
+              readOnly: true
+            - name: db-drop-conf
+              mountPath: {{ $dbToDrop.logConfigFile | quote }}
+              subPath: {{ base $dbToDrop.logConfigFile | quote }}
+              readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-drop-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{- $dbToDropType := default "oslo" $dbToDrop.inputType }}
+{{- if and (eq $dbToDropType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-drop-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/charts/designate/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
new file mode 100644
index 0000000..745e8da
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
@@ -0,0 +1,169 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToInitJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_init_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToInit := index . "dbToInit" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToInit := default (list $dbToInit) (index . "dbsToInit") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
+{{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-init" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{ $dbToInitType := default "oslo" $dbToInit.inputType }}
+        - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-init" $key1 | quote }}
+          image: {{ $envAll.Values.images.tags.db_init }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: ROOT_DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToInit.adminSecret | quote }}
+                  key: DB_CONNECTION
+{{- if eq $dbToInitType "oslo" }}
+            - name: OPENSTACK_CONFIG_FILE
+              value: {{ $dbToInit.configFile | quote }}
+            - name: OPENSTACK_CONFIG_DB_SECTION
+              value: {{ $dbToInit.configDbSection | quote }}
+            - name: OPENSTACK_CONFIG_DB_KEY
+              value: {{ $dbToInit.configDbKey | quote }}
+{{- end }}
+{{- if eq $dbToInitType "secret" }}
+            - name: DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToInit.userSecret | quote }}
+                  key: DB_CONNECTION
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+            - name: MARIADB_X509
+              value: "REQUIRE X509"
+{{- end }}
+          command:
+            - /tmp/db-init.py
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-init-sh
+              mountPath: /tmp/db-init.py
+              subPath: db-init.py
+              readOnly: true
+{{- if eq $dbToInitType "oslo" }}
+            - name: etc-service
+              mountPath: {{ dir $dbToInit.configFile | quote }}
+            - name: db-init-conf
+              mountPath: {{ $dbToInit.configFile | quote }}
+              subPath: {{ base $dbToInit.configFile | quote }}
+              readOnly: true
+            - name: db-init-conf
+              mountPath: {{ $dbToInit.logConfigFile | quote }}
+              subPath: {{ base $dbToInit.logConfigFile | quote }}
+              readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-init-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{- $dbToInitType := default "oslo" $dbToInit.inputType }}
+{{- if and (eq $dbToInitType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-init-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl b/charts/designate/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
new file mode 100644
index 0000000..24d2496
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
@@ -0,0 +1,137 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db migration and management.
+# It can be used in charts dict created similar to the following:
+# {- $dbSyncJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }
+
+{{- define "helm-toolkit.manifests.job_db_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $podEnvVars := index . "podEnvVars" | default false -}}
+{{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "image" ( index $envAll.Values.images.tags ( printf "%s_db_sync" $serviceName )) ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
+{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+          image: {{ $dbToSync.image | quote }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if $podEnvVars }}
+          env:
+{{ $podEnvVars | toYaml | indent 12 }}
+{{- end }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/db-sync.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-sync-sh
+              mountPath: /tmp/db-sync.sh
+              subPath: db-sync.sh
+              readOnly: true
+            - name: etc-service
+              mountPath: {{ dir $dbToSync.configFile | quote }}
+            - name: db-sync-conf
+              mountPath: {{ $dbToSync.configFile | quote }}
+              subPath: {{ base $dbToSync.configFile | quote }}
+              readOnly: true
+            - name: db-sync-conf
+              mountPath: {{ $dbToSync.logConfigFile | quote }}
+              subPath: {{ base $dbToSync.logConfigFile | quote }}
+              readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-sync-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-sync-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/designate/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/charts/designate/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
new file mode 100644
index 0000000..3a7df7f
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
@@ -0,0 +1,130 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksEndpointJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksEndpointJob | include "helm-toolkit.manifests.job_ks_endpoints" }
+
+{{- define "helm-toolkit.manifests.job_ks_endpoints" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_endpoints" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_endpoints.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-endpoints" }}
+{{ tuple $envAll "ks_endpoints" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "ks-endpoints" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_endpoints" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_endpoints" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+        - name: {{ printf "%s-%s-%s" $osServiceType "ks-endpoints" $osServiceEndPoint | quote }}
+          image: {{ $envAll.Values.images.tags.ks_endpoints }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-endpoints.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-endpoints-sh
+              mountPath: /tmp/ks-endpoints.sh
+              subPath: ks-endpoints.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: OS_SVC_ENDPOINT
+              value: {{ $osServiceEndPoint | quote }}
+            - name: OS_SERVICE_NAME
+              value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+            - name: OS_SERVICE_TYPE
+              value: {{ $osServiceType | quote }}
+            - name: OS_SERVICE_ENDPOINT
+              value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-endpoints-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/designate/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl b/charts/designate/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
new file mode 100644
index 0000000..a109e3c
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
@@ -0,0 +1,124 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksServiceJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }
+
+{{- define "helm-toolkit.manifests.job_ks_service" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_service" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_service.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-service" }}
+{{ tuple $envAll "ks_service" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "ks-service" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_service" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_service" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+        - name: {{ printf "%s-%s" $osServiceType "ks-service-registration" | quote }}
+          image: {{ $envAll.Values.images.tags.ks_service }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-service.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-service-sh
+              mountPath: /tmp/ks-service.sh
+              subPath: ks-service.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: OS_SERVICE_NAME
+              value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+            - name: OS_SERVICE_TYPE
+              value: {{ $osServiceType | quote }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-service-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/designate/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/charts/designate/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
new file mode 100644
index 0000000..905eb71
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone user management.
+# It can be used in charts dict created similar to the following:
+# {- $ksUserJob := dict "envAll" . "serviceName" "senlin" }
+# { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }
+
+{{/*
+  # To enable PodSecuritycontext (PodSecurityContext/v1) define the below in values.yaml:
+  # example:
+  #  values: |
+  #    pod:
+  #      security_context:
+  #        ks_user:
+  #          pod:
+  #            runAsUser: 65534
+  # To enable Container SecurityContext(SecurityContext/v1) for ks-user container define the values:
+  # example:
+  #   values: |
+  #     pod:
+  #       security_context:
+  #         ks_user:
+  #           container:
+  #             ks-user:
+  #               runAsUser: 65534
+  #               readOnlyRootFilesystem: true
+  #               allowPrivilegeEscalation: false
+*/}}
+
+{{- define "helm-toolkit.manifests.job_ks_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_user" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_user.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "ks-user" }}
+{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceUserPretty "ks-user" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+{{ dict "envAll" $envAll "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: ks-user
+          image: {{ $envAll.Values.images.tags.ks_user }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ks_user" "container" "ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-user.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-user-sh
+              mountPath: /tmp/ks-user.sh
+              subPath: ks-user.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: SERVICE_OS_SERVICE_NAME
+              value: {{ $serviceName | quote }}
+{{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: SERVICE_OS_ROLES
+            {{- $serviceOsRoles := index $envAll.Values.endpoints.identity.auth $serviceUser "role" }}
+            {{- if kindIs "slice" $serviceOsRoles }}
+              value: {{ include "helm-toolkit.utils.joinListWithComma" $serviceOsRoles | quote }}
+            {{- else }}
+              value: {{ $serviceOsRoles | quote }}
+            {{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-user-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/charts/designate/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
new file mode 100644
index 0000000..6982064
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
@@ -0,0 +1,129 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.manifests.job_rabbit_init" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
+{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceUserPretty "rabbit-init" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "rabbit_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "rabbit_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: rabbit-init
+          image: {{ $envAll.Values.images.tags.rabbit_init | quote }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.rabbit_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/rabbit-init.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: rabbit-init-sh
+              mountPath: /tmp/rabbit-init.sh
+              subPath: rabbit-init.sh
+              readOnly: true
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+          env:
+          - name: RABBITMQ_ADMIN_CONNECTION
+            valueFrom:
+              secretKeyRef:
+                name: {{ $envAll.Values.secrets.oslo_messaging.admin }}
+                key: RABBITMQ_CONNECTION
+          - name: RABBITMQ_USER_CONNECTION
+            valueFrom:
+              secretKeyRef:
+                name: {{ index $envAll.Values.secrets.oslo_messaging $serviceName }}
+                key: RABBITMQ_CONNECTION
+{{- if $envAll.Values.conf.rabbitmq }}
+          - name: RABBITMQ_AUXILIARY_CONFIGURATION
+            value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates (ne $tlsSecret "") }}
+          - name: RABBITMQ_X509
+            value: "REQUIRE X509"
+          - name: USER_CERT_PATH
+            value: {{ $tlsPath | quote }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: rabbit-init-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl b/charts/designate/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
new file mode 100644
index 0000000..29cb993
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
@@ -0,0 +1,147 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for linking an s3 bucket to an s3 user.
+# It can be used in charts dict created similar to the following:
+# {- $s3BucketJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3BucketJob | include "helm-toolkit.manifests.job_s3_bucket" }
+
+{{- define "helm-toolkit.manifests.job_s3_bucket" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+{{- $s3Bucket := index . "s3Bucket" | default $serviceName }}
+{{- $tlsCertificateSecret := index . "tlsCertificateSecret" -}}
+{{- $tlsCertificatePath := index . "tlsCertificatePath" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-bucket" }}
+{{ tuple $envAll "s3_bucket" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "s3-bucket" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "s3_bucket" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "s3_bucket" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: s3-bucket
+          image: {{ $envAll.Values.images.tags.s3_bucket }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_bucket | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/create-s3-bucket.sh
+          env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: s3-bucket-sh
+              mountPath: /tmp/create-s3-bucket.sh
+              subPath: create-s3-bucket.sh
+              readOnly: true
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: ceph.conf
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+            - name: {{ $tlsCertificateSecret }}
+              mountPath: {{ $tlsCertificatePath }}
+              subPath: ca.crt
+              readOnly: true
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: s3-bucket-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etcceph
+          emptyDir: {}
+        - name: ceph-etc
+          configMap:
+            name: {{ $configMapCeph | quote }}
+            defaultMode: 0444
+        {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+        - name: ceph-keyring
+          secret:
+            secretName: pvc-ceph-client-key
+        {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+        - name: {{ $tlsCertificateSecret }}
+          secret:
+            secretName: {{ $tlsCertificateSecret }}
+            defaultMode: 292
+{{- end }}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl b/charts/designate/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
new file mode 100644
index 0000000..50d9af5
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
@@ -0,0 +1,159 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for s3 user management.
+# It can be used in charts dict created similar to the following:
+# {- $s3UserJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3UserJob | include "helm-toolkit.manifests.job_s3_user" }
+
+{{- define "helm-toolkit.manifests.job_s3_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-user" }}
+{{ tuple $envAll "s3_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "s3-user" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook-delete-policy": before-hook-creation
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "s3_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "s3_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: ceph-keyring-placement
+          image: {{ $envAll.Values.images.tags.ceph_key_placement }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+          command:
+            - /tmp/ceph-admin-keyring.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-keyring-sh
+              mountPath: /tmp/ceph-admin-keyring.sh
+              subPath: ceph-admin-keyring.sh
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+      containers:
+        - name: s3-user
+          image: {{ $envAll.Values.images.tags.s3_user }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/create-s3-user.sh
+          env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+            - name: RGW_HOST
+              value: {{ tuple "ceph_object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: create-s3-user-sh
+              mountPath: /tmp/create-s3-user.sh
+              subPath: create-s3-user.sh
+              readOnly: true
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: ceph.conf
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: create-s3-user-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: ceph-keyring-sh
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+        - name: etcceph
+          emptyDir: {}
+        - name: ceph-etc
+          configMap:
+            name: {{ $configMapCeph | quote }}
+            defaultMode: 0444
+        {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+        - name: ceph-keyring
+          secret:
+            secretName: pvc-ceph-client-key
+        {{ end }}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl b/charts/designate/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
new file mode 100644
index 0000000..0906df4
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
@@ -0,0 +1,119 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for the image repo sync jobs.
+# It can be used in charts dict created similar to the following:
+# {- $imageRepoSyncJob := dict "envAll" . "serviceName" "prometheus" -}
+# { $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }
+
+{{- define "helm-toolkit.manifests.job_image_repo_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "image-repo-sync" }}
+{{ tuple $envAll "image_repo_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "image-repo-sync" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook-delete-policy": before-hook-creation
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "image_repo_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+      containers:
+        - name: image-repo-sync
+{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: LOCAL_REPO
+              value: "{{ tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+            - name: IMAGE_SYNC_LIST
+              value: "{{ include "helm-toolkit.utils.image_sync_list" $envAll }}"
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/image-repo-sync.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: bootstrap-sh
+              mountPath: /tmp/image-repo-sync.sh
+              subPath: image-repo-sync.sh
+              readOnly: true
+            - name: docker-socket
+              mountPath: /var/run/docker.sock
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: bootstrap-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: docker-socket
+          hostPath:
+            path: /var/run/docker.sock
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/designate/charts/helm-toolkit/templates/manifests/_network_policy.tpl b/charts/designate/charts/helm-toolkit/templates/manifests/_network_policy.tpl
new file mode 100644
index 0000000..405197a
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/manifests/_network_policy.tpl
@@ -0,0 +1,238 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a network policy manifest for services.
+values: |
+  endpoints:
+    kube_dns:
+      namespace: kube-system
+      name: kubernetes-dns
+      hosts:
+        default: kube-dns
+      host_fqdn_override:
+        default: null
+      path:
+        default: null
+      scheme: http
+      port:
+        dns_tcp:
+          default: 53
+        dns:
+          default: 53
+          protocol: UDP
+  network_policy:
+    myLabel:
+      podSelector:
+        matchLabels:
+          component: api
+      ingress:
+      - from:
+        - podSelector:
+            matchLabels:
+              application: keystone
+        ports:
+        - protocol: TCP
+          port: 80
+      egress:
+      - to:
+        - namespaceSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+usage: |
+  {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+  {{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}
+return: |
+  ---
+  apiVersion: networking.k8s.io/v1
+  kind: NetworkPolicy
+  metadata:
+    name: RELEASE-NAME
+    namespace: NAMESPACE
+  spec:
+    policyTypes:
+      - Ingress
+      - Egress
+    podSelector:
+      matchLabels:
+        application: myLabel
+        component: api
+    ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            application: keystone
+      ports:
+      - protocol: TCP
+        port: 80
+    egress:
+      - to:
+        - podSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+  ---
+  apiVersion: networking.k8s.io/v1
+  kind: NetworkPolicy
+  metadata:
+    name: RELEASE-NAME
+    namespace: NAMESPACE
+  spec:
+    policyTypes:
+      - Ingress
+      - Egress
+    podSelector:
+      matchLabels:
+        application: myApp
+        component: myComp
+    ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            application: keystone
+      ports:
+      - protocol: TCP
+        port: 80
+    egress:
+      - to:
+        - podSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+*/}}
+
+{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $name := index . "name" -}}
+{{- $labels := index . "labels" | default nil -}}
+{{- $label := index . "key" | default (index . "label") -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ $label | replace "_" "-" }}-netpol
+  namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+  policyTypes:
+{{- $is_egress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_egress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
+    - Egress
+{{ end -}}
+{{- $is_ingress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_ingress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
+    - Ingress
+{{ end -}}
+{{- end }}
+  podSelector:
+    matchLabels:
+{{- if empty $labels }}
+      {{ $name }}: {{ $label }}
+{{- else }}
+{{ range $k, $v := $labels }}
+      {{ $k }}: {{ $v }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
+{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
+{{ index $envAll.Values.network_policy $label "podSelector" "matchLabels" | toYaml | indent 6 }}
+{{ end }}
+{{ end }}
+{{ end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+  egress:
+{{- range $key, $value := $envAll.Values.endpoints }}
+{{- if kindIs "map" $value }}
+{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }}
+    - to:
+{{- if index $value "namespace" }}
+      - namespaceSelector:
+          matchLabels:
+            name: {{ index $value "namespace" }}
+{{- else if index $value "hosts" }}
+{{- $defaultValue := index $value "hosts" "internal" }}
+{{- if hasKey (index $value "hosts") "internal" }}
+{{- $a := split "-" $defaultValue }}
+      - podSelector:
+          matchLabels:
+            application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- else }}
+{{- $defaultValue := index $value "hosts" "default" }}
+{{- $a := split "-" $defaultValue }}
+      - podSelector:
+          matchLabels:
+            application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- end }}
+{{- end }}
+{{- if index $value "port" }}
+      ports:
+{{- range $k, $v := index $value "port" }}
+{{- if $k }}
+{{- range $pk, $pv := $v }}
+{{- if and $pv (ne $pk "protocol") }}
+      - port: {{ $pv }}
+        protocol: {{ $v.protocol | default "TCP" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if index $envAll.Values.network_policy $label "egress" }}
+{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if index $envAll.Values.network_policy $label "ingress" }}
+  ingress:
+{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/designate/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl b/charts/designate/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
new file mode 100644
index 0000000..4854bb1
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
@@ -0,0 +1,93 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a authenticating a registry with a secret
+examples:
+  - values: |
+      secrets:
+        oci_image_registry:
+          {{ $serviceName }}: {{ $keyName }}
+      endpoints:
+        oci_image_registry:
+          name: oci-image-registry
+          auth:
+            enabled: true
+             {{ $serviceName }}:
+                name: {{ $userName }}
+                password: {{ $password }}
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: {{ $secretName }}
+    type: kubernetes.io/dockerconfigjson
+    data:
+      dockerconfigjson: {{ $dockerAuth }}
+
+  - values: |
+      secrets:
+        oci_image_registry:
+          {{ $serviceName }}: {{ $keyName }}
+      endpoints:
+        oci_image_registry:
+          name: oci-image-registry
+          auth:
+            enabled: true
+             {{ $serviceName }}:
+                name: {{ $userName }}
+                password: {{ $password }}
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: {{ $secretName }}
+    type: kubernetes.io/dockerconfigjson
+    data:
+      dockerconfigjson: {{ $dockerAuth }}
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_registry" }}
+{{- $envAll := index . "envAll" }}
+{{- $registryUser := index . "registryUser" }}
+{{- $secretName := index $envAll.Values.secrets.oci_image_registry $registryUser }}
+{{- $registryHost := tuple "oci_image_registry" "internal" $envAll | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{/*
+We only use "host:port" when port is non-null, else just use "host"
+*/}}
+{{- $registryPort := "" }}
+{{- $port := $envAll.Values.endpoints.oci_image_registry.port.registry.default }}
+{{- if $port }}
+{{- $port = tuple "oci_image_registry" "internal" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $registryPort = printf ":%s" $port }}
+{{- end }}
+{{- $imageCredentials := index $envAll.Values.endpoints.oci_image_registry.auth $registryUser }}
+{{- $dockerAuthToken := printf "%s:%s" $imageCredentials.username $imageCredentials.password | b64enc }}
+{{- $dockerAuth := printf "{\"auths\": {\"%s%s\": {\"auth\": \"%s\"}}}" $registryHost $registryPort $dockerAuthToken | b64enc }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ $dockerAuth }}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl b/charts/designate/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
new file mode 100644
index 0000000..24a7045
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a services public tls secret
+examples:
+  - values: |
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        key_manager:
+          host_fqdn_override:
+            public:
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: barbican-tls-public
+    type: kubernetes.io/tls
+    data:
+      tls.key: Rk9PLUtFWQo=
+      tls.crt: Rk9PLUNSVAoKRk9PLUNBX0NSVAo=
+
+  - values: |
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        key_manager:
+          host_fqdn_override:
+            public:
+              tls:
+                crt: |
+                  FOO-CRT
+                  FOO-INTERMEDIATE_CRT
+                  FOO-CA_CRT
+                key: |
+                  FOO-KEY
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: barbican-tls-public
+    type: kubernetes.io/tls
+    data:
+      tls.key: Rk9PLUtFWQo=
+      tls.crt: Rk9PLUNSVApGT08tSU5URVJNRURJQVRFX0NSVApGT08tQ0FfQ1JUCg==
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_ingress_tls" }}
+{{- $envAll := index . "envAll" }}
+{{- $endpoint := index . "endpoint" | default "public" }}
+{{- $backendServiceType := index . "backendServiceType" }}
+{{- $backendService := index . "backendService" | default "api" }}
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and $endpointHost.tls.key $endpointHost.tls.crt }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ index $envAll.Values.secrets.tls ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+type: kubernetes.io/tls
+data:
+  tls.key: {{ $endpointHost.tls.key | b64enc }}
+{{- if $endpointHost.tls.ca }}
+  tls.crt: {{ list $endpointHost.tls.crt $endpointHost.tls.ca | join "\n" | b64enc }}
+{{- else }}
+  tls.crt: {{ $endpointHost.tls.crt | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/designate/charts/helm-toolkit/templates/manifests/_service-ingress.tpl b/charts/designate/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
new file mode 100644
index 0000000..d2e7c0e
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
@@ -0,0 +1,43 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for a services ingress rules.
+# It can be used in charts dict created similar to the following:
+# {- $serviceIngressOpts := dict "envAll" . "backendServiceType" "key-manager" -}
+# { $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }
+
+{{- define "helm-toolkit.manifests.service_ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+  ports:
+    - name: http
+      port: 80
+    - name: https
+      port: 443
+  selector:
+    app: ingress-api
+{{- if index $envAll.Values.endpoints $backendServiceType }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" "ingress" }}
+  clusterIP: {{ (index $envAll.Values.endpoints $backendServiceType "ip" "ingress") }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/designate/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl b/charts/designate/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
new file mode 100644
index 0000000..bf1465b
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_bucket" }}
+#!/bin/bash
+set -e
+CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST"
+if [ "$RGW_PROTO" = "http" ]; then
+  CONNECTION_ARGS+=" --no-ssl"
+else
+  CONNECTION_ARGS+=" --no-check-certificate"
+fi
+ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
+USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY"
+function check_rgw_s3_bucket () {
+  s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS ls s3://$S3_BUCKET
+}
+function create_rgw_s3_bucket () {
+  s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS mb s3://$S3_BUCKET
+}
+function modify_bucket_acl () {
+  s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME
+}
+check_rgw_s3_bucket || ( create_rgw_s3_bucket && modify_bucket_acl )
+{{- end }}
\ No newline at end of file
diff --git a/charts/designate/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl b/charts/designate/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
new file mode 100644
index 0000000..08796d2
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
@@ -0,0 +1,65 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_user" }}
+#!/bin/bash
+set -e
+function create_s3_user () {
+  echo "Creating s3 user and key pair"
+  radosgw-admin user create \
+    --uid=${S3_USERNAME} \
+    --display-name=${S3_USERNAME} \
+    --key-type=s3 \
+    --access-key ${S3_ACCESS_KEY} \
+    --secret-key ${S3_SECRET_KEY}
+}
+function update_s3_user () {
+  # Retrieve old access keys, if they exist
+  old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \
+    | jq -r '.keys[].access_key' || true)
+
+  if [[ ! -z ${old_access_keys} ]]; then
+    for access_key in $old_access_keys; do
+      # If current access key is the same as the key supplied, do nothing.
+      if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then
+        echo "Current user and key pair exists."
+        continue
+      else
+        # If keys differ, remove previous key
+        radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key
+      fi
+    done
+  fi
+
+  # Perform one more additional check to account for scenarios where multiple
+  # key pairs existed previously, but one existing key was the supplied key
+  current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \
+    | jq -r '.keys[].access_key' || true)
+
+  # If the supplied key does not exist, modify the user
+  if [[ -z ${current_access_key} ]]; then
+    # Modify user with new access and secret keys
+    echo "Updating existing user's key pair"
+    radosgw-admin user modify \
+      --uid=${S3_USERNAME}\
+      --access-key ${S3_ACCESS_KEY} \
+      --secret-key ${S3_SECRET_KEY}
+  fi
+}
+user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true)
+if [[ -z ${user_exists} ]]; then
+  create_s3_user
+else
+  update_s3_user
+fi
+{{- end }}
\ No newline at end of file
diff --git a/charts/designate/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl b/charts/designate/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
new file mode 100644
index 0000000..03884fa
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_drop" }}
+#!/usr/bin/env python
+
+# Drops db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+    import ConfigParser
+    PARSER_OPTS = {}
+except ImportError:
+    import configparser as ConfigParser
+    PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Drop')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+    db_connection = os.environ['ROOT_DB_CONNECTION']
+    logger.info('Got DB root connection')
+else:
+    logger.critical('environment variable ROOT_DB_CONNECTION not set')
+    sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+    ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+                        'key': '/etc/mysql/certs/tls.key',
+                        'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+    os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+    if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+        os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+        sys.exit(1)
+    if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+        os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+        sys.exit(1)
+    try:
+        config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+        logger.info("Using {0} as db config source".format(os_conf))
+        config.read(os_conf)
+        logger.info("Trying to load db config from {0}:{1}".format(
+            os_conf_section, os_conf_key))
+        user_db_conn = config.get(os_conf_section, os_conf_key)
+        logger.info("Got config from {0}".format(os_conf))
+    except:
+        logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+        raise
+elif "DB_CONNECTION" in os.environ:
+    user_db_conn = os.environ['DB_CONNECTION']
+    logger.info('Got config from DB_CONNECTION env var')
+else:
+    logger.critical('Could not get db config, either from config file or env var')
+    sys.exit(1)
+
+# Root DB engine
+try:
+    root_engine_full = create_engine(db_connection)
+    root_user = root_engine_full.url.username
+    root_password = root_engine_full.url.password
+    drivername = root_engine_full.url.drivername
+    host = root_engine_full.url.host
+    port = root_engine_full.url.port
+    root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+    root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+    connection = root_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+        host, port, root_user))
+except:
+    logger.critical('Could not connect to database as root user')
+    raise
+
+# User DB engine
+try:
+    user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+    # Get our user data out of the user_engine
+    database = user_engine.url.database
+    user = user_engine.url.username
+    password = user_engine.url.password
+    logger.info('Got user db config')
+except:
+    logger.critical('Could not get user database config')
+    raise
+
+# Delete DB
+try:
+    root_engine.execute("DROP DATABASE IF EXISTS {0}".format(database))
+    logger.info("Deleted database {0}".format(database))
+except:
+    logger.critical("Could not drop database {0}".format(database))
+    raise
+
+# Delete DB User
+try:
+    root_engine.execute("DROP USER IF EXISTS {0}".format(user))
+    logger.info("Deleted user {0}".format(user))
+except:
+    logger.critical("Could not delete user {0}".format(user))
+    raise
+
+logger.info('Finished DB Management')
+{{- end }}
diff --git a/charts/designate/charts/helm-toolkit/templates/scripts/_db-init.py.tpl b/charts/designate/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
new file mode 100644
index 0000000..4294d40
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_init" }}
+#!/usr/bin/env python
+
+# Creates db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+    import ConfigParser
+    PARSER_OPTS = {}
+except ImportError:
+    import configparser as ConfigParser
+    PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Init')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+    db_connection = os.environ['ROOT_DB_CONNECTION']
+    logger.info('Got DB root connection')
+else:
+    logger.critical('environment variable ROOT_DB_CONNECTION not set')
+    sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+    ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+                'key': '/etc/mysql/certs/tls.key',
+                'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+    os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+    if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+        os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+        sys.exit(1)
+    if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+        os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+        sys.exit(1)
+    try:
+        config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+        logger.info("Using {0} as db config source".format(os_conf))
+        config.read(os_conf)
+        logger.info("Trying to load db config from {0}:{1}".format(
+            os_conf_section, os_conf_key))
+        user_db_conn = config.get(os_conf_section, os_conf_key)
+        logger.info("Got config from {0}".format(os_conf))
+    except:
+        logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+        raise
+elif "DB_CONNECTION" in os.environ:
+    user_db_conn = os.environ['DB_CONNECTION']
+    logger.info('Got config from DB_CONNECTION env var')
+else:
+    logger.critical('Could not get db config, either from config file or env var')
+    sys.exit(1)
+
+# Root DB engine
+try:
+    root_engine_full = create_engine(db_connection)
+    root_user = root_engine_full.url.username
+    root_password = root_engine_full.url.password
+    drivername = root_engine_full.url.drivername
+    host = root_engine_full.url.host
+    port = root_engine_full.url.port
+    root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+    root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+    connection = root_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+        host, port, root_user))
+except:
+    logger.critical('Could not connect to database as root user')
+    raise
+
+# User DB engine
+try:
+    user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+    # Get our user data out of the user_engine
+    database = user_engine.url.database
+    user = user_engine.url.username
+    password = user_engine.url.password
+    logger.info('Got user db config')
+except:
+    logger.critical('Could not get user database config')
+    raise
+
+# Create DB
+try:
+    root_engine.execute("CREATE DATABASE IF NOT EXISTS {0}".format(database))
+    logger.info("Created database {0}".format(database))
+except:
+    logger.critical("Could not create database {0}".format(database))
+    raise
+
+# Create DB User
+try:
+    root_engine.execute(
+        "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\' {3}".format(
+            database, user, password, mysql_x509))
+    logger.info("Created user {0} for {1}".format(user, database))
+except:
+    logger.critical("Could not create user {0} for {1}".format(user, database))
+    raise
+
+# Test connection
+try:
+    connection = user_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1}/{2} as {3}".format(
+        host, port, database, user))
+except:
+    logger.critical('Could not connect to database as user')
+    raise
+
+logger.info('Finished DB Management')
+{{- end }}
diff --git a/charts/designate/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl b/charts/designate/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
new file mode 100644
index 0000000..4d7dfaa
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
@@ -0,0 +1,69 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "helm-toolkit.scripts.pg_db_init" }}
+#!/bin/bash
+set -ex
+
+if [[ ! -v DB_HOST ]]; then
+    echo "environment variable DB_HOST not set"
+    exit 1
+elif [[ ! -v DB_ADMIN_USER ]]; then
+    echo "environment variable DB_ADMIN_USER not set"
+    exit 1
+elif [[ ! -v PGPASSWORD ]]; then
+    echo "environment variable PGPASSWORD not set"
+    exit 1
+elif [[ ! -v DB_PORT ]]; then
+    echo "environment variable DB_PORT not set"
+    exit 1
+elif [[ ! -v USER_DB_USER ]]; then
+    echo "environment variable USER_DB_USER not set"
+    exit 1
+elif [[ ! -v USER_DB_PASS ]]; then
+    echo "environment variable USER_DB_PASS not set"
+    exit 1
+elif [[ ! -v USER_DB_NAME ]]; then
+    echo "environment variable USER_DB_NAME not set"
+    exit 1
+else
+    echo "Got DB connection info"
+fi
+
+pgsql_superuser_cmd () {
+  DB_COMMAND="$1"
+  if [[ ! -z $2 ]]; then
+      EXPORT PGDATABASE=$2
+  fi
+  /usr/bin/psql \
+  -h ${DB_HOST} \
+  -p ${DB_PORT} \
+  -U ${DB_ADMIN_USER} \
+  --command="${DB_COMMAND}"
+}
+
+#create db
+pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q "(1 row)" || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME"
+
+#create db user
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | grep -q "(1 row)" || \
+    pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';"
+
+#Set password everytime. This is required for cases when we would want password rotation to take effect and set the updated password for a user.
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} with password '$USER_DB_PASS'"
+
+#give permissions to user
+pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;"
+
+#revoke all privileges from PUBLIC role
+pgsql_superuser_cmd "REVOKE ALL ON DATABASE $USER_DB_NAME FROM PUBLIC;"
+{{- end }}
diff --git a/charts/designate/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl b/charts/designate/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
new file mode 100644
index 0000000..e41abe3
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
@@ -0,0 +1,24 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.image_repo_sync" }}
+#!/bin/sh
+set -ex
+
+IFS=','; for IMAGE in ${IMAGE_SYNC_LIST}; do
+  docker pull ${IMAGE}
+  docker tag ${IMAGE} ${LOCAL_REPO}/${IMAGE}
+  docker push ${LOCAL_REPO}/${IMAGE}
+done
+{{- end }}
diff --git a/charts/designate/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl b/charts/designate/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
new file mode 100644
index 0000000..8755cd5
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
@@ -0,0 +1,72 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_domain_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Manage domain
+SERVICE_OS_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Service Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+    "${SERVICE_OS_DOMAIN_NAME}")
+
+# Display domain
+openstack domain show "${SERVICE_OS_DOMAIN_ID}"
+
+# Manage user
+SERVICE_OS_USERID=$(openstack user create --or-show --enable -f value -c id \
+    --domain="${SERVICE_OS_DOMAIN_ID}" \
+    --description "Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+    --password="${SERVICE_OS_PASSWORD}" \
+    "${SERVICE_OS_USERNAME}")
+
+# Manage user password (we do this to ensure the password is updated if required)
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${SERVICE_OS_USERID}"
+
+# Display user
+openstack user show "${SERVICE_OS_USERID}"
+
+# Manage role
+SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \
+    "${SERVICE_OS_ROLE}" || openstack role create -f value -c id \
+    "${SERVICE_OS_ROLE}" )
+
+# Manage user role assignment
+openstack role add \
+          --domain="${SERVICE_OS_DOMAIN_ID}" \
+          --user="${SERVICE_OS_USERID}" \
+          --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+          "${SERVICE_OS_ROLE_ID}"
+
+# Display user role assignment
+openstack role assignment list \
+          --role="${SERVICE_OS_ROLE_ID}" \
+          --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+          --user="${SERVICE_OS_USERID}"
+{{- end }}
diff --git a/charts/designate/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl b/charts/designate/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
new file mode 100644
index 0000000..e400bcd
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
@@ -0,0 +1,79 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_endpoints" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Get Service ID
+OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+                  grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+                    sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+# Get Endpoint ID if it exists
+OS_ENDPOINT_ID=$( openstack endpoint list  -f csv --quote none | \
+                  grep "^[a-z0-9]*,${OS_REGION_NAME},${OS_SERVICE_NAME},${OS_SERVICE_TYPE},True,${OS_SVC_ENDPOINT}," | \
+                  awk -F ',' '{ print $1 }' )
+
+# Making sure only a single endpoint exists for a service within a region
+if [ "$(echo $OS_ENDPOINT_ID | wc -w)" -gt "1" ]; then
+  echo "More than one endpoint found, cleaning up"
+  for ENDPOINT_ID in $OS_ENDPOINT_ID; do
+    openstack endpoint delete ${ENDPOINT_ID}
+  done
+  unset OS_ENDPOINT_ID
+fi
+
+# Determine if Endpoint needs updated
+if [[ ${OS_ENDPOINT_ID} ]]; then
+  OS_ENDPOINT_URL_CURRENT=$(openstack endpoint show ${OS_ENDPOINT_ID} -f value -c url)
+  if [ "${OS_ENDPOINT_URL_CURRENT}" == "${OS_SERVICE_ENDPOINT}" ]; then
+    echo "Endpoints Match: no action required"
+    OS_ENDPOINT_UPDATE="False"
+  else
+    echo "Endpoints Dont Match: removing existing entries"
+    openstack endpoint delete ${OS_ENDPOINT_ID}
+    OS_ENDPOINT_UPDATE="True"
+  fi
+else
+  OS_ENDPOINT_UPDATE="True"
+fi
+
+# Update Endpoint if required
+if [[ "${OS_ENDPOINT_UPDATE}" == "True" ]]; then
+  OS_ENDPOINT_ID=$( openstack endpoint create -f value -c id \
+    --region="${OS_REGION_NAME}" \
+    "${OS_SERVICE_ID}" \
+    ${OS_SVC_ENDPOINT} \
+    "${OS_SERVICE_ENDPOINT}" )
+fi
+
+# Display the Endpoint
+openstack endpoint show ${OS_ENDPOINT_ID}
+{{- end }}
diff --git a/charts/designate/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl b/charts/designate/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
new file mode 100644
index 0000000..8356b36
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_service" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Service boilerplate description
+OS_SERVICE_DESC="${OS_REGION_NAME}: ${OS_SERVICE_NAME} (${OS_SERVICE_TYPE}) service"
+
+# Get Service ID if it exists
+unset OS_SERVICE_ID
+
+# FIXME - There seems to be an issue once in a while where the
+# openstack service list fails and encounters an error message such as:
+#   Unable to establish connection to
+#   https://keystone-api.openstack.svc.cluster.local:5000/v3/auth/tokens:
+#   ('Connection aborted.', OSError("(104, 'ECONNRESET')",))
+# During an upgrade scenario, this would cause the OS_SERVICE_ID to be blank
+# and it would attempt to create a new service when it was not needed.
+# This duplciate service would sometimes be used by other services such as
+# Horizon and would give an 'Invalid Service Catalog' error.
+# This loop allows for a 'retry' of the openstack service list in an
+# attempt to get the service list as expected if it does ecounter an error.
+# This loop and recheck can be reverted once the underlying issue is addressed.
+
+# If OS_SERVICE_ID is blank then wait a few seconds to give it
+# additional time and try again
+for i in $(seq 3)
+do
+  OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+                   grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+                   sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+  # If the service was found, go ahead and exit successfully.
+  if [[ -n "${OS_SERVICE_ID}" ]]; then
+    exit 0
+  fi
+
+  sleep 2
+done
+
+# If we've reached this point and a Service ID was not found,
+# then create the service
+OS_SERVICE_ID=$(openstack service create -f value -c id \
+                --name="${OS_SERVICE_NAME}" \
+                --description "${OS_SERVICE_DESC}" \
+                --enable \
+                "${OS_SERVICE_TYPE}")
+{{- end }}
diff --git a/charts/designate/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl b/charts/designate/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
new file mode 100644
index 0000000..b45f798
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+shopt -s nocasematch
+
+if [[ "${SERVICE_OS_PROJECT_DOMAIN_NAME}" == "Default" ]]
+then
+  PROJECT_DOMAIN_ID="default"
+else
+  # Manage project domain
+  PROJECT_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
+    "${SERVICE_OS_PROJECT_DOMAIN_NAME}")
+fi
+
+if [[ "${SERVICE_OS_USER_DOMAIN_NAME}" == "Default" ]]
+then
+  USER_DOMAIN_ID="default"
+else
+  # Manage user domain
+  USER_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}" \
+    "${SERVICE_OS_USER_DOMAIN_NAME}")
+fi
+
+shopt -u nocasematch
+
+# Manage user project
+USER_PROJECT_DESC="Service Project for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+USER_PROJECT_ID=$(openstack project create --or-show --enable -f value -c id \
+    --domain="${PROJECT_DOMAIN_ID}" \
+    --description="${USER_PROJECT_DESC}" \
+    "${SERVICE_OS_PROJECT_NAME}");
+
+# Manage user
+USER_DESC="Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}/${SERVICE_OS_SERVICE_NAME}"
+USER_ID=$(openstack user create --or-show --enable -f value -c id \
+    --domain="${USER_DOMAIN_ID}" \
+    --project-domain="${PROJECT_DOMAIN_ID}" \
+    --project="${USER_PROJECT_ID}" \
+    --description="${USER_DESC}" \
+    "${SERVICE_OS_USERNAME}");
+
+# Manage user password (we do this in a seperate step to ensure the password is updated if required)
+set +x
+echo "Setting user password via: openstack user set --password=xxxxxxx ${USER_ID}"
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${USER_ID}"
+set -x
+
+function ks_assign_user_role () {
+  if [[ "$SERVICE_OS_ROLE" == "admin" ]]
+  then
+    USER_ROLE_ID="$SERVICE_OS_ROLE"
+  else
+    USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${SERVICE_OS_ROLE}");
+  fi
+
+  # Manage user role assignment
+  openstack role add \
+      --user="${USER_ID}" \
+      --user-domain="${USER_DOMAIN_ID}" \
+      --project-domain="${PROJECT_DOMAIN_ID}" \
+      --project="${USER_PROJECT_ID}" \
+      "${USER_ROLE_ID}"
+}
+
+# Manage user service role
+IFS=','
+for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
+  ks_assign_user_role
+done
+
+# Manage user member role
+: ${MEMBER_OS_ROLE:="member"}
+export USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
+    "${MEMBER_OS_ROLE}");
+ks_assign_user_role
+{{- end }}
diff --git a/charts/designate/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/designate/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
new file mode 100644
index 0000000..3739f95
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rabbit_init" }}
+#!/bin/bash
+set -e
+# Extract connection details
+RABBIT_HOSTNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $1}')
+RABBIT_PORT=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $2}')
+
+# Extract Admin User creadential
+RABBITMQ_ADMIN_USERNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $4}')
+RABBITMQ_ADMIN_PASSWORD=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $5}')
+
+# Extract User creadential
+RABBITMQ_USERNAME=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $4}')
+RABBITMQ_PASSWORD=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $5}')
+
+# Extract User vHost
+RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $3}')
+# Resolve vHost to / if no value is set
+RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
+
+function rabbitmqadmin_cli () {
+  if [ -n "$RABBITMQ_X509" ]
+  then
+    rabbitmqadmin \
+      --ssl \
+      --ssl-disable-hostname-verification \
+      --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
+      --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
+      --ssl-key-file="${USER_CERT_PATH}/tls.key" \
+      --host="${RABBIT_HOSTNAME}" \
+      --port="${RABBIT_PORT}" \
+      --username="${RABBITMQ_ADMIN_USERNAME}" \
+      --password="${RABBITMQ_ADMIN_PASSWORD}" \
+      ${@}
+  else
+    rabbitmqadmin \
+      --host="${RABBIT_HOSTNAME}" \
+      --port="${RABBIT_PORT}" \
+      --username="${RABBITMQ_ADMIN_USERNAME}" \
+      --password="${RABBITMQ_ADMIN_PASSWORD}" \
+      ${@}
+  fi
+}
+
+echo "Managing: User: ${RABBITMQ_USERNAME}"
+rabbitmqadmin_cli \
+  declare user \
+  name="${RABBITMQ_USERNAME}" \
+  password="${RABBITMQ_PASSWORD}" \
+  tags="user"
+
+echo "Deleting Guest User"
+rabbitmqadmin_cli \
+  delete user \
+  name="guest" || true
+
+if [ "${RABBITMQ_VHOST}" != "/" ]
+then
+  echo "Managing: vHost: ${RABBITMQ_VHOST}"
+  rabbitmqadmin_cli \
+    declare vhost \
+    name="${RABBITMQ_VHOST}"
+else
+  echo "Skipping root vHost declaration: vHost: ${RABBITMQ_VHOST}"
+fi
+
+echo "Managing: Permissions: ${RABBITMQ_USERNAME} on ${RABBITMQ_VHOST}"
+rabbitmqadmin_cli \
+  declare permission \
+  vhost="${RABBITMQ_VHOST}" \
+  user="${RABBITMQ_USERNAME}" \
+  configure=".*" \
+  write=".*" \
+  read=".*"
+
+if [ ! -z "$RABBITMQ_AUXILIARY_CONFIGURATION" ]
+then
+  echo "Applying additional configuration"
+  echo "${RABBITMQ_AUXILIARY_CONFIGURATION}" > /tmp/rmq_definitions.json
+  rabbitmqadmin_cli import /tmp/rmq_definitions.json
+fi
+
+{{- end }}
diff --git a/charts/designate/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/charts/designate/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
new file mode 100644
index 0000000..c08d320
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
@@ -0,0 +1,88 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rally_test" -}}
+#!/bin/bash
+set -ex
+{{- $rallyTests := index . 0 }}
+
+: "${RALLY_ENV_NAME:="openstack-helm"}"
+: "${OS_INTERFACE:="public"}"
+: "${RALLY_CLEANUP:="true"}"
+
+if [ "x$RALLY_CLEANUP" == "xtrue" ]; then
+  function rally_cleanup {
+    openstack user delete \
+        --domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
+        "${SERVICE_OS_USERNAME}"
+{{ $rallyTests.clean_up | default "" | indent 4 }}
+  }
+  trap rally_cleanup EXIT
+fi
+
+function create_or_update_db () {
+  revisionResults=$(rally db revision)
+  if [ $revisionResults = "None"  ]
+  then
+    rally db create
+  else
+    rally db upgrade
+  fi
+}
+
+create_or_update_db
+
+cat > /tmp/rally-config.json << EOF
+{
+    "openstack": {
+        "auth_url": "${OS_AUTH_URL}",
+        "region_name": "${OS_REGION_NAME}",
+        "endpoint_type": "${OS_INTERFACE}",
+        "admin": {
+            "username": "${OS_USERNAME}",
+            "password": "${OS_PASSWORD}",
+            "user_domain_name": "${OS_USER_DOMAIN_NAME}",
+            "project_name": "${OS_PROJECT_NAME}",
+            "project_domain_name": "${OS_PROJECT_DOMAIN_NAME}"
+        },
+        "users": [
+            {
+                "username": "${SERVICE_OS_USERNAME}",
+                "password": "${SERVICE_OS_PASSWORD}",
+                "project_name": "${SERVICE_OS_PROJECT_NAME}",
+                "user_domain_name": "${SERVICE_OS_USER_DOMAIN_NAME}",
+                "project_domain_name": "${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+            }
+        ],
+        "https_insecure": false,
+        "https_cacert": "${OS_CACERT}"
+    }
+}
+EOF
+rally deployment create --file /tmp/rally-config.json --name "${RALLY_ENV_NAME}"
+rm -f /tmp/rally-config.json
+rally deployment use "${RALLY_ENV_NAME}"
+rally deployment check
+{{- if $rallyTests.run_tempest }}
+rally verify create-verifier --name "${RALLY_ENV_NAME}-tempest" --type tempest
+SERVICE_TYPE="$(rally deployment check | grep "${RALLY_ENV_NAME}" | awk -F \| '{print $3}' | tr -d ' ' | tr -d '\n')"
+rally verify start --pattern "tempest.api.${SERVICE_TYPE}*"
+rally verify delete-verifier --id "${RALLY_ENV_NAME}-tempest" --force
+{{- end }}
+rally task validate /etc/rally/rally_tests.yaml
+rally task start /etc/rally/rally_tests.yaml
+rally task sla-check
+rally env cleanup
+rally deployment destroy --deployment "${RALLY_ENV_NAME}"
+{{- end }}
diff --git a/charts/designate/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/designate/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
new file mode 100644
index 0000000..687851e
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -0,0 +1,571 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.backup_main" }}
+#!/bin/bash
+
+# This file contains a database backup framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+#   source /tmp/backup_main.sh
+#
+# Then the script should call the main backup function (backup_databases):
+#   backup_databases [scope]
+#       [scope] is an optional parameter, defaulted to "all". If only one specific
+#               database is required to be backed up then this parameter will
+#               contain the name of the database; otherwise all are backed up.
+#
+#       The framework will require the following variables to be exported:
+#
+#         export DB_NAMESPACE          Namespace where the database(s) reside
+#         export DB_NAME               Name of the database system
+#         export LOCAL_DAYS_TO_KEEP    Number of days to keep the local backups
+#         export REMOTE_DAYS_TO_KEEP   Number of days to keep the remote backups
+#         export ARCHIVE_DIR           Local location where the backup tarballs should
+#                                      be stored. (full directory path)
+#         export BACK_UP_MODE          Determines the mode of backup taken.
+#         export REMOTE_BACKUP_ENABLED "true" if remote backup enabled; false
+#                                      otherwise
+#         export CONTAINER_NAME        Name of the container on the RGW to store
+#                                      the backup tarball.
+#         export STORAGE_POLICY        Name of the storage policy defined on the
+#                                      RGW which is intended to store backups.
+#         RGW access variables:
+#           export OS_REGION_NAME          Name of the region the RGW resides in
+#           export OS_AUTH_URL             Keystone URL associated with the RGW
+#           export OS_PROJECT_NAME         Name of the project associated with the
+#                                          keystone user
+#           export OS_USERNAME             Name of the keystone user
+#           export OS_PASSWORD             Password of the keystone user
+#           export OS_USER_DOMAIN_NAME     Keystone domain the project belongs to
+#           export OS_PROJECT_DOMAIN_NAME  Keystone domain the user belongs to
+#           export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+#           export REMOTE_BACKUP_RETRIES   Number of retries to send backup to remote
+#                                          in case of any temporary failures.
+#           export MIN_DELAY_SEND_REMOTE   Minimum seconds to delay before sending backup
+#                                          to remote to stagger backups being sent to RGW
+#           export MAX_DELAY_SEND_REMOTE   Maximum seconds to delay before sending backup
+#                                          to remote to stagger backups being sent to RGW.
+#                                          A random number between min and max delay is generated
+#                                          to set the delay.
+#
+# The database-specific functions that need to be implemented are:
+#   dump_databases_to_directory <directory> <err_logfile> [scope]
+#       where:
+#         <directory>   is the full directory path to dump the database files
+#                       into. This is a temporary directory for this backup only.
+#         <err_logfile> is the full directory path where error logs are to be
+#                       written by the application.
+#         [scope]       set to "all" if all databases are to be backed up; or
+#                       set to the name of a specific database to be backed up.
+#                       This optional parameter is defaulted to "all".
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to dump the database file(s) to the specified
+#       directory path. If this function completes successfully (returns 0), the
+#       framework will automatically tar/zip the files in that directory and
+#       name the tarball appropriately according to the proper conventions.
+#
+#   verify_databases_backup_archives [scope]
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to verify the database backup archives. If this function
+#        completes successfully (returns 0), the
+#       framework will automatically starts remote backup upload.
+#
+#
+# The functions in this file will take care of:
+#   1) Calling "dump_databases_to_directory" and then compressing the files,
+#      naming the tarball properly, and then storing it locally at the specified
+#      local directory.
+#   2) Sending the tarball built to the remote gateway, to be stored in the
+#      container configured to store database backups.
+#   3) Removing local backup tarballs which are older than the number of days
+#      specified by the "LOCAL_DAYS_TO_KEEP" variable.
+#   4) Removing remote backup tarballs (from the remote gateway) which are older
+#      than the number of days specified by the "REMOTE_DAYS_TO_KEEP" variable.
+#
+
+# Note: not using set -e in this script because more elaborate error handling
+# is needed.
+
+log_backup_error_exit() {
+  MSG=$1
+  ERRCODE=${2:-0}
+  log ERROR "${DB_NAME}_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+  rm -f $ERR_LOG_FILE
+  rm -rf $TMP_DIR
+  exit $ERRCODE
+}
+
+log_verify_backup_exit() {
+  MSG=$1
+  ERRCODE=${2:-0}
+  log ERROR "${DB_NAME}_verify_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+  rm -f $ERR_LOG_FILE
+  # rm -rf $TMP_DIR
+  exit $ERRCODE
+}
+
+
+log() {
+  #Log message to a file or stdout
+  #TODO: This can be convert into mail alert of alert send to a monitoring system
+  #Params: $1 log level
+  #Params: $2 service
+  #Params: $3 message
+  #Params: $4 Destination
+  LEVEL=$1
+  SERVICE=$2
+  MSG=$3
+  DEST=$4
+  DATE=$(date +"%m-%d-%y %H:%M:%S")
+  if [[ -z "$DEST" ]]; then
+    echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}"
+  else
+    echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}" >>$DEST
+  fi
+}
+
+# Generate a random number between MIN_DELAY_SEND_REMOTE and
+# MAX_DELAY_SEND_REMOTE
+random_number() {
+  diff=$((${MAX_DELAY_SEND_REMOTE} - ${MIN_DELAY_SEND_REMOTE} + 1))
+  echo $(($(( ${RANDOM} % ${diff} )) + ${MIN_DELAY_SEND_REMOTE} ))
+}
+
+#Get the day delta since the archive file backup
+seconds_difference() {
+  ARCHIVE_DATE=$( date --date="$1" +%s )
+  if [[ $? -ne 0 ]]; then
+    SECOND_DELTA=0
+  fi
+  CURRENT_DATE=$( date +%s )
+  SECOND_DELTA=$(($CURRENT_DATE-$ARCHIVE_DATE))
+  if [[ "$SECOND_DELTA" -lt 0 ]]; then
+    SECOND_DELTA=0
+  fi
+  echo $SECOND_DELTA
+}
+
+# Send the specified tarball file at the specified filepath to the
+# remote gateway.
+send_to_remote_server() {
+  FILEPATH=$1
+  FILE=$2
+
+  # Grab the list of containers on the remote site
+  RESULT=$(openstack container list 2>&1)
+
+  if [[ $? -eq 0 ]]; then
+    echo $RESULT | grep $CONTAINER_NAME
+    if [[ $? -ne 0 ]]; then
+      # Find the swift URL from the keystone endpoint list
+      SWIFT_URL=$(openstack catalog show object-store -c endpoints | grep public | awk '{print $4}')
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to get object-store enpoints from keystone catalog."
+        return 2
+      fi
+
+      # Get a token from keystone
+      TOKEN=$(openstack token issue -f value -c id)
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to get  keystone token."
+        return 2
+      fi
+
+      # Create the container
+      RES_FILE=$(mktemp -p /tmp)
+      curl -g -i -X PUT ${SWIFT_URL}/${CONTAINER_NAME} \
+           -H "X-Auth-Token: ${TOKEN}" \
+           -H "X-Storage-Policy: ${STORAGE_POLICY}" 2>&1 > $RES_FILE
+
+      if [[ $? -ne 0 || $(grep "HTTP" $RES_FILE | awk '{print $2}') -ge 400 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to create container ${CONTAINER_NAME}"
+        cat $RES_FILE
+        rm -f $RES_FILE
+        return 2
+      fi
+      rm -f $RES_FILE
+
+      swift stat $CONTAINER_NAME
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to retrieve container ${CONTAINER_NAME} details after creation."
+        return 2
+      fi
+    fi
+  else
+    echo $RESULT | grep -E "HTTP 401|HTTP 403"
+    if [[ $? -eq 0 ]]; then
+      log ERROR "${DB_NAME}_backup" "Access denied by keystone: ${RESULT}"
+      return 1
+    else
+      echo $RESULT | grep -E "ConnectionError|Failed to discover available identity versions|Service Unavailable|HTTP 50"
+      if [[ $? -eq 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Could not reach the RGW: ${RESULT}"
+        # In this case, keystone or the site/node may be temporarily down.
+        # Return slightly different error code so the calling code can retry
+        return 2
+      else
+        log ERROR "${DB_NAME}_backup" "Could not get container list: ${RESULT}"
+        return 1
+      fi
+    fi
+  fi
+
+  # Create an object to store the file
+  openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
+    return 2
+  fi
+
+  openstack object show $CONTAINER_NAME $FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
+    return 2
+  fi
+
+  # Calculation remote file SHA256 hash
+  REMOTE_FILE=$(mktemp -p /tmp)
+  openstack object save --file ${REMOTE_FILE} $CONTAINER_NAME $FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Unable to save container object $FILE for SHA256 hash verification."
+    rm -rf ${REMOTE_FILE}
+    return 1
+  fi
+
+  # Remote backup verification
+  SHA256_REMOTE=$(cat ${REMOTE_FILE} | sha256sum | awk '{print $1}')
+  SHA256_LOCAL=$(cat ${FILEPATH}/${FILE} | sha256sum | awk '{print $1}')
+  log INFO "${DB_NAME}_backup" "Calculated SHA256 hashes for the file $FILE in container $CONTAINER_NAME."
+  log INFO "${DB_NAME}_backup" "Local SHA256 hash is ${SHA256_LOCAL}."
+  log INFO "${DB_NAME}_backup" "Remote SHA256 hash is ${SHA256_REMOTE}."
+  if [[ "${SHA256_LOCAL}" == "${SHA256_REMOTE}" ]]; then
+      log INFO "${DB_NAME}_backup" "The local backup & remote backup SHA256 hash values are matching for file $FILE in container $CONTAINER_NAME."
+  else
+      log ERROR "${DB_NAME}_backup" "Mismatch between the local backup & remote backup sha256 hash values"
+      return 1
+  fi
+  rm -rf ${REMOTE_FILE}
+
+  log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
+  return 0
+}
+
+# This function attempts to store the built tarball to the remote gateway,
+# with built-in logic to handle error cases like:
+#   1) Network connectivity issues - retries for a specific amount of time
+#   2) Authorization errors - immediately logs an ERROR and returns
+store_backup_remotely() {
+  FILEPATH=$1
+  FILE=$2
+
+  count=1
+  while [[ ${count} -le ${REMOTE_BACKUP_RETRIES} ]]; do
+    # Store the new archive to the remote backup storage facility.
+    send_to_remote_server $FILEPATH $FILE
+    SEND_RESULT="$?"
+
+    # Check if successful
+    if [[ $SEND_RESULT -eq 0 ]]; then
+      log INFO "${DB_NAME}_backup" "Backup file ${FILE} successfully sent to RGW."
+      return 0
+    elif [[ $SEND_RESULT -eq 2 ]]; then
+      if [[ ${count} -ge ${REMOTE_BACKUP_RETRIES} ]]; then
+        log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW in " \
+        "${REMOTE_BACKUP_RETRIES} retries. Errors encountered. Exiting."
+        break
+      fi
+      # Temporary failure occurred. We need to retry
+      log WARN "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to RGW due to connection issue."
+      sleep_time=$(random_number)
+      log INFO "${DB_NAME}_backup" "Sleeping ${sleep_time} seconds waiting for RGW to become available..."
+      sleep ${sleep_time}
+      log INFO "${DB_NAME}_backup" "Retrying..."
+    else
+      log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW. Errors encountered. Exiting."
+      break
+    fi
+
+    # Increment the counter
+    count=$((count+1))
+  done
+
+  return 1
+}
+
+
+function get_archive_date(){
+# get_archive_date function returns correct archive date
+# for different formats of archives' names
+# the old one: <database name>.<namespace>.<table name | all>.<date-time>.tar.gz
+# the new one: <database name>.<namespace>.<table name | all>.<backup mode>.<date-time>.tar.gz
+  local A_FILE="$1"
+  awk -F. '{print $(NF-2)}' <<< ${A_FILE} | tr -d "Z"
+}
+
+# This function takes a list of archives' names as an input
+# and creates a hash table where keys are number of seconds
+# between current date and archive date (see seconds_difference),
+# and values are space separated archives' names
+#
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 1265342678 | "tmp/mysql.backup.auto.2022-02-14T10:13:13Z.tar.gz"                                                     |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 2346254257 | "tmp/mysql.backup.auto.2022-02-11T10:13:13Z.tar.gz tmp/mysql.backup.manual.2022-02-11T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# <...>
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 6253434567 | "tmp/mysql.backup.manual.2022-02-01T10:13:13Z.tar.gz"                                                   |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# We will use the explained above data stracture to cover rare, but still
+# possible case, when we have several backups of the same date. E.g.
+# one manual, and one automatic.
+
+declare -A fileTable
+create_hash_table() {
+unset fileTable
+fileList=$@
+  for ARCHIVE_FILE in ${fileList}; do
+    # Creating index, we will round given ARCHIVE_DATE to the midnight (00:00:00)
+    # to take in account a possibility, that we can have more than one scheduled
+    # backup per day.
+    ARCHIVE_DATE=$(get_archive_date ${ARCHIVE_FILE})
+    ARCHIVE_DATE=$(date --date=${ARCHIVE_DATE} +%D)
+    log INFO "${DB_NAME}_backup" "Archive date to build index: ${ARCHIVE_DATE}"
+    INDEX=$(seconds_difference ${ARCHIVE_DATE})
+    if [[ -z fileTable[${INDEX}] ]]; then
+      fileTable[${INDEX}]=${ARCHIVE_FILE}
+    else
+      fileTable[${INDEX}]="${fileTable[${INDEX}]} ${ARCHIVE_FILE}"
+    fi
+    echo "INDEX: ${INDEX} VALUE:  ${fileTable[${INDEX}]}"
+ done
+}
+
+function get_backup_prefix() {
+# Create list of all possible prefixes in a format:
+# <db_name>.<namespace> to cover a possible situation
+# when different backups of different databases and/or
+# namespaces share the same local or remote storage.
+  ALL_FILES=($@)
+  PREFIXES=()
+  for fname in ${ALL_FILES[@]}; do
+    prefix=$(basename ${fname} | cut -d'.' -f1,2 )
+    for ((i=0; i<${#PREFIXES[@]}; i++)) do
+      if [[ ${PREFIXES[${i}]} == ${prefix} ]]; then
+        prefix=""
+        break
+      fi
+    done
+    if [[ ! -z ${prefix} ]]; then
+        PREFIXES+=(${prefix})
+    fi
+  done
+}
+
+remove_old_local_archives() {
+  SECONDS_TO_KEEP=$(( $((${LOCAL_DAYS_TO_KEEP}))*86400))
+  log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+  if [[ -d $ARCHIVE_DIR ]]; then
+    count=0
+    # We iterate over the hash table, checking the delta in seconds (hash keys),
+    # and minimum number of backups we must have in place. List of keys has to be sorted.
+    for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+      ARCHIVE_FILE=${fileTable[${INDEX}]}
+      if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
+        ((count++))
+        log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
+      else
+        log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
+          rm -f ${ARCHIVE_FILE}
+          if [[ $? -ne 0 ]]; then
+            # Log error but don't exit so we can finish the script
+            # because at this point we haven't sent backup to RGW yet
+            log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
+          fi
+      fi
+    done
+  else
+    log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
+  fi
+}
+
+prepare_list_of_remote_backups() {
+  BACKUP_FILES=$(mktemp -p /tmp)
+  DB_BACKUP_FILES=$(mktemp -p /tmp)
+  openstack object list $CONTAINER_NAME > $BACKUP_FILES
+  if [[ $? -ne 0 ]]; then
+    log_backup_error_exit \
+      "Failed to cleanup remote backup. Could not obtain a list of current backup files in the RGW"
+  fi
+  # Filter out other types of backup files
+  cat $BACKUP_FILES | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $DB_BACKUP_FILES
+}
+
+# The logic implemented with this function is absolutely similar
+# to the function remove_old_local_archives (see above)
+remove_old_remote_archives() {
+  count=0
+  SECONDS_TO_KEEP=$((${REMOTE_DAYS_TO_KEEP}*86400))
+  log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+  for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+    ARCHIVE_FILE=${fileTable[${INDEX}]}
+    if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then
+      ((count++))
+      log INFO "${DB_NAME}_backup" "Keeping remote backup(s) ${ARCHIVE_FILE}."
+    else
+      log INFO "${DB_NAME}_backup" "Deleting remote backup(s) ${ARCHIVE_FILE} from the RGW"
+      openstack object delete ${CONTAINER_NAME} ${ARCHIVE_FILE} ||  log WARN "${DB_NAME}_backup" \
+        "Failed to cleanup remote backup. Cannot delete container object ${ARCHIVE_FILE}"
+    fi
+  done
+
+  # Cleanup now that we're done.
+  for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
+    if [[ -f ${fd} ]]; then
+      rm -f ${fd}
+    else
+      log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+    fi
+  done
+}
+
+# Main function to backup the databases. Calling functions need to supply:
+#  1) The directory where the final backup will be kept after it is compressed.
+#  2) A temporary directory to use for placing database files to be compressed.
+#     Note: this temp directory will be deleted after backup is done.
+#  3) Optional "scope" parameter indicating what database to back up. Defaults
+#     to "all".
+backup_databases() {
+  SCOPE=${1:-"all"}
+
+  # Create necessary directories if they do not exist.
+  mkdir -p $ARCHIVE_DIR || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create directory ${ARCHIVE_DIR}!"
+  export TMP_DIR=$(mktemp -d) || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create temp directory!"
+
+  # Create temporary log file
+  export ERR_LOG_FILE=$(mktemp -p /tmp) || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create log file!"
+
+  # It is expected that this function will dump the database files to the $TMP_DIR
+  dump_databases_to_directory $TMP_DIR $ERR_LOG_FILE $SCOPE
+
+  # If successful, there should be at least one file in the TMP_DIR
+  if [[ $? -ne 0 || $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+    cat $ERR_LOG_FILE
+    log_backup_error_exit "Backup of the ${DB_NAME} database failed and needs attention."
+  fi
+
+  log INFO "${DB_NAME}_backup" "Databases dumped successfully. Creating tarball..."
+
+  NOW=$(date +"%Y-%m-%dT%H:%M:%SZ")
+  if [[ -z "${BACK_UP_MODE}" ]]; then
+    TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${NOW}.tar.gz"
+  else
+    TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${BACK_UP_MODE}.${NOW}.tar.gz"
+  fi
+
+  cd $TMP_DIR || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot change to directory $TMP_DIR"
+
+  #Archive the current database files
+  tar zcvf $ARCHIVE_DIR/$TARBALL_FILE *
+  if [[ $? -ne 0 ]]; then
+    log_backup_error_exit \
+      "Backup ${DB_NAME} to local file system failed. Backup tarball could not be created."
+  fi
+
+  # Get the size of the file
+  ARCHIVE_SIZE=$(ls -l $ARCHIVE_DIR/$TARBALL_FILE | awk '{print $5}')
+
+  log INFO "${DB_NAME}_backup" "Tarball $TARBALL_FILE created successfully."
+
+  cd $ARCHIVE_DIR
+
+  #Only delete the old archive after a successful archive
+  export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
+  if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
+    get_backup_prefix $(ls -1 ${ARCHIVE_DIR}/*.gz)
+    for ((i=0; i<${#PREFIXES[@]}; i++)); do
+      echo "Working with prefix: ${PREFIXES[i]}"
+      create_hash_table $(ls -1 ${ARCHIVE_DIR}/${PREFIXES[i]}*.gz)
+      remove_old_local_archives
+    done
+  fi
+
+  # Local backup verification process
+
+  # It is expected that this function will verify the database backup files
+  if verify_databases_backup_archives ${SCOPE}; then
+    log INFO "${DB_NAME}_backup_verify" "Databases backup verified successfully. Uploading verified backups to remote location..."
+  else
+    # If successful, there should be at least one file in the TMP_DIR
+    if [[ $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+      cat $ERR_LOG_FILE
+    fi
+    log_verify_backup_exit "Verify of the ${DB_NAME} database backup failed and needs attention."
+    exit 1
+  fi
+
+  # Remove the temporary directory and files as they are no longer needed.
+  rm -rf $TMP_DIR
+  rm -f $ERR_LOG_FILE
+
+  # Remote backup
+  REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
+  if $REMOTE_BACKUP; then
+    # Remove Quotes from the constants which were added due to reading
+    # from secret.
+    export REMOTE_BACKUP_RETRIES=$(echo $REMOTE_BACKUP_RETRIES | sed 's/"//g')
+    export MIN_DELAY_SEND_REMOTE=$(echo $MIN_DELAY_SEND_REMOTE | sed 's/"//g')
+    export MAX_DELAY_SEND_REMOTE=$(echo $MAX_DELAY_SEND_REMOTE | sed 's/"//g')
+    export REMOTE_DAYS_TO_KEEP=$(echo $REMOTE_DAYS_TO_KEEP | sed 's/"//g')
+
+    store_backup_remotely $ARCHIVE_DIR $TARBALL_FILE
+    if [[ $? -ne 0 ]]; then
+      # This error should print first, then print the summary as the last
+      # thing that the user sees in the output.
+      log ERROR "${DB_NAME}_backup" "Backup ${TARBALL_FILE} could not be sent to remote RGW."
+      echo "=================================================================="
+      echo "Local backup successful, but could not send to remote RGW."
+      echo "Backup archive name: $TARBALL_FILE"
+      echo "Backup archive size: $ARCHIVE_SIZE"
+      echo "=================================================================="
+      # Because the local backup was successful, exit with 0 so the pod will not
+      # continue to restart and fill the disk with more backups. The ERRORs are
+      # logged and alerting system should catch those errors and flag the operator.
+      exit 0
+    fi
+
+    #Only delete the old archive after a successful archive
+    if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then
+      prepare_list_of_remote_backups
+      get_backup_prefix $(cat $DB_BACKUP_FILES)
+      for ((i=0; i<${#PREFIXES[@]}; i++)); do
+        echo "Working with prefix: ${PREFIXES[i]}"
+        create_hash_table $(cat ${DB_BACKUP_FILES} | grep ${PREFIXES[i]})
+        remove_old_remote_archives
+      done
+    fi
+
+    echo "=================================================================="
+    echo "Local backup and backup to remote RGW successful!"
+    echo "Backup archive name: $TARBALL_FILE"
+    echo "Backup archive size: $ARCHIVE_SIZE"
+    echo "=================================================================="
+  else
+    # Remote backup is not enabled. This is ok; at least we have a local backup.
+    log INFO "${DB_NAME}_backup" "Skipping remote backup, as it is not enabled."
+
+    echo "=================================================================="
+    echo "Local backup successful!"
+    echo "Backup archive name: $TARBALL_FILE"
+    echo "Backup archive size: $ARCHIVE_SIZE"
+    echo "=================================================================="
+  fi
+}
+{{- end }}
\ No newline at end of file
diff --git a/charts/designate/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl b/charts/designate/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
new file mode 100644
index 0000000..093dd2c
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
@@ -0,0 +1,616 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.restore_main" }}
+#!/bin/bash
+
+# This file contains a database restore framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+#   source /tmp/restore_main.sh
+#
+# Then the script should call the main CLI function (cli_main):
+#   cli_main <arg_list>
+#       where:
+#         <arg_list>    is the list of arguments given by the user
+#
+#       The framework will require the following variables to be exported:
+#
+#         export DB_NAMESPACE        Namespace where the database(s) reside
+#         export DB_NAME             Name of the database system
+#         export ARCHIVE_DIR         Location where the backup tarballs should
+#                                    be stored. (full directory path which
+#                                    should already exist)
+#         export CONTAINER_NAME      Name of the container on the RGW where
+#                                    the backups are stored.
+#         RGW access variables:
+#           export OS_REGION_NAME          Name of the region the RGW resides in
+#           export OS_AUTH_URL             Keystone URL associated with the RGW
+#           export OS_PROJECT_NAME         Name of the project associated with the
+#                                          keystone user
+#           export OS_USERNAME             Name of the keystone user
+#           export OS_PASSWORD             Password of the keystone user
+#           export OS_USER_DOMAIN_NAME     Keystone domain the project belongs to
+#           export OS_PROJECT_DOMAIN_NAME  Keystone domain the user belongs to
+#           export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# The database-specific functions that need to be implemented are:
+#   get_databases
+#       where:
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <db_file>     is the full path of the file to write the database
+#                       names into, one database per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the database names from the
+#       uncompressed database files found in the given "tmp_dir", which is
+#       the staging directory for database restore. The database names
+#       should be written to the given "db_file", one database name per
+#       line.
+#
+#   get_tables
+#         <db_name>     is the name of the database to get the tables from
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <table_file>  is the full path of the file to write the table
+#                       names into, one table per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the table names from the given
+#       database, found in the uncompressed database files located in the
+#       given "tmp_dir", which is the staging directory for database restore.
+#       The table names should be written to the given "table_file", one
+#       table name per line.
+#
+#   get_rows
+#         <table_name>  is the name of the table to get the rows from
+#         <db_name>     is the name of the database the table resides in
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <rows_file>   is the full path of the file to write the table
+#                       row data into, one row (INSERT statement) per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the rows from the given table
+#       in the given database, found in the uncompressed database files
+#       located in the given "tmp_dir", which is the staging directory for
+#       database restore. The table rows should be written to the given
+#       "rows_file", one row (INSERT statement) per line.
+#
+#   get_schema
+#         <table_name>  is the name of the table to get the schema from
+#         <db_name>     is the name of the database the table resides in
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <schema_file> is the full path of the file to write the table
+#                       schema data into
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the schema from the given table
+#       in the given database, found in the uncompressed database files
+#       located in the given "tmp_dir", which is the staging directory for
+#       database restore. The table schema and related alterations and
+#       grant information should be written to the given "schema_file".
+#
+#   restore_single_db
+#       where:
+#         <db_name>     is the name of the database to be restored
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to restore the database given as "db_name"
+#       using the database files located in the "tmp_dir". The framework
+#       will delete the "tmp_dir" and the files in it after the restore is
+#       complete.
+#
+#   restore_all_dbs
+#       where:
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to restore all of the databases which
+#       are backed up in the database files located in the "tmp_dir". The
+#       framework will delete the "tmp_dir" and the files in it after the
+#       restore is complete.
+#
+# The functions in this file will take care of:
+#   1) The CLI parameter parsing for the arguments passed in by the user.
+#   2) The listing of either local or remote archive files at the request
+#      of the user.
+#   3) The retrieval/download of an archive file located either in the local
+#      file system or remotely stored on an RGW.
+#   4) Calling either "restore_single_db" or "restore_all_dbs" when the user
+#      chooses to restore a database or all databases.
+#   5) The framework will call "get_databases" when it needs a list of
+#      databases when the user requests a database list or when the user
+#      requests to restore a single database (to ensure it exists in the
+#      archive). Similarly, the framework will call "get_tables", "get_rows",
+#      or "get_schema" when it needs that data requested by the user.
+#
+
+usage() {
+  ret_val=$1
+  echo "Usage:"
+  echo "Restore command options"
+  echo "============================="
+  echo "help"
+  echo "list_archives [remote]"
+  echo "list_databases <archive_filename> [remote]"
+  echo "list_tables <archive_filename> <dbname> [remote]"
+  echo "list_rows <archive_filename> <dbname> <table_name> [remote]"
+  echo "list_schema <archive_filename> <dbname> <table_name> [remote]"
+  echo "restore <archive_filename> <db_specifier> [remote]"
+  echo "        where <db_specifier> = <dbname> | ALL"
+  echo "delete_archive <archive_filename> [remote]"
+  clean_and_exit $ret_val ""
+}
+
+#Exit cleanly with some message and return code
+clean_and_exit() {
+  RETCODE=$1
+  MSG=$2
+
+  # Clean/remove temporary directories/files
+  rm -rf $TMP_DIR
+  rm -f $RESULT_FILE
+
+  if [[ "x${MSG}" != "x" ]]; then
+    echo $MSG
+  fi
+  exit $RETCODE
+}
+
+determine_resulting_error_code() {
+  RESULT="$1"
+
+  echo ${RESULT} | grep "HTTP 404"
+  if [[ $? -eq 0 ]]; then
+    echo "Could not find the archive: ${RESULT}"
+    return 1
+  else
+    echo ${RESULT} | grep "HTTP 401"
+    if [[ $? -eq 0 ]]; then
+      echo "Could not access the archive: ${RESULT}"
+      return 1
+    else
+      echo ${RESULT} | grep "HTTP 503"
+      if [[ $? -eq 0 ]]; then
+        echo "RGW service is unavailable. ${RESULT}"
+        # In this case, the RGW may be temporarily down.
+        # Return slightly different error code so the calling code can retry
+        return 2
+      else
+        echo ${RESULT} | grep "ConnectionError"
+        if [[ $? -eq 0 ]]; then
+          echo "Could not reach the RGW: ${RESULT}"
+          # In this case, keystone or the site/node may be temporarily down.
+          # Return slightly different error code so the calling code can retry
+          return 2
+        else
+          echo "Archive ${ARCHIVE} could not be retrieved: ${RESULT}"
+          return 1
+        fi
+      fi
+    fi
+  fi
+  return 0
+}
+
+# Retrieve a list of archives from the RGW.
+retrieve_remote_listing() {
+  RESULT=$(openstack container show $CONTAINER_NAME 2>&1)
+  if [[ $? -eq 0 ]]; then
+    # Get the list, ensureing that we only pick up the right kind of backups from the
+    # requested namespace
+    openstack object list $CONTAINER_NAME | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $TMP_DIR/archive_list
+    if [[ $? -ne 0 ]]; then
+      echo "Container object listing could not be obtained."
+      return 1
+    else
+      echo "Archive listing successfully retrieved."
+    fi
+  else
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  fi
+  return 0
+}
+
+# Retrieve a single archive from the RGW.
+retrieve_remote_archive() {
+  ARCHIVE=$1
+
+  RESULT=$(openstack object save --file $TMP_DIR/$ARCHIVE $CONTAINER_NAME $ARCHIVE 2>&1)
+  if [[ $? -ne 0 ]]; then
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  else
+    echo "Archive $ARCHIVE successfully retrieved."
+  fi
+  return 0
+}
+
+# Delete an archive from the RGW.
+delete_remote_archive() {
+  ARCHIVE=$1
+
+  RESULT=$(openstack object delete ${CONTAINER_NAME} ${ARCHIVE} 2>&1)
+  if [[ $? -ne 0 ]]; then
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  else
+    echo "Archive ${ARCHIVE} successfully deleted."
+  fi
+  return 0
+}
+
+# Display all archives
+list_archives() {
+  REMOTE=$1
+
+  if [[ "x${REMOTE^^}" == "xREMOTE" ]]; then
+    retrieve_remote_listing
+    if [[ $? -eq 0 && -e $TMP_DIR/archive_list ]]; then
+      echo
+      echo "All Archives from RGW Data Store"
+      echo "=============================================="
+      cat $TMP_DIR/archive_list | sort
+      clean_and_exit 0 ""
+    else
+      clean_and_exit 1 "ERROR: Archives could not be retrieved from the RGW."
+    fi
+  elif [[ "x${REMOTE}" == "x" ]]; then
+    if [[ -d $ARCHIVE_DIR ]]; then
+      archives=$(find $ARCHIVE_DIR/ -iname "*.gz" -print | sort)
+      echo
+      echo "All Local Archives"
+      echo "=============================================="
+      for archive in $archives
+      do
+        echo $archive | cut -d '/' -f8-
+      done
+      clean_and_exit 0 ""
+    else
+      clean_and_exit 1 "ERROR: Local archive directory is not available."
+    fi
+  else
+    usage 1
+  fi
+}
+
+# Retrieve the archive from the desired location and decompress it into
+# the restore directory
+get_archive() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+
+  if [[ "x$REMOTE" == "xremote" ]]; then
+    echo "Retrieving archive ${ARCHIVE_FILE} from the remote RGW..."
+    retrieve_remote_archive $ARCHIVE_FILE
+    if [[ $? -ne 0 ]]; then
+      clean_and_exit 1 "ERROR: Could not retrieve remote archive: $ARCHIVE_FILE"
+    fi
+  elif [[ "x$REMOTE" == "x" ]]; then
+    if [[ -e $ARCHIVE_DIR/$ARCHIVE_FILE ]]; then
+      cp $ARCHIVE_DIR/$ARCHIVE_FILE $TMP_DIR/$ARCHIVE_FILE
+      if [[ $? -ne 0 ]]; then
+        clean_and_exit 1 "ERROR: Could not copy local archive to restore directory."
+      fi
+    else
+      clean_and_exit 1 "ERROR: Local archive file could not be found."
+    fi
+  else
+    usage 1
+  fi
+
+  echo "Decompressing archive $ARCHIVE_FILE..."
+  cd $TMP_DIR
+  tar zxvf - < $TMP_DIR/$ARCHIVE_FILE 1>/dev/null
+  if [[ $? -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Archive decompression failed."
+  fi
+}
+
+# Display all databases from an archive
+list_databases() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one database per line
+  get_databases $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve databases from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Databases in the $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Databases file missing. Could not list databases from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display all tables of a database from an archive
+list_tables() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  REMOTE=$3
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one table per line
+  get_tables $DATABASE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve tables for database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Tables in database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Tables file missing. Could not list tables of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display all rows of the given database table from an archive
+list_rows() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  TABLE=$3
+  REMOTE=$4
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one table per line
+  get_rows $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Rows in table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Rows file missing. Could not list rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display the schema information of the given database table from an archive
+list_schema() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  TABLE=$3
+  REMOTE=$4
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the schema information will be placed into
+  # the given schema file.
+  get_schema $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Schema for table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Schema file missing. Could not list schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Delete an archive
+delete_archive() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  if [[ "${WHERE}" == "remote" ]]; then
+    delete_remote_archive ${ARCHIVE_FILE}
+    if [[ $? -ne 0 ]]; then
+      clean_and_exit 1 "ERROR: Could not delete remote archive: ${ARCHIVE_FILE}"
+    fi
+  else # Local
+    if [[ -e ${ARCHIVE_DIR}/${ARCHIVE_FILE} ]]; then
+      rm -f ${ARCHIVE_DIR}/${ARCHIVE_FILE}
+      if [[ $? -ne 0 ]]; then
+        clean_and_exit 1 "ERROR: Could not delete local archive."
+      fi
+    else
+      clean_and_exit 1 "ERROR: Local archive file could not be found."
+    fi
+  fi
+
+  echo "Successfully deleted archive ${ARCHIVE_FILE} from ${WHERE} storage."
+}
+
+
+# Return 1 if the given database exists in the database file. 0 otherwise.
+database_exists() {
+  DB=$1
+
+  grep "${DB}" ${RESULT_FILE}
+  if [[ $? -eq 0 ]]; then
+    return 1
+  fi
+  return 0
+}
+
+# This is the main CLI interpreter function
+cli_main() {
+  ARGS=("$@")
+
+  # Create the ARCHIVE DIR if it's not already there.
+  mkdir -p $ARCHIVE_DIR
+
+  # Create temp directory for a staging area to decompress files into
+  export TMP_DIR=$(mktemp -d)
+
+  # Create a temp file for storing list of databases (if needed)
+  export RESULT_FILE=$(mktemp -p /tmp)
+
+  case "${ARGS[0]}" in
+    "help")
+      usage 0
+      ;;
+
+    "list_archives")
+      if [[ ${#ARGS[@]} -gt 2 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 1 ]]; then
+        list_archives
+      else
+        list_archives ${ARGS[1]}
+      fi
+      clean_and_exit 0
+      ;;
+
+    "list_databases")
+      if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 2 ]]; then
+        list_databases ${ARGS[1]}
+      else
+        list_databases ${ARGS[1]} ${ARGS[2]}
+      fi
+      ;;
+
+    "list_tables")
+      if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 3 ]]; then
+        list_tables ${ARGS[1]} ${ARGS[2]}
+      else
+        list_tables ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      fi
+      ;;
+
+    "list_rows")
+      if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      else
+        list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+      fi
+      ;;
+
+    "list_schema")
+      if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      else
+        list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+      fi
+      ;;
+
+    "restore")
+      REMOTE=""
+      if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        REMOTE=${ARGS[3]}
+      fi
+
+      ARCHIVE=${ARGS[1]}
+      DB_SPEC=${ARGS[2]}
+
+      #Get all the databases in that archive
+      get_archive $ARCHIVE $REMOTE
+
+      if [[ "$( echo $DB_SPEC | tr '[a-z]' '[A-Z]')" != "ALL" ]]; then
+        # Expectation is that the database listing will be put into
+        # the given file one database per line
+        get_databases $TMP_DIR $RESULT_FILE
+        if [[ "$?" -ne 0 ]]; then
+          clean_and_exit 1 "ERROR: Could not get the list of databases to restore."
+        fi
+
+        if [[ ! $DB_NAMESPACE == "kube-system" ]]; then
+          #check if the requested database is available in the archive
+          database_exists $DB_SPEC
+          if [[ $? -ne 1 ]]; then
+            clean_and_exit 1 "ERROR: Database ${DB_SPEC} does not exist."
+          fi
+        fi
+
+        echo "Restoring Database $DB_SPEC And Grants"
+        restore_single_db $DB_SPEC $TMP_DIR
+        if [[ "$?" -eq 0 ]]; then
+          echo "Single database restored successfully."
+        else
+          clean_and_exit 1 "ERROR: Single database restore failed."
+        fi
+        clean_and_exit 0 ""
+      else
+        echo "Restoring All The Databases. This could take a few minutes..."
+        restore_all_dbs $TMP_DIR
+        if [[ "$?" -eq 0 ]]; then
+          echo "All databases restored successfully."
+        else
+          clean_and_exit 1 "ERROR: Database restore failed."
+        fi
+        clean_and_exit 0 ""
+      fi
+      ;;
+    "delete_archive")
+      if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 2 ]]; then
+        delete_archive ${ARGS[1]}
+      else
+        delete_archive ${ARGS[1]} ${ARGS[2]}
+      fi
+      ;;
+    *)
+      usage 1
+      ;;
+  esac
+
+  clean_and_exit 0 ""
+}
+{{- end }}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_image.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_image.tpl
new file mode 100644
index 0000000..029c93d
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_image.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves an image reference to a string, and its pull policy
+values: |
+  images:
+    tags:
+      test_image: docker.io/port/test:version-foo
+      image_foo: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    pull_policy: IfNotPresent
+    local_registry:
+      active: true
+      exclude:
+        - image_foo
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    local_image_registry:
+      name: docker-registry
+      namespace: docker-registry
+      hosts:
+        default: localhost
+        internal: docker-registry
+        node: localhost
+      host_fqdn_override:
+        default: null
+      port:
+        registry:
+          node: 5000
+usage: |
+  {{ tuple . "test_image" | include "helm-toolkit.snippets.image" }}
+return: |
+  image: "localhost:5000/docker.io/port/test:version-foo"
+  imagePullPolicy: IfNotPresent
+*/}}
+
+{{- define "helm-toolkit.snippets.image" -}}
+{{- $envAll := index . 0 -}}
+{{- $image := index . 1 -}}
+{{- $imageTag := index $envAll.Values.images.tags $image -}}
+{{- if and ($envAll.Values.images.local_registry.active) (not (has $image $envAll.Values.images.local_registry.exclude )) -}}
+{{- $registryPrefix := printf "%s:%s" (tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup") (tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup") -}}
+image: {{ printf "%s/%s" $registryPrefix $imageTag | quote }}
+{{- else -}}
+image: {{ $imageTag | quote }}
+{{- end }}
+imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
new file mode 100644
index 0000000..2f209fe
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a set of container enviorment variables, equivlant to an openrc for
+  use with keystone based command line clients.
+values: |
+  secrets:
+    identity:
+      admin: example-keystone-admin
+usage: |
+  {{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin ) }}
+return: |
+  - name: OS_IDENTITY_API_VERSION
+    value: "3"
+  - name: OS_AUTH_URL
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_AUTH_URL
+  - name: OS_REGION_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_REGION_NAME
+  - name: OS_INTERFACE
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_INTERFACE
+  - name: OS_ENDPOINT_TYPE
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_INTERFACE
+  - name: OS_PROJECT_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PROJECT_DOMAIN_NAME
+  - name: OS_PROJECT_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PROJECT_NAME
+  - name: OS_USER_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_USER_DOMAIN_NAME
+  - name: OS_USERNAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_USERNAME
+  - name: OS_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PASSWORD
+  - name: OS_CACERT
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_CACERT
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }}
+{{- $useCA := .useCA -}}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: OS_IDENTITY_API_VERSION
+  value: "3"
+- name: OS_AUTH_URL
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_AUTH_URL
+- name: OS_REGION_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_REGION_NAME
+- name: OS_INTERFACE
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_INTERFACE
+- name: OS_ENDPOINT_TYPE
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_INTERFACE
+- name: OS_PROJECT_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_DOMAIN_NAME
+- name: OS_PROJECT_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_NAME
+- name: OS_USER_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USER_DOMAIN_NAME
+- name: OS_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USERNAME
+- name: OS_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PASSWORD
+- name: OS_DEFAULT_DOMAIN
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_DEFAULT_DOMAIN
+{{- if $useCA }}
+- name: OS_CACERT
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_CACERT
+{{- end }}
+{{- end }}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
new file mode 100644
index 0000000..f627657
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_secret_openrc" }}
+{{- $userClass := index . 0 -}}
+{{- $identityEndpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $userContext := index $context.Values.endpoints.identity.auth $userClass }}
+OS_AUTH_URL: {{ tuple "identity" $identityEndpoint "api" $context | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
+OS_REGION_NAME: {{ $userContext.region_name | b64enc }}
+OS_INTERFACE: {{ $userContext.interface | default "internal" | b64enc }}
+OS_PROJECT_DOMAIN_NAME: {{ $userContext.project_domain_name | b64enc }}
+OS_PROJECT_NAME: {{ $userContext.project_name | b64enc }}
+OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }}
+OS_USERNAME: {{ $userContext.username | b64enc }}
+OS_PASSWORD: {{ $userContext.password | b64enc }}
+OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }}
+{{- if $userContext.cacert }}
+OS_CACERT: {{ $userContext.cacert | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
new file mode 100644
index 0000000..648711b
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a set of container enviorment variables, for use with the keystone
+  user management jobs.
+values: |
+  secrets:
+    identity:
+      service_user: example-keystone-user
+usage: |
+  {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }}
+return: |
+  - name: SERVICE_OS_REGION_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_REGION_NAME
+  - name: SERVICE_OS_PROJECT_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PROJECT_DOMAIN_NAME
+  - name: SERVICE_OS_PROJECT_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PROJECT_NAME
+  - name: SERVICE_OS_USER_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_USER_DOMAIN_NAME
+  - name: SERVICE_OS_USERNAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_USERNAME
+  - name: SERVICE_OS_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PASSWORD
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_user_create_env_vars" }}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: SERVICE_OS_REGION_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_REGION_NAME
+- name: SERVICE_OS_PROJECT_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_DOMAIN_NAME
+- name: SERVICE_OS_PROJECT_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_NAME
+- name: SERVICE_OS_USER_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USER_DOMAIN_NAME
+- name: SERVICE_OS_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USERNAME
+- name: SERVICE_OS_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PASSWORD
+{{- end }}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
new file mode 100644
index 0000000..8ca1028
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders a configmap used for loading custom AppArmor profiles.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+      apparmor_profiles: |-
+        my_apparmor-v1.profile: |-
+          #include <tunables/global>
+          profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+            <profile_data>
+          }
+usage: |
+  {{ dict "envAll" . "component" "myComponent" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }}
+return: |
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: releaseName-myComponent-apparmor
+  namespace: myNamespace
+data:
+  my_apparmor-v1.profile: |-
+    #include <tunables/global>
+    profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+      <profile_data>
+    }
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_configmap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- $mapName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if $envAll.Values.conf.apparmor_profiles }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ $mapName }}
+  namespace: {{ $envAll.Release.Namespace }}
+data:
+{{ $envAll.Values.conf.apparmor_profiles | toYaml | indent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
new file mode 100644
index 0000000..f231fe6
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders the init container used for apparmor loading.
+values: |
+  images:
+    tags:
+      apparmor_loader: my-repo.io/apparmor-loader:1.0.0
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+      apparmor-loader: unconfined
+usage: |
+  {{ dict "envAll" . | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" }}
+return: |
+  - name: apparmor-loader
+    image: my-repo.io/apparmor-loader:1.0.0
+    args:
+      - /profiles
+    securityContext:
+      privileged: true
+    volumeMounts:
+      - name: sys
+        mountPath: /sys
+        readOnly: true
+      - name: includes
+        mountPath: /etc/apparmor.d
+        readOnly: true
+      - name: profiles
+        mountPath: /profiles
+        readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" -}}
+{{- $envAll := index . "envAll" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+- name: apparmor-loader
+  image: {{ $envAll.Values.images.tags.apparmor_loader }}
+  args:
+    - /profiles
+  securityContext:
+    privileged: true
+  volumeMounts:
+    - name: sys
+      mountPath: /sys
+      readOnly: true
+    - name: includes
+      mountPath: /etc/apparmor.d
+      readOnly: true
+    - name: profiles
+      mountPath: /profiles
+      readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
new file mode 100644
index 0000000..baebaa3
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders the volumes used by the apparmor loader.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+inputs: |
+  envAll: "Environment or Context."
+  component: "Name of the component used for the name of configMap."
+  requireSys: "Boolean. True if it needs the hostpath /sys in volumes."
+usage: |
+  {{ dict "envAll" . "component" "keystone" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" }}
+return: |
+- name: sys
+  hostPath:
+    path: /sys
+- name: includes
+  hostPath:
+    path: /etc/apparmor.d
+- name: profiles
+  configMap:
+    name: RELEASENAME-keystone-apparmor
+    defaultMode: 0555
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_volumes" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $requireSys := index . "requireSys" | default false -}}
+{{- $configName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- if $requireSys }}
+- name: sys
+  hostPath:
+    path: /sys
+{{- end }}
+- name: includes
+  hostPath:
+    path: /etc/apparmor.d
+- name: profiles
+  configMap:
+    name: {{ $configName | quote }}
+    defaultMode: 0555
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
new file mode 100644
index 0000000..4741497
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders securityContext for a Kubernetes container.
+  For container level, see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#securitycontext-v1-core
+examples:
+  - values: |
+      pod:
+        security_context:
+          myApp:
+            container:
+              foo:
+                runAsUser: 34356
+                readOnlyRootFilesystem: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" "container" "foo" | include "helm-toolkit.snippets.kubernetes_container_security_context" }}
+    return: |
+      securityContext:
+        readOnlyRootFilesystem: true
+        runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_container_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $container := index . "container" -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{- if hasKey ( index $envAll.Values.pod.security_context $application "container" ) $container }}
+securityContext:
+{{ toYaml ( index $envAll.Values.pod.security_context $application "container" $container ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
new file mode 100644
index 0000000..bed712e
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
@@ -0,0 +1,209 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a container definition for use with the kubernetes-entrypoint image
+  from stackanetes.
+values: |
+  images:
+    tags:
+      dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    pull_policy: IfNotPresent
+    local_registry:
+      active: true
+      exclude:
+        - dep_check
+  dependencies:
+    dynamic:
+      common:
+        local_image_registry:
+          jobs:
+            - calico-image-repo-sync
+          services:
+            - endpoint: node
+              service: local_image_registry
+    static:
+      calico_node:
+        services:
+          - endpoint: internal
+            service: etcd
+        custom_resources:
+          - apiVersion: argoproj.io/v1alpha1
+            kind: Workflow
+            name: wf-example
+            fields:
+              - key: "status.phase"
+                value: "Succeeded"
+  endpoints:
+    local_image_registry:
+      namespace: docker-registry
+      hosts:
+        default: localhost
+        node: localhost
+    etcd:
+      hosts:
+        default: etcd
+  # NOTE (portdirect): if the stanza, or a portion of it, under `pod` is not
+  # specififed then the following will be used as defaults:
+  #  pod:
+  #    security_context:
+  #      kubernetes_entrypoint:
+  #        container:
+  #          kubernetes_entrypoint:
+  #            runAsUser: 65534
+  #            readOnlyRootFilesystem: true
+  #            allowPrivilegeEscalation: false
+  pod:
+    security_context:
+      kubernetes_entrypoint:
+        container:
+          kubernetes_entrypoint:
+            runAsUser: 0
+            readOnlyRootFilesystem: false
+usage: |
+  {{ tuple . "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" }}
+return: |
+  - name: init
+    image: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+    imagePullPolicy: IfNotPresent
+    securityContext:
+      allowPrivilegeEscalation: false
+      readOnlyRootFilesystem: false
+      runAsUser: 0
+
+    env:
+      - name: POD_NAME
+        valueFrom:
+          fieldRef:
+            apiVersion: v1
+            fieldPath: metadata.name
+      - name: NAMESPACE
+        valueFrom:
+          fieldRef:
+            apiVersion: v1
+            fieldPath: metadata.namespace
+      - name: INTERFACE_NAME
+        value: eth0
+      - name: PATH
+        value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+      - name: DEPENDENCY_SERVICE
+        value: "default:etcd,docker-registry:localhost"
+      - name: DEPENDENCY_JOBS
+        value: "calico-image-repo-sync"
+      - name: DEPENDENCY_DAEMONSET
+        value: ""
+      - name: DEPENDENCY_CONTAINER
+        value: ""
+      - name: DEPENDENCY_POD_JSON
+        value: ""
+      - name: DEPENDENCY_CUSTOM_RESOURCE
+        value: "[{\"apiVersion\":\"argoproj.io/v1alpha1\",\"kind\":\"Workflow\",\"namespace\":\"default\",\"name\":\"wf-example\",\"fields\":[{\"key\":\"status.phase\",\"value\":\"Succeeded\"}]}]"
+    command:
+      - kubernetes-entrypoint
+    volumeMounts:
+      []
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" -}}
+Values:
+  pod:
+    security_context:
+      kubernetes_entrypoint:
+        container:
+          kubernetes_entrypoint:
+            runAsUser: 65534
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $mounts := index . 2 -}}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+
+{{- if and ($envAll.Values.manifests.job_rabbit_init) (hasKey $envAll.Values.dependencies "dynamic") -}}
+{{- if $envAll.Values.dependencies.dynamic.job_rabbit_init -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component) ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component)) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+{{- range $deps.custom_resources }}
+{{- $_ := set . "namespace" $envAll.Release.Namespace -}}
+{{- end -}}
+{{- $default_security_context := include "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" . | fromYaml }}
+{{- $patchedEnvAll := mergeOverwrite $default_security_context $envAll }}
+- name: init
+{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
+{{- dict "envAll" $patchedEnvAll "application" "kubernetes_entrypoint" "container" "kubernetes_entrypoint" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 2 }}
+  env:
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          apiVersion: v1
+          fieldPath: metadata.name
+    - name: NAMESPACE
+      valueFrom:
+        fieldRef:
+          apiVersion: v1
+          fieldPath: metadata.namespace
+    - name: INTERFACE_NAME
+      value: eth0
+    - name: PATH
+      value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+    - name: DEPENDENCY_SERVICE
+      value: "{{ tuple $deps.services $envAll | include "helm-toolkit.utils.comma_joined_service_list" }}"
+{{- if $deps.jobs -}}
+  {{- if kindIs "string" (index $deps.jobs 0) }}
+    - name: DEPENDENCY_JOBS
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.jobs }}"
+  {{- else }}
+    - name: DEPENDENCY_JOBS_JSON
+      value: {{- toJson $deps.jobs | quote -}}
+  {{- end -}}
+{{- end }}
+    - name: DEPENDENCY_DAEMONSET
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.daemonset }}"
+    - name: DEPENDENCY_CONTAINER
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.container }}"
+    - name: DEPENDENCY_POD_JSON
+      value: {{ if $deps.pod }}{{ toJson $deps.pod | quote }}{{ else }}""{{ end }}
+    - name: DEPENDENCY_CUSTOM_RESOURCE
+      value: {{ if $deps.custom_resources }}{{ toJson $deps.custom_resources | quote }}{{ else }}""{{ end }}
+  command:
+    - kubernetes-entrypoint
+  volumeMounts:
+{{ toYaml $mounts | indent 4 }}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
new file mode 100644
index 0000000..34a7da3
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
@@ -0,0 +1,20 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_kubectl_params" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{ print "-l application=" $application " -l component=" $component }}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
new file mode 100644
index 0000000..92d3ea5
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders mandatory access control annotations for a list of containers
+  driven by values.yaml. As of now, it can only generate an apparmor
+  annotation, but in the future could generate others.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      myPodName:
+        myContainerName: localhost/myAppArmor
+        mySecondContainerName: localhost/secondProfile # optional
+        myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+  {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" }}
+return: |
+  container.apparmor.security.beta.kubernetes.io/myContainerName: localhost/myAppArmor
+  container.apparmor.security.beta.kubernetes.io/mySecondContainerName: localhost/secondProfile
+  container.apparmor.security.beta.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+  The number of container underneath is a variable arguments. It loops through
+  all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- $macType := $envAll.Values.pod.mandatory_access_control.type -}}
+{{- if $macType -}}
+{{- if eq $macType "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control $podName -}}
+{{- range $name := $containerNames -}}
+{{- $apparmorProfile := index $envAll.Values.pod.mandatory_access_control $podName $name -}}
+{{- if $apparmorProfile }}
+container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
new file mode 100644
index 0000000..48b53fa
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders a set of standardised labels
+values: |
+  release_group: null
+  pod:
+    labels:
+      default:
+        label1.example.com: value
+      bar:
+        label2.example.com: bar
+usage: |
+  {{ tuple . "foo" "bar" | include "helm-toolkit.snippets.kubernetes_metadata_labels" }}
+return: |
+  release_group: RELEASE-NAME
+  application: foo
+  component: bar
+  label1.example.com: value
+  label2.example.com: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+release_group: {{ $envAll.Values.release_group | default $envAll.Release.Name }}
+application: {{ $application }}
+component: {{ $component }}
+{{- if ($envAll.Values.pod).labels }}
+{{- if hasKey $envAll.Values.pod.labels $component }}
+{{ index $envAll.Values.pod "labels" $component | toYaml }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.labels "default" }}
+{{ $envAll.Values.pod.labels.default | toYaml }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
new file mode 100644
index 0000000..fabbcf8
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
@@ -0,0 +1,89 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes anti affinity rules, this function supports both hard
+  'requiredDuringSchedulingIgnoredDuringExecution' and soft
+  'preferredDuringSchedulingIgnoredDuringExecution' types.
+values: |
+  pod:
+    affinity:
+      anti:
+        topologyKey:
+          default: kubernetes.io/hostname
+        type:
+          default: requiredDuringSchedulingIgnoredDuringExecution
+        weight:
+          default: 10
+usage: |
+  {{ tuple . "appliction_x" "component_y" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" }}
+return: |
+  podAntiAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+    - labelSelector:
+        matchExpressions:
+          - key: release_group
+            operator: In
+            values:
+            - RELEASE-NAME
+          - key: application
+            operator: In
+            values:
+            - appliction_x
+          - key: component
+            operator: In
+            values:
+            - component_y
+          topologyKey: kubernetes.io/hostname
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $component := index . "component" -}}
+{{- $expressionRelease := dict "key" "release_group" "operator" "In"  "values" ( list ( $envAll.Values.release_group | default $envAll.Release.Name ) ) -}}
+{{- $expressionApplication := dict "key" "application" "operator" "In"  "values" ( list $application ) -}}
+{{- $expressionComponent := dict "key" "component" "operator" "In"  "values" ( list $component ) -}}
+{{- list $expressionRelease $expressionApplication $expressionComponent | toYaml }}
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{- $antiAffinityType := index $envAll.Values.pod.affinity.anti.type $component | default $envAll.Values.pod.affinity.anti.type.default }}
+{{- $antiAffinityKey := index $envAll.Values.pod.affinity.anti.topologyKey $component | default $envAll.Values.pod.affinity.anti.topologyKey.default }}
+podAntiAffinity:
+{{- $matchExpressions := include "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" ( dict "envAll" $envAll "application" $application "component" $component ) -}}
+{{- if eq $antiAffinityType "preferredDuringSchedulingIgnoredDuringExecution" }}
+  {{ $antiAffinityType }}:
+  - podAffinityTerm:
+      labelSelector:
+        matchExpressions:
+{{ $matchExpressions | indent 10 }}
+      topologyKey: {{ $antiAffinityKey }}
+{{- if  $envAll.Values.pod.affinity.anti.weight }}
+    weight: {{ index $envAll.Values.pod.affinity.anti.weight $component | default $envAll.Values.pod.affinity.anti.weight.default }}
+{{- else }}
+    weight: 10
+{{- end -}}
+{{- else if eq $antiAffinityType "requiredDuringSchedulingIgnoredDuringExecution" }}
+  {{ $antiAffinityType }}:
+  - labelSelector:
+      matchExpressions:
+{{ $matchExpressions | indent 8 }}
+    topologyKey: {{ $antiAffinityKey }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
new file mode 100644
index 0000000..74173dc
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders image pull secrets for a pod
+values: |
+  pod:
+    image_pull_secrets:
+      default:
+        - name: some-pull-secret
+      bar:
+        - name: another-pull-secret
+usage: |
+  {{ tuple . "bar" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" }}
+return: |
+  imagePullSecrets:
+    - name: some-pull-secret
+    - name: another-pull-secret
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_image_pull_secrets" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- if ($envAll.Values.pod).image_pull_secrets }}
+imagePullSecrets:
+{{- if hasKey $envAll.Values.pod.image_pull_secrets $application }}
+{{ index $envAll.Values.pod "image_pull_secrets" $application | toYaml | indent 2 }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.image_pull_secrets "default" }}
+{{ $envAll.Values.pod.image_pull_secrets.default | toYaml | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
new file mode 100644
index 0000000..90a7a65
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{{- $saName := index . 2 | replace "_" "-" }}
+{{- $saNamespace := index . 3 -}}
+{{- $releaseName := $envAll.Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $releaseName }}-{{ $saName }}
+  namespace: {{ $saNamespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $saName }}
+    namespace: {{ $saNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+  namespace: {{ $saNamespace }}
+rules:
+  - apiGroups:
+      - ""
+      - extensions
+      - batch
+      - apps
+    verbs:
+      - get
+      - list
+    resources:
+      {{- range $k, $v := $deps -}}
+      {{ if eq $v "daemonsets" }}
+      - daemonsets
+      {{- end -}}
+      {{ if eq $v "jobs" }}
+      - jobs
+      {{- end -}}
+      {{ if or (eq $v "pods") (eq $v "daemonsets") (eq $v "jobs") }}
+      - pods
+      {{- end -}}
+      {{ if eq $v "services" }}
+      - services
+      - endpoints
+      {{- end -}}
+      {{ if eq $v "secrets" }}
+      - secrets
+      {{- end -}}
+      {{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
new file mode 100644
index 0000000..bc2045e
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $saName := index . 2 -}}
+{{- $saNamespace := $envAll.Release.Namespace }}
+{{- $randomKey := randAlphaNum 32 }}
+{{- $allNamespace := dict $randomKey "" }}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $saName }}
+  namespace: {{ $saNamespace }}
+{{- if $envAll.Values.manifests.secret_registry }}
+{{- if $envAll.Values.endpoints.oci_image_registry.auth.enabled }}
+imagePullSecrets:
+  - name: {{ index $envAll.Values.secrets.oci_image_registry $envAll.Chart.Name }}
+{{- end -}}
+{{- end -}}
+{{- range $k, $v := $deps -}}
+{{- if eq $k "services" }}
+{{- range $serv := $v }}
+{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
+{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
+{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
+{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- else if and (eq $k "jobs") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "daemonset") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "pod") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "pods," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "secret") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "secrets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- $_ := unset $allNamespace $randomKey }}
+{{- range $ns, $vv := $allNamespace }}
+{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
+{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
new file mode 100644
index 0000000..3a4fbaa
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
@@ -0,0 +1,67 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders securityContext for a Kubernetes pod.
+  For pod level, seurity context see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#podsecuritycontext-v1-core
+examples:
+  - values: |
+      pod:
+        # NOTE: The 'user' key is deprecated, and will be removed shortly.
+        user:
+          myApp:
+            uid: 34356
+        security_context:
+          myApp:
+            pod:
+              runAsNonRoot: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+    return: |
+      securityContext:
+        runAsUser: 34356
+        runAsNonRoot: true
+  - values: |
+      pod:
+        security_context:
+          myApp:
+            pod:
+              runAsUser: 34356
+              runAsNonRoot: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+    return: |
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+securityContext:
+{{- if hasKey $envAll.Values.pod "user" }}
+{{- if hasKey $envAll.Values.pod.user $application }}
+{{- if hasKey ( index $envAll.Values.pod.user $application ) "uid" }}
+  runAsUser: {{ index $envAll.Values.pod.user $application "uid" }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{ toYaml ( index $envAll.Values.pod.security_context $application "pod" ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
new file mode 100644
index 0000000..7470760
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes liveness and readiness probes for containers
+values: |
+  pod:
+    probes:
+      api:
+        default:
+          readiness:
+            enabled: true
+            params:
+              initialDelaySeconds: 30
+              timeoutSeconds: 30
+usage: |
+  {{- define "probeTemplate" }}
+  httpGet:
+    path: /status
+    port: 9090
+  {{- end }}
+  {{ dict "envAll" . "component" "api" "container" "default" "type" "readiness" "probeTemplate" (include "probeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" }}
+return: |
+  readinessProbe:
+    httpGet:
+      path: /status
+      port: 9090
+    initialDelaySeconds: 30
+    timeoutSeconds: 30
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_probe" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $container := index . "container" -}}
+{{- $type := index . "type" -}}
+{{- $probeTemplate := index . "probeTemplate" -}}
+{{- $probeOpts := index $envAll.Values.pod.probes $component $container $type -}}
+{{- if $probeOpts.enabled -}}
+{{- $probeOverides := index $probeOpts "params" | default dict -}}
+{{ dict ( printf "%sProbe" $type ) (mergeOverwrite $probeTemplate $probeOverides ) | toYaml }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
new file mode 100644
index 0000000..24d30cf
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
@@ -0,0 +1,53 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Note: This function is deprecated and will be removed in the future.
+
+abstract: |
+  Renders kubernetes resource limits for pods
+values: |
+  pod:
+    resources:
+      enabled: true
+      api:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+          hugepages-1Gi: "1Gi"
+
+usage: |
+  {{ include "helm-toolkit.snippets.kubernetes_resources" ( tuple . .Values.pod.resources.api ) }}
+return: |
+  resources:
+    limits:
+      cpu: "2000m"
+      memory: "1024Mi"
+      hugepages-1Gi: "1Gi"
+    requests:
+      cpu: "100m"
+      memory: "128Mi
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_resources" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- if $envAll.Values.pod.resources.enabled -}}
+resources:
+{{ toYaml $component | trim | indent 2 }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
new file mode 100644
index 0000000..555ffb0
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders seccomp annotations for a list of containers driven by values.yaml.
+values: |
+  pod:
+    seccomp:
+      myPodName:
+        myContainerName: localhost/mySeccomp
+        mySecondContainerName: localhost/secondProfile # optional
+        myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+  {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_seccomp_annotation" }}
+return: |
+  container.seccomp.security.alpha.kubernetes.io/myContainerName: localhost/mySeccomp
+  container.seccomp.security.alpha.kubernetes.io/mySecondContainerName: localhost/secondProfile
+  container.seccomp.security.alpha.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+  The number of container underneath is a variable arguments. It loops through
+  all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_seccomp_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey (index $envAll.Values.pod "seccomp") $podName -}}
+{{- range $name := $containerNames -}}
+{{- $seccompProfile := index $envAll.Values.pod.seccomp $podName $name -}}
+{{- if $seccompProfile }}
+container.seccomp.security.alpha.kubernetes.io/{{ $name }}: {{ $seccompProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
new file mode 100644
index 0000000..e4af6a6
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes tolerations for pods
+values: |
+  pod:
+    tolerations:
+      api:
+        enabled: true
+        tolerations:
+        - key: node-role.kubernetes.io/master
+          operator: Exists
+        - key: node-role.kubernetes.io/node
+          operator: Exists
+
+usage: |
+  {{ include "helm-toolkit.snippets.kubernetes_tolerations" ( tuple . .Values.pod.tolerations.api ) }}
+return: |
+  tolerations:
+  - key: node-role.kubernetes.io/master
+    operator: Exists
+  - key: node-role.kubernetes.io/node
+    operator: Exists
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_tolerations" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $pod := index $envAll.Values.pod.tolerations $component }}
+tolerations:
+{{ toYaml $pod.tolerations }}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
new file mode 100644
index 0000000..69cee47
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_daemonset" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $upgradeMap := index $envAll.Values.pod.lifecycle.upgrades.daemonsets $component -}}
+{{- $pod_replacement_strategy := $envAll.Values.pod.lifecycle.upgrades.daemonsets.pod_replacement_strategy -}}
+{{- with $upgradeMap -}}
+{{- if .enabled }}
+minReadySeconds: {{ .min_ready_seconds }}
+updateStrategy:
+  type: {{ $pod_replacement_strategy }}
+  {{- if $pod_replacement_strategy }}
+  {{- if eq $pod_replacement_strategy "RollingUpdate" }}
+  rollingUpdate:
+    maxUnavailable: {{ .max_unavailable }}
+  {{- end }}
+  {{- end }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
new file mode 100644
index 0000000..be28cdb
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_deployment" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.deployments -}}
+revisionHistoryLimit: {{ .revision_history }}
+strategy:
+  type: {{ .pod_replacement_strategy }}
+  {{- if eq .pod_replacement_strategy "RollingUpdate" }}
+  rollingUpdate:
+    maxUnavailable: {{ .rolling_update.max_unavailable }}
+    maxSurge: {{ .rolling_update.max_surge }}
+  {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
new file mode 100644
index 0000000..f897023
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders upgradeStrategy configuration for Kubernetes statefulsets.
+  See: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+  Types:
+    - RollingUpdate (default)
+    - OnDelete
+  Partitions:
+    - Stage updates to a statefulset by keeping pods at current version while
+      allowing mutations to statefulset's .spec.template
+values: |
+  pod:
+    lifecycle:
+      upgrades:
+        statefulsets:
+          pod_replacement_strategy: RollingUpdate
+          partition: 2
+usage: |
+  {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_statefulset" | indent 2 }}
+return: |
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      partition: 2
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_statefulset" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.statefulsets -}}
+updateStrategy:
+  type: {{ .pod_replacement_strategy }}
+  {{ if .partition -}}
+  rollingUpdate:
+    partition: {{ .partition }}
+  {{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
new file mode 100644
index 0000000..fc74c6f
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
@@ -0,0 +1,68 @@
+{{- define "helm-toolkit.snippets.mon_host_from_k8s_ep" -}}
+{{/*
+
+Inserts a bash function definition mon_host_from_k8s_ep() which can be used
+to construct a mon_hosts value from the given namespaced endpoint.
+
+Usage (e.g. in _script.sh.tpl):
+    #!/bin/bash
+
+    : "${NS:=ceph}"
+    : "${EP:=ceph-mon-discovery}"
+
+    {{ include "helm-toolkit.snippets.mon_host_from_k8s_ep" . }}
+
+    MON_HOST=$(mon_host_from_k8s_ep "$NS" "$EP")
+
+    if [ -z "$MON_HOST" ]; then
+        # deal with failure
+    else
+        sed -i -e "s/^mon_host = /mon_host = $MON_HOST/" /etc/ceph/ceph.conf
+    fi
+*/}}
+{{`
+# Construct a mon_hosts value from the given namespaced endpoint
+# IP x.x.x.x with port p named "mon-msgr2" will appear as [v2:x.x.x.x/p/0]
+# IP x.x.x.x with port q named "mon" will appear as [v1:x.x.x.x/q/0]
+# IP x.x.x.x with ports p and q will appear as [v2:x.x.x.x/p/0,v1:x.x.x.x/q/0]
+# The entries for all IPs will be joined with commas
+mon_host_from_k8s_ep() {
+  local ns=$1
+  local ep=$2
+
+  if [ -z "$ns" ] || [ -z "$ep" ]; then
+    return 1
+  fi
+
+  # We don't want shell expansion for the go-template expression
+  # shellcheck disable=SC2016
+  kubectl get endpoints -n "$ns" "$ep" -o go-template='
+    {{- $sep := "" }}
+    {{- range $_,$s := .subsets }}
+      {{- $v2port := 0 }}
+      {{- $v1port := 0 }}
+      {{- range $_,$port := index $s "ports" }}
+        {{- if (eq $port.name "mon-msgr2") }}
+          {{- $v2port = $port.port }}
+        {{- else if (eq $port.name "mon") }}
+          {{- $v1port = $port.port }}
+        {{- end }}
+      {{- end }}
+      {{- range $_,$address := index $s "addresses" }}
+        {{- $v2endpoint := printf "v2:%s:%d/0" $address.ip $v2port }}
+        {{- $v1endpoint := printf "v1:%s:%d/0" $address.ip $v1port }}
+        {{- if (and $v2port $v1port) }}
+          {{- printf "%s[%s,%s]" $sep $v2endpoint $v1endpoint }}
+          {{- $sep = "," }}
+        {{- else if $v2port }}
+          {{- printf "%s[%s]" $sep $v2endpoint }}
+          {{- $sep = "," }}
+        {{- else if $v1port }}
+          {{- printf "%s[%s]" $sep $v1endpoint }}
+          {{- $sep = "," }}
+        {{- end }}
+      {{- end }}
+    {{- end }}'
+}
+`}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
new file mode 100644
index 0000000..fec41f8
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape jobs via pod
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape pods that have a value of `true`
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: Scrape the pod on the indicated port instead of the
+# pod's declared ports (default is a port-free target if none are declared).
+
+{{- define "helm-toolkit.snippets.prometheus_pod_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
new file mode 100644
index 0000000..a827c4b
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
@@ -0,0 +1,35 @@
+{{/*
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+   http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape endpoints via
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape services that have a value of `true`
+# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
+# to set this to `https` & most likely set the `tls_config` of the scrape config.
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: If the metrics are exposed on a different port to the
+# service then set this appropriately.
+
+{{- define "helm-toolkit.snippets.prometheus_service_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.scheme }}
+prometheus.io/scheme: {{ $config.scheme | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_release_uuid.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
new file mode 100644
index 0000000..253920b
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Reneders an attonation key and value for a release
+values: |
+  release_uuid: null
+usage: |
+  {{ tuple . | include "helm-toolkit.snippets.release_uuid" }}
+return: |
+  "openstackhelm.openstack.org/release_uuid": ""
+*/}}
+
+{{- define "helm-toolkit.snippets.release_uuid" -}}
+{{- $envAll := index . 0 -}}
+"openstackhelm.openstack.org/release_uuid": {{ $envAll.Values.release_uuid | default "" | quote }}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
new file mode 100644
index 0000000..a3169ce
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_admin_env_vars" }}
+{{- $s3AdminSecret := .s3AdminSecret }}
+- name: S3_ADMIN_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_USERNAME
+- name: S3_ADMIN_ACCESS_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_ACCESS_KEY
+- name: S3_ADMIN_SECRET_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_SECRET_KEY
+{{- end }}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
new file mode 100644
index 0000000..a611a5e
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_secret_creds" }}
+{{- range $client, $config := .Values.storage.s3.clients -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+type: Opaque
+data:
+{{- range $key, $value := $config.auth }}
+  {{ $key | upper }}: {{ $value | toString | b64enc}}
+{{- end }}
+
+{{ end }}
+{{- end }}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
new file mode 100644
index 0000000..a3dd431
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_user_env_vars" }}
+{{- range $client, $user := .Values.storage.s3.clients }}
+{{- $s3secret := printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+- name: {{ printf "%s_S3_USERNAME" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: USERNAME
+- name: {{ printf "%s_S3_ACCESS_KEY" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: ACCESS_KEY
+- name: {{ printf "%s_S3_SECRET_KEY" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: SECRET_KEY
+{{- end }}
+{{- end }}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_tls_volume.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
new file mode 100644
index 0000000..41fe3d9
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+  Renders a secret volume for tls.
+
+  Dictionary Parameters:
+    enabled: boolean check if you want to conditional disable this snippet (optional)
+    name: name of the volume (required)
+    secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional)
+
+values: |
+  manifests:
+    certificates: true
+
+usage: |
+  {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume" -}}
+
+return: |
+  - name: glance-tls-api
+    secret:
+      secretName: glance-tls-api
+      defaultMode: 292
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $secretName := index . "secretName" | default $name -}}
+{{- if and $enabled (ne $name "") }}
+- name: {{ $name }}
+  secret:
+    secretName: {{ $secretName }}
+    defaultMode: 292
+{{- end }}
+{{- end }}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
new file mode 100644
index 0000000..9cfa819
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
@@ -0,0 +1,82 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+  Renders a volume mount for TLS key, cert and CA.
+
+  Dictionary Parameters:
+    enabled: boolean check if you want to conditional disable this snippet (optional)
+    name: name that of the volume and should match the volume name (required)
+    path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required)
+    certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}.
+          the default is the full set. (optional)
+
+values: |
+  manifests:
+    certificates: true
+
+usage: |
+  {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/tls.crt
+    subPath: tls.crt
+    readOnly: true
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/tls.key
+    subPath: tls.key
+    readOnly: true
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/ca.crt
+    subPath: ca.crt
+    readOnly: true
+
+abstract: |
+  This mounts a specific issuing CA only for service validation
+
+usage: |
+  {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+  - name: glance-tls-api
+    mountPath: /etc/ssl/certs/openstack-helm.crt
+    subPath: ca.crt
+    readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume_mount" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $path := index . "path" | default "" -}}
+{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }}
+{{- if $enabled }}
+{{- if and (eq $path "") (ne $name "") }}
+- name: {{ $name }}
+  mountPath: "/etc/ssl/certs/openstack-helm.crt"
+  subPath: ca.crt
+  readOnly: true
+{{- else }}
+{{- if ne $name "" }}
+{{- range $key, $value := $certs }}
+- name: {{ $name }}
+  mountPath: {{ printf "%s/%s" $path $value }}
+  subPath: {{ $value }}
+  readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
new file mode 100644
index 0000000..6e9d5a1
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
@@ -0,0 +1,87 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders out configuration sections into a format suitable for incorporation
+  into a config-map. Allowing various forms of input to be rendered out as
+  appropriate.
+values: |
+  conf:
+    inputs:
+      - foo
+      - bar
+    some:
+      config_to_render: |
+        #We can use all of gotpl here: eg macros, ranges etc.
+        {{ include "helm-toolkit.utils.joinListWithComma" .Values.conf.inputs }}
+      config_to_complete:
+        #here we can fill out params, but things need to be valid yaml as input
+        '{{ .Release.Name }}': '{{ printf "%s-%s" .Release.Namespace "namespace" }}'
+      static_config:
+        #this is just passed though as yaml to the configmap
+        foo: bar
+usage: |
+  {{- $envAll := . }}
+  ---
+  apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: application-etc
+  data:
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_render "key" "config_to_render.conf") | indent 2 }}
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_complete "key" "config_to_complete.yaml") | indent 2 }}
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.static_config "key" "static_config.yaml") | indent 2 }}
+return: |
+  ---
+  apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: application-etc
+  data:
+    config_to_render.conf: |
+      #We can use all of gotpl here: eg macros, ranges etc.
+      foo,bar
+
+    config_to_complete.yaml: |
+      'RELEASE-NAME': 'default-namespace'
+
+    static_config.yaml: |
+      foo: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.values_template_renderer" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $template := index . "template" -}}
+{{- $key := index . "key" -}}
+{{- $format := index . "format" | default "configMap" -}}
+{{- with $envAll -}}
+{{- $templateRendered := tpl ( $template | toYaml ) . }}
+{{- if eq $format "Secret" }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: {{ regexReplaceAllLiteral "\n  " ( $templateRendered | trimPrefix "|\n" | trimPrefix "  " ) "\n" | b64enc }}
+{{- else }}
+{{ $key }}: {{ $templateRendered | b64enc }}
+{{- end -}}
+{{- else }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: |
+{{ regexReplaceAllLiteral "\n  " ( $templateRendered | trimPrefix "|\n" | trimPrefix "  " ) "\n" | indent 2 }}
+{{- else }}
+{{ $key }}: |
+{{ $templateRendered | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl b/charts/designate/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
new file mode 100644
index 0000000..6d617a1
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
@@ -0,0 +1,94 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Produces a certificate from a certificate authority. If the "encode" parameter
+  is true, base64 encode the values for inclusion in a Kubernetes secret.
+values: |
+  test:
+    hosts:
+      names:
+        - barbican.openstackhelm.example
+        - barbican.openstack.svc.cluster.local
+      ips:
+        - 127.0.0.1
+        - 192.168.0.1
+    life: 3
+    # Use ca.crt and ca.key to build a customized ca, if they are provided.
+    # Use hosts.names[0] and life to auto-generate a ca, if ca is not provided.
+    ca:
+      crt: |
+        <CA CRT>
+      key: |
+        <CA PRIVATE KEY>
+usage: |
+  {{ include "helm-toolkit.utils.tls_generate_certs" (dict "params" .Values.test) }}
+return: |
+  ca: |
+    <CA CRT>
+  crt: |
+    <CRT>
+  exp: 2018-09-01T10:56:07.895392915-00:00
+  key: |
+    <CRT PRIVATE KEY>
+*/}}
+
+{{- define "helm-toolkit.utils.tls_generate_certs" -}}
+{{- $params := index . "params" -}}
+{{- $encode := index . "encode" | default false -}}
+{{- $local := dict -}}
+
+{{- $_hosts := $params.hosts.names | default list }}
+{{- if kindIs "string" $params.hosts.names }}
+{{- $_ := set $local "certHosts" (list $params.hosts.names) }}
+{{- else }}
+{{- $_ := set $local "certHosts" $_hosts }}
+{{- end }}
+
+{{- $_ips := $params.hosts.ips | default list }}
+{{- if kindIs "string" $params.hosts.ips }}
+{{- $_ := set $local "certIps" (list $params.hosts.ips) }}
+{{- else }}
+{{- $_ := set $local "certIps" $_ips }}
+{{- end }}
+
+{{- if hasKey $params "ca" }}
+{{- if and (hasKey $params.ca "crt") (hasKey $params.ca "key") }}
+{{- $ca := buildCustomCert ($params.ca.crt | b64enc ) ($params.ca.key | b64enc ) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+{{- else }}
+{{- $ca := genCA (first $local.certHosts) (int $params.life) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+
+{{- $expDate := date_in_zone "2006-01-02T15:04:05Z07:00" ( date_modify (printf "+%sh" (mul $params.life 24 |toString)) now ) "UTC" }}
+{{- $rawCert := genSignedCert (first $local.certHosts) ($local.certIps) ($local.certHosts) (int $params.life) $local.ca }}
+{{- $certificate := dict -}}
+{{- if $encode -}}
+{{- $_ := b64enc $rawCert.Cert | set $certificate "crt" -}}
+{{- $_ := b64enc $rawCert.Key | set $certificate "key" -}}
+{{- $_ := b64enc $local.ca.Cert | set $certificate "ca" -}}
+{{- $_ := b64enc $local.ca.Key | set $certificate "caKey" -}}
+{{- $_ := b64enc $expDate | set $certificate "exp" -}}
+{{- else -}}
+{{- $_ := set $certificate "crt" $rawCert.Cert -}}
+{{- $_ := set $certificate "key" $rawCert.Key -}}
+{{- $_ := set $certificate "ca" $local.ca.Cert -}}
+{{- $_ := set $certificate "caKey" $local.ca.Key -}}
+{{- $_ := set $certificate "exp" $expDate -}}
+{{- end -}}
+{{- $certificate | toYaml }}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl b/charts/designate/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
new file mode 100644
index 0000000..e26501f
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a comma separated list of namespace:service pairs.
+values: |
+  dependencies:
+    static:
+      api:
+        services:
+          - endpoint: internal
+            service: oslo_cache
+          - endpoint: internal
+            service: oslo_db
+  endpoints:
+    oslo_db:
+      namespace: foo
+      hosts:
+        default: mariadb
+    oslo_cache:
+      namespace: bar
+      hosts:
+        default: memcache
+usage: |
+  {{ tuple .Values.dependencies.static.api.services . | include "helm-toolkit.utils.comma_joined_service_list" }}
+return: |
+  bar:memcache,foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.utils.comma_joined_service_list" -}}
+{{- $deps := index . 0 -}}
+{{- $envAll := index . 1 -}}
+{{- range $k, $v := $deps -}}{{- if $k -}},{{- end -}}{{ tuple $v.service $v.endpoint $envAll | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/utils/_configmap_templater.tpl b/charts/designate/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
new file mode 100644
index 0000000..7095c19
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
@@ -0,0 +1,30 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.configmap_templater" }}
+{{- $keyRoot := index . 0 -}}
+{{- $configTemplate := index . 1 -}}
+{{- $context := index . 2 -}}
+{{ if $keyRoot.override -}}
+{{ $keyRoot.override | indent 4 }}
+{{- else -}}
+{{- if $keyRoot.prefix -}}
+{{ $keyRoot.prefix | indent 4 }}
+{{- end }}
+{{ tuple $configTemplate $context | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if $keyRoot.append -}}
+{{ $keyRoot.append | indent 4 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl b/charts/designate/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
new file mode 100644
index 0000000..40359f0
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
@@ -0,0 +1,269 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.daemonset_overrides" }}
+  {{- $daemonset := index . 0 }}
+  {{- $daemonset_yaml := index . 1 }}
+  {{- $configmap_include := index . 2 }}
+  {{- $configmap_name := index . 3 }}
+  {{- $context := index . 4 }}
+  {{- $_ := unset $context ".Files" }}
+  {{- $daemonset_root_name := printf (print $context.Chart.Name "_" $daemonset) }}
+  {{- $_ := set $context.Values "__daemonset_list" list }}
+  {{- $_ := set $context.Values "__default" dict }}
+  {{- if hasKey $context.Values.conf "overrides" }}
+    {{- range $key, $val := $context.Values.conf.overrides }}
+
+      {{- if eq $key $daemonset_root_name }}
+        {{- range $type, $type_data := . }}
+
+          {{- if eq $type "hosts" }}
+            {{- range $host_data := . }}
+              {{/* dictionary that will contain all info needed to generate this
+              iteration of the daemonset */}}
+              {{- $current_dict := dict }}
+
+              {{/* set daemonset name */}}
+              {{/* Note: long hostnames can cause the 63 char name limit to be
+              exceeded. Truncate the hostname if hostname > 20 char */}}
+              {{- if gt (len $host_data.name) 20 }}
+                {{- $_ := set $current_dict "name" (substr 0 20 $host_data.name) }}
+              {{- else }}
+                {{- $_ := set $current_dict "name" $host_data.name }}
+              {{- end }}
+
+              {{/* apply overrides */}}
+              {{- $override_conf_copy := $host_data.conf }}
+              {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+              {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+              {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+              {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+              {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+              {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+              {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+              {{- $_ := set $current_dict "nodeData" $root_conf_copy4 }}
+
+              {{/* Schedule to this host explicitly. */}}
+              {{- $nodeSelector_dict := dict }}
+
+              {{- $_ := set $nodeSelector_dict "key" "kubernetes.io/hostname" }}
+              {{- $_ := set $nodeSelector_dict "operator" "In" }}
+
+              {{- $values_list := list $host_data.name }}
+              {{- $_ := set $nodeSelector_dict "values" $values_list }}
+
+              {{- $list_aggregate := list $nodeSelector_dict }}
+              {{- $_ := set $current_dict "matchExpressions" $list_aggregate }}
+
+              {{/* store completed daemonset entry/info into global list */}}
+              {{- $list_aggregate := append $context.Values.__daemonset_list $current_dict }}
+              {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+            {{- end }}
+          {{- end }}
+
+          {{- if eq $type "labels" }}
+            {{- $_ := set $context.Values "__label_list" . }}
+            {{- range $label_data := . }}
+              {{/* dictionary that will contain all info needed to generate this
+              iteration of the daemonset. */}}
+              {{- $_ := set $context.Values "__current_label" dict }}
+
+              {{/* set daemonset name */}}
+              {{- $_ := set $context.Values.__current_label "name" $label_data.label.key }}
+
+              {{/* apply overrides */}}
+              {{- $override_conf_copy := $label_data.conf }}
+              {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+              {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+              {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+              {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+              {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+              {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+              {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+              {{- $_ := set $context.Values.__current_label "nodeData" $root_conf_copy4 }}
+
+              {{/* Schedule to the provided label value(s) */}}
+              {{- $label_dict := omit $label_data.label "NULL" }}
+              {{- $_ := set $label_dict "operator" "In" }}
+              {{- $list_aggregate := list $label_dict }}
+              {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+
+              {{/* Do not schedule to other specified labels, with higher
+              precedence as the list position increases. Last defined label
+              is highest priority. */}}
+              {{- $other_labels := without $context.Values.__label_list $label_data }}
+              {{- range $label_data2 := $other_labels }}
+                {{- $label_dict := omit $label_data2.label "NULL" }}
+
+                {{- $_ := set $label_dict "operator" "NotIn" }}
+
+                {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+                {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+              {{- end }}
+              {{- $_ := set $context.Values "__label_list" $other_labels }}
+
+              {{/* Do not schedule to any other specified hosts */}}
+              {{- range $type, $type_data := $val }}
+                {{- if eq $type "hosts" }}
+                  {{- range $host_data := . }}
+                    {{- $label_dict := dict }}
+
+                    {{- $_ := set $label_dict "key" "kubernetes.io/hostname" }}
+                    {{- $_ := set $label_dict "operator" "NotIn" }}
+
+                    {{- $values_list := list $host_data.name }}
+                    {{- $_ := set $label_dict "values" $values_list }}
+
+                    {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+                    {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+                  {{- end }}
+                {{- end }}
+              {{- end }}
+
+              {{/* store completed daemonset entry/info into global list */}}
+              {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__current_label }}
+              {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+              {{- $_ := unset $context.Values "__current_label" }}
+
+            {{- end }}
+          {{- end }}
+        {{- end }}
+
+        {{/* scheduler exceptions for the default daemonset */}}
+        {{- $_ := set $context.Values.__default "matchExpressions" list }}
+
+        {{- range $type, $type_data := . }}
+          {{/* Do not schedule to other specified labels */}}
+          {{- if eq $type "labels" }}
+            {{- range $label_data := . }}
+              {{- $default_dict := omit $label_data.label "NULL" }}
+
+              {{- $_ := set $default_dict "operator" "NotIn" }}
+
+              {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+              {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+            {{- end }}
+          {{- end }}
+          {{/* Do not schedule to other specified hosts */}}
+          {{- if eq $type "hosts" }}
+            {{- range $host_data := . }}
+              {{- $default_dict := dict }}
+
+              {{- $_ := set $default_dict "key" "kubernetes.io/hostname" }}
+              {{- $_ := set $default_dict "operator" "NotIn" }}
+
+              {{- $values_list := list $host_data.name }}
+              {{- $_ := set $default_dict "values" $values_list }}
+
+              {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+              {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+            {{- end }}
+          {{- end }}
+        {{- end }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+
+  {{/* generate the default daemonset */}}
+
+  {{/* set name */}}
+  {{- $_ := set $context.Values.__default "name" "default" }}
+
+  {{/* no overrides apply, so copy as-is */}}
+  {{- $root_conf_copy1 := omit $context.Values.conf "overrides" }}
+  {{- $root_conf_copy2 := dict "conf" $root_conf_copy1 }}
+  {{- $context_values := omit $context.Values "conf" }}
+  {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+  {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+  {{- $_ := set $context.Values.__default "nodeData" $root_conf_copy4 }}
+
+  {{/* add to global list */}}
+  {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__default }}
+  {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+  {{- range $current_dict := $context.Values.__daemonset_list }}
+
+    {{- $context_novalues := omit $context "Values" }}
+    {{- $merged_dict := mergeOverwrite $context_novalues $current_dict.nodeData }}
+    {{- $_ := set $current_dict "nodeData" $merged_dict }}
+    {{/* Deep copy original daemonset_yaml */}}
+    {{- $_ := set $context.Values "__daemonset_yaml" ($daemonset_yaml | toYaml | fromYaml) }}
+
+    {{/* name needs to be a DNS-1123 compliant name. Ensure lower case */}}
+    {{- $name_format1 := printf (print $daemonset_root_name "-" $current_dict.name) | lower }}
+    {{/* labels may contain underscores which would be invalid here, so we replace them with dashes
+    there may be other valid label names which would make for an invalid DNS-1123 name
+    but these will be easier to handle in future with sprig regex* functions
+    (not availabile in helm 2.5.1) */}}
+    {{- $name_format2 := $name_format1 | replace "_" "-" }}
+    {{/* To account for the case where the same label is defined multiple times in overrides
+    (but with different label values), we add a sha of the scheduling data to ensure
+    name uniqueness */}}
+    {{- $_ := set $current_dict "dns_1123_name" dict }}
+    {{- if hasKey $current_dict "matchExpressions" }}
+      {{- $_ := set $current_dict "dns_1123_name" (printf (print $name_format2 "-" ($current_dict.matchExpressions | quote | sha256sum | trunc 8))) }}
+    {{- else }}
+      {{- $_ := set $current_dict "dns_1123_name" $name_format2 }}
+    {{- end }}
+
+    {{/* set daemonset metadata name */}}
+    {{- if not $context.Values.__daemonset_yaml.metadata }}{{- $_ := set $context.Values.__daemonset_yaml "metadata" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }}
+    {{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }}
+
+    {{/* cross-reference configmap name to container volume definitions */}}
+    {{- $_ := set $context.Values "__volume_list" list }}
+    {{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }}
+      {{- $_ := set $context.Values "__volume" $current_volume }}
+      {{- if hasKey $context.Values.__volume "secret" }}
+        {{- if eq $context.Values.__volume.secret.secretName $configmap_name }}
+          {{- $_ := set $context.Values.__volume.secret "secretName" $current_dict.dns_1123_name }}
+        {{- end }}
+      {{- end }}
+      {{- $updated_list := append $context.Values.__volume_list $context.Values.__volume }}
+      {{- $_ := set $context.Values "__volume_list" $updated_list }}
+    {{- end }}
+    {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "volumes" $context.Values.__volume_list }}
+
+
+    {{/* populate scheduling restrictions */}}
+    {{- if hasKey $current_dict "matchExpressions" }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "spec" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "affinity" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity "nodeAffinity" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity "requiredDuringSchedulingIgnoredDuringExecution" dict }}{{- end }}
+      {{- $match_exprs := dict }}
+      {{- $_ := set $match_exprs "matchExpressions" $current_dict.matchExpressions }}
+      {{- $appended_match_expr := list $match_exprs }}
+      {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution "nodeSelectorTerms" $appended_match_expr }}
+    {{- end }}
+
+    {{/* input value hash for current set of values overrides */}}
+    {{- if not $context.Values.__daemonset_yaml.spec }}{{- $_ := set $context.Values.__daemonset_yaml "spec" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template }}{{- $_ := set $context.Values.__daemonset_yaml.spec "template" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template.metadata }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "metadata" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template.metadata.annotations }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata "annotations" dict }}{{- end }}
+    {{- $cmap := list $current_dict.dns_1123_name $current_dict.nodeData | include $configmap_include }}
+    {{- $values_hash := $cmap | quote | sha256sum }}
+    {{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata.annotations "configmap-etc-hash" $values_hash }}
+
+    {{/* generate configmap */}}
+---
+{{ $cmap }}
+    {{/* generate daemonset yaml */}}
+---
+{{ $context.Values.__daemonset_yaml | toYaml }}
+  {{- end }}
+{{- end }}
diff --git a/charts/designate/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl b/charts/designate/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
new file mode 100644
index 0000000..b99c00d
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.dependency_resolver" }}
+{{- $envAll := index . "envAll" -}}
+{{- $dependencyMixinParam := index . "dependencyMixinParam" -}}
+{{- $dependencyKey := index . "dependencyKey" -}}
+{{- if $dependencyMixinParam -}}
+{{- $_ := set $envAll.Values "pod_dependency" dict -}}
+{{- if kindIs "string" $dependencyMixinParam }}
+{{- if ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam ) }}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency ( index $envAll.Values.dependencies.static $dependencyKey ) ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam $dependencyKey ) ) -}}
+{{- else }}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- end }}
+{{- else if kindIs "slice" $dependencyMixinParam }}
+{{- $_ := set $envAll.Values "__deps" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- range $k, $v := $dependencyMixinParam -}}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency $envAll.Values.__deps ( index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey ) ) -}}
+{{- $_ := set $envAll.Values "__deps" $envAll.Values.pod_dependency -}}
+{{- end }}
+{{- end }}
+{{- else -}}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) -}}
+{{- end -}}
+{{ $envAll.Values.pod_dependency | toYaml }}
+{{- end }}
diff --git a/charts/designate/charts/helm-toolkit/templates/utils/_hash.tpl b/charts/designate/charts/helm-toolkit/templates/utils/_hash.tpl
new file mode 100644
index 0000000..d871b62
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/utils/_hash.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.hash" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{- include $wtf $context | sha256sum | quote -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/utils/_host_list.tpl b/charts/designate/charts/helm-toolkit/templates/utils/_host_list.tpl
new file mode 100644
index 0000000..0c32136
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/utils/_host_list.tpl
@@ -0,0 +1,44 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a list of unique hosts for an endpoint, in yaml.
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: mariadb
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.utils.host_list" }}
+return: |
+  hosts:
+  - mariadb
+  - mariadb.default
+*/}}
+
+{{- define "helm-toolkit.utils.host_list" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $host_fqdn := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $host_namespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $host_short := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{/* It is important that the FQDN host is 1st in this list, to ensure other function can use the 1st element for cert gen CN etc */}}
+{{- $host_list := list $host_fqdn $host_namespaced $host_short | uniq }}
+{{- dict "hosts" $host_list | toYaml }}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/utils/_image_sync_list.tpl b/charts/designate/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
new file mode 100644
index 0000000..51923b6
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.image_sync_list" -}}
+{{- $imageExcludeList := .Values.images.local_registry.exclude -}}
+{{- $imageDict := .Values.images.tags -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := $imageDict -}}
+{{- if not $local.first -}},{{- end -}}
+{{- if (not (has $k $imageExcludeList )) -}}
+{{- index $imageDict $k -}}
+{{- $_ := set $local "first" false -}}
+{{- end -}}{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl b/charts/designate/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
new file mode 100644
index 0000000..5eb5785
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a comma separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithComma" .Values.test }}
+return: |
+  foo,bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithComma" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl b/charts/designate/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
new file mode 100644
index 0000000..3bc6819
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a comma seperated string with single quotes
+  around each value.
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.test }}
+return: |
+  'foo','bar'
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}'{{- $v -}}'{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl b/charts/designate/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
new file mode 100644
index 0000000..40ebb15
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
@@ -0,0 +1,32 @@
+{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of prefixed values into a space separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ tuple "prefix" .Values.test | include "helm-toolkit.utils.joinListWithPrefix" }}
+return: |
+  prefixfoo prefixbar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithPrefix" -}}
+{{- $prefix := index . 0 -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := index . 1 -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $prefix -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl b/charts/designate/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
new file mode 100644
index 0000000..5912280
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a space separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithSpace" .Values.test }}
+return: |
+  foo bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithSpace" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/utils/_merge.tpl b/charts/designate/charts/helm-toolkit/templates/utils/_merge.tpl
new file mode 100644
index 0000000..ea80546
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/utils/_merge.tpl
@@ -0,0 +1,135 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Takes a tuple of values and merges into the first (target) one each subsequent
+(source) one in order. If all values to merge are maps, then the tuple can be
+passed as is and the target will be the result, otherwise pass a map with a
+"values" key containing the tuple of values to merge, and the merge result will
+be assigned to the "result" key of the passed map.
+
+When merging maps, for each key in the source, if the target does not define
+that key, the source value is assigned. If both define the key, then the key
+values are merged using this algorithm (recursively) and the result is assigned
+to the target key. Slices are merged by appending them and removing any
+duplicates, and when passing a map to this function and including a
+"merge_same_named" key set to true, then map items from the slices with the same
+value for the "name" key will be merged with each other. Any other values are
+merged by simply keeping the source, and throwing away the target.
+*/}}
+
+{{- define "helm-toolkit.utils.merge" -}}
+  {{- $local := dict -}}
+  {{- $_ := set $local "merge_same_named" false -}}
+  {{- if kindIs "map" $ -}}
+    {{- $_ := set $local "values" $.values -}}
+    {{- if hasKey $ "merge_same_named" -}}
+      {{- $_ := set $local "merge_same_named" $.merge_same_named -}}
+    {{- end -}}
+  {{- else -}}
+    {{- $_ := set $local "values" $ -}}
+  {{- end -}}
+
+  {{- $target := first $local.values -}}
+  {{- range $item := rest $local.values -}}
+    {{- $call := dict "target" $target "source" . "merge_same_named" $local.merge_same_named -}}
+    {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+    {{- $_ := set $local "result" $call.result -}}
+  {{- end -}}
+
+  {{- if kindIs "map" $ -}}
+    {{- $_ := set $ "result" $local.result -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge" -}}
+  {{- $local := dict -}}
+
+  {{- $_ := set $ "result" $.source -}}
+
+  {{/*
+  TODO: Should we `fail` when trying to merge a collection (map or slice) with
+  either a different kind of collection or a scalar?
+  */}}
+
+  {{- if and (kindIs "map" $.target) (kindIs "map" $.source) -}}
+    {{- range $key, $sourceValue := $.source -}}
+      {{- if not (hasKey $.target $key) -}}
+        {{- $_ := set $local "newTargetValue" $sourceValue -}}
+        {{- if kindIs "map" $sourceValue -}}
+          {{- $copy := dict -}}
+          {{- $call := dict "target" $copy "source" $sourceValue -}}
+          {{- $_ := include "helm-toolkit.utils._merge.shallow" $call -}}
+          {{- $_ := set $local "newTargetValue" $copy -}}
+        {{- end -}}
+      {{- else -}}
+        {{- $targetValue := index $.target $key -}}
+        {{- $call := dict "target" $targetValue "source" $sourceValue "merge_same_named" $.merge_same_named -}}
+        {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+        {{- $_ := set $local "newTargetValue" $call.result -}}
+      {{- end -}}
+      {{- $_ := set $.target $key $local.newTargetValue -}}
+    {{- end -}}
+    {{- $_ := set $ "result" $.target -}}
+  {{- else if and (kindIs "slice" $.target) (kindIs "slice" $.source) -}}
+    {{- $call := dict "target" $.target "source" $.source -}}
+    {{- $_ := include "helm-toolkit.utils._merge.append_slice" $call -}}
+    {{- if $.merge_same_named -}}
+      {{- $_ := set $local "result" list -}}
+      {{- $_ := set $local "named_items" dict -}}
+      {{- range $item := $call.result -}}
+      {{- $_ := set $local "has_name_key" false -}}
+        {{- if kindIs "map" $item -}}
+          {{- if hasKey $item "name" -}}
+            {{- $_ := set $local "has_name_key" true -}}
+          {{- end -}}
+        {{- end -}}
+
+        {{- if $local.has_name_key -}}
+          {{- if hasKey $local.named_items $item.name -}}
+            {{- $named_item := index $local.named_items $item.name -}}
+            {{- $call := dict "target" $named_item "source" $item "merge_same_named" $.merge_same_named -}}
+            {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+          {{- else -}}
+            {{- $copy := dict -}}
+            {{- $copy_call := dict "target" $copy "source" $item -}}
+            {{- $_ := include "helm-toolkit.utils._merge.shallow" $copy_call -}}
+            {{- $_ := set $local.named_items $item.name $copy -}}
+            {{- $_ := set $local "result" (append $local.result $copy) -}}
+          {{- end -}}
+        {{- else -}}
+          {{- $_ := set $local "result" (append $local.result $item) -}}
+        {{- end -}}
+      {{- end -}}
+    {{- else -}}
+      {{- $_ := set $local "result" $call.result -}}
+    {{- end -}}
+    {{- $_ := set $ "result" (uniq $local.result) -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.shallow" -}}
+  {{- range $key, $value := $.source -}}
+    {{- $_ := set $.target $key $value -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.append_slice" -}}
+  {{- $local := dict -}}
+  {{- $_ := set $local "result" $.target -}}
+  {{- range $value := $.source -}}
+    {{- $_ := set $local "result" (append $local.result $value) -}}
+  {{- end -}}
+  {{- $_ := set $ "result" $local.result -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/utils/_template.tpl b/charts/designate/charts/helm-toolkit/templates/utils/_template.tpl
new file mode 100644
index 0000000..da56aa0
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/utils/_template.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.template" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{ include $wtf $context }}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/utils/_to_ini.tpl b/charts/designate/charts/helm-toolkit/templates/utils/_to_ini.tpl
new file mode 100644
index 0000000..a159364
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/utils/_to_ini.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns INI formatted output from yaml input
+values: |
+  conf:
+    paste:
+      filter:debug:
+        use: egg:oslo.middleware#debug
+      filter:request_id:
+        use: egg:oslo.middleware#request_id
+      filter:build_auth_context:
+        use: egg:keystone#build_auth_context
+usage: |
+  {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste }}
+return: |
+  [filter:build_auth_context]
+  use = egg:keystone#build_auth_context
+  [filter:debug]
+  use = egg:oslo.middleware#debug
+  [filter:request_id]
+  use = egg:oslo.middleware#request_id
+*/}}
+
+{{- define "helm-toolkit.utils.to_ini" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{else -}}
+{{ $key }} = {{ $value }}
+{{end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl b/charts/designate/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
new file mode 100644
index 0000000..885a86c
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns yaml formatted to be used in k8s templates as container
+  env vars injected via secrets. This requires a secret-<chartname> template to
+  be defined in the chart that can be used to house the desired secret
+  variables. For reference, see the fluentd chart.
+values: |
+  test:
+    secrets:
+      foo: bar
+
+usage: |
+  {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+  - name: foo
+    valueFrom:
+      secretKeyRef:
+        name: "my-release-name-env-secret"
+        key: foo
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_secret_vars" -}}
+{{- $context := index . 0 -}}
+{{- $secrets := index . 1 -}}
+{{ range $key, $config := $secrets -}}
+- name: {{ $key }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ printf "%s-%s" $context.Release.Name "env-secret" | quote }}
+      key: {{ $key }}
+{{ end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl b/charts/designate/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
new file mode 100644
index 0000000..829dca6
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
@@ -0,0 +1,39 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns key value pair formatted to be used in k8s templates as container
+  env vars.
+values: |
+  test:
+    foo: bar
+usage: |
+  {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+  - name: foo
+    value: "bar"
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_vars" -}}
+{{range $key, $value := . -}}
+{{- if kindIs "slice" $value -}}
+- name: {{ $key }}
+  value: {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{else -}}
+- name: {{ $key }}
+  value: {{ $value | quote }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/utils/_to_kv_list.tpl b/charts/designate/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
new file mode 100644
index 0000000..91bdeb6
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
@@ -0,0 +1,42 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns key value pair in INI format (key = value)
+values: |
+  conf:
+    libvirt:
+      log_level: 3
+usage: |
+  {{ include "helm-toolkit.utils.to_kv_list" .Values.conf.libvirt }}
+return: |
+  log_level = 3
+*/}}
+
+{{- define "helm-toolkit.utils.to_kv_list" -}}
+{{- range $key, $value :=  . -}}
+{{- if kindIs "slice" $value }}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{- else if kindIs "string" $value }}
+{{- if regexMatch "^[0-9]+$" $value }}
+{{ $key }} = {{ $value }}
+{{- else }}
+{{ $key }} = {{ $value | quote }}
+{{- end }}
+{{- else }}
+{{ $key }} = {{ $value }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl b/charts/designate/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
new file mode 100644
index 0000000..622a862
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns OSLO.conf formatted output from yaml input
+values: |
+  conf:
+    keystone:
+      DEFAULT: # Keys at this level are used for section headings
+        max_token_size: 255
+      oslo_messaging_notifications:
+        driver: # An example of a multistring option's syntax
+          type: multistring
+          values:
+            - messagingv2
+            - log
+      oslo_messaging_notifications_stein:
+        driver: # An example of a csv option's syntax
+          type: csv
+          values:
+            - messagingv2
+            - log
+      security_compliance:
+        password_expires_ignore_user_ids:
+        # Values in a list will be converted to a comma separated key
+          - "123"
+          - "456"
+usage: |
+  {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.keystone }}
+return: |
+  [DEFAULT]
+  max_token_size = 255
+  [oslo_messaging_notifications]
+  driver = messagingv2
+  driver = log
+  [oslo_messaging_notifications_stein]
+  driver = messagingv2,log
+  [security_compliance]
+  password_expires_ignore_user_ids = 123,456
+*/}}
+
+{{- define "helm-toolkit.utils.to_oslo_conf" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{ range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{ else if kindIs "map" $value -}}
+{{- if eq $value.type "multistring" }}
+{{- range $k, $multistringValue := $value.values -}}
+{{ $key }} = {{ $multistringValue }}
+{{ end -}}
+{{ else if eq $value.type "csv" -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value.values }}
+{{ end -}}
+{{- else -}}
+{{ $key }} = {{ $value }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/values.yaml b/charts/designate/charts/helm-toolkit/values.yaml
new file mode 100644
index 0000000..681a92b
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/values.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for utils.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
diff --git a/charts/designate/requirements.lock b/charts/designate/requirements.lock
new file mode 100644
index 0000000..b701966
--- /dev/null
+++ b/charts/designate/requirements.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: helm-toolkit
+  repository: file://../../openstack-helm-infra/helm-toolkit
+  version: 0.2.49
+digest: sha256:17c2ccd48a8f79f15fc2fe5a59a1e0330cd6d0010ab5cc81a81575db31377a32
+generated: "2022-11-22T20:12:42.414567937Z"
diff --git a/charts/designate/requirements.yaml b/charts/designate/requirements.yaml
new file mode 100644
index 0000000..4124d01
--- /dev/null
+++ b/charts/designate/requirements.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+  - name: helm-toolkit
+    repository: file://../../openstack-helm-infra/helm-toolkit
+    version: ">= 0.1.0"
diff --git a/charts/designate/templates/bin/_bootstrap.sh.tpl b/charts/designate/templates/bin/_bootstrap.sh.tpl
new file mode 100644
index 0000000..42ddf64
--- /dev/null
+++ b/charts/designate/templates/bin/_bootstrap.sh.tpl
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+{{ .Values.bootstrap.script | default "echo 'Not Enabled'" }}
diff --git a/charts/designate/templates/bin/_db-sync.sh.tpl b/charts/designate/templates/bin/_db-sync.sh.tpl
new file mode 100644
index 0000000..dfa8bde
--- /dev/null
+++ b/charts/designate/templates/bin/_db-sync.sh.tpl
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+designate-manage database sync
+
diff --git a/charts/designate/templates/bin/_designate-api.sh.tpl b/charts/designate/templates/bin/_designate-api.sh.tpl
new file mode 100644
index 0000000..c1dfa37
--- /dev/null
+++ b/charts/designate/templates/bin/_designate-api.sh.tpl
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+  exec designate-api \
+      --config-file /etc/designate/designate.conf
+}
+
+function stop () {
+  kill -TERM 1
+}
+
+$COMMAND
diff --git a/charts/designate/templates/bin/_designate-central.sh.tpl b/charts/designate/templates/bin/_designate-central.sh.tpl
new file mode 100644
index 0000000..b684b46
--- /dev/null
+++ b/charts/designate/templates/bin/_designate-central.sh.tpl
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+  exec designate-central \
+      --config-file /etc/designate/designate.conf
+}
+
+function stop () {
+  kill -TERM 1
+}
+
+$COMMAND
diff --git a/charts/designate/templates/bin/_designate-mdns.sh.tpl b/charts/designate/templates/bin/_designate-mdns.sh.tpl
new file mode 100644
index 0000000..6770894
--- /dev/null
+++ b/charts/designate/templates/bin/_designate-mdns.sh.tpl
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+  designate-mdns \
+      --config-file /etc/designate/designate.conf
+}
+
+function stop () {
+  kill -TERM 1
+}
+
+$COMMAND
diff --git a/charts/designate/templates/bin/_designate-producer.sh.tpl b/charts/designate/templates/bin/_designate-producer.sh.tpl
new file mode 100644
index 0000000..b2b9efc
--- /dev/null
+++ b/charts/designate/templates/bin/_designate-producer.sh.tpl
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+  designate-producer --config-file /etc/designate/designate.conf
+}
+
+function stop () {
+  kill -TERM 1
+}
+
+$COMMAND
diff --git a/charts/designate/templates/bin/_designate-sink.sh.tpl b/charts/designate/templates/bin/_designate-sink.sh.tpl
new file mode 100644
index 0000000..d552f8b
--- /dev/null
+++ b/charts/designate/templates/bin/_designate-sink.sh.tpl
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+COMMAND="${@:-start}"
+  exec designate-sink \
+      --config-file /etc/designate/designate.conf
+}
+
+function stop () {
+  kill -TERM 1
+}
+
+$COMMAND
diff --git a/charts/designate/templates/bin/_designate-worker.sh.tpl b/charts/designate/templates/bin/_designate-worker.sh.tpl
new file mode 100644
index 0000000..38e8fad
--- /dev/null
+++ b/charts/designate/templates/bin/_designate-worker.sh.tpl
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+  designate-worker \
+      --config-file /etc/designate/designate.conf
+}
+
+function stop () {
+  kill -TERM 1
+}
+
+$COMMAND
diff --git a/charts/designate/templates/configmap-bin.yaml b/charts/designate/templates/configmap-bin.yaml
new file mode 100644
index 0000000..2d93be0
--- /dev/null
+++ b/charts/designate/templates/configmap-bin.yaml
@@ -0,0 +1,50 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.manifests.configmap_bin }}
+
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: designate-bin
+data:
+{{- if .Values.bootstrap.enabled }}
+  bootstrap.sh: |+
+{{ tuple "bin/_bootstrap.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+  ks-service.sh: |+
+{{- include "helm-toolkit.scripts.keystone_service" . | indent 4 }}
+  ks-endpoints.sh: |+
+{{- include "helm-toolkit.scripts.keystone_endpoints" . | indent 4 }}
+  ks-user.sh: |+
+{{- include "helm-toolkit.scripts.keystone_user" . | indent 4 }}
+  db-init.py: |
+{{- include "helm-toolkit.scripts.db_init" . | indent 4 }}
+  db-sync.sh: |
+{{ tuple "bin/_db-sync.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  designate-api.sh: |
+{{ tuple "bin/_designate-api.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  designate-central.sh: |
+{{ tuple "bin/_designate-central.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  designate-mdns.sh: |
+{{ tuple "bin/_designate-mdns.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  designate-worker.sh: |
+{{ tuple "bin/_designate-worker.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  designate-producer.sh: |
+{{ tuple "bin/_designate-producer.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  designate-sink.sh: |
+{{ tuple "bin/_designate-sink.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  rabbit-init.sh: |
+{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }}
+
+{{- end }}
diff --git a/charts/designate/templates/configmap-etc.yaml b/charts/designate/templates/configmap-etc.yaml
new file mode 100644
index 0000000..dd1d4a2
--- /dev/null
+++ b/charts/designate/templates/configmap-etc.yaml
@@ -0,0 +1,81 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.manifests.configmap_etc }}
+
+{{- $envAll := . }}
+
+{{- if empty .Values.conf.designate.keystone_authtoken.auth_uri -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.designate.keystone_authtoken "auth_uri" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.designate.keystone_authtoken.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.designate.keystone_authtoken "auth_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.designate.keystone_authtoken.region_name -}}
+{{- $_ := set .Values.conf.designate.keystone_authtoken "region_name" .Values.endpoints.identity.auth.designate.region_name -}}
+{{- end -}}
+
+{{- if empty .Values.conf.designate.keystone_authtoken.project_name -}}
+{{- $_ := set .Values.conf.designate.keystone_authtoken "project_name" .Values.endpoints.identity.auth.designate.project_name -}}
+{{- end -}}
+
+{{- if empty .Values.conf.designate.keystone_authtoken.project_domain_name -}}
+{{- $_ := set .Values.conf.designate.keystone_authtoken "project_domain_name" .Values.endpoints.identity.auth.designate.project_domain_name -}}
+{{- end -}}
+
+{{- if empty .Values.conf.designate.keystone_authtoken.user_domain_name -}}
+{{- $_ := set .Values.conf.designate.keystone_authtoken "user_domain_name" .Values.endpoints.identity.auth.designate.user_domain_name -}}
+{{- end -}}
+
+{{- if empty .Values.conf.designate.keystone_authtoken.username -}}
+{{- $_ := set .Values.conf.designate.keystone_authtoken "username" .Values.endpoints.identity.auth.designate.username -}}
+{{- end -}}
+
+{{- if empty .Values.conf.designate.keystone_authtoken.password -}}
+{{- $_ := set .Values.conf.designate.keystone_authtoken "password" .Values.endpoints.identity.auth.designate.password -}}
+{{- end -}}
+
+{{- if empty .Values.conf.designate.keystone_authtoken.memcached_servers -}}
+{{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.designate.keystone_authtoken "memcached_servers" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.designate.keystone_authtoken.memcache_secret_key -}}
+{{- $_ := set .Values.conf.designate.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
+{{- end -}}
+
+{{- if empty (index .Values.conf.designate "storage:sqlalchemy").connection -}}
+{{- $_ := tuple "oslo_db" "internal" "designate" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | set (index .Values.conf.designate "storage:sqlalchemy") "connection" -}}
+{{- $_ := tuple "oslo_db" "internal" "designate" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | set .Values.conf.designate.database "connection" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.designate.DEFAULT.transport_url -}}
+{{- $_ := tuple "oslo_messaging" "internal" "designate" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" | set .Values.conf.designate.DEFAULT "transport_url" -}}
+{{- end -}}
+
+{{- if empty (index .Values.conf.designate "service:api").api_base_uri -}}
+{{- $_ := tuple "dns" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set (index .Values.conf.designate "service:api") "api_base_uri" -}}
+{{- end -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: designate-etc
+type: Opaque
+data:
+  designate.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.designate | b64enc }}
+  api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
+  policy.yaml: {{ toYaml .Values.conf.policy | b64enc }}
+  logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.pools "key" "pools.yaml" "format" "Secret" ) | indent 2 }}
+
+{{- end }}
diff --git a/charts/designate/templates/deployment-api.yaml b/charts/designate/templates/deployment-api.yaml
new file mode 100644
index 0000000..b6680d8
--- /dev/null
+++ b/charts/designate/templates/deployment-api.yaml
@@ -0,0 +1,116 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.manifests.deployment_api }}
+
+{{- $envAll := . }}
+{{- $mounts_designate_api := .Values.pod.mounts.designate_api.designate_api }}
+{{- $mounts_designate_api_init := .Values.pod.mounts.designate_api.init_container }}
+
+{{- $serviceAccountName := "designate-api" }}
+{{ tuple $envAll "api" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: designate-api
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "designate" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.api }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "designate" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "designate" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "designate" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      affinity:
+{{ tuple $envAll "designate" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+      nodeSelector:
+        {{ .Values.labels.api.node_selector_key }}: {{ .Values.labels.api.node_selector_value }}
+      terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.api.timeout | default "30" }}
+      initContainers:
+{{ tuple $envAll "api" $mounts_designate_api_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: designate-api
+{{ tuple $envAll "designate_api" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "designate" "container" "designate_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/designate-api.sh
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - /tmp/designate-api.sh
+                  - stop
+          ports:
+            - name: dns-api
+              containerPort: {{ tuple "dns" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+          readinessProbe:
+            httpGet:
+              scheme: {{ tuple "dns" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
+              path: /
+              port: {{ tuple "dns" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+          volumeMounts:
+            - name: designate-bin
+              mountPath: /tmp/designate-api.sh
+              subPath: designate-api.sh
+              readOnly: true
+            - name: pod-etc-designate
+              mountPath: /etc/designate
+            - name: pod-var-cache-designate
+              mountPath: /var/cache/designate
+            - name: designate-etc
+              mountPath: /etc/designate/designate.conf
+              subPath: designate.conf
+              readOnly: true
+            - name: designate-etc
+              mountPath: /etc/designate/api-paste.ini
+              subPath: api-paste.ini
+              readOnly: true
+            - name: designate-etc
+              mountPath: /etc/designate/policy.yaml
+              subPath: policy.yaml
+              readOnly: true
+            {{- if .Values.conf.designate.DEFAULT.log_config_append }}
+            - name: designate-etc
+              mountPath: {{ .Values.conf.designate.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.designate.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+{{ if $mounts_designate_api.volumeMounts }}{{ toYaml $mounts_designate_api.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-etc-designate
+          emptyDir: {}
+        - name: pod-var-cache-designate
+          emptyDir: {}
+        - name: designate-bin
+          configMap:
+            name: designate-bin
+            defaultMode: 0555
+        - name: designate-etc
+          secret:
+            secretName: designate-etc
+            defaultMode: 0444
+{{ if $mounts_designate_api.volumes }}{{ toYaml $mounts_designate_api.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/designate/templates/deployment-central.yaml b/charts/designate/templates/deployment-central.yaml
new file mode 100644
index 0000000..02d9f3c
--- /dev/null
+++ b/charts/designate/templates/deployment-central.yaml
@@ -0,0 +1,101 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.manifests.deployment_central }}
+
+{{- $envAll := . }}
+{{- $mounts_designate_central := .Values.pod.mounts.designate_central.designate_central }}
+{{- $mounts_designate_central_init := .Values.pod.mounts.designate_central.init_container }}
+
+{{- $serviceAccountName := "designate-central" }}
+{{ tuple $envAll "central" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: designate-central
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "designate" "central" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.central }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "designate" "central" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "designate" "central" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      affinity:
+{{ tuple $envAll "designate" "central" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+      nodeSelector:
+        {{ .Values.labels.central.node_selector_key }}: {{ .Values.labels.central.node_selector_value }}
+      initContainers:
+{{ tuple $envAll "central" $mounts_designate_central_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: designate-central
+{{ tuple $envAll "designate_central" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.central | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "designate" "container" "designate_central" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - bash
+            - /tmp/designate-central.sh
+          volumeMounts:
+            - name: designate-bin
+              mountPath: /tmp/designate-central.sh
+              subPath: designate-central.sh
+              readOnly: true
+            - name: pod-etc-designate
+              mountPath: /etc/designate
+            - name: pod-var-cache-designate
+              mountPath: /var/cache/designate
+            - name: designate-etc
+              mountPath: /etc/designate/designate.conf
+              subPath: designate.conf
+              readOnly: true
+            - name: designate-etc
+              mountPath: /etc/designate/api-paste.ini
+              subPath: api-paste.ini
+              readOnly: true
+            - name: designate-etc
+              mountPath: /etc/designate/policy.yaml
+              subPath: policy.yaml
+              readOnly: true
+            {{- if .Values.conf.designate.DEFAULT.log_config_append }}
+            - name: designate-etc
+              mountPath: {{ .Values.conf.designate.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.designate.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+{{ if $mounts_designate_central.volumeMounts }}{{ toYaml $mounts_designate_central.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-etc-designate
+          emptyDir: {}
+        - name: pod-var-cache-designate
+          emptyDir: {}
+        - name: designate-bin
+          configMap:
+            name: designate-bin
+            defaultMode: 0555
+        - name: designate-etc
+          secret:
+            secretName: designate-etc
+            defaultMode: 0444
+{{ if $mounts_designate_central.volumes }}{{ toYaml $mounts_designate_central.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/designate/templates/deployment-mdns.yaml b/charts/designate/templates/deployment-mdns.yaml
new file mode 100644
index 0000000..d58f630
--- /dev/null
+++ b/charts/designate/templates/deployment-mdns.yaml
@@ -0,0 +1,112 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.manifests.deployment_mdns }}
+
+{{- $envAll := . }}
+{{- $mounts_designate_mdns := .Values.pod.mounts.designate_mdns.designate_mdns }}
+{{- $mounts_designate_mdns_init := .Values.pod.mounts.designate_mdns.init_container }}
+
+{{- $serviceAccountName := "designate-mdns" }}
+{{ tuple $envAll "mdns" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: designate-mdns
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "designate" "mdns" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.mdns }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "designate" "mdns" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "designate" "mdns" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "designate" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      affinity:
+{{ tuple $envAll "designate" "mdns" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+      nodeSelector:
+        {{ .Values.labels.mdns.node_selector_key }}: {{ .Values.labels.mdns.node_selector_value }}
+      terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.mdns.timeout | default "30" }}
+      initContainers:
+{{ tuple $envAll "mdns" $mounts_designate_mdns_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: designate-mdns
+{{ tuple $envAll "designate_mdns" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.mdns | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "designate" "container" "designate_mdns" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          ports:
+            - name: d-mdns
+              containerPort: {{ tuple "mdns" "internal" "ipc" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+            - name: d-mdns-udp
+              containerPort: {{ tuple "mdns" "internal" "ipc" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+              protocol: UDP
+          readinessProbe:
+            tcpSocket:
+              port: {{ tuple "mdns" "internal" "ipc" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+          command:
+            - bash
+            - /tmp/designate-mdns.sh
+          volumeMounts:
+            - name: designate-bin
+              mountPath: /tmp/designate-mdns.sh
+              subPath: designate-mdns.sh
+              readOnly: true
+            - name: pod-etc-designate
+              mountPath: /etc/designate
+            - name: pod-var-cache-designate
+              mountPath: /var/cache/designate
+            - name: designate-etc
+              mountPath: /etc/designate/designate.conf
+              subPath: designate.conf
+              readOnly: true
+            - name: designate-etc
+              mountPath: /etc/designate/api-paste.ini
+              subPath: api-paste.ini
+              readOnly: true
+            - name: designate-etc
+              mountPath: /etc/designate/policy.yaml
+              subPath: policy.yaml
+              readOnly: true
+            {{- if .Values.conf.designate.DEFAULT.log_config_append }}
+            - name: designate-etc
+              mountPath: {{ .Values.conf.designate.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.designate.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+{{ if $mounts_designate_mdns.volumeMounts }}{{ toYaml $mounts_designate_mdns.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-etc-designate
+          emptyDir: {}
+        - name: pod-var-cache-designate
+          emptyDir: {}
+        - name: designate-bin
+          configMap:
+            name: designate-bin
+            defaultMode: 0555
+        - name: designate-etc
+          secret:
+            secretName: designate-etc
+            defaultMode: 0444
+{{ if $mounts_designate_mdns.volumes }}{{ toYaml $mounts_designate_mdns.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/designate/templates/deployment-producer.yaml b/charts/designate/templates/deployment-producer.yaml
new file mode 100644
index 0000000..491dbad
--- /dev/null
+++ b/charts/designate/templates/deployment-producer.yaml
@@ -0,0 +1,101 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.manifests.deployment_producer }}
+
+{{- $envAll := . }}
+{{- $mounts_designate_producer := .Values.pod.mounts.designate_producer.designate_producer }}
+{{- $mounts_designate_producer_init := .Values.pod.mounts.designate_producer.init_container }}
+
+{{- $serviceAccountName := "designate-producer" }}
+{{ tuple $envAll "producer" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: designate-producer
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "designate" "producer" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.producer }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "designate" "producer" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "designate" "producer" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      affinity:
+{{ tuple $envAll "designate" "producer" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+      nodeSelector:
+        {{ .Values.labels.producer.node_selector_key }}: {{ .Values.labels.producer.node_selector_value }}
+      initContainers:
+{{ tuple $envAll "producer" $mounts_designate_producer_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: designate-producer
+{{ tuple $envAll "designate_producer" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.producer | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "designate" "container" "designate_producer" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - bash
+            - /tmp/designate-producer.sh
+          volumeMounts:
+            - name: designate-bin
+              mountPath: /tmp/designate-producer.sh
+              subPath: designate-producer.sh
+              readOnly: true
+            - name: pod-etc-designate
+              mountPath: /etc/designate
+            - name: pod-var-cache-designate
+              mountPath: /var/cache/designate
+            - name: designate-etc
+              mountPath: /etc/designate/designate.conf
+              subPath: designate.conf
+              readOnly: true
+            - name: designate-etc
+              mountPath: /etc/designate/api-paste.ini
+              subPath: api-paste.ini
+              readOnly: true
+            - name: designate-etc
+              mountPath: /etc/designate/policy.yaml
+              subPath: policy.yaml
+              readOnly: true
+            {{- if .Values.conf.designate.DEFAULT.log_config_append }}
+            - name: designate-etc
+              mountPath: {{ .Values.conf.designate.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.designate.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+{{ if $mounts_designate_producer.volumeMounts }}{{ toYaml $mounts_designate_producer.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-etc-designate
+          emptyDir: {}
+        - name: pod-var-cache-designate
+          emptyDir: {}
+        - name: designate-bin
+          configMap:
+            name: designate-bin
+            defaultMode: 0555
+        - name: designate-etc
+          secret:
+            secretName: designate-etc
+            defaultMode: 0444
+{{ if $mounts_designate_producer.volumes }}{{ toYaml $mounts_designate_producer.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/designate/templates/deployment-sink.yaml b/charts/designate/templates/deployment-sink.yaml
new file mode 100644
index 0000000..e577d9d
--- /dev/null
+++ b/charts/designate/templates/deployment-sink.yaml
@@ -0,0 +1,97 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.manifests.deployment_sink }}
+
+{{- $envAll := . }}
+{{- $mounts_designate_sink := .Values.pod.mounts.designate_sink.designate_sink }}
+{{- $mounts_designate_sink_init := .Values.pod.mounts.designate_sink.init_container }}
+
+{{- $serviceAccountName := "designate-sink" }}
+{{ tuple $envAll "sink" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: designate-sink
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "designate" "sink" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.sink }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "designate" "sink" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "designate" "sink" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      affinity:
+{{ tuple $envAll "designate" "sink" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+      nodeSelector:
+        {{ .Values.labels.sink.node_selector_key }}: {{ .Values.labels.sink.node_selector_value }}
+      initContainers:
+{{ tuple $envAll "sink" $mounts_designate_sink_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: designate-sink
+{{ tuple $envAll "designate_sink" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.sink | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "designate" "container" "designate_sink" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - bash
+            - /tmp/designate-sink.sh
+          volumeMounts:
+            - name: designate-bin
+              mountPath: /tmp/designate-sink.sh
+              subPath: designate-sink.sh
+              readOnly: true
+            - name: pod-etc-designate
+              mountPath: /etc/designate
+            - name: pod-var-cache-designate
+              mountPath: /var/cache/designate
+            - name: designate-etc
+              mountPath: /etc/designate/designate.conf
+              subPath: designate.conf
+              readOnly: true
+            - name: designate-etc
+              mountPath: /etc/designate/policy.yaml
+              subPath: policy.yaml
+              readOnly: true
+            {{- if .Values.conf.designate.DEFAULT.log_config_append }}
+            - name: designate-etc
+              mountPath: {{ .Values.conf.designate.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.designate.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+{{ if $mounts_designate_sink.volumeMounts }}{{ toYaml $mounts_designate_sink.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-etc-designate
+          emptyDir: {}
+        - name: pod-var-cache-designate
+          emptyDir: {}
+        - name: designate-bin
+          configMap:
+            name: designate-bin
+            defaultMode: 0555
+        - name: designate-etc
+          secret:
+            secretName: designate-etc
+            defaultMode: 0444
+{{ if $mounts_designate_sink.volumes }}{{ toYaml $mounts_designate_sink.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/designate/templates/deployment-worker.yaml b/charts/designate/templates/deployment-worker.yaml
new file mode 100644
index 0000000..74f9c99
--- /dev/null
+++ b/charts/designate/templates/deployment-worker.yaml
@@ -0,0 +1,126 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.manifests.deployment_worker }}
+
+{{- $envAll := . }}
+{{- $mounts_designate_worker := .Values.pod.mounts.designate_worker.designate_worker }}
+{{- $mounts_designate_worker_init := .Values.pod.mounts.designate_worker.init_container }}
+
+{{- $serviceAccountName := "designate-worker" }}
+{{ tuple $envAll "worker" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: designate-worker
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "designate" "worker" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.worker }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "designate" "worker" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "designate" "worker" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      affinity:
+{{ tuple $envAll "designate" "worker" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+      nodeSelector:
+        {{ .Values.labels.worker.node_selector_key }}: {{ .Values.labels.worker.node_selector_value }}
+      initContainers:
+{{ tuple $envAll "worker" $mounts_designate_worker_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: designate-worker-init
+{{ tuple $envAll "designate_worker" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.worker | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - bash
+            - -c
+            - 'eval "echo \"$(cat /tmp/designate_pools.template)\"" > /etc/designate/pools.yaml && designate-manage pool update'
+          volumeMounts:
+            - name: designate-etc
+              mountPath: /tmp/designate_pools.template
+              subPath: pools.yaml
+              readOnly: true
+            - name: pod-etc-designate
+              mountPath: /etc/designate
+            - name: designate-etc
+              mountPath: /etc/designate/designate.conf
+              subPath: designate.conf
+              readOnly: true
+            {{- if .Values.conf.designate.DEFAULT.log_config_append }}
+            - name: designate-etc
+              mountPath: {{ .Values.conf.designate.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.designate.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+{{ if $mounts_designate_worker.volumeMounts }}{{ toYaml $mounts_designate_worker.volumeMounts | indent 12 }}{{ end }}
+      containers:
+        - name: designate-worker
+{{ tuple $envAll "designate_worker" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.worker | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "designate" "container" "designate_worker" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - bash
+            - /tmp/designate-worker.sh
+          volumeMounts:
+            - name: designate-bin
+              mountPath: /tmp/designate-worker.sh
+              subPath: designate-worker.sh
+              readOnly: true
+            - name: pod-etc-designate
+              mountPath: /etc/designate
+            - name: pod-var-cache-designate
+              mountPath: /var/cache/designate
+            - name: designate-etc
+              mountPath: /etc/designate/designate.conf
+              subPath: designate.conf
+              readOnly: true
+            - name: designate-etc
+              mountPath: /etc/designate/api-paste.ini
+              subPath: api-paste.ini
+              readOnly: true
+            - name: designate-etc
+              mountPath: /etc/designate/policy.yaml
+              subPath: policy.yaml
+              readOnly: true
+            {{- if .Values.conf.designate.DEFAULT.log_config_append }}
+            - name: designate-etc
+              mountPath: {{ .Values.conf.designate.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.designate.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+{{ if $mounts_designate_worker.volumeMounts }}{{ toYaml $mounts_designate_worker.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-etc-designate
+          emptyDir: {}
+        - name: pod-var-cache-designate
+          emptyDir: {}
+        - name: designate-bin
+          configMap:
+            name: designate-bin
+            defaultMode: 0555
+        - name: designate-etc
+          secret:
+            secretName: designate-etc
+            defaultMode: 0444
+{{ if $mounts_designate_worker.volumes }}{{ toYaml $mounts_designate_worker.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/designate/templates/ingress-api.yaml b/charts/designate/templates/ingress-api.yaml
new file mode 100644
index 0000000..9b0a3b1
--- /dev/null
+++ b/charts/designate/templates/ingress-api.yaml
@@ -0,0 +1,17 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.manifests.ingress_api }}
+
+{{- $ingressOpts := dict "envAll" . "backendServiceType" "dns" "backendPort" "dns-api" -}}
+{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+
+{{- end }}
diff --git a/charts/designate/templates/job-bootstrap.yaml b/charts/designate/templates/job-bootstrap.yaml
new file mode 100644
index 0000000..dc4350e
--- /dev/null
+++ b/charts/designate/templates/job-bootstrap.yaml
@@ -0,0 +1,58 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.manifests.job_bootstrap }}
+
+{{- $envAll := . }}
+{{- if .Values.bootstrap.enabled }}
+{{- $mounts_designate_bootstrap := .Values.pod.mounts.designate_bootstrap.designate_bootstrap }}
+{{- $mounts_designate_bootstrap_init := .Values.pod.mounts.designate_bootstrap.init_container }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: designate-bootstrap
+spec:
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "designate" "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+    spec:
+      restartPolicy: OnFailure
+      nodeSelector:
+        {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+      initContainers:
+{{ tuple $envAll "bootstrap" $mounts_designate_bootstrap_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+      containers:
+        - name: designate-bootstrap
+          image: {{ .Values.images.tags.bootstrap }}
+          imagePullPolicy: {{ .Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+          command:
+            - /tmp/bootstrap.sh
+          volumeMounts:
+            - name: designate-bin
+              mountPath: /tmp/bootstrap.sh
+              subPath: bootstrap.sh
+              readOnly: true
+{{ if $mounts_designate_bootstrap.volumeMounts }}{{ toYaml $mounts_designate_bootstrap.volumeMounts | indent 10 }}{{ end }}
+      volumes:
+        - name: designate-bin
+          configMap:
+            name: designate-bin
+            defaultMode: 0555
+{{ if $mounts_designate_bootstrap.volumes }}{{ toYaml $mounts_designate_bootstrap.volumes | indent 6 }}{{ end }}
+{{- end }}
+{{- end }}
diff --git a/charts/designate/templates/job-db-init.yaml b/charts/designate/templates/job-db-init.yaml
new file mode 100644
index 0000000..1030d86
--- /dev/null
+++ b/charts/designate/templates/job-db-init.yaml
@@ -0,0 +1,23 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "metadata.annotations.job.db_init" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-5"
+{{- end }}
+
+{{- if .Values.manifests.job_db_init }}
+
+{{- $dbInitJob := dict "envAll" . "serviceName" "designate" "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml) -}}
+{{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
+
+{{- end }}
diff --git a/charts/designate/templates/job-db-sync.yaml b/charts/designate/templates/job-db-sync.yaml
new file mode 100644
index 0000000..7765114
--- /dev/null
+++ b/charts/designate/templates/job-db-sync.yaml
@@ -0,0 +1,23 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "metadata.annotations.job.db_sync" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end }}
+
+{{- if .Values.manifests.job_db_sync }}
+
+{{- $dbSyncJob := dict "envAll" . "serviceName" "designate" "podVolMounts" .Values.pod.mounts.designate_db_sync.designate_db_sync.volumeMounts "podVols" .Values.pod.mounts.designate_db_sync.designate_db_sync.volumes "jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml) -}}
+{{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
+
+{{- end }}
diff --git a/charts/designate/templates/job-ks-endpoints.yaml b/charts/designate/templates/job-ks-endpoints.yaml
new file mode 100644
index 0000000..b1f3c1f
--- /dev/null
+++ b/charts/designate/templates/job-ks-endpoints.yaml
@@ -0,0 +1,23 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "metadata.annotations.job.ks_endpoints" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-2"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_endpoints }}
+
+{{- $ksServiceJob := dict "envAll" . "serviceName" "designate" "serviceTypes" ( tuple "dns" ) "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) -}}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
+
+{{- end }}
diff --git a/charts/designate/templates/job-ks-service.yaml b/charts/designate/templates/job-ks-service.yaml
new file mode 100644
index 0000000..b7fc4b5
--- /dev/null
+++ b/charts/designate/templates/job-ks-service.yaml
@@ -0,0 +1,23 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "metadata.annotations.job.ks_service" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-3"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_service }}
+
+{{- $ksServiceJob := dict "envAll" . "serviceName" "designate" "serviceTypes" ( tuple "dns" ) "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) -}}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
+
+ {{- end }}
diff --git a/charts/designate/templates/job-ks-user.yaml b/charts/designate/templates/job-ks-user.yaml
new file mode 100644
index 0000000..081f013
--- /dev/null
+++ b/charts/designate/templates/job-ks-user.yaml
@@ -0,0 +1,25 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# $% What does following represent?
+
+{{- define "metadata.annotations.job.ks_user" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-1"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_user }}
+
+{{- $ksUserJob := dict "envAll" . "serviceName" "designate" "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) -}}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
+
+{{- end }}
diff --git a/charts/designate/templates/job-rabbit-init.yaml b/charts/designate/templates/job-rabbit-init.yaml
new file mode 100644
index 0000000..fc6e707
--- /dev/null
+++ b/charts/designate/templates/job-rabbit-init.yaml
@@ -0,0 +1,23 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.rabbit_init" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end }}
+
+{{- if .Values.manifests.job_rabbit_init }}
+{{- $rmqUserJob := dict "envAll" . "serviceName" "designate" "jobAnnotations" (include "metadata.annotations.job.rabbit_init" . | fromYaml) -}}
+{{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }}
+{{- end }}
diff --git a/charts/designate/templates/pdb-api.yaml b/charts/designate/templates/pdb-api.yaml
new file mode 100644
index 0000000..31c1532
--- /dev/null
+++ b/charts/designate/templates/pdb-api.yaml
@@ -0,0 +1,26 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.manifests.pdb_api }}
+
+{{- $envAll := . }}
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: designate-api
+spec:
+  minAvailable: {{ .Values.pod.lifecycle.disruption_budget.api.min_available }}
+  selector:
+    matchLabels:
+      app: designate-api
+{{ tuple $envAll "designate" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{- end }}
diff --git a/charts/designate/templates/pdb-central.yaml b/charts/designate/templates/pdb-central.yaml
new file mode 100644
index 0000000..54b8139
--- /dev/null
+++ b/charts/designate/templates/pdb-central.yaml
@@ -0,0 +1,25 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.manifests.pdb_central }}
+
+{{- $envAll := . }}
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: designate-central
+spec:
+  minAvailable: {{ .Values.pod.lifecycle.disruption_budget.central.min_available }}
+  selector:
+    matchLabels:
+      app: designate-central
+{{- end }}
diff --git a/charts/designate/templates/pdb-mdns.yaml b/charts/designate/templates/pdb-mdns.yaml
new file mode 100644
index 0000000..b14861c
--- /dev/null
+++ b/charts/designate/templates/pdb-mdns.yaml
@@ -0,0 +1,25 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.manifests.pdb_mdns }}
+
+{{- $envAll := . }}
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: designate-mdns
+spec:
+  minAvailable: {{ .Values.pod.lifecycle.disruption_budget.mdns.min_available }}
+  selector:
+    matchLabels:
+      app: designate-mdns
+{{- end }}
diff --git a/charts/designate/templates/pdb-producer.yaml b/charts/designate/templates/pdb-producer.yaml
new file mode 100644
index 0000000..6fa2450
--- /dev/null
+++ b/charts/designate/templates/pdb-producer.yaml
@@ -0,0 +1,25 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.manifests.pdb_producer }}
+
+{{- $envAll := . }}
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: designate-producer
+spec:
+  minAvailable: {{ .Values.pod.lifecycle.disruption_budget.producer.min_available }}
+  selector:
+    matchLabels:
+      app: designate-producer
+{{- end }}
diff --git a/charts/designate/templates/pdb-sink.yaml b/charts/designate/templates/pdb-sink.yaml
new file mode 100644
index 0000000..27acd0a
--- /dev/null
+++ b/charts/designate/templates/pdb-sink.yaml
@@ -0,0 +1,25 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.manifests.pdb_sink }}
+
+{{- $envAll := . }}
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: designate-sink
+spec:
+  minAvailable: {{ .Values.pod.lifecycle.disruption_budget.sink.min_available }}
+  selector:
+    matchLabels:
+      app: designate-sink
+{{- end }}
diff --git a/charts/designate/templates/pdb-worker.yaml b/charts/designate/templates/pdb-worker.yaml
new file mode 100644
index 0000000..8af1ca4
--- /dev/null
+++ b/charts/designate/templates/pdb-worker.yaml
@@ -0,0 +1,25 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.manifests.pdb_worker }}
+
+{{- $envAll := . }}
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: designate-worker
+spec:
+  minAvailable: {{ .Values.pod.lifecycle.disruption_budget.worker.min_available }}
+  selector:
+    matchLabels:
+      app: designate-worker
+{{- end }}
diff --git a/charts/designate/templates/secret-db.yaml b/charts/designate/templates/secret-db.yaml
new file mode 100644
index 0000000..c37b96e
--- /dev/null
+++ b/charts/designate/templates/secret-db.yaml
@@ -0,0 +1,26 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.manifests.secret_db }}
+
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "designate" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+  DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
+{{- end }}
+{{- end }}
diff --git a/charts/designate/templates/secret-ingress-tls.yaml b/charts/designate/templates/secret-ingress-tls.yaml
new file mode 100644
index 0000000..a5909b1
--- /dev/null
+++ b/charts/designate/templates/secret-ingress-tls.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "dns" ) }}
+{{- end }}
diff --git a/charts/designate/templates/secret-keystone.yaml b/charts/designate/templates/secret-keystone.yaml
new file mode 100644
index 0000000..5c3d956
--- /dev/null
+++ b/charts/designate/templates/secret-keystone.yaml
@@ -0,0 +1,26 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.manifests.secret_keystone }}
+
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "designate" "test" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
+{{- end }}
diff --git a/charts/designate/templates/secret-rabbitmq.yaml b/charts/designate/templates/secret-rabbitmq.yaml
new file mode 100644
index 0000000..01c8362
--- /dev/null
+++ b/charts/designate/templates/secret-rabbitmq.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_rabbitmq }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "designate" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+  RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/designate/templates/secret-registry.yaml b/charts/designate/templates/secret-registry.yaml
new file mode 100644
index 0000000..da979b3
--- /dev/null
+++ b/charts/designate/templates/secret-registry.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
diff --git a/charts/designate/templates/service-api.yaml b/charts/designate/templates/service-api.yaml
new file mode 100644
index 0000000..8a26cb6
--- /dev/null
+++ b/charts/designate/templates/service-api.yaml
@@ -0,0 +1,26 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.manifests.service_api }}
+
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tuple "dns" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+  ports:
+    - name: dns-api
+      port: {{ tuple "dns" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+  selector:
+{{ tuple $envAll "designate" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- end }}
diff --git a/charts/designate/templates/service-ingress-api.yaml b/charts/designate/templates/service-ingress-api.yaml
new file mode 100644
index 0000000..7e12fd2
--- /dev/null
+++ b/charts/designate/templates/service-ingress-api.yaml
@@ -0,0 +1,17 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.manifests.service_ingress_api }}
+
+{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "dns" -}}
+{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
+
+{{- end }}
diff --git a/charts/designate/templates/service-mdns.yaml b/charts/designate/templates/service-mdns.yaml
new file mode 100644
index 0000000..ced9fd6
--- /dev/null
+++ b/charts/designate/templates/service-mdns.yaml
@@ -0,0 +1,35 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.manifests.service_mdns }}
+
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tuple "mdns" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+  ports:
+    - name: d-mdns
+      port: {{ tuple "mdns" "internal" "ipc" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+    - name: d-mdns-udp
+      port: {{ tuple "mdns" "internal" "ipc" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+      protocol: UDP
+  selector:
+{{ tuple $envAll "designate" "mdns" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  {{ if .Values.network.mdns.node_port.enabled }}
+  type: NodePort
+  {{ if .Values.network.mdns.external_policy_local }}
+  externalTrafficPolicy: Local
+  {{ end }}
+  {{ end }}
+{{- end }}
diff --git a/charts/designate/values.yaml b/charts/designate/values.yaml
new file mode 100644
index 0000000..7abd43d
--- /dev/null
+++ b/charts/designate/values.yaml
@@ -0,0 +1,851 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for designate.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+---
+release_group: null
+
+labels:
+  api:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  central:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  producer:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  worker:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  job:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  mdns:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  sink:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+
+images:
+  tags:
+    bootstrap: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    db_init: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    db_drop: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    rabbit_init: docker.io/rabbitmq:3.7-management
+    ks_user: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    ks_service: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    ks_endpoints: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    designate_db_sync: docker.io/openstackhelm/designate:wallaby-ubuntu_focal
+    designate_api: docker.io/openstackhelm/designate:wallaby-ubuntu_focal
+    designate_central: docker.io/openstackhelm/designate:wallaby-ubuntu_focal
+    designate_mdns: docker.io/openstackhelm/designate:wallaby-ubuntu_focal
+    designate_worker: docker.io/openstackhelm/designate:wallaby-ubuntu_focal
+    designate_producer: docker.io/openstackhelm/designate:wallaby-ubuntu_focal
+    designate_sink: docker.io/openstackhelm/designate:wallaby-ubuntu_focal
+  pull_policy: "IfNotPresent"
+  local_registry:
+    active: false
+    exclude:
+      - dep_check
+      - image_repo_sync
+
+pod:
+  affinity:
+    anti:
+      type:
+        default: preferredDuringSchedulingIgnoredDuringExecution
+      topologyKey:
+        default: kubernetes.io/hostname
+  mounts:
+    designate_api:
+      init_container: null
+      designate_api:
+        volumeMounts:
+        volumes:
+    designate_central:
+      init_container: null
+      designate_central:
+        volumeMounts:
+        volumes:
+    designate_mdns:
+      init_container: null
+      designate_mdns:
+        volumeMounts:
+        volumes:
+    designate_worker:
+      init_container: null
+      designate_worker:
+        volumeMounts:
+        volumes:
+    designate_producer:
+      init_container: null
+      designate_producer:
+        volumeMounts:
+        volumes:
+    designate_sink:
+      init_container: null
+      designate_sink:
+        volumeMounts:
+        volumes:
+    designate_db_sync:
+      designate_db_sync:
+        volumeMounts:
+        volumes:
+  replicas:
+    api: 1
+    central: 1
+    mdns: 1
+    producer: 1
+    sink: 1
+    worker: 1
+  lifecycle:
+    upgrades:
+      deployments:
+        revision_history: 3
+        pod_replacement_strategy: RollingUpdate
+        rolling_update:
+          max_unavailable: 1
+          max_surge: 3
+    disruption_budget:
+      api:
+        min_available: 0
+      central:
+        min_available: 0
+      mdns:
+        min_available: 0
+      worker:
+        min_available: 0
+      producer:
+        min_available: 0
+      sink:
+        min_available: 0
+    termination_grace_period:
+      api:
+        timeout: 30
+      mdns:
+        timeout: 30
+
+  resources:
+    enabled: false
+    api:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+    jobs:
+      bootstrap:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      db_init:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      db_sync:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      ks_endpoints:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      ks_service:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      ks_user:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      rabbit_init:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      tests:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+
+network:
+  api:
+    ingress:
+      public: true
+      classes:
+        namespace: "nginx"
+        cluster: "nginx-cluster"
+      annotations:
+        nginx.ingress.kubernetes.io/rewrite-target: /
+    external_policy_local: false
+    node_port:
+      enabled: false
+      port: 9001
+  mdns:
+    name: "designate-mdns"
+    proto: "http"
+    external_policy_local: false
+    node_port:
+      enabled: true
+      port: 5354
+
+bootstrap:
+  enabled: false
+  script: |
+    openstack token issue
+
+dependencies:
+  dynamic:
+    common:
+      local_image_registry:
+        jobs:
+          - designate-image-repo-sync
+        services:
+          - endpoint: node
+            service: local_image_registry
+    job_rabbit_init:
+      api:
+        jobs:
+          - designate-rabbit-init
+      sink:
+        jobs:
+          - designate-rabbit-init
+      central:
+        jobs:
+          - designate-rabbit-init
+      worker:
+        jobs:
+          - designate-rabbit-init
+  static:
+    db_init:
+      services:
+        - service: oslo_db
+          endpoint: internal
+    db_sync:
+      jobs:
+        - designate-db-init
+      services:
+        - service: oslo_db
+          endpoint: internal
+    ks_user:
+      services:
+        - service: identity
+          endpoint: internal
+    ks_service:
+      services:
+        - service: identity
+          endpoint: internal
+    ks_endpoints:
+      jobs:
+        - designate-ks-service
+      services:
+        - service: identity
+          endpoint: internal
+    rabbit_init:
+      services:
+        - service: oslo_messaging
+          endpoint: internal
+    api:
+      jobs:
+        - designate-db-sync
+        - designate-ks-user
+        - designate-ks-endpoints
+      service:
+        - service: oslo_db
+          endpoint: internal
+        - service: identity
+          endpoint: internal
+        - service: oslo_messaging
+          endpoint: internal
+    central:
+      jobs:
+        - designate-db-sync
+        - designate-ks-user
+        - designate-ks-endpoints
+      service:
+        - service: oslo_db
+          endpoint: internal
+        - service: identity
+          endpoint: internal
+        - service: oslo_messaging
+          endpoint: internal
+    worker:
+      jobs:
+        - designate-db-sync
+        - designate-ks-user
+        - designate-ks-endpoints
+      services:
+        - service: oslo_db
+          endpoint: internal
+        - service: identity
+          endpoint: internal
+        - service: mdns
+          endpoint: internal
+    mdns:
+      jobs:
+        - designate-db-sync
+        - designate-ks-user
+        - designate-ks-endpoints
+      services:
+        - service: oslo_db
+          endpoint: internal
+        - service: identity
+          endpoint: internal
+    producer:
+      jobs:
+        - designate-db-sync
+        - designate-ks-user
+        - designate-ks-endpoints
+      services:
+        - service: oslo_db
+          endpoint: internal
+        - service: identity
+          endpoint: internal
+    sink:
+      jobs:
+        - designate-db-sync
+        - designate-ks-user
+        - designate-ks-endpoints
+      services:
+        - service: oslo_db
+          endpoint: internal
+        - service: identity
+          endpoint: internal
+
+conf:
+  pools: |
+    - name: default
+      # The name is immutable. There will be no option to change the name after
+      # creation and the only way will to change it will be to delete it
+      # (and all zones associated with it) and recreate it.
+      description: Default Pool
+
+      attributes: {}
+
+      # List out the NS records for zones hosted within this pool
+      # This should be a record that is created outside of designate, that
+      # points to the public IP of the controller node.
+      ns_records:
+        - hostname: {{ printf "ns.%s.svc.%s." .Release.Namespace .Values.endpoints.cluster_domain_suffix }}
+          priority: 1
+
+      # List out the nameservers for this pool. These are the actual DNS servers.
+      # We use these to verify changes have propagated to all nameservers.
+      nameservers:
+        - host: ${POWERDNS_SERVICE_HOST}
+          port: {{ tuple "powerdns" "internal" "powerdns" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+
+      # List out the targets for this pool. For BIND there will be one
+      # entry for each BIND server, as we have to run rndc command on each server
+      targets:
+        - type: pdns4
+          description: PowerDNS Server
+
+          # List out the designate-mdns servers from which PowerDNS servers should
+          # request zone transfers (AXFRs) from.
+          # This should be the IP of the controller node.
+          # If you have multiple controllers you can add multiple masters
+          # by running designate-mdns on them, and adding them here.
+          masters:
+            - host: ${MINIDNS_SERVICE_HOST}
+              port: {{ tuple "mdns" "internal" "ipc" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+
+          # PowerDNS Configuration options
+          options:
+            host: ${POWERDNS_SERVICE_HOST}
+            port: {{ tuple "powerdns" "internal" "powerdns" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+            api_endpoint: http://${POWERDNS_SERVICE_HOST}:{{ tuple "powerdns" "internal" "powerdns_api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+            api_token: {{ tuple "powerdns" "service" . | include "helm-toolkit.endpoints.endpoint_token_lookup" }}
+  paste:
+    composite:osapi_dns:
+      use: egg:Paste#urlmap
+      /: osapi_dns_versions
+      /v2: osapi_dns_v2
+      /admin: osapi_dns_admin
+    composite:osapi_dns_versions:
+      use: call:designate.api.middleware:auth_pipeline_factory
+      noauth: http_proxy_to_wsgi cors maintenance faultwrapper osapi_dns_app_versions
+      keystone: http_proxy_to_wsgi cors maintenance faultwrapper osapi_dns_app_versions
+    app:osapi_dns_app_versions:
+      paste.app_factory: designate.api.versions:factory
+    composite:osapi_dns_v2:
+      use: call:designate.api.middleware:auth_pipeline_factory
+      noauth: http_proxy_to_wsgi cors request_id faultwrapper validation_API_v2 noauthcontext maintenance normalizeuri osapi_dns_app_v2
+      keystone: http_proxy_to_wsgi cors request_id faultwrapper validation_API_v2 authtoken keystonecontext maintenance normalizeuri osapi_dns_app_v2
+    app:osapi_dns_app_v2:
+      paste.app_factory: designate.api.v2:factory
+    composite:osapi_dns_admin:
+      use: call:designate.api.middleware:auth_pipeline_factory
+      noauth: http_proxy_to_wsgi cors request_id faultwrapper noauthcontext maintenance normalizeuri osapi_dns_app_admin
+      keystone: http_proxy_to_wsgi cors request_id faultwrapper authtoken keystonecontext maintenance normalizeuri osapi_dns_app_admin
+    app:osapi_dns_app_admin:
+      paste.app_factory: designate.api.admin:factory
+    filter:cors:
+      paste.filter_factory: oslo_middleware.cors:filter_factory
+      oslo_config_project: designate
+    filter:request_id:
+      paste.filter_factory: oslo_middleware:RequestId.factory
+    filter:http_proxy_to_wsgi:
+      paste.filter_factory: oslo_middleware:HTTPProxyToWSGI.factory
+    filter:noauthcontext:
+      paste.filter_factory: designate.api.middleware:NoAuthContextMiddleware.factory
+    filter:authtoken:
+      paste.filter_factory: keystonemiddleware.auth_token:filter_factory
+    filter:keystonecontext:
+      paste.filter_factory: designate.api.middleware:KeystoneContextMiddleware.factory
+    filter:maintenance:
+      paste.filter_factory: designate.api.middleware:MaintenanceMiddleware.factory
+    filter:normalizeuri:
+      paste.filter_factory: designate.api.middleware:NormalizeURIMiddleware.factory
+    filter:faultwrapper:
+      paste.filter_factory: designate.api.middleware:FaultWrapperMiddleware.factory
+    filter:validation_API_v2:
+      paste.filter_factory: designate.api.middleware:APIv2ValidationErrorMiddleware.factory
+  policy:
+    admin: role:admin or is_admin:True
+    primary_zone: target.zone_type:SECONDARY
+    owner: tenant:%(tenant_id)s
+    admin_or_owner: rule:admin or rule:owner
+    target: tenant:%(target_tenant_id)s
+    owner_or_target: rule:target or rule:owner
+    admin_or_owner_or_target: rule:owner_or_target or rule:admin
+    admin_or_target: rule:admin or rule:target
+    zone_primary_or_admin: ('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)
+    default: rule:admin_or_owner
+    all_tenants: rule:admin
+    edit_managed_records: rule:admin
+    use_low_ttl: rule:admin
+    get_quotas: rule:admin_or_owner
+    get_quota: rule:admin_or_owner
+    set_quota: rule:admin
+    reset_quotas: rule:admin
+    create_tld: rule:admin
+    find_tlds: rule:admin
+    get_tld: rule:admin
+    update_tld: rule:admin
+    delete_tld: rule:admin
+    create_tsigkey: rule:admin
+    find_tsigkeys: rule:admin
+    get_tsigkey: rule:admin
+    update_tsigkey: rule:admin
+    delete_tsigkey: rule:admin
+    find_tenants: rule:admin
+    get_tenant: rule:admin
+    count_tenants: rule:admin
+    create_zone: rule:admin_or_owner
+    get_zones: rule:admin_or_owner
+    get_zone: rule:admin_or_owner
+    get_zone_servers: rule:admin_or_owner
+    find_zones: rule:admin_or_owner
+    find_zone: rule:admin_or_owner
+    update_zone: rule:admin_or_owner
+    delete_zone: rule:admin_or_owner
+    xfr_zone: rule:admin_or_owner
+    abandon_zone: rule:admin
+    count_zones: rule:admin_or_owner
+    count_zones_pending_notify: rule:admin_or_owner
+    purge_zones: rule:admin
+    touch_zone: rule:admin_or_owner
+    create_recordset: rule:zone_primary_or_admin
+    get_recordsets: rule:admin_or_owner
+    get_recordset: rule:admin_or_owner
+    find_recordsets: rule:admin_or_owner
+    find_recordset: rule:admin_or_owner
+    update_recordset: rule:zone_primary_or_admin
+    delete_recordset: rule:zone_primary_or_admin
+    count_recordset: rule:admin_or_owner
+    create_record: rule:admin_or_owner
+    get_records: rule:admin_or_owner
+    get_record: rule:admin_or_owner
+    find_records: rule:admin_or_owner
+    find_record: rule:admin_or_owner
+    update_record: rule:admin_or_owner
+    delete_record: rule:admin_or_owner
+    count_records: rule:admin_or_owner
+    use_sudo: rule:admin
+    create_blacklist: rule:admin
+    find_blacklist: rule:admin
+    find_blacklists: rule:admin
+    get_blacklist: rule:admin
+    update_blacklist: rule:admin
+    delete_blacklist: rule:admin
+    use_blacklisted_zone: rule:admin
+    create_pool: rule:admin
+    find_pools: rule:admin
+    find_pool: rule:admin
+    get_pool: rule:admin
+    update_pool: rule:admin
+    delete_pool: rule:admin
+    zone_create_forced_pool: rule:admin
+    diagnostics_ping: rule:admin
+    diagnostics_sync_zones: rule:admin
+    diagnostics_sync_zone: rule:admin
+    diagnostics_sync_record: rule:admin
+    create_zone_transfer_request: rule:admin_or_owner
+    get_zone_transfer_request: rule:admin_or_owner or tenant:%(target_tenant_id)s or None:%(target_tenant_id)s
+    get_zone_transfer_request_detailed: rule:admin_or_owner
+    find_zone_transfer_requests: '@'
+    find_zone_transfer_request: '@'
+    update_zone_transfer_request: rule:admin_or_owner
+    delete_zone_transfer_request: rule:admin_or_owner
+    create_zone_transfer_accept: rule:admin_or_owner or tenant:%(target_tenant_id)s or None:%(target_tenant_id)s
+    get_zone_transfer_accept: rule:admin_or_owner
+    find_zone_transfer_accepts: rule:admin
+    find_zone_transfer_accept: rule:admin
+    update_zone_transfer_accept: rule:admin
+    delete_zone_transfer_accept: rule:admin
+    create_zone_import: rule:admin_or_owner
+    find_zone_imports: rule:admin_or_owner
+    get_zone_import: rule:admin_or_owner
+    update_zone_import: rule:admin_or_owner
+    delete_zone_import: rule:admin_or_owner
+    zone_export: rule:admin_or_owner
+    create_zone_export: rule:admin_or_owner
+    find_zone_exports: rule:admin_or_owner
+    get_zone_export: rule:admin_or_owner
+    update_zone_export: rule:admin_or_owner
+    find_service_status: rule:admin
+    find_service_statuses: rule:admin
+    update_service_service_status: rule:admin
+  designate:
+    DEFAULT:
+      debug: false
+      log_config_append: /etc/designate/logging.conf
+    service:api:
+      auth_strategy: keystone
+      enable_api_v2: true
+      enable_api_admin: true
+      enabled_extensions_v2: quotas,reports
+      workers: 2
+    service:worker:
+      enabled: true
+      notify: false
+    oslo_middleware:
+      enable_proxy_headers_parsing: true
+    oslo_policy:
+      policy_file: /etc/designate/policy.yaml
+    database:
+      max_retries: -1
+    storage:sqlalchemy:
+      max_retries: -1
+    keystone_authtoken:
+      auth_version: v3
+      auth_type: password
+      memcache_security_strategy: ENCRYPT
+  logging:
+    loggers:
+      keys:
+        - root
+        - designate
+    handlers:
+      keys:
+        - stdout
+        - stderr
+        - "null"
+    formatters:
+      keys:
+        - context
+        - default
+    logger_root:
+      level: WARNING
+      handlers: 'null'
+    logger_designate:
+      level: INFO
+      handlers:
+        - stdout
+      qualname: designate
+    logger_amqp:
+      level: WARNING
+      handlers: stderr
+      qualname: amqp
+    logger_amqplib:
+      level: WARNING
+      handlers: stderr
+      qualname: amqplib
+    logger_eventletwsgi:
+      level: WARNING
+      handlers: stderr
+      qualname: eventlet.wsgi.server
+    logger_sqlalchemy:
+      level: WARNING
+      handlers: stderr
+      qualname: sqlalchemy
+    logger_boto:
+      level: WARNING
+      handlers: stderr
+      qualname: boto
+    handler_null:
+      class: logging.NullHandler
+      formatter: default
+      args: ()
+    handler_stdout:
+      class: StreamHandler
+      args: (sys.stdout,)
+      formatter: context
+    handler_stderr:
+      class: StreamHandler
+      args: (sys.stderr,)
+      formatter: context
+    formatter_context:
+      class: oslo_log.formatters.ContextFormatter
+      datefmt: "%Y-%m-%d %H:%M:%S"
+    formatter_default:
+      format: "%(message)s"
+      datefmt: "%Y-%m-%d %H:%M:%S"
+
+# Names of secrets used by bootstrap and environmental checks
+secrets:
+  identity:
+    admin: designate-keystone-admin
+    designate: designate-keystone-user
+    test: designate-keystone-test
+  oslo_db:
+    admin: designate-db-admin
+    designate: designate-db-user
+  oslo_messaging:
+    admin: designate-rabbitmq-admin
+    designate: designate-rabbitmq-user
+  tls:
+    dns:
+      api:
+        public: designate-tls-public
+  oci_image_registry:
+    designate: designate-oci-image-registry
+
+endpoints:
+  cluster_domain_suffix: cluster.local
+  local_image_registry:
+    name: docker-registry
+    namespace: docker-registry
+    hosts:
+      default: localhost
+      internal: docker-registry
+      node: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      designate:
+        username: designate
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
+  identity:
+    name: keystone
+    auth:
+      admin:
+        region_name: RegionOne
+        username: admin
+        password: password
+        project_name: admin
+        user_domain_name: default
+        project_domain_name: default
+      designate:
+        role: admin
+        region_name: RegionOne
+        username: designate
+        password: password
+        project_name: service
+        user_domain_name: service
+        project_domain_name: service
+      test:
+        role: admin
+        region_name: RegionOne
+        username: designate-test
+        password: password
+        project_name: test
+        user_domain_name: service
+        project_domain_name: service
+    hosts:
+      default: keystone
+      internal: keystone-api
+    host_fqdn_override:
+      default: null
+    path:
+      default: /v3
+    scheme:
+      default: http
+    port:
+      api:
+        default: 80
+        internal: 5000
+  dns:
+    name: designate
+    hosts:
+      default: designate-api
+      public: designate
+    host_fqdn_override:
+      default: null
+    path:
+      default: /
+    scheme:
+      default: 'http'
+    port:
+      api:
+        default: 9001
+        public: 80
+  mdns:
+    name: minidns
+    hosts:
+      default: minidns
+      public: designate-mdns
+    host_fqdn_override:
+      default: null
+    path:
+      default: null
+    scheme:
+      default: 'tcp'
+    port:
+      ipc:
+        default: 5354
+  oslo_db:
+    auth:
+      admin:
+        username: root
+        password: password
+      designate:
+        username: designate
+        password: password
+    hosts:
+      default: mariadb
+    host_fqdn_override:
+      default: null
+    path: /designate
+    scheme: mysql+pymysql
+    port:
+      mysql:
+        default: 3306
+  oslo_cache:
+    hosts:
+      default: memcached
+    host_fqdn_override:
+      default: null
+    port:
+      memcache:
+        default: 11211
+    auth:
+      # NOTE: this is used to define the value for keystone
+      # authtoken cache encryption key, if not set it will be populated
+      # automatically with a random value, but to take advantage of
+      # this feature all services should be set to use the same key,
+      # and memcache service.
+      memcache_secret_key: null
+  oslo_messaging:
+    auth:
+      admin:
+        username: rabbitmq
+        password: password
+      designate:
+        username: designate
+        password: password
+    statefulset:
+      replicas: 2
+      name: rabbitmq-rabbitmq
+    hosts:
+      default: rabbitmq
+    host_fqdn_override:
+      default: null
+    path: /designate
+    scheme: rabbit
+    port:
+      amqp:
+        default: 5672
+      http:
+        default: 15672
+  powerdns:
+    auth:
+      service:
+        token: chiave_segreta
+    hosts:
+      default: powerdns
+    host_fqdn_override:
+      default: null
+    port:
+      powerdns_api:
+        default: 8081
+      powerdns:
+        default: 53
+
+manifests:
+  configmap_bin: true
+  configmap_etc: true
+  deployment_api: true
+  deployment_central: true
+  deployment_worker: true
+  deployment_producer: true
+  deployment_mdns: true
+  deployment_sink: false
+  ingress_api: true
+  job_bootstrap: true
+  job_db_init: true
+  job_db_sync: true
+  job_ks_endpoints: true
+  job_ks_service: true
+  job_ks_user: true
+  job_rabbit_init: true
+  pdb_api: true
+  pdb_producer: true
+  pdb_central: true
+  pdb_worker: true
+  pdb_mdns: true
+  pdb_sink: false
+  secret_db: true
+  secret_ingress_tls: true
+  secret_keystone: true
+  secret_rabbitmq: true
+  secret_registry: true
+  service_api: true
+  service_mdns: true
+  service_ingress_api: true
+...
diff --git a/charts/glance/.helmignore b/charts/glance/.helmignore
new file mode 100644
index 0000000..b54c347
--- /dev/null
+++ b/charts/glance/.helmignore
@@ -0,0 +1 @@
+values_overrides
diff --git a/charts/glance/Chart.yaml b/charts/glance/Chart.yaml
new file mode 100644
index 0000000..0650294
--- /dev/null
+++ b/charts/glance/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Glance
+home: https://docs.openstack.org/glance/latest/
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/Glance/OpenStack_Project_Glance_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: glance
+sources:
+- https://opendev.org/openstack/glance
+- https://opendev.org/openstack/openstack-helm
+version: 0.4.1
diff --git a/charts/glance/charts/helm-toolkit/Chart.yaml b/charts/glance/charts/helm-toolkit/Chart.yaml
new file mode 100644
index 0000000..12e2dd2
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Helm-Toolkit
+home: https://docs.openstack.org/openstack-helm
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: helm-toolkit
+sources:
+- https://opendev.org/openstack/openstack-helm-infra
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.50
diff --git a/charts/glance/charts/helm-toolkit/requirements.yaml b/charts/glance/charts/helm-toolkit/requirements.yaml
new file mode 100644
index 0000000..27fb08a
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/requirements.yaml
@@ -0,0 +1,15 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies: []
+...
diff --git a/charts/glance/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl b/charts/glance/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..12b84de
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
@@ -0,0 +1,58 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves database, or basic auth, style endpoints
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      auth:
+        admin:
+          username: root
+          password: password
+        service_username:
+          username: username
+          password: password
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+      path: /dbname
+      scheme: mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "service_username" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+return: |
+  mysql+pymysql://serviceuser:password@mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s:%s@%s:%s%s" $endpointScheme $endpointUser $endpointPass $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl b/charts/glance/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..b7cf287
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
@@ -0,0 +1,121 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves endpoint string suitible for use with oslo.messaging transport url
+  See: https://docs.openstack.org/oslo.messaging/latest/reference/transport.html#oslo_messaging.TransportURL
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset:
+            replicas: 2
+            name: rabbitmq-rabbitmq
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: null
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq-rabbitmq-0.rabbitmq.default.svc.cluster.local:5672,cinder:password@rabbitmq-rabbitmq-1.rabbitmq.default.svc.cluster.local:5672/cinder
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset: null
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: null
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq.default.svc.cluster.local:5672/cinder
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset:
+            replicas: 2
+            name: rabbitmq-rabbitmq
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: rabbitmq.openstackhelm.org
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq.openstackhelm.org:5672/cinder
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" -}}
+{{-   $type := index . 0 -}}
+{{-   $endpoint := index . 1 -}}
+{{-   $userclass := index . 2 -}}
+{{-   $port := index . 3 -}}
+{{-   $context := index . 4 -}}
+{{-   $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{-   $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{-   $ssMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "statefulset" | default false}}
+{{-   $hostFqdnOverride := index $context.Values.endpoints ( $type | replace "-" "_" ) "host_fqdn_override" }}
+{{-   $endpointUser := index $userMap "username" }}
+{{-   $endpointPass := index $userMap "password" }}
+{{-   $endpointHostSuffix := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{-   $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{-   $local := dict "endpointCredsAndHosts" list -}}
+{{-   if not (or (index $hostFqdnOverride $endpoint | default ( index $hostFqdnOverride "default" ) ) ( not $ssMap ) ) }}
+{{-     $endpointHostPrefix := $ssMap.name }}
+{{-     range $podInt := until ( atoi (print $ssMap.replicas ) ) }}
+{{-       $endpointCredAndHost := printf "%s:%s@%s-%d.%s:%s" $endpointUser $endpointPass $endpointHostPrefix $podInt $endpointHostSuffix $endpointPort }}
+{{-       $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{-     end }}
+{{-   else }}
+{{-     $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{-     $endpointCredAndHost := printf "%s:%s@%s:%s" $endpointUser $endpointPass $endpointHost $endpointPort }}
+{{-     $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{-   end }}
+{{-   $endpointCredsAndHosts := include "helm-toolkit.utils.joinListWithComma" $local.endpointCredsAndHosts }}
+{{-   $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{-   printf "%s://%s%s" $endpointScheme $endpointCredsAndHosts $endpointPath }}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl b/charts/glance/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
new file mode 100644
index 0000000..fb8bbe7
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves either the fully qualified hostname, of if defined in the host field
+  IPv4 for an endpoint.
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default:
+             host: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: 127.0.0.1
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      127.0.0.1
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default:
+             host: 127.0.0.1
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      127.0.0.1
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_host_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl b/charts/glance/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
new file mode 100644
index 0000000..447efe7
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
@@ -0,0 +1,41 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the port for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+return: |
+  3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_port_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- $endpointPortMAP := index $endpointMap.port $port }}
+{{- $endpointPort := index $endpointPortMAP $endpoint | default ( index $endpointPortMAP "default" ) }}
+{{- printf "%1.f" $endpointPort -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl b/charts/glance/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
new file mode 100644
index 0000000..3a268c0
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
@@ -0,0 +1,36 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Gets the token for an endpoint
+values: |
+  endpoints:
+    keystone:
+      auth:
+        admin:
+          token: zh78JzXgw6YUKy2e
+usage: |
+  {{ tuple "keystone" "admin" . | include "helm-toolkit.endpoints.endpoint_token_lookup" }}
+return: |
+  zh78JzXgw6YUKy2e
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_token_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $userName := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" }}
+{{- printf "%s" $serviceToken -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl b/charts/glance/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..6877b7b
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
@@ -0,0 +1,59 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves 'hostname:port' for an endpoint
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+          port:
+            mysql:
+              default: 3306
+    usage: |
+      {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local:3306
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: 127.0.0.1
+          host_fqdn_override:
+            default: null
+          port:
+            mysql:
+              default: 3306
+    usage: |
+      {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+    return: |
+      127.0.0.1:3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- printf "%s:%s" $endpointHostname $endpointPort -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl b/charts/glance/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
new file mode 100644
index 0000000..26374e3
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the fully qualified hostname for an endpoint
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: mariadb.openstackhelm.openstack.org
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.openstackhelm.openstack.org
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default:
+              host: mariadb.openstackhelm.openstack.org
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.openstackhelm.openstack.org
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointHostNamespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.svc.%s" $endpointHostNamespaced $context.Values.endpoints.cluster_domain_suffix }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $endpointMap.host_fqdn_override "default" | default "" ) }}
+{{- if kindIs "map" $context.Values.__FQDNendpointHostDefault }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $context.Values.__FQDNendpointHostDefault "host" ) }}
+{{- end }}
+{{- if kindIs "map" (index $endpointMap.host_fqdn_override $endpoint) }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint "host" | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl b/charts/glance/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
new file mode 100644
index 0000000..9d60393
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
@@ -0,0 +1,40 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the namespace scoped hostname for an endpoint
+values: |
+  endpoints:
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+return: |
+  mariadb.default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.%s" $endpointHost $namespace }}
+{{- printf "%s" $endpointClusterHostname -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl b/charts/glance/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
new file mode 100644
index 0000000..cc4d4de
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the namespace scoped hostname for an endpoint
+values: |
+  endpoints:
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" }}
+return: |
+  default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- printf "%s" $namespace -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl b/charts/glance/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
new file mode 100644
index 0000000..f23c624
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the short hostname for an endpoint
+examples:
+  - values: |
+      endpoints:
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+    return: |
+      mariadb
+  - values: |
+      endpoints:
+        oslo_db:
+          hosts:
+            default:
+              host: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+    return: |
+      mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- printf "%s" $type -}}
+{{- else }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl b/charts/glance/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
new file mode 100644
index 0000000..e31c0eb
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the service name for an service type
+values: |
+  endpoints:
+    identity:
+      name: keystone
+usage: |
+  {{ tuple identity . | include "keystone_endpoint_name_lookup" }}
+return: |
+  "keystone"
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_name_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointName := index $endpointMap "name" }}
+{{- $endpointName | quote -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl b/charts/glance/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
new file mode 100644
index 0000000..b2ec648
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+  Resolves the path for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      path:
+       default: /dbname
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+return: |
+  /dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_path_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.path }}
+{{- printf "%s" $endpointMap.path | default "/" -}}
+{{- else -}}
+{{- $endpointPath := index $endpointMap.path $endpoint | default $endpointMap.path.default | default "/" }}
+{{- printf "%s" $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl b/charts/glance/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
new file mode 100644
index 0000000..b35cb0b
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+  Resolves the scheme for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      scheme:
+        default:
+          mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+return: |
+  mysql+pymysql
+*/}}
+
+# This function returns the scheme for a service, it takes an tuple
+# input in the form: service-type, endpoint-class, port-name. eg:
+# { tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_scheme_lookup" }
+# will return the scheme setting for this particular endpoint.  In other words, for most endpoints
+# it will return either 'http' or 'https'
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.scheme }}
+{{- printf "%s" $endpointMap.scheme | default "http" -}}
+{{- else -}}
+{{- $endpointScheme := index $endpointMap.scheme $endpoint | default $endpointMap.scheme.default | default "http" }}
+{{- printf "%s" $endpointScheme -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl b/charts/glance/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..8d0819c
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
@@ -0,0 +1,52 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  This function helps resolve uri style endpoints. It will omit the port for
+  http when 80 is used, and 443 in the case of https.
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+      path: /dbname
+      scheme: mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+return: |
+  mysql+pymysql://mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- if or ( and ( eq $endpointScheme "http" ) ( eq $endpointPort "80" ) ) ( and ( eq $endpointScheme "https" ) ( eq $endpointPort "443" ) ) -}}
+{{- printf "%s://%s%s" $endpointScheme $endpointHost $endpointPath -}}
+{{- else -}}
+{{- printf "%s://%s:%s%s" $endpointScheme $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl b/charts/glance/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
new file mode 100644
index 0000000..cf2ef38
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  This function returns endpoint "<namespace>:<name>" pair from an endpoint
+  definition. This is used in kubernetes-entrypoint to support dependencies
+  between different services in different namespaces.
+  returns: the endpoint namespace and the service name, delimited by a colon
+
+  Normally, the service name is constructed dynamically from the hostname
+  however when an ip address is used as the hostname, we default to
+  namespace:endpointCategoryName in order to construct a valid service name
+  however this can be overridden to a custom service name by defining
+  .service.name within the endpoint definition
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      namespace: foo
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple oslo_db internal . | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}
+return: |
+  foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- with $endpointMap -}}
+{{- $endpointName := index .hosts $endpoint | default .hosts.default }}
+{{- $endpointNamespace := .namespace | default $context.Release.Namespace }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointName }}
+{{- if .service.name }}
+{{- printf "%s:%s" $endpointNamespace .service.name -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $typeYamlSafe -}}
+{{- end -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $endpointName -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl b/charts/glance/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
new file mode 100644
index 0000000..18453ee
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for kubernete ceph storageclass
+examples:
+  - values: |
+      manifests:
+        storageclass: true
+      storageclass:
+        rbd:
+          provision_storage_class: true
+          provisioner: "ceph.com/rbd"
+          metadata:
+            default_storage_class: true
+            name: general
+          parameters:
+            #We will grab the monitors value based on helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup
+            pool: rbd
+            admin_id: admin
+            ceph_configmap_name: "ceph-etc"
+            admin_secret_name: "pvc-ceph-conf-combined-storageclass"
+            admin_secret_namespace: ceph
+            user_id: admin
+            user_secret_name: "pvc-ceph-client-key"
+            image_format: "2"
+            image_features: layering
+        cephfs:
+          provision_storage_class: true
+          provisioner: "ceph.com/cephfs"
+          metadata:
+            name: cephfs
+          parameters:
+            admin_id: admin
+            admin_secret_name: "pvc-ceph-cephfs-client-key"
+            admin_secret_namespace: ceph
+    usage: |
+      {{- range $storageclass, $val := .Values.storageclass }}
+      {{ dict "storageclass_data" $val "envAll" $ | include "helm-toolkit.manifests.ceph-storageclass" }}
+      {{- end }}
+    return: |
+      ---
+      apiVersion: storage.k8s.io/v1
+      kind: StorageClass
+      metadata:
+        annotations:
+          storageclass.kubernetes.io/is-default-class: "true"
+        name: general
+      provisioner: ceph.com/rbd
+      parameters:
+        monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+        adminId: admin
+        adminSecretName: pvc-ceph-conf-combined-storageclass
+        adminSecretNamespace: ceph
+        pool: rbd
+        userId: admin
+        userSecretName: pvc-ceph-client-key
+        image_format: "2"
+        image_features: layering
+      ---
+      apiVersion: storage.k8s.io/v1
+      kind: StorageClass
+      metadata:
+        name: cephfs
+      provisioner: ceph.com/cephfs
+      parameters:
+        monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+        adminId: admin
+        adminSecretName: pvc-ceph-cephfs-client-key
+        adminSecretNamespace: ceph
+*/}}
+
+{{- define "helm-toolkit.manifests.ceph-storageclass" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $monHost := $envAll.Values.conf.ceph.global.mon_host -}}
+{{- if empty $monHost -}}
+{{- $monHost = tuple "ceph_mon" "internal" "mon" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- end -}}
+{{- $storageclassData := index . "storageclass_data" -}}
+---
+{{- if $storageclassData.provision_storage_class }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+{{- if $storageclassData.metadata.default_storage_class }}
+  annotations:
+    storageclass.kubernetes.io/is-default-class: "true"
+{{- end }}
+  name: {{ $storageclassData.metadata.name }}
+provisioner: {{ $storageclassData.provisioner }}
+parameters:
+  monitors: {{ $monHost }}
+{{- range $attr, $value := $storageclassData.parameters }}
+  {{ $attr }}: {{ $value | quote }}
+{{- end }}
+allowVolumeExpansion: true
+
+{{- end }}
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/manifests/_certificates.tpl b/charts/glance/charts/helm-toolkit/templates/manifests/_certificates.tpl
new file mode 100644
index 0000000..8be771e
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/manifests/_certificates.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a certificate using jetstack
+examples:
+  - values: |
+      endpoints:
+        dashboard:
+          host_fqdn_override:
+            default:
+              host: null
+              tls:
+                secretName: keystone-tls-api
+                issuerRef:
+                  name: ca-issuer
+                  duration: 2160h
+                  organization:
+                    - ACME
+                  commonName: keystone-api.openstack.svc.cluster.local
+                  privateKey:
+                    size: 2048
+                  usages:
+                    - server auth
+                    - client auth
+                  dnsNames:
+                    - cluster.local
+                  issuerRef:
+                    name: ca-issuer
+    usage: |
+      {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
+      {{ $opts | include "helm-toolkit.manifests.certificates" }}
+    return: |
+      ---
+      apiVersion: cert-manager.io/v1
+      kind: Certificate
+      metadata:
+        name: keystone-tls-api
+        namespace: NAMESPACE
+      spec:
+        commonName: keystone-api.openstack.svc.cluster.local
+        dnsNames:
+        - cluster.local
+        duration: 2160h
+        issuerRef:
+          name: ca-issuer
+        privateKey:
+          size: 2048
+        organization:
+        - ACME
+        secretName: keystone-tls-api
+        usages:
+        - server auth
+        - client auth
+*/}}
+
+{{- define "helm-toolkit.manifests.certificates" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $service := index . "service" -}}
+{{- $type := index . "type" | default "" -}}
+{{- $slice := index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" -}}
+{{/* Put in some sensible default value if one is not provided by values.yaml */}}
+{{/* If a dnsNames list is not in the values.yaml, it can be overridden by a passed-in parameter.
+  This allows user to use other HTK method to determine the URI and pass that into this method.*/}}
+{{- if not (hasKey $slice "dnsNames") -}}
+{{- $hostName := tuple $service $type $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
+{{- $_ := $dnsNames | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "dnsNames" -}}
+{{- end -}}
+{{/* Default privateKey size to 4096. This can be overridden. */}}
+{{- if not (hasKey $slice "privateKey") -}}
+{{- $_ := dict "size" ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "privateKey" -}}
+{{- else if empty (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey" "size") -}}
+{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey") "size" -}}
+{{- end -}}
+{{/* Default duration to 3 months. Note the min is 720h. This can be overridden. */}}
+{{- if not (hasKey $slice "duration") -}}
+{{- $_ := printf "%s" "2190h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "duration" -}}
+{{- end -}}
+{{/* Default renewBefore to 15 days. This can be overridden. */}}
+{{- if not (hasKey $slice "renewBefore") -}}
+{{- $_ := printf "%s" "360h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "renewBefore" -}}
+{{- end -}}
+{{/* Default the usage to server auth and client auth. This can be overridden. */}}
+{{- if not (hasKey $slice "usages") -}}
+{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}}
+{{- end -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }}
+  namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{ $slice | toYaml | indent 2 }}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/glance/charts/helm-toolkit/templates/manifests/_ingress.tpl
new file mode 100644
index 0000000..4c476b2
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -0,0 +1,727 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a services ingress rules.
+examples:
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public: barbican
+          host_fqdn_override:
+            default: null
+            public:
+              host: barbican.openstackhelm.example
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican-namespace-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican.openstackhelm.example
+        rules:
+          - host: barbican.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican-cluster-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx-cluster"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican.openstackhelm.example
+        rules:
+          - host: barbican.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  - values: |
+      cert_issuer_type: issuer
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/secure-backends: "true"
+              nginx.ingress.kubernetes.io/backend-protocol: "https"
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+              internal: barbican-tls-api
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+          certs:
+            barbican_tls_api:
+              secretName: barbican-tls-api
+              issuerRef:
+                name: ca-issuer
+                kind: Issuer
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          cert-manager.io/issuer: ca-issuer
+          certmanager.k8s.io/issuer: ca-issuer
+          nginx.ingress.kubernetes.io/backend-protocol: https
+          nginx.ingress.kubernetes.io/secure-backends: "true"
+      spec:
+        tls:
+          - secretName: barbican-tls-public-certmanager
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/secure-backends: "true"
+              nginx.ingress.kubernetes.io/backend-protocol: "https"
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+              internal: barbican-tls-api
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+          certs:
+            barbican_tls_api:
+              secretName: barbican-tls-api
+              issuerRef:
+                name: ca-issuer
+                kind: ClusterIssuer
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer") -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          cert-manager.io/cluster-issuer: ca-issuer
+          certmanager.k8s.io/cluster-issuer: ca-issuer
+          nginx.ingress.kubernetes.io/backend-protocol: https
+          nginx.ingress.kubernetes.io/secure-backends: "true"
+      spec:
+        tls:
+          - secretName: barbican-tls-public-certmanager
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  # Sample usage for multiple DNS names associated with the same public
+  # endpoint and certificate
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        grafana:
+          name: grafana
+          hosts:
+            default: grafana-dashboard
+            public: grafana
+          host_fqdn_override:
+            public:
+              host: grafana.openstackhelm.example
+              tls:
+                dnsNames:
+                  - grafana-alt.openstackhelm.example
+                crt: "BASE64 ENCODED CERT"
+                key: "BASE64 ENCODED KEY"
+      network:
+        grafana:
+          ingress:
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          grafana:
+            grafana:
+              public: grafana-tls-public
+    usage: |
+      {{- $ingressOpts := dict "envAll" . "backendService" "grafana" "backendServiceType" "grafana" "backendPort" "dashboard" -}}
+      {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        rules:
+          - host: grafana
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana-namespace-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: grafana-tls-public
+            hosts:
+              - grafana.openstackhelm.example
+              - grafana-alt.openstackhelm.example
+        rules:
+          - host: grafana.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana-alt.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana-cluster-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx-cluster"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: grafana-tls-public
+            hosts:
+              - grafana.openstackhelm.example
+              - grafana-alt.openstackhelm.example
+        rules:
+          - host: grafana.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana-alt.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+
+*/}}
+
+{{- define "helm-toolkit.manifests.ingress._host_rules" -}}
+{{- $vHost := index . "vHost" -}}
+{{- $backendName := index . "backendName" -}}
+{{- $backendPort := index . "backendPort" -}}
+- host: {{ $vHost }}
+  http:
+    paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: {{ $backendName }}
+            port:
+{{- if or (kindIs "int" $backendPort) (regexMatch "^[0-9]{1,5}$" $backendPort) }}
+              number: {{ $backendPort | int }}
+{{- else }}
+              name: {{ $backendPort | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "helm-toolkit.manifests.ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendService := index . "backendService" | default "api" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+{{- $backendPort := index . "backendPort" -}}
+{{- $endpoint := index . "endpoint" | default "public" -}}
+{{- $certIssuer := index . "certIssuer" | default "" -}}
+{{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostNameFull := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $certIssuerType := "cluster-issuer" -}}
+{{- if $envAll.Values.cert_issuer_type }}
+{{- $certIssuerType = $envAll.Values.cert_issuer_type }}
+{{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $ingressName }}
+  annotations:
+    kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" "namespace" | quote }}
+{{- if $certIssuer }}
+    cert-manager.io/{{ $certIssuerType }}: {{ $certIssuer }}
+    certmanager.k8s.io/{{ $certIssuerType }}: {{ $certIssuer }}
+{{- $slice := index $envAll.Values.endpoints $backendServiceType "host_fqdn_override" "default" "tls" -}}
+{{- if (hasKey $slice "duration") }}
+    cert-manager.io/duration: {{ index $slice "duration" }}
+{{- end }}
+{{- end }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "hosts" }}
+{{- if $certIssuer }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ printf "%s-ing" $secretName }}
+      hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+        - {{ $vHost }}
+{{- end }}
+{{- else }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ $secretName }}
+      hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+        - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+  rules:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+{{- $hostRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
+{{- $ingressConf := $envAll.Values.network -}}
+{{- $ingressClasses := ternary (tuple "namespace") (tuple "namespace" "cluster") (and (hasKey $ingressConf "use_external_ingress_controller") $ingressConf.use_external_ingress_controller) }}
+{{- range $key2, $ingressController := $ingressClasses }}
+{{- $vHosts := list $hostNameFull }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ printf "%s-%s-%s" $ingressName $ingressController "fqdn" }}
+  annotations:
+    kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" $ingressController | quote }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
+{{- $vHosts = append $vHosts $v }}
+{{- end }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ $secretName }}
+      hosts:
+{{- range $vHost := $vHosts }}
+        - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+  rules:
+{{- range $vHost := $vHosts }}
+{{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/charts/glance/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
new file mode 100644
index 0000000..5d98c8b
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
@@ -0,0 +1,141 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $bootstrapJob := dict "envAll" . "serviceName" "senlin" -}
+# { $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }
+
+{{- define "helm-toolkit.manifests.job_bootstrap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}}
+{{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $keystoneUser := index . "keystoneUser" | default $serviceName -}}
+{{- $openrc := index . "openrc" | default "true" -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "bootstrap" }}
+{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "bootstrap" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+      containers:
+        - name: bootstrap
+          image: {{ $envAll.Values.images.tags.bootstrap }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if eq $openrc "true" }}
+          env:
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+{{- end }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/bootstrap.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: bootstrap-sh
+              mountPath: /tmp/bootstrap.sh
+              subPath: bootstrap.sh
+              readOnly: true
+            - name: etc-service
+              mountPath: {{ dir $configFile | quote }}
+            - name: bootstrap-conf
+              mountPath: {{ $configFile | quote }}
+              subPath: {{ base $configFile | quote }}
+              readOnly: true
+            - name: bootstrap-conf
+              mountPath: {{ $logConfigFile | quote }}
+              subPath: {{ base $logConfigFile | quote }}
+              readOnly: true
+{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: bootstrap-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etc-service
+          emptyDir: {}
+        - name: bootstrap-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/charts/glance/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
new file mode 100644
index 0000000..62ed119
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
@@ -0,0 +1,170 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToDropJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_drop_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToDrop := index . "dbToDrop" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToDrop := default (list $dbToDrop) (index . "dbsToDrop") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
+{{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-drop" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": hook-succeeded
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_drop" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_drop" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{ $dbToDropType := default "oslo" $dbToDrop.inputType }}
+        - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-drop" $key1 | quote }}
+          image: {{ $envAll.Values.images.tags.db_drop }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_drop | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: ROOT_DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToDrop.adminSecret | quote }}
+                  key: DB_CONNECTION
+{{- if eq $dbToDropType "oslo" }}
+            - name: OPENSTACK_CONFIG_FILE
+              value: {{ $dbToDrop.configFile | quote }}
+            - name: OPENSTACK_CONFIG_DB_SECTION
+              value: {{ $dbToDrop.configDbSection | quote }}
+            - name: OPENSTACK_CONFIG_DB_KEY
+              value: {{ $dbToDrop.configDbKey | quote }}
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+            - name: MARIADB_X509
+              value: "REQUIRE X509"
+{{- end }}
+{{- if eq $dbToDropType "secret" }}
+            - name: DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToDrop.userSecret | quote }}
+                  key: DB_CONNECTION
+{{- end }}
+          command:
+            - /tmp/db-drop.py
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-drop-sh
+              mountPath: /tmp/db-drop.py
+              subPath: db-drop.py
+              readOnly: true
+
+{{- if eq $dbToDropType "oslo" }}
+            - name: etc-service
+              mountPath: {{ dir $dbToDrop.configFile | quote }}
+            - name: db-drop-conf
+              mountPath: {{ $dbToDrop.configFile | quote }}
+              subPath: {{ base $dbToDrop.configFile | quote }}
+              readOnly: true
+            - name: db-drop-conf
+              mountPath: {{ $dbToDrop.logConfigFile | quote }}
+              subPath: {{ base $dbToDrop.logConfigFile | quote }}
+              readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-drop-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{- $dbToDropType := default "oslo" $dbToDrop.inputType }}
+{{- if and (eq $dbToDropType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-drop-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/charts/glance/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
new file mode 100644
index 0000000..745e8da
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
@@ -0,0 +1,169 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToInitJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_init_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToInit := index . "dbToInit" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToInit := default (list $dbToInit) (index . "dbsToInit") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
+{{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-init" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{ $dbToInitType := default "oslo" $dbToInit.inputType }}
+        - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-init" $key1 | quote }}
+          image: {{ $envAll.Values.images.tags.db_init }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: ROOT_DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToInit.adminSecret | quote }}
+                  key: DB_CONNECTION
+{{- if eq $dbToInitType "oslo" }}
+            - name: OPENSTACK_CONFIG_FILE
+              value: {{ $dbToInit.configFile | quote }}
+            - name: OPENSTACK_CONFIG_DB_SECTION
+              value: {{ $dbToInit.configDbSection | quote }}
+            - name: OPENSTACK_CONFIG_DB_KEY
+              value: {{ $dbToInit.configDbKey | quote }}
+{{- end }}
+{{- if eq $dbToInitType "secret" }}
+            - name: DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToInit.userSecret | quote }}
+                  key: DB_CONNECTION
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+            - name: MARIADB_X509
+              value: "REQUIRE X509"
+{{- end }}
+          command:
+            - /tmp/db-init.py
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-init-sh
+              mountPath: /tmp/db-init.py
+              subPath: db-init.py
+              readOnly: true
+{{- if eq $dbToInitType "oslo" }}
+            - name: etc-service
+              mountPath: {{ dir $dbToInit.configFile | quote }}
+            - name: db-init-conf
+              mountPath: {{ $dbToInit.configFile | quote }}
+              subPath: {{ base $dbToInit.configFile | quote }}
+              readOnly: true
+            - name: db-init-conf
+              mountPath: {{ $dbToInit.logConfigFile | quote }}
+              subPath: {{ base $dbToInit.logConfigFile | quote }}
+              readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-init-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{- $dbToInitType := default "oslo" $dbToInit.inputType }}
+{{- if and (eq $dbToInitType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-init-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl b/charts/glance/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
new file mode 100644
index 0000000..24d2496
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
@@ -0,0 +1,137 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db migration and management.
+# It can be used in charts dict created similar to the following:
+# {- $dbSyncJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }
+
+{{- define "helm-toolkit.manifests.job_db_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $podEnvVars := index . "podEnvVars" | default false -}}
+{{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "image" ( index $envAll.Values.images.tags ( printf "%s_db_sync" $serviceName )) ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
+{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+          image: {{ $dbToSync.image | quote }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if $podEnvVars }}
+          env:
+{{ $podEnvVars | toYaml | indent 12 }}
+{{- end }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/db-sync.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-sync-sh
+              mountPath: /tmp/db-sync.sh
+              subPath: db-sync.sh
+              readOnly: true
+            - name: etc-service
+              mountPath: {{ dir $dbToSync.configFile | quote }}
+            - name: db-sync-conf
+              mountPath: {{ $dbToSync.configFile | quote }}
+              subPath: {{ base $dbToSync.configFile | quote }}
+              readOnly: true
+            - name: db-sync-conf
+              mountPath: {{ $dbToSync.logConfigFile | quote }}
+              subPath: {{ base $dbToSync.logConfigFile | quote }}
+              readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-sync-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-sync-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/charts/glance/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
new file mode 100644
index 0000000..3a7df7f
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
@@ -0,0 +1,130 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksEndpointJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksEndpointJob | include "helm-toolkit.manifests.job_ks_endpoints" }
+
+{{- define "helm-toolkit.manifests.job_ks_endpoints" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_endpoints" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_endpoints.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-endpoints" }}
+{{ tuple $envAll "ks_endpoints" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "ks-endpoints" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_endpoints" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_endpoints" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+        - name: {{ printf "%s-%s-%s" $osServiceType "ks-endpoints" $osServiceEndPoint | quote }}
+          image: {{ $envAll.Values.images.tags.ks_endpoints }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-endpoints.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-endpoints-sh
+              mountPath: /tmp/ks-endpoints.sh
+              subPath: ks-endpoints.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: OS_SVC_ENDPOINT
+              value: {{ $osServiceEndPoint | quote }}
+            - name: OS_SERVICE_NAME
+              value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+            - name: OS_SERVICE_TYPE
+              value: {{ $osServiceType | quote }}
+            - name: OS_SERVICE_ENDPOINT
+              value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-endpoints-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl b/charts/glance/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
new file mode 100644
index 0000000..a109e3c
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
@@ -0,0 +1,124 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksServiceJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }
+
+{{- define "helm-toolkit.manifests.job_ks_service" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_service" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_service.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-service" }}
+{{ tuple $envAll "ks_service" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "ks-service" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_service" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_service" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+        - name: {{ printf "%s-%s" $osServiceType "ks-service-registration" | quote }}
+          image: {{ $envAll.Values.images.tags.ks_service }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-service.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-service-sh
+              mountPath: /tmp/ks-service.sh
+              subPath: ks-service.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: OS_SERVICE_NAME
+              value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+            - name: OS_SERVICE_TYPE
+              value: {{ $osServiceType | quote }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-service-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/charts/glance/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
new file mode 100644
index 0000000..905eb71
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone user management.
+# It can be used in charts dict created similar to the following:
+# {- $ksUserJob := dict "envAll" . "serviceName" "senlin" }
+# { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }
+
+{{/*
+  # To enable PodSecuritycontext (PodSecurityContext/v1) define the below in values.yaml:
+  # example:
+  #  values: |
+  #    pod:
+  #      security_context:
+  #        ks_user:
+  #          pod:
+  #            runAsUser: 65534
+  # To enable Container SecurityContext(SecurityContext/v1) for ks-user container define the values:
+  # example:
+  #   values: |
+  #     pod:
+  #       security_context:
+  #         ks_user:
+  #           container:
+  #             ks-user:
+  #               runAsUser: 65534
+  #               readOnlyRootFilesystem: true
+  #               allowPrivilegeEscalation: false
+*/}}
+
+{{- define "helm-toolkit.manifests.job_ks_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_user" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_user.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "ks-user" }}
+{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceUserPretty "ks-user" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+{{ dict "envAll" $envAll "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: ks-user
+          image: {{ $envAll.Values.images.tags.ks_user }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ks_user" "container" "ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-user.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-user-sh
+              mountPath: /tmp/ks-user.sh
+              subPath: ks-user.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: SERVICE_OS_SERVICE_NAME
+              value: {{ $serviceName | quote }}
+{{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: SERVICE_OS_ROLES
+            {{- $serviceOsRoles := index $envAll.Values.endpoints.identity.auth $serviceUser "role" }}
+            {{- if kindIs "slice" $serviceOsRoles }}
+              value: {{ include "helm-toolkit.utils.joinListWithComma" $serviceOsRoles | quote }}
+            {{- else }}
+              value: {{ $serviceOsRoles | quote }}
+            {{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-user-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/charts/glance/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
new file mode 100644
index 0000000..6982064
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
@@ -0,0 +1,129 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.manifests.job_rabbit_init" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
+{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceUserPretty "rabbit-init" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "rabbit_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "rabbit_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: rabbit-init
+          image: {{ $envAll.Values.images.tags.rabbit_init | quote }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.rabbit_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/rabbit-init.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: rabbit-init-sh
+              mountPath: /tmp/rabbit-init.sh
+              subPath: rabbit-init.sh
+              readOnly: true
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+          env:
+          - name: RABBITMQ_ADMIN_CONNECTION
+            valueFrom:
+              secretKeyRef:
+                name: {{ $envAll.Values.secrets.oslo_messaging.admin }}
+                key: RABBITMQ_CONNECTION
+          - name: RABBITMQ_USER_CONNECTION
+            valueFrom:
+              secretKeyRef:
+                name: {{ index $envAll.Values.secrets.oslo_messaging $serviceName }}
+                key: RABBITMQ_CONNECTION
+{{- if $envAll.Values.conf.rabbitmq }}
+          - name: RABBITMQ_AUXILIARY_CONFIGURATION
+            value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates (ne $tlsSecret "") }}
+          - name: RABBITMQ_X509
+            value: "REQUIRE X509"
+          - name: USER_CERT_PATH
+            value: {{ $tlsPath | quote }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: rabbit-init-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl b/charts/glance/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
new file mode 100644
index 0000000..29cb993
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
@@ -0,0 +1,147 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for linking an s3 bucket to an s3 user.
+# It can be used in charts dict created similar to the following:
+# {- $s3BucketJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3BucketJob | include "helm-toolkit.manifests.job_s3_bucket" }
+
+{{- define "helm-toolkit.manifests.job_s3_bucket" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+{{- $s3Bucket := index . "s3Bucket" | default $serviceName }}
+{{- $tlsCertificateSecret := index . "tlsCertificateSecret" -}}
+{{- $tlsCertificatePath := index . "tlsCertificatePath" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-bucket" }}
+{{ tuple $envAll "s3_bucket" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "s3-bucket" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "s3_bucket" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "s3_bucket" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: s3-bucket
+          image: {{ $envAll.Values.images.tags.s3_bucket }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_bucket | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/create-s3-bucket.sh
+          env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: s3-bucket-sh
+              mountPath: /tmp/create-s3-bucket.sh
+              subPath: create-s3-bucket.sh
+              readOnly: true
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: ceph.conf
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+            - name: {{ $tlsCertificateSecret }}
+              mountPath: {{ $tlsCertificatePath }}
+              subPath: ca.crt
+              readOnly: true
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: s3-bucket-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etcceph
+          emptyDir: {}
+        - name: ceph-etc
+          configMap:
+            name: {{ $configMapCeph | quote }}
+            defaultMode: 0444
+        {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+        - name: ceph-keyring
+          secret:
+            secretName: pvc-ceph-client-key
+        {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+        - name: {{ $tlsCertificateSecret }}
+          secret:
+            secretName: {{ $tlsCertificateSecret }}
+            defaultMode: 292
+{{- end }}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl b/charts/glance/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
new file mode 100644
index 0000000..50d9af5
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
@@ -0,0 +1,159 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for s3 user management.
+# It can be used in charts dict created similar to the following:
+# {- $s3UserJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3UserJob | include "helm-toolkit.manifests.job_s3_user" }
+
+{{- define "helm-toolkit.manifests.job_s3_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-user" }}
+{{ tuple $envAll "s3_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "s3-user" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook-delete-policy": before-hook-creation
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "s3_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "s3_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: ceph-keyring-placement
+          image: {{ $envAll.Values.images.tags.ceph_key_placement }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+          command:
+            - /tmp/ceph-admin-keyring.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-keyring-sh
+              mountPath: /tmp/ceph-admin-keyring.sh
+              subPath: ceph-admin-keyring.sh
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+      containers:
+        - name: s3-user
+          image: {{ $envAll.Values.images.tags.s3_user }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/create-s3-user.sh
+          env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+            - name: RGW_HOST
+              value: {{ tuple "ceph_object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: create-s3-user-sh
+              mountPath: /tmp/create-s3-user.sh
+              subPath: create-s3-user.sh
+              readOnly: true
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: ceph.conf
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: create-s3-user-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: ceph-keyring-sh
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+        - name: etcceph
+          emptyDir: {}
+        - name: ceph-etc
+          configMap:
+            name: {{ $configMapCeph | quote }}
+            defaultMode: 0444
+        {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+        - name: ceph-keyring
+          secret:
+            secretName: pvc-ceph-client-key
+        {{ end }}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl b/charts/glance/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
new file mode 100644
index 0000000..0906df4
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
@@ -0,0 +1,119 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for the image repo sync jobs.
+# It can be used in charts dict created similar to the following:
+# {- $imageRepoSyncJob := dict "envAll" . "serviceName" "prometheus" -}
+# { $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }
+
+{{- define "helm-toolkit.manifests.job_image_repo_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "image-repo-sync" }}
+{{ tuple $envAll "image_repo_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "image-repo-sync" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook-delete-policy": before-hook-creation
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "image_repo_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+      containers:
+        - name: image-repo-sync
+{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: LOCAL_REPO
+              value: "{{ tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+            - name: IMAGE_SYNC_LIST
+              value: "{{ include "helm-toolkit.utils.image_sync_list" $envAll }}"
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/image-repo-sync.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: bootstrap-sh
+              mountPath: /tmp/image-repo-sync.sh
+              subPath: image-repo-sync.sh
+              readOnly: true
+            - name: docker-socket
+              mountPath: /var/run/docker.sock
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: bootstrap-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: docker-socket
+          hostPath:
+            path: /var/run/docker.sock
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/manifests/_network_policy.tpl b/charts/glance/charts/helm-toolkit/templates/manifests/_network_policy.tpl
new file mode 100644
index 0000000..405197a
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/manifests/_network_policy.tpl
@@ -0,0 +1,238 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a network policy manifest for services.
+values: |
+  endpoints:
+    kube_dns:
+      namespace: kube-system
+      name: kubernetes-dns
+      hosts:
+        default: kube-dns
+      host_fqdn_override:
+        default: null
+      path:
+        default: null
+      scheme: http
+      port:
+        dns_tcp:
+          default: 53
+        dns:
+          default: 53
+          protocol: UDP
+  network_policy:
+    myLabel:
+      podSelector:
+        matchLabels:
+          component: api
+      ingress:
+      - from:
+        - podSelector:
+            matchLabels:
+              application: keystone
+        ports:
+        - protocol: TCP
+          port: 80
+      egress:
+      - to:
+        - namespaceSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+usage: |
+  {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+  {{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}
+return: |
+  ---
+  apiVersion: networking.k8s.io/v1
+  kind: NetworkPolicy
+  metadata:
+    name: RELEASE-NAME
+    namespace: NAMESPACE
+  spec:
+    policyTypes:
+      - Ingress
+      - Egress
+    podSelector:
+      matchLabels:
+        application: myLabel
+        component: api
+    ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            application: keystone
+      ports:
+      - protocol: TCP
+        port: 80
+    egress:
+      - to:
+        - podSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+  ---
+  apiVersion: networking.k8s.io/v1
+  kind: NetworkPolicy
+  metadata:
+    name: RELEASE-NAME
+    namespace: NAMESPACE
+  spec:
+    policyTypes:
+      - Ingress
+      - Egress
+    podSelector:
+      matchLabels:
+        application: myApp
+        component: myComp
+    ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            application: keystone
+      ports:
+      - protocol: TCP
+        port: 80
+    egress:
+      - to:
+        - podSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+*/}}
+
+{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $name := index . "name" -}}
+{{- $labels := index . "labels" | default nil -}}
+{{- $label := index . "key" | default (index . "label") -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ $label | replace "_" "-" }}-netpol
+  namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+  policyTypes:
+{{- $is_egress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_egress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
+    - Egress
+{{ end -}}
+{{- $is_ingress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_ingress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
+    - Ingress
+{{ end -}}
+{{- end }}
+  podSelector:
+    matchLabels:
+{{- if empty $labels }}
+      {{ $name }}: {{ $label }}
+{{- else }}
+{{ range $k, $v := $labels }}
+      {{ $k }}: {{ $v }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
+{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
+{{ index $envAll.Values.network_policy $label "podSelector" "matchLabels" | toYaml | indent 6 }}
+{{ end }}
+{{ end }}
+{{ end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+  egress:
+{{- range $key, $value := $envAll.Values.endpoints }}
+{{- if kindIs "map" $value }}
+{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }}
+    - to:
+{{- if index $value "namespace" }}
+      - namespaceSelector:
+          matchLabels:
+            name: {{ index $value "namespace" }}
+{{- else if index $value "hosts" }}
+{{- $defaultValue := index $value "hosts" "internal" }}
+{{- if hasKey (index $value "hosts") "internal" }}
+{{- $a := split "-" $defaultValue }}
+      - podSelector:
+          matchLabels:
+            application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- else }}
+{{- $defaultValue := index $value "hosts" "default" }}
+{{- $a := split "-" $defaultValue }}
+      - podSelector:
+          matchLabels:
+            application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- end }}
+{{- end }}
+{{- if index $value "port" }}
+      ports:
+{{- range $k, $v := index $value "port" }}
+{{- if $k }}
+{{- range $pk, $pv := $v }}
+{{- if and $pv (ne $pk "protocol") }}
+      - port: {{ $pv }}
+        protocol: {{ $v.protocol | default "TCP" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if index $envAll.Values.network_policy $label "egress" }}
+{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if index $envAll.Values.network_policy $label "ingress" }}
+  ingress:
+{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl b/charts/glance/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
new file mode 100644
index 0000000..4854bb1
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
@@ -0,0 +1,93 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a authenticating a registry with a secret
+examples:
+  - values: |
+      secrets:
+        oci_image_registry:
+          {{ $serviceName }}: {{ $keyName }}
+      endpoints:
+        oci_image_registry:
+          name: oci-image-registry
+          auth:
+            enabled: true
+             {{ $serviceName }}:
+                name: {{ $userName }}
+                password: {{ $password }}
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: {{ $secretName }}
+    type: kubernetes.io/dockerconfigjson
+    data:
+      dockerconfigjson: {{ $dockerAuth }}
+
+  - values: |
+      secrets:
+        oci_image_registry:
+          {{ $serviceName }}: {{ $keyName }}
+      endpoints:
+        oci_image_registry:
+          name: oci-image-registry
+          auth:
+            enabled: true
+             {{ $serviceName }}:
+                name: {{ $userName }}
+                password: {{ $password }}
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: {{ $secretName }}
+    type: kubernetes.io/dockerconfigjson
+    data:
+      dockerconfigjson: {{ $dockerAuth }}
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_registry" }}
+{{- $envAll := index . "envAll" }}
+{{- $registryUser := index . "registryUser" }}
+{{- $secretName := index $envAll.Values.secrets.oci_image_registry $registryUser }}
+{{- $registryHost := tuple "oci_image_registry" "internal" $envAll | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{/*
+We only use "host:port" when port is non-null, else just use "host"
+*/}}
+{{- $registryPort := "" }}
+{{- $port := $envAll.Values.endpoints.oci_image_registry.port.registry.default }}
+{{- if $port }}
+{{- $port = tuple "oci_image_registry" "internal" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $registryPort = printf ":%s" $port }}
+{{- end }}
+{{- $imageCredentials := index $envAll.Values.endpoints.oci_image_registry.auth $registryUser }}
+{{- $dockerAuthToken := printf "%s:%s" $imageCredentials.username $imageCredentials.password | b64enc }}
+{{- $dockerAuth := printf "{\"auths\": {\"%s%s\": {\"auth\": \"%s\"}}}" $registryHost $registryPort $dockerAuthToken | b64enc }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ $dockerAuth }}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl b/charts/glance/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
new file mode 100644
index 0000000..24a7045
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a services public tls secret
+examples:
+  - values: |
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        key_manager:
+          host_fqdn_override:
+            public:
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: barbican-tls-public
+    type: kubernetes.io/tls
+    data:
+      tls.key: Rk9PLUtFWQo=
+      tls.crt: Rk9PLUNSVAoKRk9PLUNBX0NSVAo=
+
+  - values: |
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        key_manager:
+          host_fqdn_override:
+            public:
+              tls:
+                crt: |
+                  FOO-CRT
+                  FOO-INTERMEDIATE_CRT
+                  FOO-CA_CRT
+                key: |
+                  FOO-KEY
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: barbican-tls-public
+    type: kubernetes.io/tls
+    data:
+      tls.key: Rk9PLUtFWQo=
+      tls.crt: Rk9PLUNSVApGT08tSU5URVJNRURJQVRFX0NSVApGT08tQ0FfQ1JUCg==
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_ingress_tls" }}
+{{- $envAll := index . "envAll" }}
+{{- $endpoint := index . "endpoint" | default "public" }}
+{{- $backendServiceType := index . "backendServiceType" }}
+{{- $backendService := index . "backendService" | default "api" }}
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and $endpointHost.tls.key $endpointHost.tls.crt }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ index $envAll.Values.secrets.tls ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+type: kubernetes.io/tls
+data:
+  tls.key: {{ $endpointHost.tls.key | b64enc }}
+{{- if $endpointHost.tls.ca }}
+  tls.crt: {{ list $endpointHost.tls.crt $endpointHost.tls.ca | join "\n" | b64enc }}
+{{- else }}
+  tls.crt: {{ $endpointHost.tls.crt | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/manifests/_service-ingress.tpl b/charts/glance/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
new file mode 100644
index 0000000..d2e7c0e
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
@@ -0,0 +1,43 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for a services ingress rules.
+# It can be used in charts dict created similar to the following:
+# {- $serviceIngressOpts := dict "envAll" . "backendServiceType" "key-manager" -}
+# { $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }
+
+{{- define "helm-toolkit.manifests.service_ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+  ports:
+    - name: http
+      port: 80
+    - name: https
+      port: 443
+  selector:
+    app: ingress-api
+{{- if index $envAll.Values.endpoints $backendServiceType }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" "ingress" }}
+  clusterIP: {{ (index $envAll.Values.endpoints $backendServiceType "ip" "ingress") }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl b/charts/glance/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
new file mode 100644
index 0000000..bf1465b
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_bucket" }}
+#!/bin/bash
+set -e
+CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST"
+if [ "$RGW_PROTO" = "http" ]; then
+  CONNECTION_ARGS+=" --no-ssl"
+else
+  CONNECTION_ARGS+=" --no-check-certificate"
+fi
+ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
+USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY"
+function check_rgw_s3_bucket () {
+  s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS ls s3://$S3_BUCKET
+}
+function create_rgw_s3_bucket () {
+  s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS mb s3://$S3_BUCKET
+}
+function modify_bucket_acl () {
+  s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME
+}
+check_rgw_s3_bucket || ( create_rgw_s3_bucket && modify_bucket_acl )
+{{- end }}
\ No newline at end of file
diff --git a/charts/glance/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl b/charts/glance/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
new file mode 100644
index 0000000..08796d2
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
@@ -0,0 +1,65 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_user" }}
+#!/bin/bash
+set -e
+function create_s3_user () {
+  echo "Creating s3 user and key pair"
+  radosgw-admin user create \
+    --uid=${S3_USERNAME} \
+    --display-name=${S3_USERNAME} \
+    --key-type=s3 \
+    --access-key ${S3_ACCESS_KEY} \
+    --secret-key ${S3_SECRET_KEY}
+}
+function update_s3_user () {
+  # Retrieve old access keys, if they exist
+  old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \
+    | jq -r '.keys[].access_key' || true)
+
+  if [[ ! -z ${old_access_keys} ]]; then
+    for access_key in $old_access_keys; do
+      # If current access key is the same as the key supplied, do nothing.
+      if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then
+        echo "Current user and key pair exists."
+        continue
+      else
+        # If keys differ, remove previous key
+        radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key
+      fi
+    done
+  fi
+
+  # Perform one more additional check to account for scenarios where multiple
+  # key pairs existed previously, but one existing key was the supplied key
+  current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \
+    | jq -r '.keys[].access_key' || true)
+
+  # If the supplied key does not exist, modify the user
+  if [[ -z ${current_access_key} ]]; then
+    # Modify user with new access and secret keys
+    echo "Updating existing user's key pair"
+    radosgw-admin user modify \
+      --uid=${S3_USERNAME}\
+      --access-key ${S3_ACCESS_KEY} \
+      --secret-key ${S3_SECRET_KEY}
+  fi
+}
+user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true)
+if [[ -z ${user_exists} ]]; then
+  create_s3_user
+else
+  update_s3_user
+fi
+{{- end }}
\ No newline at end of file
diff --git a/charts/glance/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl b/charts/glance/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
new file mode 100644
index 0000000..03884fa
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_drop" }}
+#!/usr/bin/env python
+
+# Drops db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+    import ConfigParser
+    PARSER_OPTS = {}
+except ImportError:
+    import configparser as ConfigParser
+    PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Drop')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+    db_connection = os.environ['ROOT_DB_CONNECTION']
+    logger.info('Got DB root connection')
+else:
+    logger.critical('environment variable ROOT_DB_CONNECTION not set')
+    sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+    ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+                        'key': '/etc/mysql/certs/tls.key',
+                        'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+    os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+    if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+        os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+        sys.exit(1)
+    if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+        os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+        sys.exit(1)
+    try:
+        config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+        logger.info("Using {0} as db config source".format(os_conf))
+        config.read(os_conf)
+        logger.info("Trying to load db config from {0}:{1}".format(
+            os_conf_section, os_conf_key))
+        user_db_conn = config.get(os_conf_section, os_conf_key)
+        logger.info("Got config from {0}".format(os_conf))
+    except:
+        logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+        raise
+elif "DB_CONNECTION" in os.environ:
+    user_db_conn = os.environ['DB_CONNECTION']
+    logger.info('Got config from DB_CONNECTION env var')
+else:
+    logger.critical('Could not get db config, either from config file or env var')
+    sys.exit(1)
+
+# Root DB engine
+try:
+    root_engine_full = create_engine(db_connection)
+    root_user = root_engine_full.url.username
+    root_password = root_engine_full.url.password
+    drivername = root_engine_full.url.drivername
+    host = root_engine_full.url.host
+    port = root_engine_full.url.port
+    root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+    root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+    connection = root_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+        host, port, root_user))
+except:
+    logger.critical('Could not connect to database as root user')
+    raise
+
+# User DB engine
+try:
+    user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+    # Get our user data out of the user_engine
+    database = user_engine.url.database
+    user = user_engine.url.username
+    password = user_engine.url.password
+    logger.info('Got user db config')
+except:
+    logger.critical('Could not get user database config')
+    raise
+
+# Delete DB
+try:
+    root_engine.execute("DROP DATABASE IF EXISTS {0}".format(database))
+    logger.info("Deleted database {0}".format(database))
+except:
+    logger.critical("Could not drop database {0}".format(database))
+    raise
+
+# Delete DB User
+try:
+    root_engine.execute("DROP USER IF EXISTS {0}".format(user))
+    logger.info("Deleted user {0}".format(user))
+except:
+    logger.critical("Could not delete user {0}".format(user))
+    raise
+
+logger.info('Finished DB Management')
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/scripts/_db-init.py.tpl b/charts/glance/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
new file mode 100644
index 0000000..4294d40
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_init" }}
+#!/usr/bin/env python
+
+# Creates db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+    import ConfigParser
+    PARSER_OPTS = {}
+except ImportError:
+    import configparser as ConfigParser
+    PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Init')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+    db_connection = os.environ['ROOT_DB_CONNECTION']
+    logger.info('Got DB root connection')
+else:
+    logger.critical('environment variable ROOT_DB_CONNECTION not set')
+    sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+    ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+                'key': '/etc/mysql/certs/tls.key',
+                'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+    os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+    if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+        os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+        sys.exit(1)
+    if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+        os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+        sys.exit(1)
+    try:
+        config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+        logger.info("Using {0} as db config source".format(os_conf))
+        config.read(os_conf)
+        logger.info("Trying to load db config from {0}:{1}".format(
+            os_conf_section, os_conf_key))
+        user_db_conn = config.get(os_conf_section, os_conf_key)
+        logger.info("Got config from {0}".format(os_conf))
+    except:
+        logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+        raise
+elif "DB_CONNECTION" in os.environ:
+    user_db_conn = os.environ['DB_CONNECTION']
+    logger.info('Got config from DB_CONNECTION env var')
+else:
+    logger.critical('Could not get db config, either from config file or env var')
+    sys.exit(1)
+
+# Root DB engine
+try:
+    root_engine_full = create_engine(db_connection)
+    root_user = root_engine_full.url.username
+    root_password = root_engine_full.url.password
+    drivername = root_engine_full.url.drivername
+    host = root_engine_full.url.host
+    port = root_engine_full.url.port
+    root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+    root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+    connection = root_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+        host, port, root_user))
+except:
+    logger.critical('Could not connect to database as root user')
+    raise
+
+# User DB engine
+try:
+    user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+    # Get our user data out of the user_engine
+    database = user_engine.url.database
+    user = user_engine.url.username
+    password = user_engine.url.password
+    logger.info('Got user db config')
+except:
+    logger.critical('Could not get user database config')
+    raise
+
+# Create DB
+try:
+    root_engine.execute("CREATE DATABASE IF NOT EXISTS {0}".format(database))
+    logger.info("Created database {0}".format(database))
+except:
+    logger.critical("Could not create database {0}".format(database))
+    raise
+
+# Create DB User
+try:
+    root_engine.execute(
+        "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\' {3}".format(
+            database, user, password, mysql_x509))
+    logger.info("Created user {0} for {1}".format(user, database))
+except:
+    logger.critical("Could not create user {0} for {1}".format(user, database))
+    raise
+
+# Test connection
+try:
+    connection = user_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1}/{2} as {3}".format(
+        host, port, database, user))
+except:
+    logger.critical('Could not connect to database as user')
+    raise
+
+logger.info('Finished DB Management')
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl b/charts/glance/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
new file mode 100644
index 0000000..4d7dfaa
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
@@ -0,0 +1,69 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "helm-toolkit.scripts.pg_db_init" }}
+#!/bin/bash
+set -ex
+
+if [[ ! -v DB_HOST ]]; then
+    echo "environment variable DB_HOST not set"
+    exit 1
+elif [[ ! -v DB_ADMIN_USER ]]; then
+    echo "environment variable DB_ADMIN_USER not set"
+    exit 1
+elif [[ ! -v PGPASSWORD ]]; then
+    echo "environment variable PGPASSWORD not set"
+    exit 1
+elif [[ ! -v DB_PORT ]]; then
+    echo "environment variable DB_PORT not set"
+    exit 1
+elif [[ ! -v USER_DB_USER ]]; then
+    echo "environment variable USER_DB_USER not set"
+    exit 1
+elif [[ ! -v USER_DB_PASS ]]; then
+    echo "environment variable USER_DB_PASS not set"
+    exit 1
+elif [[ ! -v USER_DB_NAME ]]; then
+    echo "environment variable USER_DB_NAME not set"
+    exit 1
+else
+    echo "Got DB connection info"
+fi
+
+pgsql_superuser_cmd () {
+  DB_COMMAND="$1"
+  if [[ ! -z $2 ]]; then
+      EXPORT PGDATABASE=$2
+  fi
+  /usr/bin/psql \
+  -h ${DB_HOST} \
+  -p ${DB_PORT} \
+  -U ${DB_ADMIN_USER} \
+  --command="${DB_COMMAND}"
+}
+
+#create db
+pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q "(1 row)" || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME"
+
+#create db user
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | grep -q "(1 row)" || \
+    pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';"
+
+#Set password everytime. This is required for cases when we would want password rotation to take effect and set the updated password for a user.
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} with password '$USER_DB_PASS'"
+
+#give permissions to user
+pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;"
+
+#revoke all privileges from PUBLIC role
+pgsql_superuser_cmd "REVOKE ALL ON DATABASE $USER_DB_NAME FROM PUBLIC;"
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl b/charts/glance/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
new file mode 100644
index 0000000..e41abe3
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
@@ -0,0 +1,24 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.image_repo_sync" }}
+#!/bin/sh
+set -ex
+
+IFS=','; for IMAGE in ${IMAGE_SYNC_LIST}; do
+  docker pull ${IMAGE}
+  docker tag ${IMAGE} ${LOCAL_REPO}/${IMAGE}
+  docker push ${LOCAL_REPO}/${IMAGE}
+done
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl b/charts/glance/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
new file mode 100644
index 0000000..8755cd5
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
@@ -0,0 +1,72 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_domain_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Manage domain
+SERVICE_OS_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Service Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+    "${SERVICE_OS_DOMAIN_NAME}")
+
+# Display domain
+openstack domain show "${SERVICE_OS_DOMAIN_ID}"
+
+# Manage user
+SERVICE_OS_USERID=$(openstack user create --or-show --enable -f value -c id \
+    --domain="${SERVICE_OS_DOMAIN_ID}" \
+    --description "Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+    --password="${SERVICE_OS_PASSWORD}" \
+    "${SERVICE_OS_USERNAME}")
+
+# Manage user password (we do this to ensure the password is updated if required)
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${SERVICE_OS_USERID}"
+
+# Display user
+openstack user show "${SERVICE_OS_USERID}"
+
+# Manage role
+SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \
+    "${SERVICE_OS_ROLE}" || openstack role create -f value -c id \
+    "${SERVICE_OS_ROLE}" )
+
+# Manage user role assignment
+openstack role add \
+          --domain="${SERVICE_OS_DOMAIN_ID}" \
+          --user="${SERVICE_OS_USERID}" \
+          --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+          "${SERVICE_OS_ROLE_ID}"
+
+# Display user role assignment
+openstack role assignment list \
+          --role="${SERVICE_OS_ROLE_ID}" \
+          --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+          --user="${SERVICE_OS_USERID}"
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl b/charts/glance/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
new file mode 100644
index 0000000..e400bcd
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
@@ -0,0 +1,79 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_endpoints" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Get Service ID
+OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+                  grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+                    sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+# Get Endpoint ID if it exists
+OS_ENDPOINT_ID=$( openstack endpoint list  -f csv --quote none | \
+                  grep "^[a-z0-9]*,${OS_REGION_NAME},${OS_SERVICE_NAME},${OS_SERVICE_TYPE},True,${OS_SVC_ENDPOINT}," | \
+                  awk -F ',' '{ print $1 }' )
+
+# Making sure only a single endpoint exists for a service within a region
+if [ "$(echo $OS_ENDPOINT_ID | wc -w)" -gt "1" ]; then
+  echo "More than one endpoint found, cleaning up"
+  for ENDPOINT_ID in $OS_ENDPOINT_ID; do
+    openstack endpoint delete ${ENDPOINT_ID}
+  done
+  unset OS_ENDPOINT_ID
+fi
+
+# Determine if Endpoint needs updated
+if [[ ${OS_ENDPOINT_ID} ]]; then
+  OS_ENDPOINT_URL_CURRENT=$(openstack endpoint show ${OS_ENDPOINT_ID} -f value -c url)
+  if [ "${OS_ENDPOINT_URL_CURRENT}" == "${OS_SERVICE_ENDPOINT}" ]; then
+    echo "Endpoints Match: no action required"
+    OS_ENDPOINT_UPDATE="False"
+  else
+    echo "Endpoints Dont Match: removing existing entries"
+    openstack endpoint delete ${OS_ENDPOINT_ID}
+    OS_ENDPOINT_UPDATE="True"
+  fi
+else
+  OS_ENDPOINT_UPDATE="True"
+fi
+
+# Update Endpoint if required
+if [[ "${OS_ENDPOINT_UPDATE}" == "True" ]]; then
+  OS_ENDPOINT_ID=$( openstack endpoint create -f value -c id \
+    --region="${OS_REGION_NAME}" \
+    "${OS_SERVICE_ID}" \
+    ${OS_SVC_ENDPOINT} \
+    "${OS_SERVICE_ENDPOINT}" )
+fi
+
+# Display the Endpoint
+openstack endpoint show ${OS_ENDPOINT_ID}
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl b/charts/glance/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
new file mode 100644
index 0000000..8356b36
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_service" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Service boilerplate description
+OS_SERVICE_DESC="${OS_REGION_NAME}: ${OS_SERVICE_NAME} (${OS_SERVICE_TYPE}) service"
+
+# Get Service ID if it exists
+unset OS_SERVICE_ID
+
+# FIXME - There seems to be an issue once in a while where the
+# openstack service list fails and encounters an error message such as:
+#   Unable to establish connection to
+#   https://keystone-api.openstack.svc.cluster.local:5000/v3/auth/tokens:
+#   ('Connection aborted.', OSError("(104, 'ECONNRESET')",))
+# During an upgrade scenario, this would cause the OS_SERVICE_ID to be blank
+# and it would attempt to create a new service when it was not needed.
+# This duplciate service would sometimes be used by other services such as
+# Horizon and would give an 'Invalid Service Catalog' error.
+# This loop allows for a 'retry' of the openstack service list in an
+# attempt to get the service list as expected if it does ecounter an error.
+# This loop and recheck can be reverted once the underlying issue is addressed.
+
+# If OS_SERVICE_ID is blank then wait a few seconds to give it
+# additional time and try again
+for i in $(seq 3)
+do
+  OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+                   grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+                   sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+  # If the service was found, go ahead and exit successfully.
+  if [[ -n "${OS_SERVICE_ID}" ]]; then
+    exit 0
+  fi
+
+  sleep 2
+done
+
+# If we've reached this point and a Service ID was not found,
+# then create the service
+OS_SERVICE_ID=$(openstack service create -f value -c id \
+                --name="${OS_SERVICE_NAME}" \
+                --description "${OS_SERVICE_DESC}" \
+                --enable \
+                "${OS_SERVICE_TYPE}")
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl b/charts/glance/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
new file mode 100644
index 0000000..b45f798
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+shopt -s nocasematch
+
+if [[ "${SERVICE_OS_PROJECT_DOMAIN_NAME}" == "Default" ]]
+then
+  PROJECT_DOMAIN_ID="default"
+else
+  # Manage project domain
+  PROJECT_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
+    "${SERVICE_OS_PROJECT_DOMAIN_NAME}")
+fi
+
+if [[ "${SERVICE_OS_USER_DOMAIN_NAME}" == "Default" ]]
+then
+  USER_DOMAIN_ID="default"
+else
+  # Manage user domain
+  USER_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}" \
+    "${SERVICE_OS_USER_DOMAIN_NAME}")
+fi
+
+shopt -u nocasematch
+
+# Manage user project
+USER_PROJECT_DESC="Service Project for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+USER_PROJECT_ID=$(openstack project create --or-show --enable -f value -c id \
+    --domain="${PROJECT_DOMAIN_ID}" \
+    --description="${USER_PROJECT_DESC}" \
+    "${SERVICE_OS_PROJECT_NAME}");
+
+# Manage user
+USER_DESC="Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}/${SERVICE_OS_SERVICE_NAME}"
+USER_ID=$(openstack user create --or-show --enable -f value -c id \
+    --domain="${USER_DOMAIN_ID}" \
+    --project-domain="${PROJECT_DOMAIN_ID}" \
+    --project="${USER_PROJECT_ID}" \
+    --description="${USER_DESC}" \
+    "${SERVICE_OS_USERNAME}");
+
+# Manage user password (we do this in a seperate step to ensure the password is updated if required)
+set +x
+echo "Setting user password via: openstack user set --password=xxxxxxx ${USER_ID}"
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${USER_ID}"
+set -x
+
+function ks_assign_user_role () {
+  if [[ "$SERVICE_OS_ROLE" == "admin" ]]
+  then
+    USER_ROLE_ID="$SERVICE_OS_ROLE"
+  else
+    USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${SERVICE_OS_ROLE}");
+  fi
+
+  # Manage user role assignment
+  openstack role add \
+      --user="${USER_ID}" \
+      --user-domain="${USER_DOMAIN_ID}" \
+      --project-domain="${PROJECT_DOMAIN_ID}" \
+      --project="${USER_PROJECT_ID}" \
+      "${USER_ROLE_ID}"
+}
+
+# Manage user service role
+IFS=','
+for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
+  ks_assign_user_role
+done
+
+# Manage user member role
+: ${MEMBER_OS_ROLE:="member"}
+export USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
+    "${MEMBER_OS_ROLE}");
+ks_assign_user_role
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/glance/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
new file mode 100644
index 0000000..3739f95
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rabbit_init" }}
+#!/bin/bash
+set -e
+# Extract connection details
+RABBIT_HOSTNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $1}')
+RABBIT_PORT=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $2}')
+
+# Extract Admin User creadential
+RABBITMQ_ADMIN_USERNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $4}')
+RABBITMQ_ADMIN_PASSWORD=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $5}')
+
+# Extract User creadential
+RABBITMQ_USERNAME=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $4}')
+RABBITMQ_PASSWORD=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $5}')
+
+# Extract User vHost
+RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $3}')
+# Resolve vHost to / if no value is set
+RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
+
+function rabbitmqadmin_cli () {
+  if [ -n "$RABBITMQ_X509" ]
+  then
+    rabbitmqadmin \
+      --ssl \
+      --ssl-disable-hostname-verification \
+      --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
+      --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
+      --ssl-key-file="${USER_CERT_PATH}/tls.key" \
+      --host="${RABBIT_HOSTNAME}" \
+      --port="${RABBIT_PORT}" \
+      --username="${RABBITMQ_ADMIN_USERNAME}" \
+      --password="${RABBITMQ_ADMIN_PASSWORD}" \
+      ${@}
+  else
+    rabbitmqadmin \
+      --host="${RABBIT_HOSTNAME}" \
+      --port="${RABBIT_PORT}" \
+      --username="${RABBITMQ_ADMIN_USERNAME}" \
+      --password="${RABBITMQ_ADMIN_PASSWORD}" \
+      ${@}
+  fi
+}
+
+echo "Managing: User: ${RABBITMQ_USERNAME}"
+rabbitmqadmin_cli \
+  declare user \
+  name="${RABBITMQ_USERNAME}" \
+  password="${RABBITMQ_PASSWORD}" \
+  tags="user"
+
+echo "Deleting Guest User"
+rabbitmqadmin_cli \
+  delete user \
+  name="guest" || true
+
+if [ "${RABBITMQ_VHOST}" != "/" ]
+then
+  echo "Managing: vHost: ${RABBITMQ_VHOST}"
+  rabbitmqadmin_cli \
+    declare vhost \
+    name="${RABBITMQ_VHOST}"
+else
+  echo "Skipping root vHost declaration: vHost: ${RABBITMQ_VHOST}"
+fi
+
+echo "Managing: Permissions: ${RABBITMQ_USERNAME} on ${RABBITMQ_VHOST}"
+rabbitmqadmin_cli \
+  declare permission \
+  vhost="${RABBITMQ_VHOST}" \
+  user="${RABBITMQ_USERNAME}" \
+  configure=".*" \
+  write=".*" \
+  read=".*"
+
+if [ ! -z "$RABBITMQ_AUXILIARY_CONFIGURATION" ]
+then
+  echo "Applying additional configuration"
+  echo "${RABBITMQ_AUXILIARY_CONFIGURATION}" > /tmp/rmq_definitions.json
+  rabbitmqadmin_cli import /tmp/rmq_definitions.json
+fi
+
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/charts/glance/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
new file mode 100644
index 0000000..c08d320
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
@@ -0,0 +1,88 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rally_test" -}}
+#!/bin/bash
+set -ex
+{{- $rallyTests := index . 0 }}
+
+: "${RALLY_ENV_NAME:="openstack-helm"}"
+: "${OS_INTERFACE:="public"}"
+: "${RALLY_CLEANUP:="true"}"
+
+if [ "x$RALLY_CLEANUP" == "xtrue" ]; then
+  function rally_cleanup {
+    openstack user delete \
+        --domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
+        "${SERVICE_OS_USERNAME}"
+{{ $rallyTests.clean_up | default "" | indent 4 }}
+  }
+  trap rally_cleanup EXIT
+fi
+
+function create_or_update_db () {
+  revisionResults=$(rally db revision)
+  if [ $revisionResults = "None"  ]
+  then
+    rally db create
+  else
+    rally db upgrade
+  fi
+}
+
+create_or_update_db
+
+cat > /tmp/rally-config.json << EOF
+{
+    "openstack": {
+        "auth_url": "${OS_AUTH_URL}",
+        "region_name": "${OS_REGION_NAME}",
+        "endpoint_type": "${OS_INTERFACE}",
+        "admin": {
+            "username": "${OS_USERNAME}",
+            "password": "${OS_PASSWORD}",
+            "user_domain_name": "${OS_USER_DOMAIN_NAME}",
+            "project_name": "${OS_PROJECT_NAME}",
+            "project_domain_name": "${OS_PROJECT_DOMAIN_NAME}"
+        },
+        "users": [
+            {
+                "username": "${SERVICE_OS_USERNAME}",
+                "password": "${SERVICE_OS_PASSWORD}",
+                "project_name": "${SERVICE_OS_PROJECT_NAME}",
+                "user_domain_name": "${SERVICE_OS_USER_DOMAIN_NAME}",
+                "project_domain_name": "${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+            }
+        ],
+        "https_insecure": false,
+        "https_cacert": "${OS_CACERT}"
+    }
+}
+EOF
+rally deployment create --file /tmp/rally-config.json --name "${RALLY_ENV_NAME}"
+rm -f /tmp/rally-config.json
+rally deployment use "${RALLY_ENV_NAME}"
+rally deployment check
+{{- if $rallyTests.run_tempest }}
+rally verify create-verifier --name "${RALLY_ENV_NAME}-tempest" --type tempest
+SERVICE_TYPE="$(rally deployment check | grep "${RALLY_ENV_NAME}" | awk -F \| '{print $3}' | tr -d ' ' | tr -d '\n')"
+rally verify start --pattern "tempest.api.${SERVICE_TYPE}*"
+rally verify delete-verifier --id "${RALLY_ENV_NAME}-tempest" --force
+{{- end }}
+rally task validate /etc/rally/rally_tests.yaml
+rally task start /etc/rally/rally_tests.yaml
+rally task sla-check
+rally env cleanup
+rally deployment destroy --deployment "${RALLY_ENV_NAME}"
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/glance/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
new file mode 100644
index 0000000..687851e
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -0,0 +1,571 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.backup_main" }}
+#!/bin/bash
+
+# This file contains a database backup framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+#   source /tmp/backup_main.sh
+#
+# Then the script should call the main backup function (backup_databases):
+#   backup_databases [scope]
+#       [scope] is an optional parameter, defaulted to "all". If only one specific
+#               database is required to be backed up then this parameter will
+#               contain the name of the database; otherwise all are backed up.
+#
+#       The framework will require the following variables to be exported:
+#
+#         export DB_NAMESPACE          Namespace where the database(s) reside
+#         export DB_NAME               Name of the database system
+#         export LOCAL_DAYS_TO_KEEP    Number of days to keep the local backups
+#         export REMOTE_DAYS_TO_KEEP   Number of days to keep the remote backups
+#         export ARCHIVE_DIR           Local location where the backup tarballs should
+#                                      be stored. (full directory path)
+#         export BACK_UP_MODE          Determines the mode of backup taken.
+#         export REMOTE_BACKUP_ENABLED "true" if remote backup enabled; false
+#                                      otherwise
+#         export CONTAINER_NAME        Name of the container on the RGW to store
+#                                      the backup tarball.
+#         export STORAGE_POLICY        Name of the storage policy defined on the
+#                                      RGW which is intended to store backups.
+#         RGW access variables:
+#           export OS_REGION_NAME          Name of the region the RGW resides in
+#           export OS_AUTH_URL             Keystone URL associated with the RGW
+#           export OS_PROJECT_NAME         Name of the project associated with the
+#                                          keystone user
+#           export OS_USERNAME             Name of the keystone user
+#           export OS_PASSWORD             Password of the keystone user
+#           export OS_USER_DOMAIN_NAME     Keystone domain the project belongs to
+#           export OS_PROJECT_DOMAIN_NAME  Keystone domain the user belongs to
+#           export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+#           export REMOTE_BACKUP_RETRIES   Number of retries to send backup to remote
+#                                          in case of any temporary failures.
+#           export MIN_DELAY_SEND_REMOTE   Minimum seconds to delay before sending backup
+#                                          to remote to stagger backups being sent to RGW
+#           export MAX_DELAY_SEND_REMOTE   Maximum seconds to delay before sending backup
+#                                          to remote to stagger backups being sent to RGW.
+#                                          A random number between min and max delay is generated
+#                                          to set the delay.
+#
+# The database-specific functions that need to be implemented are:
+#   dump_databases_to_directory <directory> <err_logfile> [scope]
+#       where:
+#         <directory>   is the full directory path to dump the database files
+#                       into. This is a temporary directory for this backup only.
+#         <err_logfile> is the full directory path where error logs are to be
+#                       written by the application.
+#         [scope]       set to "all" if all databases are to be backed up; or
+#                       set to the name of a specific database to be backed up.
+#                       This optional parameter is defaulted to "all".
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to dump the database file(s) to the specified
+#       directory path. If this function completes successfully (returns 0), the
+#       framework will automatically tar/zip the files in that directory and
+#       name the tarball appropriately according to the proper conventions.
+#
+#   verify_databases_backup_archives [scope]
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to verify the database backup archives. If this function
+#        completes successfully (returns 0), the
+#       framework will automatically starts remote backup upload.
+#
+#
+# The functions in this file will take care of:
+#   1) Calling "dump_databases_to_directory" and then compressing the files,
+#      naming the tarball properly, and then storing it locally at the specified
+#      local directory.
+#   2) Sending the tarball built to the remote gateway, to be stored in the
+#      container configured to store database backups.
+#   3) Removing local backup tarballs which are older than the number of days
+#      specified by the "LOCAL_DAYS_TO_KEEP" variable.
+#   4) Removing remote backup tarballs (from the remote gateway) which are older
+#      than the number of days specified by the "REMOTE_DAYS_TO_KEEP" variable.
+#
+
+# Note: not using set -e in this script because more elaborate error handling
+# is needed.
+
+log_backup_error_exit() {
+  MSG=$1
+  ERRCODE=${2:-0}
+  log ERROR "${DB_NAME}_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+  rm -f $ERR_LOG_FILE
+  rm -rf $TMP_DIR
+  exit $ERRCODE
+}
+
+log_verify_backup_exit() {
+  MSG=$1
+  ERRCODE=${2:-0}
+  log ERROR "${DB_NAME}_verify_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+  rm -f $ERR_LOG_FILE
+  # rm -rf $TMP_DIR
+  exit $ERRCODE
+}
+
+
+log() {
+  #Log message to a file or stdout
+  #TODO: This can be convert into mail alert of alert send to a monitoring system
+  #Params: $1 log level
+  #Params: $2 service
+  #Params: $3 message
+  #Params: $4 Destination
+  LEVEL=$1
+  SERVICE=$2
+  MSG=$3
+  DEST=$4
+  DATE=$(date +"%m-%d-%y %H:%M:%S")
+  if [[ -z "$DEST" ]]; then
+    echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}"
+  else
+    echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}" >>$DEST
+  fi
+}
+
+# Generate a random number between MIN_DELAY_SEND_REMOTE and
+# MAX_DELAY_SEND_REMOTE
+random_number() {
+  diff=$((${MAX_DELAY_SEND_REMOTE} - ${MIN_DELAY_SEND_REMOTE} + 1))
+  echo $(($(( ${RANDOM} % ${diff} )) + ${MIN_DELAY_SEND_REMOTE} ))
+}
+
+#Get the day delta since the archive file backup
+seconds_difference() {
+  ARCHIVE_DATE=$( date --date="$1" +%s )
+  if [[ $? -ne 0 ]]; then
+    SECOND_DELTA=0
+  fi
+  CURRENT_DATE=$( date +%s )
+  SECOND_DELTA=$(($CURRENT_DATE-$ARCHIVE_DATE))
+  if [[ "$SECOND_DELTA" -lt 0 ]]; then
+    SECOND_DELTA=0
+  fi
+  echo $SECOND_DELTA
+}
+
+# Send the specified tarball file at the specified filepath to the
+# remote gateway.
+send_to_remote_server() {
+  FILEPATH=$1
+  FILE=$2
+
+  # Grab the list of containers on the remote site
+  RESULT=$(openstack container list 2>&1)
+
+  if [[ $? -eq 0 ]]; then
+    echo $RESULT | grep $CONTAINER_NAME
+    if [[ $? -ne 0 ]]; then
+      # Find the swift URL from the keystone endpoint list
+      SWIFT_URL=$(openstack catalog show object-store -c endpoints | grep public | awk '{print $4}')
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to get object-store enpoints from keystone catalog."
+        return 2
+      fi
+
+      # Get a token from keystone
+      TOKEN=$(openstack token issue -f value -c id)
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to get  keystone token."
+        return 2
+      fi
+
+      # Create the container
+      RES_FILE=$(mktemp -p /tmp)
+      curl -g -i -X PUT ${SWIFT_URL}/${CONTAINER_NAME} \
+           -H "X-Auth-Token: ${TOKEN}" \
+           -H "X-Storage-Policy: ${STORAGE_POLICY}" 2>&1 > $RES_FILE
+
+      if [[ $? -ne 0 || $(grep "HTTP" $RES_FILE | awk '{print $2}') -ge 400 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to create container ${CONTAINER_NAME}"
+        cat $RES_FILE
+        rm -f $RES_FILE
+        return 2
+      fi
+      rm -f $RES_FILE
+
+      swift stat $CONTAINER_NAME
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to retrieve container ${CONTAINER_NAME} details after creation."
+        return 2
+      fi
+    fi
+  else
+    echo $RESULT | grep -E "HTTP 401|HTTP 403"
+    if [[ $? -eq 0 ]]; then
+      log ERROR "${DB_NAME}_backup" "Access denied by keystone: ${RESULT}"
+      return 1
+    else
+      echo $RESULT | grep -E "ConnectionError|Failed to discover available identity versions|Service Unavailable|HTTP 50"
+      if [[ $? -eq 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Could not reach the RGW: ${RESULT}"
+        # In this case, keystone or the site/node may be temporarily down.
+        # Return slightly different error code so the calling code can retry
+        return 2
+      else
+        log ERROR "${DB_NAME}_backup" "Could not get container list: ${RESULT}"
+        return 1
+      fi
+    fi
+  fi
+
+  # Create an object to store the file
+  openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
+    return 2
+  fi
+
+  openstack object show $CONTAINER_NAME $FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
+    return 2
+  fi
+
+  # Calculation remote file SHA256 hash
+  REMOTE_FILE=$(mktemp -p /tmp)
+  openstack object save --file ${REMOTE_FILE} $CONTAINER_NAME $FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Unable to save container object $FILE for SHA256 hash verification."
+    rm -rf ${REMOTE_FILE}
+    return 1
+  fi
+
+  # Remote backup verification
+  SHA256_REMOTE=$(cat ${REMOTE_FILE} | sha256sum | awk '{print $1}')
+  SHA256_LOCAL=$(cat ${FILEPATH}/${FILE} | sha256sum | awk '{print $1}')
+  log INFO "${DB_NAME}_backup" "Calculated SHA256 hashes for the file $FILE in container $CONTAINER_NAME."
+  log INFO "${DB_NAME}_backup" "Local SHA256 hash is ${SHA256_LOCAL}."
+  log INFO "${DB_NAME}_backup" "Remote SHA256 hash is ${SHA256_REMOTE}."
+  if [[ "${SHA256_LOCAL}" == "${SHA256_REMOTE}" ]]; then
+      log INFO "${DB_NAME}_backup" "The local backup & remote backup SHA256 hash values are matching for file $FILE in container $CONTAINER_NAME."
+  else
+      log ERROR "${DB_NAME}_backup" "Mismatch between the local backup & remote backup sha256 hash values"
+      return 1
+  fi
+  rm -rf ${REMOTE_FILE}
+
+  log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
+  return 0
+}
+
+# This function attempts to store the built tarball to the remote gateway,
+# with built-in logic to handle error cases like:
+#   1) Network connectivity issues - retries for a specific amount of time
+#   2) Authorization errors - immediately logs an ERROR and returns
+store_backup_remotely() {
+  FILEPATH=$1
+  FILE=$2
+
+  count=1
+  while [[ ${count} -le ${REMOTE_BACKUP_RETRIES} ]]; do
+    # Store the new archive to the remote backup storage facility.
+    send_to_remote_server $FILEPATH $FILE
+    SEND_RESULT="$?"
+
+    # Check if successful
+    if [[ $SEND_RESULT -eq 0 ]]; then
+      log INFO "${DB_NAME}_backup" "Backup file ${FILE} successfully sent to RGW."
+      return 0
+    elif [[ $SEND_RESULT -eq 2 ]]; then
+      if [[ ${count} -ge ${REMOTE_BACKUP_RETRIES} ]]; then
+        log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW in " \
+        "${REMOTE_BACKUP_RETRIES} retries. Errors encountered. Exiting."
+        break
+      fi
+      # Temporary failure occurred. We need to retry
+      log WARN "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to RGW due to connection issue."
+      sleep_time=$(random_number)
+      log INFO "${DB_NAME}_backup" "Sleeping ${sleep_time} seconds waiting for RGW to become available..."
+      sleep ${sleep_time}
+      log INFO "${DB_NAME}_backup" "Retrying..."
+    else
+      log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW. Errors encountered. Exiting."
+      break
+    fi
+
+    # Increment the counter
+    count=$((count+1))
+  done
+
+  return 1
+}
+
+
+function get_archive_date(){
+# get_archive_date function returns correct archive date
+# for different formats of archives' names
+# the old one: <database name>.<namespace>.<table name | all>.<date-time>.tar.gz
+# the new one: <database name>.<namespace>.<table name | all>.<backup mode>.<date-time>.tar.gz
+  local A_FILE="$1"
+  awk -F. '{print $(NF-2)}' <<< ${A_FILE} | tr -d "Z"
+}
+
+# This function takes a list of archives' names as an input
+# and creates a hash table where keys are number of seconds
+# between current date and archive date (see seconds_difference),
+# and values are space separated archives' names
+#
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 1265342678 | "tmp/mysql.backup.auto.2022-02-14T10:13:13Z.tar.gz"                                                     |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 2346254257 | "tmp/mysql.backup.auto.2022-02-11T10:13:13Z.tar.gz tmp/mysql.backup.manual.2022-02-11T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# <...>
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 6253434567 | "tmp/mysql.backup.manual.2022-02-01T10:13:13Z.tar.gz"                                                   |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# We will use the explained above data stracture to cover rare, but still
+# possible case, when we have several backups of the same date. E.g.
+# one manual, and one automatic.
+
+declare -A fileTable
+create_hash_table() {
+unset fileTable
+fileList=$@
+  for ARCHIVE_FILE in ${fileList}; do
+    # Creating index, we will round given ARCHIVE_DATE to the midnight (00:00:00)
+    # to take in account a possibility, that we can have more than one scheduled
+    # backup per day.
+    ARCHIVE_DATE=$(get_archive_date ${ARCHIVE_FILE})
+    ARCHIVE_DATE=$(date --date=${ARCHIVE_DATE} +%D)
+    log INFO "${DB_NAME}_backup" "Archive date to build index: ${ARCHIVE_DATE}"
+    INDEX=$(seconds_difference ${ARCHIVE_DATE})
+    if [[ -z fileTable[${INDEX}] ]]; then
+      fileTable[${INDEX}]=${ARCHIVE_FILE}
+    else
+      fileTable[${INDEX}]="${fileTable[${INDEX}]} ${ARCHIVE_FILE}"
+    fi
+    echo "INDEX: ${INDEX} VALUE:  ${fileTable[${INDEX}]}"
+ done
+}
+
+function get_backup_prefix() {
+# Create list of all possible prefixes in a format:
+# <db_name>.<namespace> to cover a possible situation
+# when different backups of different databases and/or
+# namespaces share the same local or remote storage.
+  ALL_FILES=($@)
+  PREFIXES=()
+  for fname in ${ALL_FILES[@]}; do
+    prefix=$(basename ${fname} | cut -d'.' -f1,2 )
+    for ((i=0; i<${#PREFIXES[@]}; i++)) do
+      if [[ ${PREFIXES[${i}]} == ${prefix} ]]; then
+        prefix=""
+        break
+      fi
+    done
+    if [[ ! -z ${prefix} ]]; then
+        PREFIXES+=(${prefix})
+    fi
+  done
+}
+
+remove_old_local_archives() {
+  SECONDS_TO_KEEP=$(( $((${LOCAL_DAYS_TO_KEEP}))*86400))
+  log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+  if [[ -d $ARCHIVE_DIR ]]; then
+    count=0
+    # We iterate over the hash table, checking the delta in seconds (hash keys),
+    # and minimum number of backups we must have in place. List of keys has to be sorted.
+    for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+      ARCHIVE_FILE=${fileTable[${INDEX}]}
+      if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
+        ((count++))
+        log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
+      else
+        log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
+          rm -f ${ARCHIVE_FILE}
+          if [[ $? -ne 0 ]]; then
+            # Log error but don't exit so we can finish the script
+            # because at this point we haven't sent backup to RGW yet
+            log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
+          fi
+      fi
+    done
+  else
+    log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
+  fi
+}
+
+prepare_list_of_remote_backups() {
+  BACKUP_FILES=$(mktemp -p /tmp)
+  DB_BACKUP_FILES=$(mktemp -p /tmp)
+  openstack object list $CONTAINER_NAME > $BACKUP_FILES
+  if [[ $? -ne 0 ]]; then
+    log_backup_error_exit \
+      "Failed to cleanup remote backup. Could not obtain a list of current backup files in the RGW"
+  fi
+  # Filter out other types of backup files
+  cat $BACKUP_FILES | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $DB_BACKUP_FILES
+}
+
+# The logic implemented with this function is absolutely similar
+# to the function remove_old_local_archives (see above)
+remove_old_remote_archives() {
+  count=0
+  SECONDS_TO_KEEP=$((${REMOTE_DAYS_TO_KEEP}*86400))
+  log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+  for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+    ARCHIVE_FILE=${fileTable[${INDEX}]}
+    if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then
+      ((count++))
+      log INFO "${DB_NAME}_backup" "Keeping remote backup(s) ${ARCHIVE_FILE}."
+    else
+      log INFO "${DB_NAME}_backup" "Deleting remote backup(s) ${ARCHIVE_FILE} from the RGW"
+      openstack object delete ${CONTAINER_NAME} ${ARCHIVE_FILE} ||  log WARN "${DB_NAME}_backup" \
+        "Failed to cleanup remote backup. Cannot delete container object ${ARCHIVE_FILE}"
+    fi
+  done
+
+  # Cleanup now that we're done.
+  for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
+    if [[ -f ${fd} ]]; then
+      rm -f ${fd}
+    else
+      log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+    fi
+  done
+}
+
+# Main function to backup the databases. Calling functions need to supply:
+#  1) The directory where the final backup will be kept after it is compressed.
+#  2) A temporary directory to use for placing database files to be compressed.
+#     Note: this temp directory will be deleted after backup is done.
+#  3) Optional "scope" parameter indicating what database to back up. Defaults
+#     to "all".
+backup_databases() {
+  SCOPE=${1:-"all"}
+
+  # Create necessary directories if they do not exist.
+  mkdir -p $ARCHIVE_DIR || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create directory ${ARCHIVE_DIR}!"
+  export TMP_DIR=$(mktemp -d) || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create temp directory!"
+
+  # Create temporary log file
+  export ERR_LOG_FILE=$(mktemp -p /tmp) || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create log file!"
+
+  # It is expected that this function will dump the database files to the $TMP_DIR
+  dump_databases_to_directory $TMP_DIR $ERR_LOG_FILE $SCOPE
+
+  # If successful, there should be at least one file in the TMP_DIR
+  if [[ $? -ne 0 || $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+    cat $ERR_LOG_FILE
+    log_backup_error_exit "Backup of the ${DB_NAME} database failed and needs attention."
+  fi
+
+  log INFO "${DB_NAME}_backup" "Databases dumped successfully. Creating tarball..."
+
+  NOW=$(date +"%Y-%m-%dT%H:%M:%SZ")
+  if [[ -z "${BACK_UP_MODE}" ]]; then
+    TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${NOW}.tar.gz"
+  else
+    TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${BACK_UP_MODE}.${NOW}.tar.gz"
+  fi
+
+  cd $TMP_DIR || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot change to directory $TMP_DIR"
+
+  #Archive the current database files
+  tar zcvf $ARCHIVE_DIR/$TARBALL_FILE *
+  if [[ $? -ne 0 ]]; then
+    log_backup_error_exit \
+      "Backup ${DB_NAME} to local file system failed. Backup tarball could not be created."
+  fi
+
+  # Get the size of the file
+  ARCHIVE_SIZE=$(ls -l $ARCHIVE_DIR/$TARBALL_FILE | awk '{print $5}')
+
+  log INFO "${DB_NAME}_backup" "Tarball $TARBALL_FILE created successfully."
+
+  cd $ARCHIVE_DIR
+
+  #Only delete the old archive after a successful archive
+  export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
+  if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
+    get_backup_prefix $(ls -1 ${ARCHIVE_DIR}/*.gz)
+    for ((i=0; i<${#PREFIXES[@]}; i++)); do
+      echo "Working with prefix: ${PREFIXES[i]}"
+      create_hash_table $(ls -1 ${ARCHIVE_DIR}/${PREFIXES[i]}*.gz)
+      remove_old_local_archives
+    done
+  fi
+
+  # Local backup verification process
+
+  # It is expected that this function will verify the database backup files
+  if verify_databases_backup_archives ${SCOPE}; then
+    log INFO "${DB_NAME}_backup_verify" "Databases backup verified successfully. Uploading verified backups to remote location..."
+  else
+    # If successful, there should be at least one file in the TMP_DIR
+    if [[ $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+      cat $ERR_LOG_FILE
+    fi
+    log_verify_backup_exit "Verify of the ${DB_NAME} database backup failed and needs attention."
+    exit 1
+  fi
+
+  # Remove the temporary directory and files as they are no longer needed.
+  rm -rf $TMP_DIR
+  rm -f $ERR_LOG_FILE
+
+  # Remote backup
+  REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
+  if $REMOTE_BACKUP; then
+    # Remove Quotes from the constants which were added due to reading
+    # from secret.
+    export REMOTE_BACKUP_RETRIES=$(echo $REMOTE_BACKUP_RETRIES | sed 's/"//g')
+    export MIN_DELAY_SEND_REMOTE=$(echo $MIN_DELAY_SEND_REMOTE | sed 's/"//g')
+    export MAX_DELAY_SEND_REMOTE=$(echo $MAX_DELAY_SEND_REMOTE | sed 's/"//g')
+    export REMOTE_DAYS_TO_KEEP=$(echo $REMOTE_DAYS_TO_KEEP | sed 's/"//g')
+
+    store_backup_remotely $ARCHIVE_DIR $TARBALL_FILE
+    if [[ $? -ne 0 ]]; then
+      # This error should print first, then print the summary as the last
+      # thing that the user sees in the output.
+      log ERROR "${DB_NAME}_backup" "Backup ${TARBALL_FILE} could not be sent to remote RGW."
+      echo "=================================================================="
+      echo "Local backup successful, but could not send to remote RGW."
+      echo "Backup archive name: $TARBALL_FILE"
+      echo "Backup archive size: $ARCHIVE_SIZE"
+      echo "=================================================================="
+      # Because the local backup was successful, exit with 0 so the pod will not
+      # continue to restart and fill the disk with more backups. The ERRORs are
+      # logged and alerting system should catch those errors and flag the operator.
+      exit 0
+    fi
+
+    #Only delete the old archive after a successful archive
+    if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then
+      prepare_list_of_remote_backups
+      get_backup_prefix $(cat $DB_BACKUP_FILES)
+      for ((i=0; i<${#PREFIXES[@]}; i++)); do
+        echo "Working with prefix: ${PREFIXES[i]}"
+        create_hash_table $(cat ${DB_BACKUP_FILES} | grep ${PREFIXES[i]})
+        remove_old_remote_archives
+      done
+    fi
+
+    echo "=================================================================="
+    echo "Local backup and backup to remote RGW successful!"
+    echo "Backup archive name: $TARBALL_FILE"
+    echo "Backup archive size: $ARCHIVE_SIZE"
+    echo "=================================================================="
+  else
+    # Remote backup is not enabled. This is ok; at least we have a local backup.
+    log INFO "${DB_NAME}_backup" "Skipping remote backup, as it is not enabled."
+
+    echo "=================================================================="
+    echo "Local backup successful!"
+    echo "Backup archive name: $TARBALL_FILE"
+    echo "Backup archive size: $ARCHIVE_SIZE"
+    echo "=================================================================="
+  fi
+}
+{{- end }}
\ No newline at end of file
diff --git a/charts/glance/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl b/charts/glance/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
new file mode 100644
index 0000000..093dd2c
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
@@ -0,0 +1,616 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.restore_main" }}
+#!/bin/bash
+
+# This file contains a database restore framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+#   source /tmp/restore_main.sh
+#
+# Then the script should call the main CLI function (cli_main):
+#   cli_main <arg_list>
+#       where:
+#         <arg_list>    is the list of arguments given by the user
+#
+#       The framework will require the following variables to be exported:
+#
+#         export DB_NAMESPACE        Namespace where the database(s) reside
+#         export DB_NAME             Name of the database system
+#         export ARCHIVE_DIR         Location where the backup tarballs should
+#                                    be stored. (full directory path which
+#                                    should already exist)
+#         export CONTAINER_NAME      Name of the container on the RGW where
+#                                    the backups are stored.
+#         RGW access variables:
+#           export OS_REGION_NAME          Name of the region the RGW resides in
+#           export OS_AUTH_URL             Keystone URL associated with the RGW
+#           export OS_PROJECT_NAME         Name of the project associated with the
+#                                          keystone user
+#           export OS_USERNAME             Name of the keystone user
+#           export OS_PASSWORD             Password of the keystone user
+#           export OS_USER_DOMAIN_NAME     Keystone domain the project belongs to
+#           export OS_PROJECT_DOMAIN_NAME  Keystone domain the user belongs to
+#           export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# The database-specific functions that need to be implemented are:
+#   get_databases
+#       where:
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <db_file>     is the full path of the file to write the database
+#                       names into, one database per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the database names from the
+#       uncompressed database files found in the given "tmp_dir", which is
+#       the staging directory for database restore. The database names
+#       should be written to the given "db_file", one database name per
+#       line.
+#
+#   get_tables
+#         <db_name>     is the name of the database to get the tables from
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <table_file>  is the full path of the file to write the table
+#                       names into, one table per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the table names from the given
+#       database, found in the uncompressed database files located in the
+#       given "tmp_dir", which is the staging directory for database restore.
+#       The table names should be written to the given "table_file", one
+#       table name per line.
+#
+#   get_rows
+#         <table_name>  is the name of the table to get the rows from
+#         <db_name>     is the name of the database the table resides in
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <rows_file>   is the full path of the file to write the table
+#                       row data into, one row (INSERT statement) per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the rows from the given table
+#       in the given database, found in the uncompressed database files
+#       located in the given "tmp_dir", which is the staging directory for
+#       database restore. The table rows should be written to the given
+#       "rows_file", one row (INSERT statement) per line.
+#
+#   get_schema
+#         <table_name>  is the name of the table to get the schema from
+#         <db_name>     is the name of the database the table resides in
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <schema_file> is the full path of the file to write the table
+#                       schema data into
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the schema from the given table
+#       in the given database, found in the uncompressed database files
+#       located in the given "tmp_dir", which is the staging directory for
+#       database restore. The table schema and related alterations and
+#       grant information should be written to the given "schema_file".
+#
+#   restore_single_db
+#       where:
+#         <db_name>     is the name of the database to be restored
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to restore the database given as "db_name"
+#       using the database files located in the "tmp_dir". The framework
+#       will delete the "tmp_dir" and the files in it after the restore is
+#       complete.
+#
+#   restore_all_dbs
+#       where:
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to restore all of the databases which
+#       are backed up in the database files located in the "tmp_dir". The
+#       framework will delete the "tmp_dir" and the files in it after the
+#       restore is complete.
+#
+# The functions in this file will take care of:
+#   1) The CLI parameter parsing for the arguments passed in by the user.
+#   2) The listing of either local or remote archive files at the request
+#      of the user.
+#   3) The retrieval/download of an archive file located either in the local
+#      file system or remotely stored on an RGW.
+#   4) Calling either "restore_single_db" or "restore_all_dbs" when the user
+#      chooses to restore a database or all databases.
+#   5) The framework will call "get_databases" when it needs a list of
+#      databases when the user requests a database list or when the user
+#      requests to restore a single database (to ensure it exists in the
+#      archive). Similarly, the framework will call "get_tables", "get_rows",
+#      or "get_schema" when it needs that data requested by the user.
+#
+
+usage() {
+  ret_val=$1
+  echo "Usage:"
+  echo "Restore command options"
+  echo "============================="
+  echo "help"
+  echo "list_archives [remote]"
+  echo "list_databases <archive_filename> [remote]"
+  echo "list_tables <archive_filename> <dbname> [remote]"
+  echo "list_rows <archive_filename> <dbname> <table_name> [remote]"
+  echo "list_schema <archive_filename> <dbname> <table_name> [remote]"
+  echo "restore <archive_filename> <db_specifier> [remote]"
+  echo "        where <db_specifier> = <dbname> | ALL"
+  echo "delete_archive <archive_filename> [remote]"
+  clean_and_exit $ret_val ""
+}
+
+#Exit cleanly with some message and return code
+clean_and_exit() {
+  RETCODE=$1
+  MSG=$2
+
+  # Clean/remove temporary directories/files
+  rm -rf $TMP_DIR
+  rm -f $RESULT_FILE
+
+  if [[ "x${MSG}" != "x" ]]; then
+    echo $MSG
+  fi
+  exit $RETCODE
+}
+
+determine_resulting_error_code() {
+  RESULT="$1"
+
+  echo ${RESULT} | grep "HTTP 404"
+  if [[ $? -eq 0 ]]; then
+    echo "Could not find the archive: ${RESULT}"
+    return 1
+  else
+    echo ${RESULT} | grep "HTTP 401"
+    if [[ $? -eq 0 ]]; then
+      echo "Could not access the archive: ${RESULT}"
+      return 1
+    else
+      echo ${RESULT} | grep "HTTP 503"
+      if [[ $? -eq 0 ]]; then
+        echo "RGW service is unavailable. ${RESULT}"
+        # In this case, the RGW may be temporarily down.
+        # Return slightly different error code so the calling code can retry
+        return 2
+      else
+        echo ${RESULT} | grep "ConnectionError"
+        if [[ $? -eq 0 ]]; then
+          echo "Could not reach the RGW: ${RESULT}"
+          # In this case, keystone or the site/node may be temporarily down.
+          # Return slightly different error code so the calling code can retry
+          return 2
+        else
+          echo "Archive ${ARCHIVE} could not be retrieved: ${RESULT}"
+          return 1
+        fi
+      fi
+    fi
+  fi
+  return 0
+}
+
+# Retrieve a list of archives from the RGW.
+retrieve_remote_listing() {
+  RESULT=$(openstack container show $CONTAINER_NAME 2>&1)
+  if [[ $? -eq 0 ]]; then
+    # Get the list, ensureing that we only pick up the right kind of backups from the
+    # requested namespace
+    openstack object list $CONTAINER_NAME | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $TMP_DIR/archive_list
+    if [[ $? -ne 0 ]]; then
+      echo "Container object listing could not be obtained."
+      return 1
+    else
+      echo "Archive listing successfully retrieved."
+    fi
+  else
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  fi
+  return 0
+}
+
+# Retrieve a single archive from the RGW.
+retrieve_remote_archive() {
+  ARCHIVE=$1
+
+  RESULT=$(openstack object save --file $TMP_DIR/$ARCHIVE $CONTAINER_NAME $ARCHIVE 2>&1)
+  if [[ $? -ne 0 ]]; then
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  else
+    echo "Archive $ARCHIVE successfully retrieved."
+  fi
+  return 0
+}
+
+# Delete an archive from the RGW.
+delete_remote_archive() {
+  ARCHIVE=$1
+
+  RESULT=$(openstack object delete ${CONTAINER_NAME} ${ARCHIVE} 2>&1)
+  if [[ $? -ne 0 ]]; then
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  else
+    echo "Archive ${ARCHIVE} successfully deleted."
+  fi
+  return 0
+}
+
+# Display all archives
+list_archives() {
+  REMOTE=$1
+
+  if [[ "x${REMOTE^^}" == "xREMOTE" ]]; then
+    retrieve_remote_listing
+    if [[ $? -eq 0 && -e $TMP_DIR/archive_list ]]; then
+      echo
+      echo "All Archives from RGW Data Store"
+      echo "=============================================="
+      cat $TMP_DIR/archive_list | sort
+      clean_and_exit 0 ""
+    else
+      clean_and_exit 1 "ERROR: Archives could not be retrieved from the RGW."
+    fi
+  elif [[ "x${REMOTE}" == "x" ]]; then
+    if [[ -d $ARCHIVE_DIR ]]; then
+      archives=$(find $ARCHIVE_DIR/ -iname "*.gz" -print | sort)
+      echo
+      echo "All Local Archives"
+      echo "=============================================="
+      for archive in $archives
+      do
+        echo $archive | cut -d '/' -f8-
+      done
+      clean_and_exit 0 ""
+    else
+      clean_and_exit 1 "ERROR: Local archive directory is not available."
+    fi
+  else
+    usage 1
+  fi
+}
+
+# Retrieve the archive from the desired location and decompress it into
+# the restore directory
+get_archive() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+
+  if [[ "x$REMOTE" == "xremote" ]]; then
+    echo "Retrieving archive ${ARCHIVE_FILE} from the remote RGW..."
+    retrieve_remote_archive $ARCHIVE_FILE
+    if [[ $? -ne 0 ]]; then
+      clean_and_exit 1 "ERROR: Could not retrieve remote archive: $ARCHIVE_FILE"
+    fi
+  elif [[ "x$REMOTE" == "x" ]]; then
+    if [[ -e $ARCHIVE_DIR/$ARCHIVE_FILE ]]; then
+      cp $ARCHIVE_DIR/$ARCHIVE_FILE $TMP_DIR/$ARCHIVE_FILE
+      if [[ $? -ne 0 ]]; then
+        clean_and_exit 1 "ERROR: Could not copy local archive to restore directory."
+      fi
+    else
+      clean_and_exit 1 "ERROR: Local archive file could not be found."
+    fi
+  else
+    usage 1
+  fi
+
+  echo "Decompressing archive $ARCHIVE_FILE..."
+  cd $TMP_DIR
+  tar zxvf - < $TMP_DIR/$ARCHIVE_FILE 1>/dev/null
+  if [[ $? -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Archive decompression failed."
+  fi
+}
+
+# Display all databases from an archive
+list_databases() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one database per line
+  get_databases $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve databases from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Databases in the $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Databases file missing. Could not list databases from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display all tables of a database from an archive
+list_tables() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  REMOTE=$3
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one table per line
+  get_tables $DATABASE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve tables for database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Tables in database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Tables file missing. Could not list tables of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display all rows of the given database table from an archive
+list_rows() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  TABLE=$3
+  REMOTE=$4
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one table per line
+  get_rows $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Rows in table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Rows file missing. Could not list rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display the schema information of the given database table from an archive
+list_schema() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  TABLE=$3
+  REMOTE=$4
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the schema information will be placed into
+  # the given schema file.
+  get_schema $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Schema for table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Schema file missing. Could not list schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Delete an archive
+delete_archive() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  if [[ "${WHERE}" == "remote" ]]; then
+    delete_remote_archive ${ARCHIVE_FILE}
+    if [[ $? -ne 0 ]]; then
+      clean_and_exit 1 "ERROR: Could not delete remote archive: ${ARCHIVE_FILE}"
+    fi
+  else # Local
+    if [[ -e ${ARCHIVE_DIR}/${ARCHIVE_FILE} ]]; then
+      rm -f ${ARCHIVE_DIR}/${ARCHIVE_FILE}
+      if [[ $? -ne 0 ]]; then
+        clean_and_exit 1 "ERROR: Could not delete local archive."
+      fi
+    else
+      clean_and_exit 1 "ERROR: Local archive file could not be found."
+    fi
+  fi
+
+  echo "Successfully deleted archive ${ARCHIVE_FILE} from ${WHERE} storage."
+}
+
+
+# Return 1 if the given database exists in the database file. 0 otherwise.
+database_exists() {
+  DB=$1
+
+  grep "${DB}" ${RESULT_FILE}
+  if [[ $? -eq 0 ]]; then
+    return 1
+  fi
+  return 0
+}
+
+# This is the main CLI interpreter function
+cli_main() {
+  ARGS=("$@")
+
+  # Create the ARCHIVE DIR if it's not already there.
+  mkdir -p $ARCHIVE_DIR
+
+  # Create temp directory for a staging area to decompress files into
+  export TMP_DIR=$(mktemp -d)
+
+  # Create a temp file for storing list of databases (if needed)
+  export RESULT_FILE=$(mktemp -p /tmp)
+
+  case "${ARGS[0]}" in
+    "help")
+      usage 0
+      ;;
+
+    "list_archives")
+      if [[ ${#ARGS[@]} -gt 2 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 1 ]]; then
+        list_archives
+      else
+        list_archives ${ARGS[1]}
+      fi
+      clean_and_exit 0
+      ;;
+
+    "list_databases")
+      if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 2 ]]; then
+        list_databases ${ARGS[1]}
+      else
+        list_databases ${ARGS[1]} ${ARGS[2]}
+      fi
+      ;;
+
+    "list_tables")
+      if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 3 ]]; then
+        list_tables ${ARGS[1]} ${ARGS[2]}
+      else
+        list_tables ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      fi
+      ;;
+
+    "list_rows")
+      if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      else
+        list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+      fi
+      ;;
+
+    "list_schema")
+      if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      else
+        list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+      fi
+      ;;
+
+    "restore")
+      REMOTE=""
+      if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        REMOTE=${ARGS[3]}
+      fi
+
+      ARCHIVE=${ARGS[1]}
+      DB_SPEC=${ARGS[2]}
+
+      #Get all the databases in that archive
+      get_archive $ARCHIVE $REMOTE
+
+      if [[ "$( echo $DB_SPEC | tr '[a-z]' '[A-Z]')" != "ALL" ]]; then
+        # Expectation is that the database listing will be put into
+        # the given file one database per line
+        get_databases $TMP_DIR $RESULT_FILE
+        if [[ "$?" -ne 0 ]]; then
+          clean_and_exit 1 "ERROR: Could not get the list of databases to restore."
+        fi
+
+        if [[ ! $DB_NAMESPACE == "kube-system" ]]; then
+          #check if the requested database is available in the archive
+          database_exists $DB_SPEC
+          if [[ $? -ne 1 ]]; then
+            clean_and_exit 1 "ERROR: Database ${DB_SPEC} does not exist."
+          fi
+        fi
+
+        echo "Restoring Database $DB_SPEC And Grants"
+        restore_single_db $DB_SPEC $TMP_DIR
+        if [[ "$?" -eq 0 ]]; then
+          echo "Single database restored successfully."
+        else
+          clean_and_exit 1 "ERROR: Single database restore failed."
+        fi
+        clean_and_exit 0 ""
+      else
+        echo "Restoring All The Databases. This could take a few minutes..."
+        restore_all_dbs $TMP_DIR
+        if [[ "$?" -eq 0 ]]; then
+          echo "All databases restored successfully."
+        else
+          clean_and_exit 1 "ERROR: Database restore failed."
+        fi
+        clean_and_exit 0 ""
+      fi
+      ;;
+    "delete_archive")
+      if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 2 ]]; then
+        delete_archive ${ARGS[1]}
+      else
+        delete_archive ${ARGS[1]} ${ARGS[2]}
+      fi
+      ;;
+    *)
+      usage 1
+      ;;
+  esac
+
+  clean_and_exit 0 ""
+}
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_image.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_image.tpl
new file mode 100644
index 0000000..029c93d
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_image.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves an image reference to a string, and its pull policy
+values: |
+  images:
+    tags:
+      test_image: docker.io/port/test:version-foo
+      image_foo: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    pull_policy: IfNotPresent
+    local_registry:
+      active: true
+      exclude:
+        - image_foo
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    local_image_registry:
+      name: docker-registry
+      namespace: docker-registry
+      hosts:
+        default: localhost
+        internal: docker-registry
+        node: localhost
+      host_fqdn_override:
+        default: null
+      port:
+        registry:
+          node: 5000
+usage: |
+  {{ tuple . "test_image" | include "helm-toolkit.snippets.image" }}
+return: |
+  image: "localhost:5000/docker.io/port/test:version-foo"
+  imagePullPolicy: IfNotPresent
+*/}}
+
+{{- define "helm-toolkit.snippets.image" -}}
+{{- $envAll := index . 0 -}}
+{{- $image := index . 1 -}}
+{{- $imageTag := index $envAll.Values.images.tags $image -}}
+{{- if and ($envAll.Values.images.local_registry.active) (not (has $image $envAll.Values.images.local_registry.exclude )) -}}
+{{- $registryPrefix := printf "%s:%s" (tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup") (tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup") -}}
+image: {{ printf "%s/%s" $registryPrefix $imageTag | quote }}
+{{- else -}}
+image: {{ $imageTag | quote }}
+{{- end }}
+imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
new file mode 100644
index 0000000..2f209fe
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a set of container enviorment variables, equivlant to an openrc for
+  use with keystone based command line clients.
+values: |
+  secrets:
+    identity:
+      admin: example-keystone-admin
+usage: |
+  {{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin ) }}
+return: |
+  - name: OS_IDENTITY_API_VERSION
+    value: "3"
+  - name: OS_AUTH_URL
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_AUTH_URL
+  - name: OS_REGION_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_REGION_NAME
+  - name: OS_INTERFACE
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_INTERFACE
+  - name: OS_ENDPOINT_TYPE
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_INTERFACE
+  - name: OS_PROJECT_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PROJECT_DOMAIN_NAME
+  - name: OS_PROJECT_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PROJECT_NAME
+  - name: OS_USER_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_USER_DOMAIN_NAME
+  - name: OS_USERNAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_USERNAME
+  - name: OS_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PASSWORD
+  - name: OS_CACERT
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_CACERT
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }}
+{{- $useCA := .useCA -}}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: OS_IDENTITY_API_VERSION
+  value: "3"
+- name: OS_AUTH_URL
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_AUTH_URL
+- name: OS_REGION_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_REGION_NAME
+- name: OS_INTERFACE
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_INTERFACE
+- name: OS_ENDPOINT_TYPE
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_INTERFACE
+- name: OS_PROJECT_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_DOMAIN_NAME
+- name: OS_PROJECT_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_NAME
+- name: OS_USER_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USER_DOMAIN_NAME
+- name: OS_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USERNAME
+- name: OS_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PASSWORD
+- name: OS_DEFAULT_DOMAIN
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_DEFAULT_DOMAIN
+{{- if $useCA }}
+- name: OS_CACERT
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_CACERT
+{{- end }}
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
new file mode 100644
index 0000000..f627657
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_secret_openrc" }}
+{{- $userClass := index . 0 -}}
+{{- $identityEndpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $userContext := index $context.Values.endpoints.identity.auth $userClass }}
+OS_AUTH_URL: {{ tuple "identity" $identityEndpoint "api" $context | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
+OS_REGION_NAME: {{ $userContext.region_name | b64enc }}
+OS_INTERFACE: {{ $userContext.interface | default "internal" | b64enc }}
+OS_PROJECT_DOMAIN_NAME: {{ $userContext.project_domain_name | b64enc }}
+OS_PROJECT_NAME: {{ $userContext.project_name | b64enc }}
+OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }}
+OS_USERNAME: {{ $userContext.username | b64enc }}
+OS_PASSWORD: {{ $userContext.password | b64enc }}
+OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }}
+{{- if $userContext.cacert }}
+OS_CACERT: {{ $userContext.cacert | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
new file mode 100644
index 0000000..648711b
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a set of container enviorment variables, for use with the keystone
+  user management jobs.
+values: |
+  secrets:
+    identity:
+      service_user: example-keystone-user
+usage: |
+  {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }}
+return: |
+  - name: SERVICE_OS_REGION_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_REGION_NAME
+  - name: SERVICE_OS_PROJECT_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PROJECT_DOMAIN_NAME
+  - name: SERVICE_OS_PROJECT_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PROJECT_NAME
+  - name: SERVICE_OS_USER_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_USER_DOMAIN_NAME
+  - name: SERVICE_OS_USERNAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_USERNAME
+  - name: SERVICE_OS_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PASSWORD
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_user_create_env_vars" }}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: SERVICE_OS_REGION_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_REGION_NAME
+- name: SERVICE_OS_PROJECT_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_DOMAIN_NAME
+- name: SERVICE_OS_PROJECT_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_NAME
+- name: SERVICE_OS_USER_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USER_DOMAIN_NAME
+- name: SERVICE_OS_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USERNAME
+- name: SERVICE_OS_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PASSWORD
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
new file mode 100644
index 0000000..8ca1028
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders a configmap used for loading custom AppArmor profiles.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+      apparmor_profiles: |-
+        my_apparmor-v1.profile: |-
+          #include <tunables/global>
+          profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+            <profile_data>
+          }
+usage: |
+  {{ dict "envAll" . "component" "myComponent" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }}
+return: |
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: releaseName-myComponent-apparmor
+  namespace: myNamespace
+data:
+  my_apparmor-v1.profile: |-
+    #include <tunables/global>
+    profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+      <profile_data>
+    }
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_configmap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- $mapName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if $envAll.Values.conf.apparmor_profiles }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ $mapName }}
+  namespace: {{ $envAll.Release.Namespace }}
+data:
+{{ $envAll.Values.conf.apparmor_profiles | toYaml | indent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
new file mode 100644
index 0000000..f231fe6
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders the init container used for apparmor loading.
+values: |
+  images:
+    tags:
+      apparmor_loader: my-repo.io/apparmor-loader:1.0.0
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+      apparmor-loader: unconfined
+usage: |
+  {{ dict "envAll" . | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" }}
+return: |
+  - name: apparmor-loader
+    image: my-repo.io/apparmor-loader:1.0.0
+    args:
+      - /profiles
+    securityContext:
+      privileged: true
+    volumeMounts:
+      - name: sys
+        mountPath: /sys
+        readOnly: true
+      - name: includes
+        mountPath: /etc/apparmor.d
+        readOnly: true
+      - name: profiles
+        mountPath: /profiles
+        readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" -}}
+{{- $envAll := index . "envAll" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+- name: apparmor-loader
+  image: {{ $envAll.Values.images.tags.apparmor_loader }}
+  args:
+    - /profiles
+  securityContext:
+    privileged: true
+  volumeMounts:
+    - name: sys
+      mountPath: /sys
+      readOnly: true
+    - name: includes
+      mountPath: /etc/apparmor.d
+      readOnly: true
+    - name: profiles
+      mountPath: /profiles
+      readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
new file mode 100644
index 0000000..baebaa3
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders the volumes used by the apparmor loader.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+inputs: |
+  envAll: "Environment or Context."
+  component: "Name of the component used for the name of configMap."
+  requireSys: "Boolean. True if it needs the hostpath /sys in volumes."
+usage: |
+  {{ dict "envAll" . "component" "keystone" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" }}
+return: |
+- name: sys
+  hostPath:
+    path: /sys
+- name: includes
+  hostPath:
+    path: /etc/apparmor.d
+- name: profiles
+  configMap:
+    name: RELEASENAME-keystone-apparmor
+    defaultMode: 0555
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_volumes" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $requireSys := index . "requireSys" | default false -}}
+{{- $configName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- if $requireSys }}
+- name: sys
+  hostPath:
+    path: /sys
+{{- end }}
+- name: includes
+  hostPath:
+    path: /etc/apparmor.d
+- name: profiles
+  configMap:
+    name: {{ $configName | quote }}
+    defaultMode: 0555
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
new file mode 100644
index 0000000..4741497
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders securityContext for a Kubernetes container.
+  For container level, see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#securitycontext-v1-core
+examples:
+  - values: |
+      pod:
+        security_context:
+          myApp:
+            container:
+              foo:
+                runAsUser: 34356
+                readOnlyRootFilesystem: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" "container" "foo" | include "helm-toolkit.snippets.kubernetes_container_security_context" }}
+    return: |
+      securityContext:
+        readOnlyRootFilesystem: true
+        runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_container_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $container := index . "container" -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{- if hasKey ( index $envAll.Values.pod.security_context $application "container" ) $container }}
+securityContext:
+{{ toYaml ( index $envAll.Values.pod.security_context $application "container" $container ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
new file mode 100644
index 0000000..bed712e
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
@@ -0,0 +1,209 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a container definition for use with the kubernetes-entrypoint image
+  from stackanetes.
+values: |
+  images:
+    tags:
+      dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    pull_policy: IfNotPresent
+    local_registry:
+      active: true
+      exclude:
+        - dep_check
+  dependencies:
+    dynamic:
+      common:
+        local_image_registry:
+          jobs:
+            - calico-image-repo-sync
+          services:
+            - endpoint: node
+              service: local_image_registry
+    static:
+      calico_node:
+        services:
+          - endpoint: internal
+            service: etcd
+        custom_resources:
+          - apiVersion: argoproj.io/v1alpha1
+            kind: Workflow
+            name: wf-example
+            fields:
+              - key: "status.phase"
+                value: "Succeeded"
+  endpoints:
+    local_image_registry:
+      namespace: docker-registry
+      hosts:
+        default: localhost
+        node: localhost
+    etcd:
+      hosts:
+        default: etcd
+  # NOTE (portdirect): if the stanza, or a portion of it, under `pod` is not
+  # specififed then the following will be used as defaults:
+  #  pod:
+  #    security_context:
+  #      kubernetes_entrypoint:
+  #        container:
+  #          kubernetes_entrypoint:
+  #            runAsUser: 65534
+  #            readOnlyRootFilesystem: true
+  #            allowPrivilegeEscalation: false
+  pod:
+    security_context:
+      kubernetes_entrypoint:
+        container:
+          kubernetes_entrypoint:
+            runAsUser: 0
+            readOnlyRootFilesystem: false
+usage: |
+  {{ tuple . "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" }}
+return: |
+  - name: init
+    image: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+    imagePullPolicy: IfNotPresent
+    securityContext:
+      allowPrivilegeEscalation: false
+      readOnlyRootFilesystem: false
+      runAsUser: 0
+
+    env:
+      - name: POD_NAME
+        valueFrom:
+          fieldRef:
+            apiVersion: v1
+            fieldPath: metadata.name
+      - name: NAMESPACE
+        valueFrom:
+          fieldRef:
+            apiVersion: v1
+            fieldPath: metadata.namespace
+      - name: INTERFACE_NAME
+        value: eth0
+      - name: PATH
+        value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+      - name: DEPENDENCY_SERVICE
+        value: "default:etcd,docker-registry:localhost"
+      - name: DEPENDENCY_JOBS
+        value: "calico-image-repo-sync"
+      - name: DEPENDENCY_DAEMONSET
+        value: ""
+      - name: DEPENDENCY_CONTAINER
+        value: ""
+      - name: DEPENDENCY_POD_JSON
+        value: ""
+      - name: DEPENDENCY_CUSTOM_RESOURCE
+        value: "[{\"apiVersion\":\"argoproj.io/v1alpha1\",\"kind\":\"Workflow\",\"namespace\":\"default\",\"name\":\"wf-example\",\"fields\":[{\"key\":\"status.phase\",\"value\":\"Succeeded\"}]}]"
+    command:
+      - kubernetes-entrypoint
+    volumeMounts:
+      []
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" -}}
+Values:
+  pod:
+    security_context:
+      kubernetes_entrypoint:
+        container:
+          kubernetes_entrypoint:
+            runAsUser: 65534
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $mounts := index . 2 -}}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+
+{{- if and ($envAll.Values.manifests.job_rabbit_init) (hasKey $envAll.Values.dependencies "dynamic") -}}
+{{- if $envAll.Values.dependencies.dynamic.job_rabbit_init -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component) ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component)) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+{{- range $deps.custom_resources }}
+{{- $_ := set . "namespace" $envAll.Release.Namespace -}}
+{{- end -}}
+{{- $default_security_context := include "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" . | fromYaml }}
+{{- $patchedEnvAll := mergeOverwrite $default_security_context $envAll }}
+- name: init
+{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
+{{- dict "envAll" $patchedEnvAll "application" "kubernetes_entrypoint" "container" "kubernetes_entrypoint" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 2 }}
+  env:
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          apiVersion: v1
+          fieldPath: metadata.name
+    - name: NAMESPACE
+      valueFrom:
+        fieldRef:
+          apiVersion: v1
+          fieldPath: metadata.namespace
+    - name: INTERFACE_NAME
+      value: eth0
+    - name: PATH
+      value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+    - name: DEPENDENCY_SERVICE
+      value: "{{ tuple $deps.services $envAll | include "helm-toolkit.utils.comma_joined_service_list" }}"
+{{- if $deps.jobs -}}
+  {{- if kindIs "string" (index $deps.jobs 0) }}
+    - name: DEPENDENCY_JOBS
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.jobs }}"
+  {{- else }}
+    - name: DEPENDENCY_JOBS_JSON
+      value: {{- toJson $deps.jobs | quote -}}
+  {{- end -}}
+{{- end }}
+    - name: DEPENDENCY_DAEMONSET
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.daemonset }}"
+    - name: DEPENDENCY_CONTAINER
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.container }}"
+    - name: DEPENDENCY_POD_JSON
+      value: {{ if $deps.pod }}{{ toJson $deps.pod | quote }}{{ else }}""{{ end }}
+    - name: DEPENDENCY_CUSTOM_RESOURCE
+      value: {{ if $deps.custom_resources }}{{ toJson $deps.custom_resources | quote }}{{ else }}""{{ end }}
+  command:
+    - kubernetes-entrypoint
+  volumeMounts:
+{{ toYaml $mounts | indent 4 }}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
new file mode 100644
index 0000000..34a7da3
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
@@ -0,0 +1,20 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_kubectl_params" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{ print "-l application=" $application " -l component=" $component }}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
new file mode 100644
index 0000000..92d3ea5
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders mandatory access control annotations for a list of containers
+  driven by values.yaml. As of now, it can only generate an apparmor
+  annotation, but in the future could generate others.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      myPodName:
+        myContainerName: localhost/myAppArmor
+        mySecondContainerName: localhost/secondProfile # optional
+        myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+  {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" }}
+return: |
+  container.apparmor.security.beta.kubernetes.io/myContainerName: localhost/myAppArmor
+  container.apparmor.security.beta.kubernetes.io/mySecondContainerName: localhost/secondProfile
+  container.apparmor.security.beta.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+  The number of container underneath is a variable arguments. It loops through
+  all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- $macType := $envAll.Values.pod.mandatory_access_control.type -}}
+{{- if $macType -}}
+{{- if eq $macType "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control $podName -}}
+{{- range $name := $containerNames -}}
+{{- $apparmorProfile := index $envAll.Values.pod.mandatory_access_control $podName $name -}}
+{{- if $apparmorProfile }}
+container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
new file mode 100644
index 0000000..48b53fa
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders a set of standardised labels
+values: |
+  release_group: null
+  pod:
+    labels:
+      default:
+        label1.example.com: value
+      bar:
+        label2.example.com: bar
+usage: |
+  {{ tuple . "foo" "bar" | include "helm-toolkit.snippets.kubernetes_metadata_labels" }}
+return: |
+  release_group: RELEASE-NAME
+  application: foo
+  component: bar
+  label1.example.com: value
+  label2.example.com: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+release_group: {{ $envAll.Values.release_group | default $envAll.Release.Name }}
+application: {{ $application }}
+component: {{ $component }}
+{{- if ($envAll.Values.pod).labels }}
+{{- if hasKey $envAll.Values.pod.labels $component }}
+{{ index $envAll.Values.pod "labels" $component | toYaml }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.labels "default" }}
+{{ $envAll.Values.pod.labels.default | toYaml }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
new file mode 100644
index 0000000..fabbcf8
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
@@ -0,0 +1,89 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes anti affinity rules, this function supports both hard
+  'requiredDuringSchedulingIgnoredDuringExecution' and soft
+  'preferredDuringSchedulingIgnoredDuringExecution' types.
+values: |
+  pod:
+    affinity:
+      anti:
+        topologyKey:
+          default: kubernetes.io/hostname
+        type:
+          default: requiredDuringSchedulingIgnoredDuringExecution
+        weight:
+          default: 10
+usage: |
+  {{ tuple . "appliction_x" "component_y" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" }}
+return: |
+  podAntiAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+    - labelSelector:
+        matchExpressions:
+          - key: release_group
+            operator: In
+            values:
+            - RELEASE-NAME
+          - key: application
+            operator: In
+            values:
+            - appliction_x
+          - key: component
+            operator: In
+            values:
+            - component_y
+          topologyKey: kubernetes.io/hostname
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $component := index . "component" -}}
+{{- $expressionRelease := dict "key" "release_group" "operator" "In"  "values" ( list ( $envAll.Values.release_group | default $envAll.Release.Name ) ) -}}
+{{- $expressionApplication := dict "key" "application" "operator" "In"  "values" ( list $application ) -}}
+{{- $expressionComponent := dict "key" "component" "operator" "In"  "values" ( list $component ) -}}
+{{- list $expressionRelease $expressionApplication $expressionComponent | toYaml }}
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{- $antiAffinityType := index $envAll.Values.pod.affinity.anti.type $component | default $envAll.Values.pod.affinity.anti.type.default }}
+{{- $antiAffinityKey := index $envAll.Values.pod.affinity.anti.topologyKey $component | default $envAll.Values.pod.affinity.anti.topologyKey.default }}
+podAntiAffinity:
+{{- $matchExpressions := include "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" ( dict "envAll" $envAll "application" $application "component" $component ) -}}
+{{- if eq $antiAffinityType "preferredDuringSchedulingIgnoredDuringExecution" }}
+  {{ $antiAffinityType }}:
+  - podAffinityTerm:
+      labelSelector:
+        matchExpressions:
+{{ $matchExpressions | indent 10 }}
+      topologyKey: {{ $antiAffinityKey }}
+{{- if  $envAll.Values.pod.affinity.anti.weight }}
+    weight: {{ index $envAll.Values.pod.affinity.anti.weight $component | default $envAll.Values.pod.affinity.anti.weight.default }}
+{{- else }}
+    weight: 10
+{{- end -}}
+{{- else if eq $antiAffinityType "requiredDuringSchedulingIgnoredDuringExecution" }}
+  {{ $antiAffinityType }}:
+  - labelSelector:
+      matchExpressions:
+{{ $matchExpressions | indent 8 }}
+    topologyKey: {{ $antiAffinityKey }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
new file mode 100644
index 0000000..74173dc
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders image pull secrets for a pod
+values: |
+  pod:
+    image_pull_secrets:
+      default:
+        - name: some-pull-secret
+      bar:
+        - name: another-pull-secret
+usage: |
+  {{ tuple . "bar" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" }}
+return: |
+  imagePullSecrets:
+    - name: some-pull-secret
+    - name: another-pull-secret
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_image_pull_secrets" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- if ($envAll.Values.pod).image_pull_secrets }}
+imagePullSecrets:
+{{- if hasKey $envAll.Values.pod.image_pull_secrets $application }}
+{{ index $envAll.Values.pod "image_pull_secrets" $application | toYaml | indent 2 }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.image_pull_secrets "default" }}
+{{ $envAll.Values.pod.image_pull_secrets.default | toYaml | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
new file mode 100644
index 0000000..90a7a65
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{{- $saName := index . 2 | replace "_" "-" }}
+{{- $saNamespace := index . 3 -}}
+{{- $releaseName := $envAll.Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $releaseName }}-{{ $saName }}
+  namespace: {{ $saNamespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $saName }}
+    namespace: {{ $saNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+  namespace: {{ $saNamespace }}
+rules:
+  - apiGroups:
+      - ""
+      - extensions
+      - batch
+      - apps
+    verbs:
+      - get
+      - list
+    resources:
+      {{- range $k, $v := $deps -}}
+      {{ if eq $v "daemonsets" }}
+      - daemonsets
+      {{- end -}}
+      {{ if eq $v "jobs" }}
+      - jobs
+      {{- end -}}
+      {{ if or (eq $v "pods") (eq $v "daemonsets") (eq $v "jobs") }}
+      - pods
+      {{- end -}}
+      {{ if eq $v "services" }}
+      - services
+      - endpoints
+      {{- end -}}
+      {{ if eq $v "secrets" }}
+      - secrets
+      {{- end -}}
+      {{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
new file mode 100644
index 0000000..bc2045e
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $saName := index . 2 -}}
+{{- $saNamespace := $envAll.Release.Namespace }}
+{{- $randomKey := randAlphaNum 32 }}
+{{- $allNamespace := dict $randomKey "" }}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $saName }}
+  namespace: {{ $saNamespace }}
+{{- if $envAll.Values.manifests.secret_registry }}
+{{- if $envAll.Values.endpoints.oci_image_registry.auth.enabled }}
+imagePullSecrets:
+  - name: {{ index $envAll.Values.secrets.oci_image_registry $envAll.Chart.Name }}
+{{- end -}}
+{{- end -}}
+{{- range $k, $v := $deps -}}
+{{- if eq $k "services" }}
+{{- range $serv := $v }}
+{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
+{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
+{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
+{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- else if and (eq $k "jobs") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "daemonset") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "pod") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "pods," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "secret") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "secrets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- $_ := unset $allNamespace $randomKey }}
+{{- range $ns, $vv := $allNamespace }}
+{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
+{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
new file mode 100644
index 0000000..3a4fbaa
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
@@ -0,0 +1,67 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders securityContext for a Kubernetes pod.
+  For pod level, seurity context see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#podsecuritycontext-v1-core
+examples:
+  - values: |
+      pod:
+        # NOTE: The 'user' key is deprecated, and will be removed shortly.
+        user:
+          myApp:
+            uid: 34356
+        security_context:
+          myApp:
+            pod:
+              runAsNonRoot: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+    return: |
+      securityContext:
+        runAsUser: 34356
+        runAsNonRoot: true
+  - values: |
+      pod:
+        security_context:
+          myApp:
+            pod:
+              runAsUser: 34356
+              runAsNonRoot: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+    return: |
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+securityContext:
+{{- if hasKey $envAll.Values.pod "user" }}
+{{- if hasKey $envAll.Values.pod.user $application }}
+{{- if hasKey ( index $envAll.Values.pod.user $application ) "uid" }}
+  runAsUser: {{ index $envAll.Values.pod.user $application "uid" }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{ toYaml ( index $envAll.Values.pod.security_context $application "pod" ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
new file mode 100644
index 0000000..7470760
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes liveness and readiness probes for containers
+values: |
+  pod:
+    probes:
+      api:
+        default:
+          readiness:
+            enabled: true
+            params:
+              initialDelaySeconds: 30
+              timeoutSeconds: 30
+usage: |
+  {{- define "probeTemplate" }}
+  httpGet:
+    path: /status
+    port: 9090
+  {{- end }}
+  {{ dict "envAll" . "component" "api" "container" "default" "type" "readiness" "probeTemplate" (include "probeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" }}
+return: |
+  readinessProbe:
+    httpGet:
+      path: /status
+      port: 9090
+    initialDelaySeconds: 30
+    timeoutSeconds: 30
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_probe" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $container := index . "container" -}}
+{{- $type := index . "type" -}}
+{{- $probeTemplate := index . "probeTemplate" -}}
+{{- $probeOpts := index $envAll.Values.pod.probes $component $container $type -}}
+{{- if $probeOpts.enabled -}}
+{{- $probeOverides := index $probeOpts "params" | default dict -}}
+{{ dict ( printf "%sProbe" $type ) (mergeOverwrite $probeTemplate $probeOverides ) | toYaml }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
new file mode 100644
index 0000000..24d30cf
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
@@ -0,0 +1,53 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Note: This function is deprecated and will be removed in the future.
+
+abstract: |
+  Renders kubernetes resource limits for pods
+values: |
+  pod:
+    resources:
+      enabled: true
+      api:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+          hugepages-1Gi: "1Gi"
+
+usage: |
+  {{ include "helm-toolkit.snippets.kubernetes_resources" ( tuple . .Values.pod.resources.api ) }}
+return: |
+  resources:
+    limits:
+      cpu: "2000m"
+      memory: "1024Mi"
+      hugepages-1Gi: "1Gi"
+    requests:
+      cpu: "100m"
+      memory: "128Mi
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_resources" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- if $envAll.Values.pod.resources.enabled -}}
+resources:
+{{ toYaml $component | trim | indent 2 }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
new file mode 100644
index 0000000..555ffb0
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders seccomp annotations for a list of containers driven by values.yaml.
+values: |
+  pod:
+    seccomp:
+      myPodName:
+        myContainerName: localhost/mySeccomp
+        mySecondContainerName: localhost/secondProfile # optional
+        myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+  {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_seccomp_annotation" }}
+return: |
+  container.seccomp.security.alpha.kubernetes.io/myContainerName: localhost/mySeccomp
+  container.seccomp.security.alpha.kubernetes.io/mySecondContainerName: localhost/secondProfile
+  container.seccomp.security.alpha.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+  The number of container underneath is a variable arguments. It loops through
+  all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_seccomp_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey (index $envAll.Values.pod "seccomp") $podName -}}
+{{- range $name := $containerNames -}}
+{{- $seccompProfile := index $envAll.Values.pod.seccomp $podName $name -}}
+{{- if $seccompProfile }}
+container.seccomp.security.alpha.kubernetes.io/{{ $name }}: {{ $seccompProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
new file mode 100644
index 0000000..e4af6a6
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes tolerations for pods
+values: |
+  pod:
+    tolerations:
+      api:
+        enabled: true
+        tolerations:
+        - key: node-role.kubernetes.io/master
+          operator: Exists
+        - key: node-role.kubernetes.io/node
+          operator: Exists
+
+usage: |
+  {{ include "helm-toolkit.snippets.kubernetes_tolerations" ( tuple . .Values.pod.tolerations.api ) }}
+return: |
+  tolerations:
+  - key: node-role.kubernetes.io/master
+    operator: Exists
+  - key: node-role.kubernetes.io/node
+    operator: Exists
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_tolerations" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $pod := index $envAll.Values.pod.tolerations $component }}
+tolerations:
+{{ toYaml $pod.tolerations }}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
new file mode 100644
index 0000000..69cee47
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_daemonset" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $upgradeMap := index $envAll.Values.pod.lifecycle.upgrades.daemonsets $component -}}
+{{- $pod_replacement_strategy := $envAll.Values.pod.lifecycle.upgrades.daemonsets.pod_replacement_strategy -}}
+{{- with $upgradeMap -}}
+{{- if .enabled }}
+minReadySeconds: {{ .min_ready_seconds }}
+updateStrategy:
+  type: {{ $pod_replacement_strategy }}
+  {{- if $pod_replacement_strategy }}
+  {{- if eq $pod_replacement_strategy "RollingUpdate" }}
+  rollingUpdate:
+    maxUnavailable: {{ .max_unavailable }}
+  {{- end }}
+  {{- end }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
new file mode 100644
index 0000000..be28cdb
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_deployment" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.deployments -}}
+revisionHistoryLimit: {{ .revision_history }}
+strategy:
+  type: {{ .pod_replacement_strategy }}
+  {{- if eq .pod_replacement_strategy "RollingUpdate" }}
+  rollingUpdate:
+    maxUnavailable: {{ .rolling_update.max_unavailable }}
+    maxSurge: {{ .rolling_update.max_surge }}
+  {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
new file mode 100644
index 0000000..f897023
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders upgradeStrategy configuration for Kubernetes statefulsets.
+  See: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+  Types:
+    - RollingUpdate (default)
+    - OnDelete
+  Partitions:
+    - Stage updates to a statefulset by keeping pods at current version while
+      allowing mutations to statefulset's .spec.template
+values: |
+  pod:
+    lifecycle:
+      upgrades:
+        statefulsets:
+          pod_replacement_strategy: RollingUpdate
+          partition: 2
+usage: |
+  {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_statefulset" | indent 2 }}
+return: |
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      partition: 2
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_statefulset" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.statefulsets -}}
+updateStrategy:
+  type: {{ .pod_replacement_strategy }}
+  {{ if .partition -}}
+  rollingUpdate:
+    partition: {{ .partition }}
+  {{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
new file mode 100644
index 0000000..fc74c6f
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
@@ -0,0 +1,68 @@
+{{- define "helm-toolkit.snippets.mon_host_from_k8s_ep" -}}
+{{/*
+
+Inserts a bash function definition mon_host_from_k8s_ep() which can be used
+to construct a mon_hosts value from the given namespaced endpoint.
+
+Usage (e.g. in _script.sh.tpl):
+    #!/bin/bash
+
+    : "${NS:=ceph}"
+    : "${EP:=ceph-mon-discovery}"
+
+    {{ include "helm-toolkit.snippets.mon_host_from_k8s_ep" . }}
+
+    MON_HOST=$(mon_host_from_k8s_ep "$NS" "$EP")
+
+    if [ -z "$MON_HOST" ]; then
+        # deal with failure
+    else
+        sed -i -e "s/^mon_host = /mon_host = $MON_HOST/" /etc/ceph/ceph.conf
+    fi
+*/}}
+{{`
+# Construct a mon_hosts value from the given namespaced endpoint
+# IP x.x.x.x with port p named "mon-msgr2" will appear as [v2:x.x.x.x/p/0]
+# IP x.x.x.x with port q named "mon" will appear as [v1:x.x.x.x/q/0]
+# IP x.x.x.x with ports p and q will appear as [v2:x.x.x.x/p/0,v1:x.x.x.x/q/0]
+# The entries for all IPs will be joined with commas
+mon_host_from_k8s_ep() {
+  local ns=$1
+  local ep=$2
+
+  if [ -z "$ns" ] || [ -z "$ep" ]; then
+    return 1
+  fi
+
+  # We don't want shell expansion for the go-template expression
+  # shellcheck disable=SC2016
+  kubectl get endpoints -n "$ns" "$ep" -o go-template='
+    {{- $sep := "" }}
+    {{- range $_,$s := .subsets }}
+      {{- $v2port := 0 }}
+      {{- $v1port := 0 }}
+      {{- range $_,$port := index $s "ports" }}
+        {{- if (eq $port.name "mon-msgr2") }}
+          {{- $v2port = $port.port }}
+        {{- else if (eq $port.name "mon") }}
+          {{- $v1port = $port.port }}
+        {{- end }}
+      {{- end }}
+      {{- range $_,$address := index $s "addresses" }}
+        {{- $v2endpoint := printf "v2:%s:%d/0" $address.ip $v2port }}
+        {{- $v1endpoint := printf "v1:%s:%d/0" $address.ip $v1port }}
+        {{- if (and $v2port $v1port) }}
+          {{- printf "%s[%s,%s]" $sep $v2endpoint $v1endpoint }}
+          {{- $sep = "," }}
+        {{- else if $v2port }}
+          {{- printf "%s[%s]" $sep $v2endpoint }}
+          {{- $sep = "," }}
+        {{- else if $v1port }}
+          {{- printf "%s[%s]" $sep $v1endpoint }}
+          {{- $sep = "," }}
+        {{- end }}
+      {{- end }}
+    {{- end }}'
+}
+`}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
new file mode 100644
index 0000000..fec41f8
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape jobs via pod
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape pods that have a value of `true`
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: Scrape the pod on the indicated port instead of the
+# pod's declared ports (default is a port-free target if none are declared).
+
+{{- define "helm-toolkit.snippets.prometheus_pod_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
new file mode 100644
index 0000000..a827c4b
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
@@ -0,0 +1,35 @@
+{{/*
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+   http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape endpoints via
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape services that have a value of `true`
+# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
+# to set this to `https` & most likely set the `tls_config` of the scrape config.
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: If the metrics are exposed on a different port to the
+# service then set this appropriately.
+
+{{- define "helm-toolkit.snippets.prometheus_service_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.scheme }}
+prometheus.io/scheme: {{ $config.scheme | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_release_uuid.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
new file mode 100644
index 0000000..253920b
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Reneders an attonation key and value for a release
+values: |
+  release_uuid: null
+usage: |
+  {{ tuple . | include "helm-toolkit.snippets.release_uuid" }}
+return: |
+  "openstackhelm.openstack.org/release_uuid": ""
+*/}}
+
+{{- define "helm-toolkit.snippets.release_uuid" -}}
+{{- $envAll := index . 0 -}}
+"openstackhelm.openstack.org/release_uuid": {{ $envAll.Values.release_uuid | default "" | quote }}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
new file mode 100644
index 0000000..a3169ce
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_admin_env_vars" }}
+{{- $s3AdminSecret := .s3AdminSecret }}
+- name: S3_ADMIN_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_USERNAME
+- name: S3_ADMIN_ACCESS_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_ACCESS_KEY
+- name: S3_ADMIN_SECRET_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_SECRET_KEY
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
new file mode 100644
index 0000000..a611a5e
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_secret_creds" }}
+{{- range $client, $config := .Values.storage.s3.clients -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+type: Opaque
+data:
+{{- range $key, $value := $config.auth }}
+  {{ $key | upper }}: {{ $value | toString | b64enc}}
+{{- end }}
+
+{{ end }}
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
new file mode 100644
index 0000000..a3dd431
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_user_env_vars" }}
+{{- range $client, $user := .Values.storage.s3.clients }}
+{{- $s3secret := printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+- name: {{ printf "%s_S3_USERNAME" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: USERNAME
+- name: {{ printf "%s_S3_ACCESS_KEY" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: ACCESS_KEY
+- name: {{ printf "%s_S3_SECRET_KEY" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: SECRET_KEY
+{{- end }}
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_tls_volume.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
new file mode 100644
index 0000000..41fe3d9
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+  Renders a secret volume for tls.
+
+  Dictionary Parameters:
+    enabled: boolean check if you want to conditional disable this snippet (optional)
+    name: name of the volume (required)
+    secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional)
+
+values: |
+  manifests:
+    certificates: true
+
+usage: |
+  {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume" -}}
+
+return: |
+  - name: glance-tls-api
+    secret:
+      secretName: glance-tls-api
+      defaultMode: 292
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $secretName := index . "secretName" | default $name -}}
+{{- if and $enabled (ne $name "") }}
+- name: {{ $name }}
+  secret:
+    secretName: {{ $secretName }}
+    defaultMode: 292
+{{- end }}
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
new file mode 100644
index 0000000..9cfa819
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
@@ -0,0 +1,82 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+  Renders a volume mount for TLS key, cert and CA.
+
+  Dictionary Parameters:
+    enabled: boolean check if you want to conditional disable this snippet (optional)
+    name: name that of the volume and should match the volume name (required)
+    path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required)
+    certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}.
+          the default is the full set. (optional)
+
+values: |
+  manifests:
+    certificates: true
+
+usage: |
+  {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/tls.crt
+    subPath: tls.crt
+    readOnly: true
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/tls.key
+    subPath: tls.key
+    readOnly: true
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/ca.crt
+    subPath: ca.crt
+    readOnly: true
+
+abstract: |
+  This mounts a specific issuing CA only for service validation
+
+usage: |
+  {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+  - name: glance-tls-api
+    mountPath: /etc/ssl/certs/openstack-helm.crt
+    subPath: ca.crt
+    readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume_mount" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $path := index . "path" | default "" -}}
+{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }}
+{{- if $enabled }}
+{{- if and (eq $path "") (ne $name "") }}
+- name: {{ $name }}
+  mountPath: "/etc/ssl/certs/openstack-helm.crt"
+  subPath: ca.crt
+  readOnly: true
+{{- else }}
+{{- if ne $name "" }}
+{{- range $key, $value := $certs }}
+- name: {{ $name }}
+  mountPath: {{ printf "%s/%s" $path $value }}
+  subPath: {{ $value }}
+  readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
new file mode 100644
index 0000000..6e9d5a1
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
@@ -0,0 +1,87 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders out configuration sections into a format suitable for incorporation
+  into a config-map. Allowing various forms of input to be rendered out as
+  appropriate.
+values: |
+  conf:
+    inputs:
+      - foo
+      - bar
+    some:
+      config_to_render: |
+        #We can use all of gotpl here: eg macros, ranges etc.
+        {{ include "helm-toolkit.utils.joinListWithComma" .Values.conf.inputs }}
+      config_to_complete:
+        #here we can fill out params, but things need to be valid yaml as input
+        '{{ .Release.Name }}': '{{ printf "%s-%s" .Release.Namespace "namespace" }}'
+      static_config:
+        #this is just passed though as yaml to the configmap
+        foo: bar
+usage: |
+  {{- $envAll := . }}
+  ---
+  apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: application-etc
+  data:
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_render "key" "config_to_render.conf") | indent 2 }}
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_complete "key" "config_to_complete.yaml") | indent 2 }}
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.static_config "key" "static_config.yaml") | indent 2 }}
+return: |
+  ---
+  apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: application-etc
+  data:
+    config_to_render.conf: |
+      #We can use all of gotpl here: eg macros, ranges etc.
+      foo,bar
+
+    config_to_complete.yaml: |
+      'RELEASE-NAME': 'default-namespace'
+
+    static_config.yaml: |
+      foo: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.values_template_renderer" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $template := index . "template" -}}
+{{- $key := index . "key" -}}
+{{- $format := index . "format" | default "configMap" -}}
+{{- with $envAll -}}
+{{- $templateRendered := tpl ( $template | toYaml ) . }}
+{{- if eq $format "Secret" }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: {{ regexReplaceAllLiteral "\n  " ( $templateRendered | trimPrefix "|\n" | trimPrefix "  " ) "\n" | b64enc }}
+{{- else }}
+{{ $key }}: {{ $templateRendered | b64enc }}
+{{- end -}}
+{{- else }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: |
+{{ regexReplaceAllLiteral "\n  " ( $templateRendered | trimPrefix "|\n" | trimPrefix "  " ) "\n" | indent 2 }}
+{{- else }}
+{{ $key }}: |
+{{ $templateRendered | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl b/charts/glance/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
new file mode 100644
index 0000000..6d617a1
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
@@ -0,0 +1,94 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Produces a certificate from a certificate authority. If the "encode" parameter
+  is true, base64 encode the values for inclusion in a Kubernetes secret.
+values: |
+  test:
+    hosts:
+      names:
+        - barbican.openstackhelm.example
+        - barbican.openstack.svc.cluster.local
+      ips:
+        - 127.0.0.1
+        - 192.168.0.1
+    life: 3
+    # Use ca.crt and ca.key to build a customized ca, if they are provided.
+    # Use hosts.names[0] and life to auto-generate a ca, if ca is not provided.
+    ca:
+      crt: |
+        <CA CRT>
+      key: |
+        <CA PRIVATE KEY>
+usage: |
+  {{ include "helm-toolkit.utils.tls_generate_certs" (dict "params" .Values.test) }}
+return: |
+  ca: |
+    <CA CRT>
+  crt: |
+    <CRT>
+  exp: 2018-09-01T10:56:07.895392915-00:00
+  key: |
+    <CRT PRIVATE KEY>
+*/}}
+
+{{- define "helm-toolkit.utils.tls_generate_certs" -}}
+{{- $params := index . "params" -}}
+{{- $encode := index . "encode" | default false -}}
+{{- $local := dict -}}
+
+{{- $_hosts := $params.hosts.names | default list }}
+{{- if kindIs "string" $params.hosts.names }}
+{{- $_ := set $local "certHosts" (list $params.hosts.names) }}
+{{- else }}
+{{- $_ := set $local "certHosts" $_hosts }}
+{{- end }}
+
+{{- $_ips := $params.hosts.ips | default list }}
+{{- if kindIs "string" $params.hosts.ips }}
+{{- $_ := set $local "certIps" (list $params.hosts.ips) }}
+{{- else }}
+{{- $_ := set $local "certIps" $_ips }}
+{{- end }}
+
+{{- if hasKey $params "ca" }}
+{{- if and (hasKey $params.ca "crt") (hasKey $params.ca "key") }}
+{{- $ca := buildCustomCert ($params.ca.crt | b64enc ) ($params.ca.key | b64enc ) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+{{- else }}
+{{- $ca := genCA (first $local.certHosts) (int $params.life) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+
+{{- $expDate := date_in_zone "2006-01-02T15:04:05Z07:00" ( date_modify (printf "+%sh" (mul $params.life 24 |toString)) now ) "UTC" }}
+{{- $rawCert := genSignedCert (first $local.certHosts) ($local.certIps) ($local.certHosts) (int $params.life) $local.ca }}
+{{- $certificate := dict -}}
+{{- if $encode -}}
+{{- $_ := b64enc $rawCert.Cert | set $certificate "crt" -}}
+{{- $_ := b64enc $rawCert.Key | set $certificate "key" -}}
+{{- $_ := b64enc $local.ca.Cert | set $certificate "ca" -}}
+{{- $_ := b64enc $local.ca.Key | set $certificate "caKey" -}}
+{{- $_ := b64enc $expDate | set $certificate "exp" -}}
+{{- else -}}
+{{- $_ := set $certificate "crt" $rawCert.Cert -}}
+{{- $_ := set $certificate "key" $rawCert.Key -}}
+{{- $_ := set $certificate "ca" $local.ca.Cert -}}
+{{- $_ := set $certificate "caKey" $local.ca.Key -}}
+{{- $_ := set $certificate "exp" $expDate -}}
+{{- end -}}
+{{- $certificate | toYaml }}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl b/charts/glance/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
new file mode 100644
index 0000000..e26501f
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a comma separated list of namespace:service pairs.
+values: |
+  dependencies:
+    static:
+      api:
+        services:
+          - endpoint: internal
+            service: oslo_cache
+          - endpoint: internal
+            service: oslo_db
+  endpoints:
+    oslo_db:
+      namespace: foo
+      hosts:
+        default: mariadb
+    oslo_cache:
+      namespace: bar
+      hosts:
+        default: memcache
+usage: |
+  {{ tuple .Values.dependencies.static.api.services . | include "helm-toolkit.utils.comma_joined_service_list" }}
+return: |
+  bar:memcache,foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.utils.comma_joined_service_list" -}}
+{{- $deps := index . 0 -}}
+{{- $envAll := index . 1 -}}
+{{- range $k, $v := $deps -}}{{- if $k -}},{{- end -}}{{ tuple $v.service $v.endpoint $envAll | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/utils/_configmap_templater.tpl b/charts/glance/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
new file mode 100644
index 0000000..7095c19
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
@@ -0,0 +1,30 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.configmap_templater" }}
+{{- $keyRoot := index . 0 -}}
+{{- $configTemplate := index . 1 -}}
+{{- $context := index . 2 -}}
+{{ if $keyRoot.override -}}
+{{ $keyRoot.override | indent 4 }}
+{{- else -}}
+{{- if $keyRoot.prefix -}}
+{{ $keyRoot.prefix | indent 4 }}
+{{- end }}
+{{ tuple $configTemplate $context | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if $keyRoot.append -}}
+{{ $keyRoot.append | indent 4 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl b/charts/glance/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
new file mode 100644
index 0000000..40359f0
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
@@ -0,0 +1,269 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.daemonset_overrides" }}
+  {{- $daemonset := index . 0 }}
+  {{- $daemonset_yaml := index . 1 }}
+  {{- $configmap_include := index . 2 }}
+  {{- $configmap_name := index . 3 }}
+  {{- $context := index . 4 }}
+  {{- $_ := unset $context ".Files" }}
+  {{- $daemonset_root_name := printf (print $context.Chart.Name "_" $daemonset) }}
+  {{- $_ := set $context.Values "__daemonset_list" list }}
+  {{- $_ := set $context.Values "__default" dict }}
+  {{- if hasKey $context.Values.conf "overrides" }}
+    {{- range $key, $val := $context.Values.conf.overrides }}
+
+      {{- if eq $key $daemonset_root_name }}
+        {{- range $type, $type_data := . }}
+
+          {{- if eq $type "hosts" }}
+            {{- range $host_data := . }}
+              {{/* dictionary that will contain all info needed to generate this
+              iteration of the daemonset */}}
+              {{- $current_dict := dict }}
+
+              {{/* set daemonset name */}}
+              {{/* Note: long hostnames can cause the 63 char name limit to be
+              exceeded. Truncate the hostname if hostname > 20 char */}}
+              {{- if gt (len $host_data.name) 20 }}
+                {{- $_ := set $current_dict "name" (substr 0 20 $host_data.name) }}
+              {{- else }}
+                {{- $_ := set $current_dict "name" $host_data.name }}
+              {{- end }}
+
+              {{/* apply overrides */}}
+              {{- $override_conf_copy := $host_data.conf }}
+              {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+              {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+              {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+              {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+              {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+              {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+              {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+              {{- $_ := set $current_dict "nodeData" $root_conf_copy4 }}
+
+              {{/* Schedule to this host explicitly. */}}
+              {{- $nodeSelector_dict := dict }}
+
+              {{- $_ := set $nodeSelector_dict "key" "kubernetes.io/hostname" }}
+              {{- $_ := set $nodeSelector_dict "operator" "In" }}
+
+              {{- $values_list := list $host_data.name }}
+              {{- $_ := set $nodeSelector_dict "values" $values_list }}
+
+              {{- $list_aggregate := list $nodeSelector_dict }}
+              {{- $_ := set $current_dict "matchExpressions" $list_aggregate }}
+
+              {{/* store completed daemonset entry/info into global list */}}
+              {{- $list_aggregate := append $context.Values.__daemonset_list $current_dict }}
+              {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+            {{- end }}
+          {{- end }}
+
+          {{- if eq $type "labels" }}
+            {{- $_ := set $context.Values "__label_list" . }}
+            {{- range $label_data := . }}
+              {{/* dictionary that will contain all info needed to generate this
+              iteration of the daemonset. */}}
+              {{- $_ := set $context.Values "__current_label" dict }}
+
+              {{/* set daemonset name */}}
+              {{- $_ := set $context.Values.__current_label "name" $label_data.label.key }}
+
+              {{/* apply overrides */}}
+              {{- $override_conf_copy := $label_data.conf }}
+              {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+              {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+              {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+              {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+              {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+              {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+              {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+              {{- $_ := set $context.Values.__current_label "nodeData" $root_conf_copy4 }}
+
+              {{/* Schedule to the provided label value(s) */}}
+              {{- $label_dict := omit $label_data.label "NULL" }}
+              {{- $_ := set $label_dict "operator" "In" }}
+              {{- $list_aggregate := list $label_dict }}
+              {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+
+              {{/* Do not schedule to other specified labels, with higher
+              precedence as the list position increases. Last defined label
+              is highest priority. */}}
+              {{- $other_labels := without $context.Values.__label_list $label_data }}
+              {{- range $label_data2 := $other_labels }}
+                {{- $label_dict := omit $label_data2.label "NULL" }}
+
+                {{- $_ := set $label_dict "operator" "NotIn" }}
+
+                {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+                {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+              {{- end }}
+              {{- $_ := set $context.Values "__label_list" $other_labels }}
+
+              {{/* Do not schedule to any other specified hosts */}}
+              {{- range $type, $type_data := $val }}
+                {{- if eq $type "hosts" }}
+                  {{- range $host_data := . }}
+                    {{- $label_dict := dict }}
+
+                    {{- $_ := set $label_dict "key" "kubernetes.io/hostname" }}
+                    {{- $_ := set $label_dict "operator" "NotIn" }}
+
+                    {{- $values_list := list $host_data.name }}
+                    {{- $_ := set $label_dict "values" $values_list }}
+
+                    {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+                    {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+                  {{- end }}
+                {{- end }}
+              {{- end }}
+
+              {{/* store completed daemonset entry/info into global list */}}
+              {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__current_label }}
+              {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+              {{- $_ := unset $context.Values "__current_label" }}
+
+            {{- end }}
+          {{- end }}
+        {{- end }}
+
+        {{/* scheduler exceptions for the default daemonset */}}
+        {{- $_ := set $context.Values.__default "matchExpressions" list }}
+
+        {{- range $type, $type_data := . }}
+          {{/* Do not schedule to other specified labels */}}
+          {{- if eq $type "labels" }}
+            {{- range $label_data := . }}
+              {{- $default_dict := omit $label_data.label "NULL" }}
+
+              {{- $_ := set $default_dict "operator" "NotIn" }}
+
+              {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+              {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+            {{- end }}
+          {{- end }}
+          {{/* Do not schedule to other specified hosts */}}
+          {{- if eq $type "hosts" }}
+            {{- range $host_data := . }}
+              {{- $default_dict := dict }}
+
+              {{- $_ := set $default_dict "key" "kubernetes.io/hostname" }}
+              {{- $_ := set $default_dict "operator" "NotIn" }}
+
+              {{- $values_list := list $host_data.name }}
+              {{- $_ := set $default_dict "values" $values_list }}
+
+              {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+              {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+            {{- end }}
+          {{- end }}
+        {{- end }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+
+  {{/* generate the default daemonset */}}
+
+  {{/* set name */}}
+  {{- $_ := set $context.Values.__default "name" "default" }}
+
+  {{/* no overrides apply, so copy as-is */}}
+  {{- $root_conf_copy1 := omit $context.Values.conf "overrides" }}
+  {{- $root_conf_copy2 := dict "conf" $root_conf_copy1 }}
+  {{- $context_values := omit $context.Values "conf" }}
+  {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+  {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+  {{- $_ := set $context.Values.__default "nodeData" $root_conf_copy4 }}
+
+  {{/* add to global list */}}
+  {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__default }}
+  {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+  {{- range $current_dict := $context.Values.__daemonset_list }}
+
+    {{- $context_novalues := omit $context "Values" }}
+    {{- $merged_dict := mergeOverwrite $context_novalues $current_dict.nodeData }}
+    {{- $_ := set $current_dict "nodeData" $merged_dict }}
+    {{/* Deep copy original daemonset_yaml */}}
+    {{- $_ := set $context.Values "__daemonset_yaml" ($daemonset_yaml | toYaml | fromYaml) }}
+
+    {{/* name needs to be a DNS-1123 compliant name. Ensure lower case */}}
+    {{- $name_format1 := printf (print $daemonset_root_name "-" $current_dict.name) | lower }}
+    {{/* labels may contain underscores which would be invalid here, so we replace them with dashes
+    there may be other valid label names which would make for an invalid DNS-1123 name
+    but these will be easier to handle in future with sprig regex* functions
+    (not availabile in helm 2.5.1) */}}
+    {{- $name_format2 := $name_format1 | replace "_" "-" }}
+    {{/* To account for the case where the same label is defined multiple times in overrides
+    (but with different label values), we add a sha of the scheduling data to ensure
+    name uniqueness */}}
+    {{- $_ := set $current_dict "dns_1123_name" dict }}
+    {{- if hasKey $current_dict "matchExpressions" }}
+      {{- $_ := set $current_dict "dns_1123_name" (printf (print $name_format2 "-" ($current_dict.matchExpressions | quote | sha256sum | trunc 8))) }}
+    {{- else }}
+      {{- $_ := set $current_dict "dns_1123_name" $name_format2 }}
+    {{- end }}
+
+    {{/* set daemonset metadata name */}}
+    {{- if not $context.Values.__daemonset_yaml.metadata }}{{- $_ := set $context.Values.__daemonset_yaml "metadata" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }}
+    {{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }}
+
+    {{/* cross-reference configmap name to container volume definitions */}}
+    {{- $_ := set $context.Values "__volume_list" list }}
+    {{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }}
+      {{- $_ := set $context.Values "__volume" $current_volume }}
+      {{- if hasKey $context.Values.__volume "secret" }}
+        {{- if eq $context.Values.__volume.secret.secretName $configmap_name }}
+          {{- $_ := set $context.Values.__volume.secret "secretName" $current_dict.dns_1123_name }}
+        {{- end }}
+      {{- end }}
+      {{- $updated_list := append $context.Values.__volume_list $context.Values.__volume }}
+      {{- $_ := set $context.Values "__volume_list" $updated_list }}
+    {{- end }}
+    {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "volumes" $context.Values.__volume_list }}
+
+
+    {{/* populate scheduling restrictions */}}
+    {{- if hasKey $current_dict "matchExpressions" }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "spec" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "affinity" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity "nodeAffinity" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity "requiredDuringSchedulingIgnoredDuringExecution" dict }}{{- end }}
+      {{- $match_exprs := dict }}
+      {{- $_ := set $match_exprs "matchExpressions" $current_dict.matchExpressions }}
+      {{- $appended_match_expr := list $match_exprs }}
+      {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution "nodeSelectorTerms" $appended_match_expr }}
+    {{- end }}
+
+    {{/* input value hash for current set of values overrides */}}
+    {{- if not $context.Values.__daemonset_yaml.spec }}{{- $_ := set $context.Values.__daemonset_yaml "spec" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template }}{{- $_ := set $context.Values.__daemonset_yaml.spec "template" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template.metadata }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "metadata" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template.metadata.annotations }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata "annotations" dict }}{{- end }}
+    {{- $cmap := list $current_dict.dns_1123_name $current_dict.nodeData | include $configmap_include }}
+    {{- $values_hash := $cmap | quote | sha256sum }}
+    {{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata.annotations "configmap-etc-hash" $values_hash }}
+
+    {{/* generate configmap */}}
+---
+{{ $cmap }}
+    {{/* generate daemonset yaml */}}
+---
+{{ $context.Values.__daemonset_yaml | toYaml }}
+  {{- end }}
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl b/charts/glance/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
new file mode 100644
index 0000000..b99c00d
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.dependency_resolver" }}
+{{- $envAll := index . "envAll" -}}
+{{- $dependencyMixinParam := index . "dependencyMixinParam" -}}
+{{- $dependencyKey := index . "dependencyKey" -}}
+{{- if $dependencyMixinParam -}}
+{{- $_ := set $envAll.Values "pod_dependency" dict -}}
+{{- if kindIs "string" $dependencyMixinParam }}
+{{- if ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam ) }}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency ( index $envAll.Values.dependencies.static $dependencyKey ) ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam $dependencyKey ) ) -}}
+{{- else }}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- end }}
+{{- else if kindIs "slice" $dependencyMixinParam }}
+{{- $_ := set $envAll.Values "__deps" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- range $k, $v := $dependencyMixinParam -}}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency $envAll.Values.__deps ( index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey ) ) -}}
+{{- $_ := set $envAll.Values "__deps" $envAll.Values.pod_dependency -}}
+{{- end }}
+{{- end }}
+{{- else -}}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) -}}
+{{- end -}}
+{{ $envAll.Values.pod_dependency | toYaml }}
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/utils/_hash.tpl b/charts/glance/charts/helm-toolkit/templates/utils/_hash.tpl
new file mode 100644
index 0000000..d871b62
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/utils/_hash.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.hash" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{- include $wtf $context | sha256sum | quote -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/utils/_host_list.tpl b/charts/glance/charts/helm-toolkit/templates/utils/_host_list.tpl
new file mode 100644
index 0000000..0c32136
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/utils/_host_list.tpl
@@ -0,0 +1,44 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a list of unique hosts for an endpoint, in yaml.
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: mariadb
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.utils.host_list" }}
+return: |
+  hosts:
+  - mariadb
+  - mariadb.default
+*/}}
+
+{{- define "helm-toolkit.utils.host_list" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $host_fqdn := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $host_namespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $host_short := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{/* It is important that the FQDN host is 1st in this list, to ensure other function can use the 1st element for cert gen CN etc */}}
+{{- $host_list := list $host_fqdn $host_namespaced $host_short | uniq }}
+{{- dict "hosts" $host_list | toYaml }}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/utils/_image_sync_list.tpl b/charts/glance/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
new file mode 100644
index 0000000..51923b6
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.image_sync_list" -}}
+{{- $imageExcludeList := .Values.images.local_registry.exclude -}}
+{{- $imageDict := .Values.images.tags -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := $imageDict -}}
+{{- if not $local.first -}},{{- end -}}
+{{- if (not (has $k $imageExcludeList )) -}}
+{{- index $imageDict $k -}}
+{{- $_ := set $local "first" false -}}
+{{- end -}}{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl b/charts/glance/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
new file mode 100644
index 0000000..5eb5785
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a comma separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithComma" .Values.test }}
+return: |
+  foo,bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithComma" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl b/charts/glance/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
new file mode 100644
index 0000000..3bc6819
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a comma seperated string with single quotes
+  around each value.
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.test }}
+return: |
+  'foo','bar'
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}'{{- $v -}}'{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl b/charts/glance/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
new file mode 100644
index 0000000..40ebb15
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
@@ -0,0 +1,32 @@
+{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of prefixed values into a space separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ tuple "prefix" .Values.test | include "helm-toolkit.utils.joinListWithPrefix" }}
+return: |
+  prefixfoo prefixbar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithPrefix" -}}
+{{- $prefix := index . 0 -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := index . 1 -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $prefix -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl b/charts/glance/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
new file mode 100644
index 0000000..5912280
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a space separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithSpace" .Values.test }}
+return: |
+  foo bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithSpace" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/utils/_merge.tpl b/charts/glance/charts/helm-toolkit/templates/utils/_merge.tpl
new file mode 100644
index 0000000..ea80546
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/utils/_merge.tpl
@@ -0,0 +1,135 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Takes a tuple of values and merges into the first (target) one each subsequent
+(source) one in order. If all values to merge are maps, then the tuple can be
+passed as is and the target will be the result, otherwise pass a map with a
+"values" key containing the tuple of values to merge, and the merge result will
+be assigned to the "result" key of the passed map.
+
+When merging maps, for each key in the source, if the target does not define
+that key, the source value is assigned. If both define the key, then the key
+values are merged using this algorithm (recursively) and the result is assigned
+to the target key. Slices are merged by appending them and removing any
+duplicates, and when passing a map to this function and including a
+"merge_same_named" key set to true, then map items from the slices with the same
+value for the "name" key will be merged with each other. Any other values are
+merged by simply keeping the source, and throwing away the target.
+*/}}
+
+{{- define "helm-toolkit.utils.merge" -}}
+  {{- $local := dict -}}
+  {{- $_ := set $local "merge_same_named" false -}}
+  {{- if kindIs "map" $ -}}
+    {{- $_ := set $local "values" $.values -}}
+    {{- if hasKey $ "merge_same_named" -}}
+      {{- $_ := set $local "merge_same_named" $.merge_same_named -}}
+    {{- end -}}
+  {{- else -}}
+    {{- $_ := set $local "values" $ -}}
+  {{- end -}}
+
+  {{- $target := first $local.values -}}
+  {{- range $item := rest $local.values -}}
+    {{- $call := dict "target" $target "source" . "merge_same_named" $local.merge_same_named -}}
+    {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+    {{- $_ := set $local "result" $call.result -}}
+  {{- end -}}
+
+  {{- if kindIs "map" $ -}}
+    {{- $_ := set $ "result" $local.result -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge" -}}
+  {{- $local := dict -}}
+
+  {{- $_ := set $ "result" $.source -}}
+
+  {{/*
+  TODO: Should we `fail` when trying to merge a collection (map or slice) with
+  either a different kind of collection or a scalar?
+  */}}
+
+  {{- if and (kindIs "map" $.target) (kindIs "map" $.source) -}}
+    {{- range $key, $sourceValue := $.source -}}
+      {{- if not (hasKey $.target $key) -}}
+        {{- $_ := set $local "newTargetValue" $sourceValue -}}
+        {{- if kindIs "map" $sourceValue -}}
+          {{- $copy := dict -}}
+          {{- $call := dict "target" $copy "source" $sourceValue -}}
+          {{- $_ := include "helm-toolkit.utils._merge.shallow" $call -}}
+          {{- $_ := set $local "newTargetValue" $copy -}}
+        {{- end -}}
+      {{- else -}}
+        {{- $targetValue := index $.target $key -}}
+        {{- $call := dict "target" $targetValue "source" $sourceValue "merge_same_named" $.merge_same_named -}}
+        {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+        {{- $_ := set $local "newTargetValue" $call.result -}}
+      {{- end -}}
+      {{- $_ := set $.target $key $local.newTargetValue -}}
+    {{- end -}}
+    {{- $_ := set $ "result" $.target -}}
+  {{- else if and (kindIs "slice" $.target) (kindIs "slice" $.source) -}}
+    {{- $call := dict "target" $.target "source" $.source -}}
+    {{- $_ := include "helm-toolkit.utils._merge.append_slice" $call -}}
+    {{- if $.merge_same_named -}}
+      {{- $_ := set $local "result" list -}}
+      {{- $_ := set $local "named_items" dict -}}
+      {{- range $item := $call.result -}}
+      {{- $_ := set $local "has_name_key" false -}}
+        {{- if kindIs "map" $item -}}
+          {{- if hasKey $item "name" -}}
+            {{- $_ := set $local "has_name_key" true -}}
+          {{- end -}}
+        {{- end -}}
+
+        {{- if $local.has_name_key -}}
+          {{- if hasKey $local.named_items $item.name -}}
+            {{- $named_item := index $local.named_items $item.name -}}
+            {{- $call := dict "target" $named_item "source" $item "merge_same_named" $.merge_same_named -}}
+            {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+          {{- else -}}
+            {{- $copy := dict -}}
+            {{- $copy_call := dict "target" $copy "source" $item -}}
+            {{- $_ := include "helm-toolkit.utils._merge.shallow" $copy_call -}}
+            {{- $_ := set $local.named_items $item.name $copy -}}
+            {{- $_ := set $local "result" (append $local.result $copy) -}}
+          {{- end -}}
+        {{- else -}}
+          {{- $_ := set $local "result" (append $local.result $item) -}}
+        {{- end -}}
+      {{- end -}}
+    {{- else -}}
+      {{- $_ := set $local "result" $call.result -}}
+    {{- end -}}
+    {{- $_ := set $ "result" (uniq $local.result) -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.shallow" -}}
+  {{- range $key, $value := $.source -}}
+    {{- $_ := set $.target $key $value -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.append_slice" -}}
+  {{- $local := dict -}}
+  {{- $_ := set $local "result" $.target -}}
+  {{- range $value := $.source -}}
+    {{- $_ := set $local "result" (append $local.result $value) -}}
+  {{- end -}}
+  {{- $_ := set $ "result" $local.result -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/utils/_template.tpl b/charts/glance/charts/helm-toolkit/templates/utils/_template.tpl
new file mode 100644
index 0000000..da56aa0
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/utils/_template.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.template" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{ include $wtf $context }}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/utils/_to_ini.tpl b/charts/glance/charts/helm-toolkit/templates/utils/_to_ini.tpl
new file mode 100644
index 0000000..a159364
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/utils/_to_ini.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns INI formatted output from yaml input
+values: |
+  conf:
+    paste:
+      filter:debug:
+        use: egg:oslo.middleware#debug
+      filter:request_id:
+        use: egg:oslo.middleware#request_id
+      filter:build_auth_context:
+        use: egg:keystone#build_auth_context
+usage: |
+  {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste }}
+return: |
+  [filter:build_auth_context]
+  use = egg:keystone#build_auth_context
+  [filter:debug]
+  use = egg:oslo.middleware#debug
+  [filter:request_id]
+  use = egg:oslo.middleware#request_id
+*/}}
+
+{{- define "helm-toolkit.utils.to_ini" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{else -}}
+{{ $key }} = {{ $value }}
+{{end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl b/charts/glance/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
new file mode 100644
index 0000000..885a86c
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns yaml formatted to be used in k8s templates as container
+  env vars injected via secrets. This requires a secret-<chartname> template to
+  be defined in the chart that can be used to house the desired secret
+  variables. For reference, see the fluentd chart.
+values: |
+  test:
+    secrets:
+      foo: bar
+
+usage: |
+  {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+  - name: foo
+    valueFrom:
+      secretKeyRef:
+        name: "my-release-name-env-secret"
+        key: foo
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_secret_vars" -}}
+{{- $context := index . 0 -}}
+{{- $secrets := index . 1 -}}
+{{ range $key, $config := $secrets -}}
+- name: {{ $key }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ printf "%s-%s" $context.Release.Name "env-secret" | quote }}
+      key: {{ $key }}
+{{ end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl b/charts/glance/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
new file mode 100644
index 0000000..829dca6
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
@@ -0,0 +1,39 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns key value pair formatted to be used in k8s templates as container
+  env vars.
+values: |
+  test:
+    foo: bar
+usage: |
+  {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+  - name: foo
+    value: "bar"
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_vars" -}}
+{{range $key, $value := . -}}
+{{- if kindIs "slice" $value -}}
+- name: {{ $key }}
+  value: {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{else -}}
+- name: {{ $key }}
+  value: {{ $value | quote }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/utils/_to_kv_list.tpl b/charts/glance/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
new file mode 100644
index 0000000..91bdeb6
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
@@ -0,0 +1,42 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns key value pair in INI format (key = value)
+values: |
+  conf:
+    libvirt:
+      log_level: 3
+usage: |
+  {{ include "helm-toolkit.utils.to_kv_list" .Values.conf.libvirt }}
+return: |
+  log_level = 3
+*/}}
+
+{{- define "helm-toolkit.utils.to_kv_list" -}}
+{{- range $key, $value :=  . -}}
+{{- if kindIs "slice" $value }}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{- else if kindIs "string" $value }}
+{{- if regexMatch "^[0-9]+$" $value }}
+{{ $key }} = {{ $value }}
+{{- else }}
+{{ $key }} = {{ $value | quote }}
+{{- end }}
+{{- else }}
+{{ $key }} = {{ $value }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl b/charts/glance/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
new file mode 100644
index 0000000..622a862
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns OSLO.conf formatted output from yaml input
+values: |
+  conf:
+    keystone:
+      DEFAULT: # Keys at this level are used for section headings
+        max_token_size: 255
+      oslo_messaging_notifications:
+        driver: # An example of a multistring option's syntax
+          type: multistring
+          values:
+            - messagingv2
+            - log
+      oslo_messaging_notifications_stein:
+        driver: # An example of a csv option's syntax
+          type: csv
+          values:
+            - messagingv2
+            - log
+      security_compliance:
+        password_expires_ignore_user_ids:
+        # Values in a list will be converted to a comma separated key
+          - "123"
+          - "456"
+usage: |
+  {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.keystone }}
+return: |
+  [DEFAULT]
+  max_token_size = 255
+  [oslo_messaging_notifications]
+  driver = messagingv2
+  driver = log
+  [oslo_messaging_notifications_stein]
+  driver = messagingv2,log
+  [security_compliance]
+  password_expires_ignore_user_ids = 123,456
+*/}}
+
+{{- define "helm-toolkit.utils.to_oslo_conf" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{ range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{ else if kindIs "map" $value -}}
+{{- if eq $value.type "multistring" }}
+{{- range $k, $multistringValue := $value.values -}}
+{{ $key }} = {{ $multistringValue }}
+{{ end -}}
+{{ else if eq $value.type "csv" -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value.values }}
+{{ end -}}
+{{- else -}}
+{{ $key }} = {{ $value }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/values.yaml b/charts/glance/charts/helm-toolkit/values.yaml
new file mode 100644
index 0000000..681a92b
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/values.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for utils.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
diff --git a/charts/glance/requirements.lock b/charts/glance/requirements.lock
new file mode 100644
index 0000000..48cea9f
--- /dev/null
+++ b/charts/glance/requirements.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: helm-toolkit
+  repository: file://../../openstack-helm-infra/helm-toolkit
+  version: 0.2.50
+digest: sha256:67fc0fd70898d60cddd5c634b632205a7716bfeb21e57adaeda464efbcfa2ce3
+generated: "2023-01-13T22:23:21.767149565Z"
diff --git a/charts/glance/requirements.yaml b/charts/glance/requirements.yaml
new file mode 100644
index 0000000..4124d01
--- /dev/null
+++ b/charts/glance/requirements.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+  - name: helm-toolkit
+    repository: file://../../openstack-helm-infra/helm-toolkit
+    version: ">= 0.1.0"
diff --git a/charts/glance/templates/bin/_bootstrap.sh.tpl b/charts/glance/templates/bin/_bootstrap.sh.tpl
new file mode 100644
index 0000000..0b11a4f
--- /dev/null
+++ b/charts/glance/templates/bin/_bootstrap.sh.tpl
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+export HOME=/tmp
+
+cd /tmp/images
+
+{{ range .Values.bootstrap.structured.images }}
+openstack image show {{ .name  | quote }} || \
+  { curl --fail -sSL -O {{ .source_url }}{{ .image_file }}; \
+  openstack image create {{ .name | quote }} \
+  {{ if .id -}} --id {{ .id }} {{ end -}} \
+  --min-disk {{ .min_disk }} \
+  --disk-format {{ .image_type }} \
+  --file {{ .image_file }} \
+  {{ if .properties -}} {{ range $key, $value := .properties }}--property {{$key}}={{$value}} {{ end }}{{ end -}} \
+  --container-format {{ .container_format | quote }} \
+  {{ if .private -}}
+  --private
+  {{- else -}}
+  --public
+  {{- end -}}; }
+{{ end }}
+
+{{ .Values.bootstrap.script | default "echo 'Not Enabled'" }}
diff --git a/charts/glance/templates/bin/_ceph-admin-keyring.sh.tpl b/charts/glance/templates/bin/_ceph-admin-keyring.sh.tpl
new file mode 100644
index 0000000..8c36d4b
--- /dev/null
+++ b/charts/glance/templates/bin/_ceph-admin-keyring.sh.tpl
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+export HOME=/tmp
+
+cat > /etc/ceph/ceph.client.admin.keyring << EOF
+[client.admin]
+{{- if .Values.conf.ceph.admin_keyring }}
+    key = {{ .Values.conf.ceph.admin_keyring }}
+{{- else }}
+    key = $(cat /tmp/client-keyring)
+{{- end }}
+EOF
+
+exit 0
diff --git a/charts/glance/templates/bin/_ceph-keyring.sh.tpl b/charts/glance/templates/bin/_ceph-keyring.sh.tpl
new file mode 100644
index 0000000..cbafe3d
--- /dev/null
+++ b/charts/glance/templates/bin/_ceph-keyring.sh.tpl
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+export HOME=/tmp
+
+cat > /etc/ceph/ceph.client.${RBD_STORE_USER}.keyring <<EOF
+[client.${RBD_STORE_USER}]
+    key = $(cat /tmp/client-keyring)
+EOF
+
+exit 0
diff --git a/charts/glance/templates/bin/_clean-image.sh.tpl b/charts/glance/templates/bin/_clean-image.sh.tpl
new file mode 100644
index 0000000..2ac4b53
--- /dev/null
+++ b/charts/glance/templates/bin/_clean-image.sh.tpl
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+{{ if .Values.bootstrap.enabled }}
+{{ range .Values.bootstrap.structured.images }}
+  {{ if .id -}}
+    openstack image show {{ .id | quote }} && \
+      openstack image delete {{ .id | quote }}
+  {{ end -}}
+{{ end }}
+
+{{ end }}
+exit 0
diff --git a/charts/glance/templates/bin/_clean-secrets.sh.tpl b/charts/glance/templates/bin/_clean-secrets.sh.tpl
new file mode 100644
index 0000000..31b7177
--- /dev/null
+++ b/charts/glance/templates/bin/_clean-secrets.sh.tpl
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+exec kubectl delete secret \
+  --namespace ${NAMESPACE} \
+  --ignore-not-found=true \
+  ${RBD_POOL_SECRET}
diff --git a/charts/glance/templates/bin/_db-sync.sh.tpl b/charts/glance/templates/bin/_db-sync.sh.tpl
new file mode 100644
index 0000000..21d81ad
--- /dev/null
+++ b/charts/glance/templates/bin/_db-sync.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+glance-manage db_sync
diff --git a/charts/glance/templates/bin/_glance-api.sh.tpl b/charts/glance/templates/bin/_glance-api.sh.tpl
new file mode 100644
index 0000000..9d427b6
--- /dev/null
+++ b/charts/glance/templates/bin/_glance-api.sh.tpl
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+  exec glance-api \
+        --config-file /etc/glance/glance-api.conf
+}
+
+function stop () {
+  kill -TERM 1
+}
+
+$COMMAND
diff --git a/charts/glance/templates/bin/_iscsiadm.tpl b/charts/glance/templates/bin/_iscsiadm.tpl
new file mode 100644
index 0000000..f27d757
--- /dev/null
+++ b/charts/glance/templates/bin/_iscsiadm.tpl
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+{{/*
+Copyright 2020 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+chroot /mnt/host-rootfs /usr/bin/env -i PATH="/sbin:/bin:/usr/bin" \
+       iscsiadm "${@:1}"
diff --git a/charts/glance/templates/bin/_metadefs-load.sh.tpl b/charts/glance/templates/bin/_metadefs-load.sh.tpl
new file mode 100644
index 0000000..1e1f3e4
--- /dev/null
+++ b/charts/glance/templates/bin/_metadefs-load.sh.tpl
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+
+glance-manage --config-file /etc/glance/glance-api.conf db_load_metadefs /var/lib/openstack/etc/glance/metadefs
diff --git a/charts/glance/templates/bin/_multipath.tpl b/charts/glance/templates/bin/_multipath.tpl
new file mode 100644
index 0000000..7f84c9c
--- /dev/null
+++ b/charts/glance/templates/bin/_multipath.tpl
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+chroot /mnt/host-rootfs /usr/bin/env -i PATH="/sbin:/bin:/usr/bin" \
+      multipath "${@:1}"
diff --git a/charts/glance/templates/bin/_multipathd.tpl b/charts/glance/templates/bin/_multipathd.tpl
new file mode 100644
index 0000000..a9ff34a
--- /dev/null
+++ b/charts/glance/templates/bin/_multipathd.tpl
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+chroot /mnt/host-rootfs /usr/bin/env -i PATH="/sbin:/bin:/usr/bin" \
+      multipathd "${@:1}"
diff --git a/charts/glance/templates/bin/_nginx.sh.tpl b/charts/glance/templates/bin/_nginx.sh.tpl
new file mode 100644
index 0000000..53418a5
--- /dev/null
+++ b/charts/glance/templates/bin/_nginx.sh.tpl
@@ -0,0 +1,17 @@
+#!/bin/sh
+set -xe
+
+COMMAND="${@:-start}"
+
+start () {
+  envsubst < /etc/nginx/nginx.conf > /tmp/nginx.conf
+  cat /tmp/nginx.conf
+  nginx -t -c /tmp/nginx.conf
+  exec nginx -c /tmp/nginx.conf
+}
+
+stop () {
+  nginx -s stop
+}
+
+$COMMAND
diff --git a/charts/glance/templates/bin/_storage-init.sh.tpl b/charts/glance/templates/bin/_storage-init.sh.tpl
new file mode 100644
index 0000000..cf6fecb
--- /dev/null
+++ b/charts/glance/templates/bin/_storage-init.sh.tpl
@@ -0,0 +1,102 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -x
+if [ "x$STORAGE_BACKEND" == "xrbd" ]; then
+  SECRET=$(mktemp --suffix .yaml)
+  KEYRING=$(mktemp --suffix .keyring)
+  function cleanup {
+      rm -f "${SECRET}" "${KEYRING}"
+  }
+  trap cleanup EXIT
+fi
+
+SCHEME={{ tuple "object_store" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+if [[ "$SCHEME" == "https" && -f /etc/ssl/certs/openstack-helm.crt ]]; then
+  export CURL_CA_BUNDLE="/etc/ssl/certs/openstack-helm.crt"
+fi
+
+set -ex
+if [ "x$STORAGE_BACKEND" == "xpvc" ]; then
+  echo "No action required."
+elif [ "x$STORAGE_BACKEND" == "xswift" ]; then
+  : ${OS_INTERFACE:="internal"}
+  OS_TOKEN="$(openstack token issue -f value -c id)"
+  OS_PROJECT_ID="$(openstack project show service -f value -c id)"
+  OS_SWIFT_ENDPOINT_PREFIX="$(openstack endpoint list --service swift --interface ${OS_INTERFACE} -f value -c URL | awk -F '$' '{ print $1 }')"
+  OS_SWIFT_SCOPED_ENDPOINT="${OS_SWIFT_ENDPOINT_PREFIX}${OS_PROJECT_ID}"
+  curl --fail -i -X POST "${OS_SWIFT_SCOPED_ENDPOINT}" \
+    -H "X-Auth-Token: ${OS_TOKEN}" \
+    -H "X-Account-Meta-Temp-URL-Key: ${SWIFT_TMPURL_KEY}"
+elif [ "x$STORAGE_BACKEND" == "xrbd" ]; then
+  ceph -s
+  function ensure_pool () {
+    ceph osd pool stats "$1" || ceph osd pool create "$1" "$2"
+    local test_version
+    if [[ $(ceph mgr versions | awk '/version/{print $3}' | cut -d. -f1) -ge 12 ]]; then
+        ceph osd pool application enable $1 $3
+    fi
+    ceph osd pool set "$1" size "${RBD_POOL_REPLICATION}"
+    ceph osd pool set "$1" crush_rule "${RBD_POOL_CRUSH_RULE}"
+  }
+  ensure_pool "${RBD_POOL_NAME}" "${RBD_POOL_CHUNK_SIZE}" "${RBD_POOL_APP_NAME}"
+
+  if USERINFO=$(ceph auth get "client.${RBD_POOL_USER}"); then
+    echo "Cephx user client.${RBD_POOL_USER} already exist."
+    echo "Update its cephx caps"
+    ceph auth caps client.${RBD_POOL_USER} \
+      mon "profile rbd" \
+      osd "profile rbd pool=${RBD_POOL_NAME}"
+    ceph auth get client.${RBD_POOL_USER} -o ${KEYRING}
+  else
+    #NOTE(JCL): Restrict Glance user to only what is needed. MON Read only and RBD access to the Glance Pool
+    ceph auth get-or-create "client.${RBD_POOL_USER}" \
+      mon "profile rbd" \
+      osd "profile rbd pool=${RBD_POOL_NAME}" \
+      -o "${KEYRING}"
+  fi
+
+  ENCODED_KEYRING=$(sed -n 's/^[[:blank:]]*key[[:blank:]]\+=[[:blank:]]\(.*\)/\1/p' "${KEYRING}" | base64 -w0)
+  cat > "${SECRET}" <<EOF
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "${RBD_POOL_SECRET}"
+type: kubernetes.io/rbd
+data:
+  key: "${ENCODED_KEYRING}"
+EOF
+  kubectl apply --namespace "${NAMESPACE}" -f "${SECRET}"
+elif [ "x${STORAGE_BACKEND}" == "xradosgw" ]; then
+  radosgw-admin user stats --uid="${RADOSGW_USERNAME}" || \
+    radosgw-admin user create \
+      --uid="${RADOSGW_USERNAME}" \
+      --display-name="${RADOSGW_USERNAME} user"
+
+  radosgw-admin subuser create \
+    --uid="${RADOSGW_USERNAME}" \
+    --subuser="${RADOSGW_USERNAME}:swift" \
+    --access=full
+
+  radosgw-admin key create \
+    --subuser="${RADOSGW_USERNAME}:swift" \
+    --key-type=swift \
+    --secret="${RADOSGW_PASSWORD}"
+
+  radosgw-admin user modify \
+    --uid="${RADOSGW_USERNAME}" \
+    --temp-url-key="${RADOSGW_TMPURL_KEY}"
+fi
diff --git a/charts/glance/templates/certificates.yaml b/charts/glance/templates/certificates.yaml
new file mode 100644
index 0000000..deb2a23
--- /dev/null
+++ b/charts/glance/templates/certificates.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.certificates -}}
+{{  dict "envAll" . "service" "image" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
+{{- end -}}
diff --git a/charts/glance/templates/configmap-bin.yaml b/charts/glance/templates/configmap-bin.yaml
new file mode 100644
index 0000000..600681b
--- /dev/null
+++ b/charts/glance/templates/configmap-bin.yaml
@@ -0,0 +1,70 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+{{- $rallyTests := .Values.conf.rally_tests }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: glance-bin
+data:
+{{- if eq .Values.storage "cinder" }}
+  iscsiadm: |
+{{ tuple "bin/_iscsiadm.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  multipath: |
+{{ tuple "bin/_multipath.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  multipathd: |
+{{ tuple "bin/_multipathd.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if .Values.bootstrap.enabled }}
+  bootstrap.sh: |
+{{ tuple "bin/_bootstrap.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+  rally-test.sh: |
+{{ tuple $rallyTests | include "helm-toolkit.scripts.rally_test" | indent 4 }}
+  storage-init.sh: |
+{{ tuple "bin/_storage-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  metadefs-load.sh: |
+{{ tuple "bin/_metadefs-load.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  db-init.py: |
+{{- include "helm-toolkit.scripts.db_init" . | indent 4 }}
+  db-sync.sh: |
+{{ tuple "bin/_db-sync.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  db-drop.py: |
+{{- include "helm-toolkit.scripts.db_drop" . | indent 4 }}
+  ks-service.sh: |
+{{- include "helm-toolkit.scripts.keystone_service" . | indent 4 }}
+  ks-endpoints.sh: |
+{{- include "helm-toolkit.scripts.keystone_endpoints" . | indent 4 }}
+  ks-user.sh: |
+{{- include "helm-toolkit.scripts.keystone_user" . | indent 4 }}
+  glance-api.sh: |
+{{ tuple "bin/_glance-api.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  ceph-keyring.sh: |
+{{ tuple "bin/_ceph-keyring.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  ceph-admin-keyring.sh: |
+{{ tuple "bin/_ceph-admin-keyring.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  clean-image.sh: |
+{{ tuple "bin/_clean-image.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  clean-secrets.sh: |
+{{ tuple "bin/_clean-secrets.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  rabbit-init.sh: |
+{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }}
+{{- if .Values.manifests.certificates }}
+  nginx.sh: |
+{{ tuple "bin/_nginx.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- end }}
diff --git a/charts/glance/templates/configmap-etc.yaml b/charts/glance/templates/configmap-etc.yaml
new file mode 100644
index 0000000..0ee2606
--- /dev/null
+++ b/charts/glance/templates/configmap-etc.yaml
@@ -0,0 +1,156 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if (.Values.global).subchart_release_name }}
+{{- $_ := set . "deployment_name" .Chart.Name }}
+{{- else }}
+{{- $_ := set . "deployment_name" .Release.Name }}
+{{- end }}
+
+{{- if .Values.manifests.configmap_etc }}
+{{- $envAll := . }}
+
+{{- if empty .Values.conf.glance.keystone_authtoken.auth_uri -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.glance.keystone_authtoken "auth_uri" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.glance.keystone_authtoken.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.glance.keystone_authtoken "auth_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.glance.keystone_authtoken.region_name -}}
+{{- $_ := set .Values.conf.glance.keystone_authtoken "region_name" .Values.endpoints.identity.auth.glance.region_name -}}
+{{- end -}}
+{{- if empty .Values.conf.glance.keystone_authtoken.project_name -}}
+{{- $_ := set .Values.conf.glance.keystone_authtoken "project_name" .Values.endpoints.identity.auth.glance.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.glance.keystone_authtoken.project_domain_name -}}
+{{- $_ := set .Values.conf.glance.keystone_authtoken "project_domain_name" .Values.endpoints.identity.auth.glance.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.glance.keystone_authtoken.user_domain_name -}}
+{{- $_ := set .Values.conf.glance.keystone_authtoken "user_domain_name" .Values.endpoints.identity.auth.glance.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.glance.keystone_authtoken.username -}}
+{{- $_ := set .Values.conf.glance.keystone_authtoken "username" .Values.endpoints.identity.auth.glance.username -}}
+{{- end -}}
+{{- if empty .Values.conf.glance.keystone_authtoken.password -}}
+{{- $_ := set .Values.conf.glance.keystone_authtoken "password" .Values.endpoints.identity.auth.glance.password -}}
+{{- end -}}
+
+{{- if empty .Values.conf.glance.keystone_authtoken.memcached_servers -}}
+{{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.glance.keystone_authtoken "memcached_servers" -}}
+{{- end -}}
+{{- if empty .Values.conf.glance.keystone_authtoken.memcache_secret_key -}}
+{{- $_ := set .Values.conf.glance.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
+{{- end -}}
+
+{{- if empty .Values.conf.glance.database.connection -}}
+{{- $connection := tuple "oslo_db" "internal" "glance" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.glance.database "connection" -}}
+{{- else -}}
+{{- $_ := set .Values.conf.glance.database "connection" $connection -}}
+{{- end -}}
+{{- end -}}
+
+{{- if empty .Values.conf.glance.DEFAULT.transport_url -}}
+{{- $_ := tuple "oslo_messaging" "internal" "glance" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" | set .Values.conf.glance.DEFAULT "transport_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.glance.DEFAULT.public_endpoint -}}
+{{- $_ := tuple "image" "public" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.glance.DEFAULT "public_endpoint" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.glance.glance_store.stores -}}
+{{- if eq .Values.storage "rbd" }}
+{{- $_ := "file, http, rbd" | set .Values.conf.glance.glance_store "stores" -}}
+{{- end -}}
+{{- if eq .Values.storage "pvc" }}
+{{- $_ := "file, http" | set .Values.conf.glance.glance_store "stores" -}}
+{{- end -}}
+{{ if or (eq .Values.storage "radosgw") (eq .Values.storage "swift") }}
+{{- $_ := "file, http, swift" | set .Values.conf.glance.glance_store "stores" -}}
+{{- end -}}
+{{- end -}}
+
+{{- if empty .Values.conf.glance.glance_store.default_store -}}
+{{- if eq .Values.storage "rbd" }}
+{{- $_ := "rbd" | set .Values.conf.glance.glance_store "default_store" -}}
+{{- end -}}
+{{- if eq .Values.storage "pvc" }}
+{{- $_ := "file" | set .Values.conf.glance.glance_store "default_store" -}}
+{{- end -}}
+{{ if or (eq .Values.storage "radosgw") (eq .Values.storage "swift") }}
+{{- $_ := "swift" | set .Values.conf.glance.glance_store "default_store" -}}
+{{- end -}}
+{{- end -}}
+
+{{- if empty .Values.conf.glance.DEFAULT.bind_port -}}
+{{- $_ := tuple "image" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.glance.DEFAULT "bind_port" -}}
+{{- end -}}
+
+{{- if and (empty .Values.conf.logging.handler_fluent) (has "fluent" .Values.conf.logging.handlers.keys) -}}
+{{- $fluentd_host := tuple "fluentd" "internal" $envAll | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $fluentd_port := tuple "fluentd" "internal" "service" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .deployment_name $fluentd_host $fluentd_port }}
+{{- $handler_fluent := dict "class" "fluent.handler.FluentHandler" "formatter" "fluent" "args" $fluent_args -}}
+{{- $_ := set .Values.conf.logging "handler_fluent" $handler_fluent -}}
+{{- end -}}
+
+{{- if and (empty .Values.conf.logging.formatter_fluent) (has "fluent" .Values.conf.logging.formatters.keys) -}}
+{{- $formatter_fluent := dict "class" "oslo_log.formatters.FluentFormatter" -}}
+{{- $_ := set .Values.conf.logging "formatter_fluent" $formatter_fluent -}}
+{{- end -}}
+
+{{- if empty .Values.conf.glance.cors.allowed_origin -}}
+{{- $endpointScheme := tuple "dashboard" "public" "web" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $endpointHost := tuple "dashboard" "public" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple "dashboard" "public" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+    {{- if eq $endpointPort "80" "443" -}}
+        {{/*
+          Common browsers don't add default ports like 80 and 443 to the headers
+          and URLs therefore CORS should allow to use URLs both with 80,443 and
+          without it in the URL.
+        */}}
+        {{- $_ := set $envAll.Values.conf.glance.cors "allowed_origin" ( list ) }}
+        {{- $__allowed_origin := append $envAll.Values.conf.glance.cors.allowed_origin (printf "%s://%s" $endpointScheme $endpointHost) }}
+        {{- $_ := set $envAll.Values.conf.glance.cors "allowed_origin" $__allowed_origin }}
+        {{- $__allowed_origin := append $envAll.Values.conf.glance.cors.allowed_origin (printf "%s://%s:%s" $endpointScheme $endpointHost $endpointPort) }}
+        {{- $_ := set $envAll.Values.conf.glance.cors "allowed_origin" $__allowed_origin }}
+    {{- else }}
+        {{- printf "%s://%s:%s" $endpointScheme $endpointHost $endpointPort | set .Values.conf.glance.cors "allowed_origin" }}
+    {{- end }}
+{{- end -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: glance-etc
+type: Opaque
+data:
+  rally_tests.yaml: {{ toYaml .Values.conf.rally_tests.tests | b64enc }}
+  glance-api.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.glance | b64enc }}
+  logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
+  glance-api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
+  policy.yaml: {{ toYaml .Values.conf.policy | b64enc }}
+  api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
+  glance_sudoers: {{ $envAll.Values.conf.glance_sudoers | b64enc }}
+  rootwrap.conf: {{ $envAll.Values.conf.rootwrap | b64enc }}
+{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+{{- $filePrefix := replace "_" "-"  $key }}
+  {{ printf "%s.filters" $filePrefix }}: {{ $value.content | b64enc }}
+{{- end }}
+{{- include "helm-toolkit.snippets.values_template_renderer" ( dict "envAll" $envAll "template" .Values.conf.swift_store "key" "swift-store.conf" "format" "Secret" ) | indent 2 }}
+{{- include "helm-toolkit.snippets.values_template_renderer" ( dict "envAll" $envAll "template" .Values.conf.nginx "key" "nginx.conf" "format" "Secret" ) | indent 2 }}
+{{- end }}
diff --git a/charts/glance/templates/deployment-api.yaml b/charts/glance/templates/deployment-api.yaml
new file mode 100644
index 0000000..9c26c74
--- /dev/null
+++ b/charts/glance/templates/deployment-api.yaml
@@ -0,0 +1,368 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment_api }}
+{{- $envAll := . }}
+
+{{- $mounts_glance_api := .Values.pod.mounts.glance_api.glance_api }}
+{{- $mounts_glance_api_init := .Values.pod.mounts.glance_api.init_container }}
+
+{{- $serviceAccountName := "glance-api" }}
+{{ tuple $envAll "api" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: glance-api
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "glance" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.api }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "glance" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "glance" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "glance-api" "containerNames" ( list "glance-perms" "glance-api" "init" "nginx" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "glance" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      affinity:
+{{ tuple $envAll "glance" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+{{ if $envAll.Values.pod.tolerations.glance.enabled }}
+{{ tuple $envAll "glance" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+      nodeSelector:
+        {{ .Values.labels.api.node_selector_key }}: {{ .Values.labels.api.node_selector_value }}
+      terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.api.timeout | default "30" }}
+{{- if .Values.pod.useHostNetwork.api }}
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+{{- end }}
+{{- if eq .Values.storage "cinder" }}
+      hostIPC: true
+{{- end }}
+      initContainers:
+{{ tuple $envAll "api" $mounts_glance_api_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: glance-perms
+{{ tuple $envAll "glance_api" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "glance" "container" "glance_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - chown
+            - -R
+            - "glance:"
+            - {{ .Values.conf.glance.glance_store.filesystem_store_datadir }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: glance-images
+              mountPath: {{ .Values.conf.glance.glance_store.filesystem_store_datadir }}
+        {{ if eq .Values.storage "rbd" }}
+        - name: ceph-keyring-placement
+{{ tuple $envAll "glance_api" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "glance" "container" "ceph_keyring_placement" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          env:
+            - name: RBD_STORE_USER
+              value: {{ .Values.conf.glance.glance_store.rbd_store_user | quote }}
+          command:
+            - /tmp/ceph-keyring.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: glance-bin
+              mountPath: /tmp/ceph-keyring.sh
+              subPath: ceph-keyring.sh
+              readOnly: true
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+        {{ end }}
+      containers:
+        {{- if $envAll.Values.manifests.certificates }}
+        - name: nginx
+{{ tuple $envAll "nginx" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.nginx | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "glance" "container" "nginx" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          ports:
+            - name: g-api
+              containerPort: {{ tuple "image" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+          env:
+            - name: PORT
+              value: {{ tuple "image" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
+            - name: SHORTNAME
+              value: {{ tuple "image" "internal" .  | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" | quote }}
+          readinessProbe:
+            tcpSocket:
+              port: {{ tuple "image" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+          command:
+            - /tmp/nginx.sh
+            - start
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - /tmp/nginx.sh
+                  - stop
+          volumeMounts:
+            - name: glance-bin
+              mountPath: /tmp/nginx.sh
+              subPath: nginx.sh
+              readOnly: true
+            - name: glance-etc
+              mountPath: /etc/nginx/nginx.conf
+              subPath: nginx.conf
+              readOnly: true
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal "path" "/etc/nginx/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+        {{- end }}
+        - name: glance-api
+{{ tuple $envAll "glance_api" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "glance" "container" "glance_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/glance-api.sh
+            - start
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
+          env:
+            - name: REQUESTS_CA_BUNDLE
+              value: "/etc/glance/certs/ca.crt"
+{{- end }}
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - /tmp/glance-api.sh
+                  - stop
+          {{- if $envAll.Values.manifests.certificates }}
+          readinessProbe:
+            exec:
+              command:
+                - python
+                - -c
+                - "import requests; requests.get('http://127.0.0.1:{{ tuple "image" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}')"
+          livenessProbe:
+            exec:
+              command:
+                - python
+                - -c
+                - "import requests; requests.get('http://127.0.0.1:{{ tuple "image" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}')"
+            initialDelaySeconds: 30
+          {{- else }}
+          ports:
+            - name: g-api
+              containerPort: {{ tuple "image" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+          readinessProbe:
+            httpGet:
+              scheme: HTTP
+              path: /
+              port: {{ tuple "image" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+          livenessProbe:
+            httpGet:
+              scheme: HTTP
+              path: /
+              port: {{ tuple "image" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+          {{- end }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: glance-tmp
+              mountPath: /var/lib/glance/tmp
+            - name: etcglance
+              mountPath: /etc/glance
+            - name: glance-bin
+              mountPath: /tmp/glance-api.sh
+              subPath: glance-api.sh
+              readOnly: true
+            - name: glance-etc
+              mountPath: /etc/glance/glance-api.conf
+              subPath: glance-api.conf
+              readOnly: true
+            {{- if .Values.conf.glance.DEFAULT.log_config_append }}
+            - name: glance-etc
+              mountPath: {{ .Values.conf.glance.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.glance.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+            - name: glance-etc
+              mountPath: /etc/glance/glance-api-paste.ini
+              subPath: glance-api-paste.ini
+              readOnly: true
+            - name: glance-etc
+              mountPath: /etc/glance/policy.yaml
+              subPath: policy.yaml
+              readOnly: true
+            - name: glance-etc
+              mountPath: /etc/glance/api_audit_map.conf
+              subPath: api_audit_map.conf
+              readOnly: true
+            - name: glance-etc
+              # NOTE (Portdirect): We mount here to override Kollas
+              # custom sudoers file when using Kolla images, this
+              # location will also work fine for other images.
+              mountPath: /etc/sudoers.d/kolla_glance_sudoers
+              subPath: glance_sudoers
+              readOnly: true
+            - name: glance-etc
+              mountPath: /etc/glance/rootwrap.conf
+              subPath: rootwrap.conf
+              readOnly: true
+            {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+            {{- if ( has "api" $value.pods ) }}
+            {{- $filePrefix := replace "_" "-"  $key }}
+            {{- $rootwrapFile := printf "/etc/glance/rootwrap.d/%s.filters" $filePrefix }}
+            - name: glance-etc
+              mountPath: {{ $rootwrapFile }}
+              subPath: {{ base $rootwrapFile }}
+              readOnly: true
+            {{- end }}
+            {{- end }}
+            - name: glance-etc
+              mountPath: {{ .Values.conf.glance.glance_store.swift_store_config_file }}
+              subPath: swift-store.conf
+              readOnly: true
+            - name: glance-images
+              mountPath: {{ .Values.conf.glance.glance_store.filesystem_store_datadir }}
+{{- if eq .Values.storage "cinder" }}
+            - name: host-rootfs
+              mountPath: /mnt/host-rootfs
+              {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+              mountPropagation: HostToContainer
+              {{- end }}
+            - name: host-dev
+              mountPath: /dev
+              {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+              mountPropagation: HostToContainer
+              {{- end }}
+            - name: runlock
+              mountPath: /run/lock
+            - name: etciscsi
+              mountPath: /etc/iscsi
+              {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+              mountPropagation: HostToContainer
+              {{- end }}
+            - name: usrlocalsbin
+              mountPath: /usr/local/sbin
+            - name: glance-bin
+              mountPath: /usr/local/sbin/iscsiadm
+              subPath: iscsiadm
+            - name: glance-bin
+              mountPath: /usr/local/sbin/multipath
+              subPath: multipath
+            - name: glance-bin
+              mountPath: /usr/local/sbin/multipathd
+              subPath: multipathd
+            - name: etcmultipath
+              mountPath: /etc/multipath
+              {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+              mountPropagation: Bidirectional
+              {{- end }}
+            - name: sys
+              mountPath: /sys
+              {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+              mountPropagation: HostToContainer
+              {{- end }}
+{{- end }}
+{{- if eq .Values.storage "rbd" }}
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: ceph.conf
+              readOnly: true
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+{{- end }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" $envAll.Values.secrets.tls.image.api.internal "path" "/etc/glance/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_glance_api.volumeMounts }}{{ toYaml $mounts_glance_api.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: glance-tmp
+          emptyDir: {}
+        - name: etcglance
+          emptyDir: {}
+        - name: glance-bin
+          configMap:
+            name: glance-bin
+            defaultMode: 0555
+        - name: glance-etc
+          secret:
+            secretName: glance-etc
+            defaultMode: 0444
+{{- if eq .Values.storage "pvc" }}
+        - name: glance-images
+          persistentVolumeClaim:
+            claimName: glance-images
+{{ else }}
+        - name: glance-images
+          emptyDir: {}
+{{- end }}
+{{- if eq .Values.storage "rbd" }}
+        - name: etcceph
+          emptyDir: {}
+        - name: ceph-etc
+          configMap:
+            name: {{ .Values.ceph_client.configmap }}
+            defaultMode: 0444
+        - name: ceph-keyring
+          secret:
+            secretName: {{ .Values.secrets.rbd | quote }}
+{{- end }}
+{{- if eq .Values.storage "cinder" }}
+        - name: host-rootfs
+          hostPath:
+            path: /
+        - name: host-dev
+          hostPath:
+            path: /dev
+        - name: runlock
+          hostPath:
+            path: /run/lock
+        - name: etciscsi
+          hostPath:
+            path: /etc/iscsi
+        - name: usrlocalsbin
+          emptyDir: {}
+        - name: etcmultipath
+          hostPath:
+            path: /etc/multipath
+        - name: sys
+          hostPath:
+            path: /sys
+{{- end }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" $envAll.Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_glance_api.volumes }}{{ toYaml $mounts_glance_api.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/glance/templates/ingress-api.yaml b/charts/glance/templates/ingress-api.yaml
new file mode 100644
index 0000000..939855e
--- /dev/null
+++ b/charts/glance/templates/ingress-api.yaml
@@ -0,0 +1,23 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
+{{- $envAll := . }}
+{{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "image" "backendPort" "g-api" -}}
+{{- $secretName := $envAll.Values.secrets.tls.image.api.internal -}}
+{{- if and .Values.manifests.certificates $secretName -}}
+{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.image.host_fqdn_override.default.tls.issuerRef.name -}}
+{{- end -}}
+{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+{{- end }}
diff --git a/charts/glance/templates/job-bootstrap.yaml b/charts/glance/templates/job-bootstrap.yaml
new file mode 100644
index 0000000..56bebfc
--- /dev/null
+++ b/charts/glance/templates/job-bootstrap.yaml
@@ -0,0 +1,43 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.bootstrap" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "5"
+{{- end }}
+
+{{- define "glance.templates._job_bootstrap.pod_volumes" -}}
+{{- $envAll := index . 0 -}}
+volumeMounts:
+  - name: imagedir
+    mountPath: /tmp/images
+volumes:
+  - name: imagedir
+    emptyDir: {}
+{{- end }}
+
+{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
+{{- $podVolumes := tuple . | include "glance.templates._job_bootstrap.pod_volumes" | toString | fromYaml }}
+{{- $bootstrapJob := dict "envAll" . "serviceName" "glance" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.glance.DEFAULT.log_config_append "podVolMounts" $podVolumes.volumeMounts "podVols" $podVolumes.volumes -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
+{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.image.api.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $bootstrapJob "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.glance.enabled -}}
+{{- $_ := set $bootstrapJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
+{{- end }}
diff --git a/charts/glance/templates/job-clean.yaml b/charts/glance/templates/job-clean.yaml
new file mode 100644
index 0000000..26977c0
--- /dev/null
+++ b/charts/glance/templates/job-clean.yaml
@@ -0,0 +1,121 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_clean }}
+{{- $envAll := . }}
+{{- if .Values.bootstrap.enabled }}
+
+{{- $serviceAccountName := print "glance-clean" }}
+{{ tuple $envAll "clean" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $serviceAccountName }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $serviceAccountName }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $serviceAccountName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $serviceAccountName }}
+    namespace: {{ $envAll.Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ print "glance-clean" }}
+  labels:
+{{ tuple $envAll "glance" "clean" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": hook-succeeded
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "glance" "clean" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "clean" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      restartPolicy: OnFailure
+{{ if $envAll.Values.pod.tolerations.glance.enabled }}
+{{ tuple $envAll "glance" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+      nodeSelector:
+        {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+      initContainers:
+{{ tuple $envAll "clean" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        {{- if eq .Values.storage "rbd" }}
+        - name: glance-secret-clean
+{{ tuple $envAll "glance_storage_init" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "clean" "container" "glance_secret_clean" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          env:
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: RBD_POOL_SECRET
+              value: {{ .Values.secrets.rbd | quote }}
+          command:
+            - /tmp/clean-secrets.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: glance-bin
+              mountPath: /tmp/clean-secrets.sh
+              subPath: clean-secrets.sh
+              readOnly: true
+        {{ end }}
+        - name: glance-image-clean
+{{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+          command:
+            - /tmp/clean-image.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: glance-bin
+              mountPath: /tmp/clean-image.sh
+              subPath: clean-image.sh
+              readOnly: true
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: glance-bin
+          configMap:
+            name: glance-bin
+            defaultMode: 0555
+{{- end }}
+{{- end }}
diff --git a/charts/glance/templates/job-db-drop.yaml b/charts/glance/templates/job-db-drop.yaml
new file mode 100644
index 0000000..66f3a18
--- /dev/null
+++ b/charts/glance/templates/job-db-drop.yaml
@@ -0,0 +1,26 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_db_drop }}
+{{- $serviceName := "glance" -}}
+{{- $dbToDrop := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName "glance-api" ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" -}}
+{{- $dbDropJob := dict "envAll" . "serviceName" $serviceName "dbToDrop" $dbToDrop -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbToDrop "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.pod.tolerations.glance.enabled -}}
+{{- $_ := set $dbDropJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
+{{- end }}
diff --git a/charts/glance/templates/job-db-init.yaml b/charts/glance/templates/job-db-init.yaml
new file mode 100644
index 0000000..6f79781
--- /dev/null
+++ b/charts/glance/templates/job-db-init.yaml
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_init" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-5"
+{{- end }}
+
+{{- if .Values.manifests.job_db_init }}
+{{- $serviceName := "glance" -}}
+{{- $dbToInit := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName "glance-api" ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" -}}
+{{- $dbInitJob := dict "envAll" . "serviceName" $serviceName "dbToInit" $dbToInit -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $dbInitJob "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.glance.enabled -}}
+{{- $_ := set $dbInitJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
+{{- end }}
diff --git a/charts/glance/templates/job-db-sync.yaml b/charts/glance/templates/job-db-sync.yaml
new file mode 100644
index 0000000..1434edd
--- /dev/null
+++ b/charts/glance/templates/job-db-sync.yaml
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_sync" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end }}
+
+{{- if .Values.manifests.job_db_sync }}
+{{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" "glance" "glance-api" ) "logConfigFile" (printf "/etc/%s/logging.conf" "glance" ) "image" ( index .Values.images.tags ( printf "%s_db_sync" "glance" )) ) -}}
+{{- $dbSyncJob := dict "envAll" . "serviceName" "glance" "podVolMounts" .Values.pod.mounts.glance_db_sync.glance_db_sync.volumeMounts "podVols" .Values.pod.mounts.glance_db_sync.glance_db_sync.volumes "dbToSync" $dbToSync -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $dbSyncJob "jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.glance.enabled -}}
+{{- $_ := set $dbSyncJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
+{{- end }}
diff --git a/charts/glance/templates/job-image-repo-sync.yaml b/charts/glance/templates/job-image-repo-sync.yaml
new file mode 100644
index 0000000..dc9d322
--- /dev/null
+++ b/charts/glance/templates/job-image-repo-sync.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.repo_sync" }}
+helm.sh/hook: post-install,post-upgrade
+{{- end }}
+
+{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
+{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "glance" -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := $imageRepoSyncJob "jobAnnotations" (include "metadata.annotations.job.repo_sync" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.glance.enabled -}}
+{{- $_ := set $imageRepoSyncJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
+{{- end }}
diff --git a/charts/glance/templates/job-ks-endpoints.yaml b/charts/glance/templates/job-ks-endpoints.yaml
new file mode 100644
index 0000000..fe761a3
--- /dev/null
+++ b/charts/glance/templates/job-ks-endpoints.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_endpoints" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-2"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_endpoints }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "glance" "serviceTypes" ( tuple "image" ) -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.image.api.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.glance.enabled -}}
+{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
+{{- end }}
diff --git a/charts/glance/templates/job-ks-service.yaml b/charts/glance/templates/job-ks-service.yaml
new file mode 100644
index 0000000..8aaef78
--- /dev/null
+++ b/charts/glance/templates/job-ks-service.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_service" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-3"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_service }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "glance" "serviceTypes" ( tuple "image" ) -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.image.api.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.glance.enabled -}}
+{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
+{{- end }}
diff --git a/charts/glance/templates/job-ks-user.yaml b/charts/glance/templates/job-ks-user.yaml
new file mode 100644
index 0000000..7f646e3
--- /dev/null
+++ b/charts/glance/templates/job-ks-user.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_user" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-1"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_user }}
+{{- $ksUserJob := dict "envAll" . "serviceName" "glance" -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.image.api.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.glance.enabled -}}
+{{- $_ := set $ksUserJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
+{{- end }}
diff --git a/charts/glance/templates/job-metadefs-load.yaml b/charts/glance/templates/job-metadefs-load.yaml
new file mode 100644
index 0000000..1c2efaa
--- /dev/null
+++ b/charts/glance/templates/job-metadefs-load.yaml
@@ -0,0 +1,97 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_metadefs_load }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := "glance-metadefs-load" }}
+{{ tuple $envAll "metadefs_load" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: glance-metadefs-load
+  labels:
+{{ tuple $envAll "glance" "metadefs-load" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  annotations:
+{{- if .Values.helm3_hook }}
+    helm.sh/hook: post-install,post-upgrade
+{{- end }}
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "glance" "metadefs_load" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "glance-metadefs-load" "containerNames" (list "init" "glance-metadefs-load" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "metadefs_load" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      restartPolicy: OnFailure
+{{ if $envAll.Values.pod.tolerations.glance.enabled }}
+{{ tuple $envAll "glance" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+      nodeSelector:
+        {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+      initContainers:
+{{ tuple $envAll "metadefs_load" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: glance-metadefs-load
+{{ tuple $envAll "glance_metadefs_load" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.metadefs_load | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "metadefs_load" "container" "glance_metadefs_load" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          env:
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          command:
+            - /tmp/metadefs-load.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: glance-bin
+              mountPath: /tmp/metadefs-load.sh
+              subPath: metadefs-load.sh
+              readOnly: true
+            - name: etcglance
+              mountPath: /etc/glance
+            - name: glance-etc
+              mountPath: /etc/glance/glance-api.conf
+              subPath: glance-api.conf
+              readOnly: true
+            {{- if .Values.conf.glance.DEFAULT.log_config_append }}
+            - name: glance-etc
+              mountPath: {{ .Values.conf.glance.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.glance.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: glance-bin
+          configMap:
+            name: glance-bin
+            defaultMode: 0555
+        - name: etcglance
+          emptyDir: {}
+        - name: glance-etc
+          secret:
+            secretName: glance-etc
+            defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/glance/templates/job-rabbit-init.yaml b/charts/glance/templates/job-rabbit-init.yaml
new file mode 100644
index 0000000..6bd14d6
--- /dev/null
+++ b/charts/glance/templates/job-rabbit-init.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.rabbit_init" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end }}
+
+{{- if .Values.manifests.job_rabbit_init }}
+{{- $rmqUserJob := dict "envAll" . "serviceName" "glance" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $rmqUserJob "tlsSecret" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $rmqUserJob "jobAnnotations" (include "metadata.annotations.job.rabbit_init" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.glance.enabled -}}
+{{- $_ := set $rmqUserJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }}
+{{- end }}
diff --git a/charts/glance/templates/job-storage-init.yaml b/charts/glance/templates/job-storage-init.yaml
new file mode 100644
index 0000000..d8aee23
--- /dev/null
+++ b/charts/glance/templates/job-storage-init.yaml
@@ -0,0 +1,198 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_storage_init }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := "glance-storage-init" }}
+{{ tuple $envAll "storage_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $serviceAccountName }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - create
+      - update
+      - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $serviceAccountName }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $serviceAccountName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $serviceAccountName }}
+    namespace: {{ $envAll.Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: glance-storage-init
+  labels:
+{{ tuple $envAll "glance" "storage-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  annotations:
+{{- if .Values.helm3_hook }}
+    helm.sh/hook: post-install,post-upgrade
+{{- end }}
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "glance" "storage-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "glance-storage-init" "containerNames" (list "init" "glance-storage-init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "storage_init" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      restartPolicy: OnFailure
+{{ if $envAll.Values.pod.tolerations.glance.enabled }}
+{{ tuple $envAll "glance" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+      nodeSelector:
+        {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+      initContainers:
+{{ tuple $envAll "storage_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        {{ if or (eq .Values.storage "rbd") (eq .Values.storage "radosgw") }}
+        - name: ceph-keyring-placement
+{{ tuple $envAll "glance_api" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "storage_init" "container" "ceph_keyring_placement" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/ceph-admin-keyring.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: glance-bin
+              mountPath: /tmp/ceph-admin-keyring.sh
+              subPath: ceph-admin-keyring.sh
+              readOnly: true
+            {{- if empty .Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+        {{ end }}
+      containers:
+        - name: glance-storage-init
+{{ tuple $envAll "glance_storage_init" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.storage_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "storage_init" "container" "glance_storage_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          env:
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: STORAGE_BACKEND
+              value: {{ .Values.storage | quote }}
+            {{- if eq .Values.storage "rbd" }}
+            - name: RBD_POOL_NAME
+              value: {{ .Values.conf.glance.glance_store.rbd_store_pool | quote }}
+            - name: RBD_POOL_APP_NAME
+              value: {{ .Values.conf.software.rbd.rbd_store_pool_app_name | quote }}
+            - name: RBD_POOL_USER
+              value: {{ .Values.conf.glance.glance_store.rbd_store_user | quote }}
+            - name: RBD_POOL_REPLICATION
+              value: {{ .Values.conf.glance.glance_store.rbd_store_replication | quote }}
+            - name: RBD_POOL_CRUSH_RULE
+              value: {{ .Values.conf.glance.glance_store.rbd_store_crush_rule | quote }}
+            - name: RBD_POOL_CHUNK_SIZE
+              value: {{ .Values.conf.glance.glance_store.rbd_store_chunk_size | quote }}
+            - name: RBD_POOL_SECRET
+              value: {{ .Values.secrets.rbd | quote }}
+            {{ end }}
+            {{- if eq .Values.storage "radosgw" }}
+            - name: RADOSGW_USERNAME
+              value: {{ .Values.endpoints.ceph_object_store.auth.glance.username | quote }}
+            - name: RADOSGW_PASSWORD
+              value: {{ .Values.endpoints.ceph_object_store.auth.glance.password | quote }}
+            - name: RADOSGW_TMPURL_KEY
+              value: {{ .Values.endpoints.ceph_object_store.auth.glance.tmpurlkey | quote }}
+            {{ end }}
+            {{- if eq .Values.storage "swift" }}
+            - name: SWIFT_TMPURL_KEY
+              value: {{ .Values.endpoints.object_store.auth.glance.tmpurlkey | quote }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.glance "useCA" .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            {{ end }}
+          command:
+            - /tmp/storage-init.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: glance-bin
+              mountPath: /tmp/storage-init.sh
+              subPath: storage-init.sh
+              readOnly: true
+            {{ if or (eq .Values.storage "rbd") (eq .Values.storage "radosgw") }}
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: ceph.conf
+              readOnly: true
+            {{- if empty .Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+            {{ end }}
+            {{- if eq .Values.storage "pvc" }}
+            - name: glance-images
+              mountPath: {{ .Values.conf.glance.glance_store.filesystem_store_datadir }}
+            {{ end }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: glance-bin
+          configMap:
+            name: glance-bin
+            defaultMode: 0555
+        {{ if or (eq .Values.storage "rbd") (eq .Values.storage "radosgw") }}
+        - name: etcceph
+          emptyDir: {}
+        - name: ceph-etc
+          configMap:
+            name: {{ .Values.ceph_client.configmap }}
+            defaultMode: 0444
+        {{- if empty .Values.conf.ceph.admin_keyring }}
+        - name: ceph-keyring
+          secret:
+            secretName: {{ .Values.ceph_client.user_secret_name }}
+        {{ end }}
+        {{ end }}
+        {{- if eq .Values.storage "pvc" }}
+        - name: glance-images
+          persistentVolumeClaim:
+            claimName: glance-images
+        {{ end }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/glance/templates/network_policy.yaml b/charts/glance/templates/network_policy.yaml
new file mode 100644
index 0000000..f7fe79c
--- /dev/null
+++ b/charts/glance/templates/network_policy.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "glance" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/charts/glance/templates/pdb-api.yaml b/charts/glance/templates/pdb-api.yaml
new file mode 100644
index 0000000..0b27650
--- /dev/null
+++ b/charts/glance/templates/pdb-api.yaml
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pdb_api }}
+{{- $envAll := . }}
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: glance-api
+spec:
+  minAvailable: {{ .Values.pod.lifecycle.disruption_budget.api.min_available }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "glance" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{- end }}
diff --git a/charts/glance/templates/pod-rally-test.yaml b/charts/glance/templates/pod-rally-test.yaml
new file mode 100644
index 0000000..0ca17eb
--- /dev/null
+++ b/charts/glance/templates/pod-rally-test.yaml
@@ -0,0 +1,125 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if (.Values.global).subchart_release_name }}
+{{- $_ := set . "deployment_name" .Chart.Name }}
+{{- else }}
+{{- $_ := set . "deployment_name" .Release.Name }}
+{{- end }}
+
+{{- if .Values.manifests.pod_rally_test }}
+{{- $envAll := . }}
+
+{{- $mounts_tests := .Values.pod.mounts.glance_tests.glance_tests }}
+{{- $mounts_tests_init := .Values.pod.mounts.glance_tests.init_container }}
+
+{{- $serviceAccountName := print $envAll.deployment_name "-test" }}
+{{ tuple $envAll "tests" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: {{ print $envAll.Chart.Name "-test" }}
+  labels:
+{{ tuple $envAll "glance" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  annotations:
+    "helm.sh/hook": test-success
+{{ dict "envAll" $envAll "podName" "glance-test" "containerNames" (list "init" "glance-test" "glance-test-ks-user") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
+spec:
+{{ if $envAll.Values.pod.tolerations.glance.enabled }}
+{{ tuple $envAll "glance" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 2 }}
+{{ end }}
+  nodeSelector:
+    {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
+{{ dict "envAll" $envAll "application" "test" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
+  restartPolicy: Never
+  serviceAccountName: {{ $serviceAccountName }}
+  initContainers:
+{{ tuple $envAll "tests" $mounts_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
+    - name: glance-test-ks-user
+{{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.image" | indent 6 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+{{ dict "envAll" $envAll "application" "test" "container" "glance_test_ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
+      command:
+        - /tmp/ks-user.sh
+      volumeMounts:
+        - name: pod-tmp
+          mountPath: /tmp
+        - name: glance-bin
+          mountPath: /tmp/ks-user.sh
+          subPath: ks-user.sh
+          readOnly: true
+{{ dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume_mount"  | indent 8 }}
+      env:
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
+{{- end }}
+        - name: SERVICE_OS_SERVICE_NAME
+          value: "test"
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 8 }}
+{{- end }}
+        - name: SERVICE_OS_ROLE
+          value: {{ .Values.endpoints.identity.auth.test.role | quote }}
+  containers:
+    - name: glance-test
+{{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+{{ dict "envAll" $envAll "application" "test" "container" "glance_test" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
+      env:
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
+{{- end }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 8 }}
+{{- end }}
+        - name: RALLY_ENV_NAME
+          value: {{.Chart.Name}}
+      command:
+        - /tmp/rally-test.sh
+      volumeMounts:
+        - name: pod-tmp
+          mountPath: /tmp
+        - name: glance-etc
+          mountPath: /etc/rally/rally_tests.yaml
+          subPath: rally_tests.yaml
+          readOnly: true
+        - name: glance-bin
+          mountPath: /tmp/rally-test.sh
+          subPath: rally-test.sh
+          readOnly: true
+        - name: rally-db
+          mountPath: /var/lib/rally
+        - name: rally-work
+          mountPath: /home/rally/.rally
+{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume_mount"  | indent 8 }}
+{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
+  volumes:
+    - name: pod-tmp
+      emptyDir: {}
+    - name: glance-etc
+      secret:
+        secretName: glance-etc
+        defaultMode: 0444
+    - name: glance-bin
+      configMap:
+        name: glance-bin
+        defaultMode: 0555
+    - name: rally-db
+      emptyDir: {}
+    - name: rally-work
+      emptyDir: {}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
+{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
+{{- end }}
diff --git a/charts/glance/templates/pvc-images.yaml b/charts/glance/templates/pvc-images.yaml
new file mode 100644
index 0000000..bd86d68
--- /dev/null
+++ b/charts/glance/templates/pvc-images.yaml
@@ -0,0 +1,30 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pvc_images }}
+{{- $envAll := . }}
+{{- if eq .Values.storage "pvc" }}
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: glance-images
+spec:
+  accessModes: [ "ReadWriteOnce" ]
+  resources:
+    requests:
+      storage: {{ .Values.volume.size }}
+  storageClassName: {{ .Values.volume.class_name }}
+{{- end }}
+{{- end }}
diff --git a/charts/glance/templates/secret-db.yaml b/charts/glance/templates/secret-db.yaml
new file mode 100644
index 0000000..0a1085d
--- /dev/null
+++ b/charts/glance/templates/secret-db.yaml
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_db }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "glance" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+{{- $connection := tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+{{- if $envAll.Values.manifests.certificates }}
+  DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
+{{- else }}
+  DB_CONNECTION: {{  $connection | b64enc -}}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/glance/templates/secret-ingress-tls.yaml b/charts/glance/templates/secret-ingress-tls.yaml
new file mode 100644
index 0000000..b83f638
--- /dev/null
+++ b/charts/glance/templates/secret-ingress-tls.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "image" ) }}
+{{- end }}
diff --git a/charts/glance/templates/secret-keystone.yaml b/charts/glance/templates/secret-keystone.yaml
new file mode 100644
index 0000000..fc6cc6a
--- /dev/null
+++ b/charts/glance/templates/secret-keystone.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_keystone }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "glance" "test" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
+{{- end }}
diff --git a/charts/glance/templates/secret-rabbitmq.yaml b/charts/glance/templates/secret-rabbitmq.yaml
new file mode 100644
index 0000000..aba7639
--- /dev/null
+++ b/charts/glance/templates/secret-rabbitmq.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_rabbitmq }}
+{{- $envAll := . }}
+{{- $rabbitmqProtocol := "http" }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- $rabbitmqProtocol = "https" }}
+{{- end }}
+{{- range $key1, $userClass := tuple "admin" "glance" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+  RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass $rabbitmqProtocol $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/glance/templates/secret-registry.yaml b/charts/glance/templates/secret-registry.yaml
new file mode 100644
index 0000000..da979b3
--- /dev/null
+++ b/charts/glance/templates/secret-registry.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
diff --git a/charts/glance/templates/service-api.yaml b/charts/glance/templates/service-api.yaml
new file mode 100644
index 0000000..f2cbadf
--- /dev/null
+++ b/charts/glance/templates/service-api.yaml
@@ -0,0 +1,37 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service_api }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tuple "image" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+  ports:
+    - name: g-api
+      port: {{ tuple "image" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+    {{ if .Values.network.api.node_port.enabled }}
+      nodePort: {{ .Values.network.api.node_port.port }}
+    {{ end }}
+  selector:
+{{ tuple $envAll "glance" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  {{ if .Values.network.api.node_port.enabled }}
+  type: NodePort
+  {{ if .Values.network.api.external_policy_local }}
+  externalTrafficPolicy: Local
+  {{ end }}
+  {{ end }}
+{{- end }}
diff --git a/charts/glance/templates/service-ingress-api.yaml b/charts/glance/templates/service-ingress-api.yaml
new file mode 100644
index 0000000..965d26b
--- /dev/null
+++ b/charts/glance/templates/service-ingress-api.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_ingress_api .Values.network.api.ingress.public }}
+{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "image" -}}
+{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
+{{- end }}
diff --git a/charts/glance/values.yaml b/charts/glance/values.yaml
new file mode 100644
index 0000000..69f703e
--- /dev/null
+++ b/charts/glance/values.yaml
@@ -0,0 +1,1009 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for glance.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+# radosgw, rbd, swift or pvc
+---
+storage: swift
+
+labels:
+  api:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  job:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  test:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+
+release_group: null
+
+images:
+  tags:
+    test: docker.io/xrally/xrally-openstack:2.0.0
+    glance_storage_init: docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_xenial
+    glance_metadefs_load: docker.io/openstackhelm/glance:wallaby-ubuntu_focal
+    db_init: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    glance_db_sync: docker.io/openstackhelm/glance:wallaby-ubuntu_focal
+    db_drop: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    ks_user: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    ks_service: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    ks_endpoints: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    rabbit_init: docker.io/rabbitmq:3.7-management
+    glance_api: docker.io/openstackhelm/glance:wallaby-ubuntu_focal
+    # Bootstrap image requires curl
+    bootstrap: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    image_repo_sync: docker.io/docker:17.07.0
+  pull_policy: "IfNotPresent"
+  local_registry:
+    active: false
+    exclude:
+      - dep_check
+      - image_repo_sync
+
+bootstrap:
+  enabled: true
+  ks_user: admin
+  script: null
+  structured:
+    images:
+      cirros:
+        id: null
+        name: "Cirros 0.3.5 64-bit"
+        source_url: "http://download.cirros-cloud.net/0.3.5/"
+        image_file: "cirros-0.3.5-x86_64-disk.img"
+        min_disk: 1
+        image_type: qcow2
+        container_format: bare
+        private: true
+        properties:
+          # NOTE: If you want to restrict hypervisor type for this image,
+          # uncomment this and write specific hypervisor type.
+          # hypervisor_type: "qemu"
+          os_distro: "cirros"
+
+ceph_client:
+  configmap: ceph-etc
+  user_secret_name: pvc-ceph-client-key
+
+network_policy:
+  glance:
+    ingress:
+      - {}
+    egress:
+      - {}
+
+conf:
+  software:
+    rbd:
+      rbd_store_pool_app_name: glance-image
+  rally_tests:
+    run_tempest: false
+    tests:
+      GlanceImages.create_and_delete_image:
+        - args:
+            container_format: bare
+            disk_format: qcow2
+            # NOTE(aostapenko) temporary location to work around https://bugs.launchpad.net/rally/+bug/1887705
+            image_location: https://artifactory.mirantis.com/artifactory/binary-prod-local/mirantis/external/images/cirros/0.3.5/cirros-0.3.5-x86_64-disk.img
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      GlanceImages.create_and_list_image:
+        - args:
+            container_format: bare
+            disk_format: qcow2
+            # NOTE(aostapenko) temporary location to work around https://bugs.launchpad.net/rally/+bug/1887705
+            image_location: https://artifactory.mirantis.com/artifactory/binary-prod-local/mirantis/external/images/cirros/0.3.5/cirros-0.3.5-x86_64-disk.img
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+  ceph:
+    monitors: []
+    admin_keyring: null
+    override:
+    append:
+  ceph_client:
+    override:
+    append:
+  paste:
+    pipeline:glance-api:
+      pipeline: cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler unauthenticated-context rootapp
+    pipeline:glance-api-caching:
+      pipeline: cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler unauthenticated-context cache rootapp
+    pipeline:glance-api-cachemanagement:
+      pipeline: cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler unauthenticated-context cache cachemanage rootapp
+    pipeline:glance-api-keystone:
+      pipeline: cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken audit context  rootapp
+    pipeline:glance-api-keystone+caching:
+      pipeline: cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken audit context cache rootapp
+    pipeline:glance-api-keystone+cachemanagement:
+      pipeline: cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken audit context cache cachemanage rootapp
+    pipeline:glance-api-trusted-auth:
+      pipeline: cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler context rootapp
+    pipeline:glance-api-trusted-auth+cachemanagement:
+      pipeline: cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler context cache cachemanage rootapp
+    composite:rootapp:
+      paste.composite_factory: glance.api:root_app_factory
+      /: apiversions
+      /v1: apiv1app
+      /v2: apiv2app
+    app:apiversions:
+      paste.app_factory: glance.api.versions:create_resource
+    app:apiv1app:
+      paste.app_factory: glance.api.v1.router:API.factory
+    app:apiv2app:
+      paste.app_factory: glance.api.v2.router:API.factory
+    filter:healthcheck:
+      paste.filter_factory: oslo_middleware:Healthcheck.factory
+      backends: disable_by_file
+      disable_by_file_path: /etc/glance/healthcheck_disable
+    filter:versionnegotiation:
+      paste.filter_factory: glance.api.middleware.version_negotiation:VersionNegotiationFilter.factory
+    filter:cache:
+      paste.filter_factory: glance.api.middleware.cache:CacheFilter.factory
+    filter:cachemanage:
+      paste.filter_factory: glance.api.middleware.cache_manage:CacheManageFilter.factory
+    filter:context:
+      paste.filter_factory: glance.api.middleware.context:ContextMiddleware.factory
+    filter:unauthenticated-context:
+      paste.filter_factory: glance.api.middleware.context:UnauthenticatedContextMiddleware.factory
+    filter:authtoken:
+      paste.filter_factory: keystonemiddleware.auth_token:filter_factory
+      delay_auth_decision: true
+    filter:audit:
+      paste.filter_factory: keystonemiddleware.audit:filter_factory
+      audit_map_file: /etc/glance/api_audit_map.conf
+    filter:gzip:
+      paste.filter_factory: glance.api.middleware.gzip:GzipMiddleware.factory
+    filter:osprofiler:
+      paste.filter_factory: osprofiler.web:WsgiMiddleware.factory
+      hmac_keys: SECRET_KEY  # DEPRECATED
+      enabled: yes  # DEPRECATED
+    filter:cors:
+      paste.filter_factory: oslo_middleware.cors:filter_factory
+      oslo_config_project: glance
+      oslo_config_program: glance-api
+    filter:http_proxy_to_wsgi:
+      paste.filter_factory: oslo_middleware:HTTPProxyToWSGI.factory
+  policy: {}
+  glance_sudoers: |
+    # This sudoers file supports rootwrap for both Kolla and LOCI Images.
+    Defaults !requiretty
+    Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin"
+    glance ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/glance-rootwrap /etc/glance/rootwrap.conf *, /var/lib/openstack/bin/glance-rootwrap /etc/glance/rootwrap.conf *
+  rootwrap: |
+    # Configuration for glance-rootwrap
+    # This file should be owned by (and only-writable by) the root user
+
+    [DEFAULT]
+    # List of directories to load filter definitions from (separated by ',').
+    # These directories MUST all be only writeable by root !
+    filters_path=/etc/glance/rootwrap.d,/usr/share/glance/rootwrap
+
+    # List of directories to search executables in, in case filters do not
+    # explicitely specify a full path (separated by ',')
+    # If not specified, defaults to system PATH environment variable.
+    # These directories MUST all be only writeable by root !
+    exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/var/lib/openstack/bin,/var/lib/kolla/venv/bin
+
+    # Enable logging to syslog
+    # Default value is False
+    use_syslog=False
+
+    # Which syslog facility to use.
+    # Valid values include auth, authpriv, syslog, local0, local1...
+    # Default value is 'syslog'
+    syslog_log_facility=syslog
+
+    # Which messages to log.
+    # INFO means log all usage
+    # ERROR means only log unsuccessful attempts
+    syslog_log_level=ERROR
+  rootwrap_filters:
+    glance_cinder_store:
+      pods:
+        - api
+      content: |
+        # glance-rootwrap command filters for glance cinder store
+        # This file should be owned by (and only-writable by) the root user
+
+        [Filters]
+        # cinder store driver
+        disk_chown: RegExpFilter, chown, root, chown, \d+, /dev/(?!.*/\.\.).*
+
+        # os-brick library commands
+        # os_brick.privileged.run_as_root oslo.privsep context
+        # This line ties the superuser privs with the config files, context name,
+        # and (implicitly) the actual python code invoked.
+        privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*
+
+        chown: CommandFilter, chown, root
+        mount: CommandFilter, mount, root
+        umount: CommandFilter, umount, root
+  glance:
+    DEFAULT:
+      log_config_append: /etc/glance/logging.conf
+      # NOTE(portdirect): the bind port should not be defined, and is manipulated
+      # via the endpoints section.
+      bind_port: null
+      workers: 1
+      enable_v1_api: False
+    oslo_middleware:
+      enable_proxy_headers_parsing: true
+    keystone_authtoken:
+      auth_type: password
+      auth_version: v3
+      memcache_security_strategy: ENCRYPT
+    glance_store:
+      cinder_catalog_info: volumev3::internalURL
+      rbd_store_chunk_size: 8
+      rbd_store_replication: 3
+      rbd_store_crush_rule: replicated_rule
+      rbd_store_pool: glance.images
+      rbd_store_user: glance
+      rbd_store_ceph_conf: /etc/ceph/ceph.conf
+      filesystem_store_datadir: /var/lib/glance/images
+      default_swift_reference: ref1
+      swift_store_container: glance
+      swift_store_create_container_on_put: true
+      swift_store_config_file: /etc/glance/swift-store.conf
+      swift_store_endpoint_type: internalURL
+    paste_deploy:
+      flavor: keystone
+    database:
+      max_retries: -1
+    oslo_concurrency:
+      lock_path: "/var/lib/glance/tmp"
+    oslo_messaging_notifications:
+      driver: messagingv2
+    oslo_messaging_rabbit:
+      rabbit_ha_queues: true
+    oslo_policy:
+      policy_file: /etc/glance/policy.yaml
+    cors: {}
+  logging:
+    loggers:
+      keys:
+        - root
+        - glance
+    handlers:
+      keys:
+        - stdout
+        - stderr
+        - "null"
+    formatters:
+      keys:
+        - context
+        - default
+    logger_root:
+      level: WARNING
+      handlers: 'null'
+    logger_glance:
+      level: INFO
+      handlers:
+        - stdout
+      qualname: glance
+    logger_amqp:
+      level: WARNING
+      handlers: stderr
+      qualname: amqp
+    logger_amqplib:
+      level: WARNING
+      handlers: stderr
+      qualname: amqplib
+    logger_eventletwsgi:
+      level: WARNING
+      handlers: stderr
+      qualname: eventlet.wsgi.server
+    logger_sqlalchemy:
+      level: WARNING
+      handlers: stderr
+      qualname: sqlalchemy
+    logger_boto:
+      level: WARNING
+      handlers: stderr
+      qualname: boto
+    handler_null:
+      class: logging.NullHandler
+      formatter: default
+      args: ()
+    handler_stdout:
+      class: StreamHandler
+      args: (sys.stdout,)
+      formatter: context
+    handler_stderr:
+      class: StreamHandler
+      args: (sys.stderr,)
+      formatter: context
+    formatter_context:
+      class: oslo_log.formatters.ContextFormatter
+      datefmt: "%Y-%m-%d %H:%M:%S"
+    formatter_default:
+      format: "%(message)s"
+      datefmt: "%Y-%m-%d %H:%M:%S"
+  api_audit_map:
+    DEFAULT:
+      target_endpoint_type: None
+    path_keywords:
+      detail: None
+      file: None
+      images: image
+      members: member
+      tags: tag
+    service_endpoints:
+      image: 'service/storage/image'
+  swift_store: |
+    [{{ .Values.conf.glance.glance_store.default_swift_reference }}]
+    {{- if eq .Values.storage "radosgw" }}
+    auth_version = 1
+    auth_address = {{ tuple "ceph_object_store" "public" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+    user = {{ .Values.endpoints.ceph_object_store.auth.glance.username }}:swift
+    key = {{ .Values.endpoints.ceph_object_store.auth.glance.password }}
+    {{- else }}
+    user = {{ .Values.endpoints.identity.auth.glance.project_name }}:{{ .Values.endpoints.identity.auth.glance.username }}
+    key = {{ .Values.endpoints.identity.auth.glance.password }}
+    auth_address = {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+    user_domain_name = {{ .Values.endpoints.identity.auth.glance.user_domain_name }}
+    project_domain_name = {{ .Values.endpoints.identity.auth.glance.project_domain_name }}
+    auth_version = 3
+    # NOTE(portdirect): https://bugs.launchpad.net/glance-store/+bug/1620999
+    project_domain_id =
+    user_domain_id =
+    {{- end -}}
+  rabbitmq:
+    # NOTE(rk760n): adding rmq policy to mirror messages from notification queues and set expiration time for the ones
+    policies:
+      - vhost: "glance"
+        name: "ha_ttl_glance"
+        definition:
+          # mirror messges to other nodes in rmq cluster
+          ha-mode: "all"
+          ha-sync-mode: "automatic"
+          # 70s
+          message-ttl: 70000
+        priority: 0
+        apply-to: all
+        pattern: '^(?!(amq\.|reply_)).*'
+
+network:
+  api:
+    ingress:
+      public: true
+      classes:
+        namespace: "nginx"
+        cluster: "nginx-cluster"
+      annotations:
+        nginx.ingress.kubernetes.io/rewrite-target: /
+        nginx.ingress.kubernetes.io/proxy-body-size: "0"
+    external_policy_local: false
+    node_port:
+      enabled: false
+      port: 30092
+
+volume:
+  class_name: general
+  size: 2Gi
+
+dependencies:
+  dynamic:
+    common:
+      local_image_registry:
+        jobs:
+          - glance-image-repo-sync
+        services:
+          - endpoint: node
+            service: local_image_registry
+  static:
+    api:
+      jobs:
+        - glance-storage-init
+        - glance-db-sync
+        - glance-rabbit-init
+        - glance-ks-user
+        - glance-ks-endpoints
+      services:
+        - endpoint: internal
+          service: oslo_db
+        - endpoint: internal
+          service: identity
+        - endpoint: internal
+          service: oslo_messaging
+    bootstrap:
+      jobs: null
+      services:
+        - endpoint: internal
+          service: identity
+        - endpoint: internal
+          service: image
+    clean:
+      jobs: null
+    db_drop:
+      services:
+        - endpoint: internal
+          service: oslo_db
+    db_init:
+      services:
+        - endpoint: internal
+          service: oslo_db
+    db_sync:
+      jobs:
+        - glance-db-init
+      services:
+        - endpoint: internal
+          service: oslo_db
+    ks_endpoints:
+      jobs:
+        - glance-ks-service
+      services:
+        - endpoint: internal
+          service: identity
+    ks_service:
+      services:
+        - endpoint: internal
+          service: identity
+    ks_user:
+      services:
+        - endpoint: internal
+          service: identity
+    rabbit_init:
+      services:
+        - endpoint: internal
+          service: oslo_messaging
+    storage_init:
+      jobs:
+        - glance-ks-user
+      services: null
+    metadefs_load:
+      jobs:
+        - glance-db-sync
+      services: null
+    tests:
+      services:
+        - endpoint: internal
+          service: oslo_db
+        - endpoint: internal
+          service: identity
+        - endpoint: internal
+          service: image
+    image_repo_sync:
+      services:
+        - endpoint: internal
+          service: local_image_registry
+
+# Names of secrets used by bootstrap and environmental checks
+secrets:
+  identity:
+    admin: glance-keystone-admin
+    glance: glance-keystone-user
+    test: glance-keystone-test
+  oslo_db:
+    admin: glance-db-admin
+    glance: glance-db-user
+  rbd: images-rbd-keyring
+  oslo_messaging:
+    admin: glance-rabbitmq-admin
+    glance: glance-rabbitmq-user
+  tls:
+    image:
+      api:
+        public: glance-tls-public
+        internal: glance-tls-api
+  oci_image_registry:
+    glance: glance-oci-image-registry
+
+# typically overridden by environmental
+# values, but should include all endpoints
+# required by this chart
+endpoints:
+  cluster_domain_suffix: cluster.local
+  local_image_registry:
+    name: docker-registry
+    namespace: docker-registry
+    hosts:
+      default: localhost
+      internal: docker-registry
+      node: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      glance:
+        username: glance
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
+  identity:
+    name: keystone
+    auth:
+      admin:
+        region_name: RegionOne
+        username: admin
+        password: password
+        project_name: admin
+        user_domain_name: default
+        project_domain_name: default
+      glance:
+        role: admin
+        region_name: RegionOne
+        username: glance
+        password: password
+        project_name: service
+        user_domain_name: service
+        project_domain_name: service
+      test:
+        role: admin
+        region_name: RegionOne
+        username: glance-test
+        password: password
+        project_name: test
+        user_domain_name: service
+        project_domain_name: service
+    hosts:
+      default: keystone
+      internal: keystone-api
+    host_fqdn_override:
+      default: null
+    path:
+      default: /v3
+    scheme:
+      default: http
+    port:
+      api:
+        default: 80
+        internal: 5000
+  image:
+    name: glance
+    hosts:
+      default: glance-api
+      public: glance
+    host_fqdn_override:
+      default: null
+      # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
+      # endpoints using the following format:
+      # public:
+      #   host: null
+      #   tls:
+      #     crt: null
+      #     key: null
+    path:
+      default: null
+    scheme:
+      default: http
+      service: http
+    port:
+      api:
+        default: 9292
+        public: 80
+  oslo_db:
+    auth:
+      admin:
+        username: root
+        password: password
+        secret:
+          tls:
+            internal: mariadb-tls-direct
+      glance:
+        username: glance
+        password: password
+    hosts:
+      default: mariadb
+    host_fqdn_override:
+      default: null
+    path: /glance
+    scheme: mysql+pymysql
+    port:
+      mysql:
+        default: 3306
+  oslo_cache:
+    auth:
+      # NOTE(portdirect): this is used to define the value for keystone
+      # authtoken cache encryption key, if not set it will be populated
+      # automatically with a random value, but to take advantage of
+      # this feature all services should be set to use the same key,
+      # and memcache service.
+      memcache_secret_key: null
+    hosts:
+      default: memcached
+    host_fqdn_override:
+      default: null
+    port:
+      memcache:
+        default: 11211
+  oslo_messaging:
+    auth:
+      admin:
+        username: rabbitmq
+        password: password
+        secret:
+          tls:
+            internal: rabbitmq-tls-direct
+      glance:
+        username: glance
+        password: password
+    statefulset:
+      replicas: 2
+      name: rabbitmq-rabbitmq
+    hosts:
+      default: rabbitmq
+    host_fqdn_override:
+      default: null
+    path: /glance
+    scheme: rabbit
+    port:
+      amqp:
+        default: 5672
+      http:
+        default: 15672
+  object_store:
+    name: swift
+    namespace: ceph
+    auth:
+      glance:
+        tmpurlkey: supersecret
+    hosts:
+      default: ceph-rgw
+      public: radosgw
+    host_fqdn_override:
+      default: null
+    path:
+      default: /swift/v1/KEY_$(tenant_id)s
+    scheme:
+      default: http
+    port:
+      api:
+        default: 8088
+        public: 80
+  ceph_object_store:
+    name: radosgw
+    namespace: ceph
+    auth:
+      glance:
+        username: glance
+        password: password
+        tmpurlkey: supersecret
+    hosts:
+      default: ceph-rgw
+      public: radosgw
+    host_fqdn_override:
+      default: null
+    path:
+      default: /auth/v1.0
+    scheme:
+      default: http
+    port:
+      api:
+        default: 8088
+        public: 80
+  fluentd:
+    namespace: null
+    name: fluentd
+    hosts:
+      default: fluentd-logging
+    host_fqdn_override:
+      default: null
+    path:
+      default: null
+    scheme: 'http'
+    port:
+      service:
+        default: 24224
+      metrics:
+        default: 24220
+  dashboard:
+    name: horizon
+    hosts:
+      default: horizon-int
+      public: horizon
+    host_fqdn_override:
+      default: null
+      # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
+      # endpoints using the following format:
+      # public:
+      #   host: null
+      #   tls:
+      #     crt: null
+      #     key: null
+    path:
+      default: null
+    scheme:
+      default: http
+      public: https
+    port:
+      web:
+        default: 80
+        public: 443
+  # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
+  # They are using to enable the Egress K8s network policy.
+  kube_dns:
+    namespace: kube-system
+    name: kubernetes-dns
+    hosts:
+      default: kube-dns
+    host_fqdn_override:
+      default: null
+    path:
+      default: null
+    scheme: http
+    port:
+      dns:
+        default: 53
+        protocol: UDP
+  ingress:
+    namespace: null
+    name: ingress
+    hosts:
+      default: ingress
+    port:
+      ingress:
+        default: 80
+
+pod:
+  security_context:
+    glance:
+      pod:
+        runAsUser: 42424
+      container:
+        glance_perms:
+          readOnlyRootFilesystem: true
+          runAsUser: 0
+        ceph_keyring_placement:
+          readOnlyRootFilesystem: true
+          runAsUser: 0
+        glance_api:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+        nginx:
+          readOnlyRootFilesystem: false
+          runAsUser: 0
+    clean:
+      pod:
+        runAsUser: 42424
+      container:
+        glance_secret_clean:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+    metadefs_load:
+      pod:
+        runAsUser: 42424
+      container:
+        glance_metadefs_load:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+    storage_init:
+      pod:
+        runAsUser: 42424
+      container:
+        ceph_keyring_placement:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+        glance_storage_init:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+    test:
+      pod:
+        runAsUser: 42424
+      container:
+        glance_test_ks_user:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+        glance_test:
+          runAsUser: 65500
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+  affinity:
+    anti:
+      type:
+        default: preferredDuringSchedulingIgnoredDuringExecution
+      topologyKey:
+        default: kubernetes.io/hostname
+      weight:
+        default: 10
+  tolerations:
+    glance:
+      enabled: false
+      tolerations:
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: NoSchedule
+  useHostNetwork:
+    api: false
+  mounts:
+    glance_api:
+      init_container: null
+      glance_api:
+        volumeMounts:
+        volumes:
+    glance_tests:
+      init_container: null
+      glance_tests:
+        volumeMounts:
+        volumes:
+    glance_db_sync:
+      glance_db_sync:
+        volumeMounts:
+        volumes:
+  replicas:
+    api: 1
+  lifecycle:
+    upgrades:
+      deployments:
+        revision_history: 3
+        pod_replacement_strategy: RollingUpdate
+        rolling_update:
+          max_unavailable: 1
+          max_surge: 3
+    disruption_budget:
+      api:
+        min_available: 0
+    termination_grace_period:
+      api:
+        timeout: 30
+  resources:
+    enabled: false
+    api:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+    jobs:
+      storage_init:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      metadefs_load:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      db_sync:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      db_init:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      db_drop:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      ks_user:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      ks_service:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      ks_endpoints:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      rabbit_init:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      bootstrap:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      tests:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      image_repo_sync:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+
+# NOTE(helm_hook): helm_hook might break for helm2 binary.
+# set helm3_hook: false when using the helm2 binary.
+helm3_hook: true
+
+tls:
+  identity: false
+  oslo_messaging: false
+  oslo_db: false
+
+manifests:
+  certificates: false
+  configmap_bin: true
+  configmap_etc: true
+  deployment_api: true
+  ingress_api: true
+  job_bootstrap: true
+  job_clean: true
+  job_db_init: true
+  job_db_sync: true
+  job_db_drop: false
+  job_image_repo_sync: true
+  job_ks_endpoints: true
+  job_ks_service: true
+  job_ks_user: true
+  job_storage_init: true
+  job_metadefs_load: true
+  job_rabbit_init: true
+  pdb_api: true
+  pod_rally_test: true
+  pvc_images: true
+  network_policy: false
+  secret_db: true
+  secret_ingress_tls: true
+  secret_keystone: true
+  secret_rabbitmq: true
+  secret_registry: true
+  service_ingress_api: true
+  service_api: true
+...
diff --git a/charts/heat/.helmignore b/charts/heat/.helmignore
new file mode 100644
index 0000000..b54c347
--- /dev/null
+++ b/charts/heat/.helmignore
@@ -0,0 +1 @@
+values_overrides
diff --git a/charts/heat/Chart.yaml b/charts/heat/Chart.yaml
new file mode 100644
index 0000000..4d3af00
--- /dev/null
+++ b/charts/heat/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Heat
+home: https://docs.openstack.org/heat/latest/
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/Heat/OpenStack_Project_Heat_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: heat
+sources:
+- https://opendev.org/openstack/heat
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.8
diff --git a/charts/heat/charts/helm-toolkit/Chart.yaml b/charts/heat/charts/helm-toolkit/Chart.yaml
new file mode 100644
index 0000000..ffa1cdc
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Helm-Toolkit
+home: https://docs.openstack.org/openstack-helm
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: helm-toolkit
+sources:
+- https://opendev.org/openstack/openstack-helm-infra
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.36
diff --git a/charts/heat/charts/helm-toolkit/requirements.yaml b/charts/heat/charts/helm-toolkit/requirements.yaml
new file mode 100644
index 0000000..27fb08a
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/requirements.yaml
@@ -0,0 +1,15 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies: []
+...
diff --git a/charts/heat/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl b/charts/heat/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..12b84de
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
@@ -0,0 +1,58 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves database, or basic auth, style endpoints
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      auth:
+        admin:
+          username: root
+          password: password
+        service_username:
+          username: username
+          password: password
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+      path: /dbname
+      scheme: mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "service_username" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+return: |
+  mysql+pymysql://serviceuser:password@mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s:%s@%s:%s%s" $endpointScheme $endpointUser $endpointPass $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl b/charts/heat/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..b7cf287
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
@@ -0,0 +1,121 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves endpoint string suitible for use with oslo.messaging transport url
+  See: https://docs.openstack.org/oslo.messaging/latest/reference/transport.html#oslo_messaging.TransportURL
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset:
+            replicas: 2
+            name: rabbitmq-rabbitmq
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: null
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq-rabbitmq-0.rabbitmq.default.svc.cluster.local:5672,cinder:password@rabbitmq-rabbitmq-1.rabbitmq.default.svc.cluster.local:5672/cinder
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset: null
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: null
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq.default.svc.cluster.local:5672/cinder
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset:
+            replicas: 2
+            name: rabbitmq-rabbitmq
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: rabbitmq.openstackhelm.org
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq.openstackhelm.org:5672/cinder
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" -}}
+{{-   $type := index . 0 -}}
+{{-   $endpoint := index . 1 -}}
+{{-   $userclass := index . 2 -}}
+{{-   $port := index . 3 -}}
+{{-   $context := index . 4 -}}
+{{-   $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{-   $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{-   $ssMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "statefulset" | default false}}
+{{-   $hostFqdnOverride := index $context.Values.endpoints ( $type | replace "-" "_" ) "host_fqdn_override" }}
+{{-   $endpointUser := index $userMap "username" }}
+{{-   $endpointPass := index $userMap "password" }}
+{{-   $endpointHostSuffix := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{-   $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{-   $local := dict "endpointCredsAndHosts" list -}}
+{{-   if not (or (index $hostFqdnOverride $endpoint | default ( index $hostFqdnOverride "default" ) ) ( not $ssMap ) ) }}
+{{-     $endpointHostPrefix := $ssMap.name }}
+{{-     range $podInt := until ( atoi (print $ssMap.replicas ) ) }}
+{{-       $endpointCredAndHost := printf "%s:%s@%s-%d.%s:%s" $endpointUser $endpointPass $endpointHostPrefix $podInt $endpointHostSuffix $endpointPort }}
+{{-       $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{-     end }}
+{{-   else }}
+{{-     $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{-     $endpointCredAndHost := printf "%s:%s@%s:%s" $endpointUser $endpointPass $endpointHost $endpointPort }}
+{{-     $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{-   end }}
+{{-   $endpointCredsAndHosts := include "helm-toolkit.utils.joinListWithComma" $local.endpointCredsAndHosts }}
+{{-   $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{-   printf "%s://%s%s" $endpointScheme $endpointCredsAndHosts $endpointPath }}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl b/charts/heat/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
new file mode 100644
index 0000000..fb8bbe7
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves either the fully qualified hostname, of if defined in the host field
+  IPv4 for an endpoint.
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default:
+             host: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: 127.0.0.1
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      127.0.0.1
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default:
+             host: 127.0.0.1
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      127.0.0.1
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_host_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl b/charts/heat/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
new file mode 100644
index 0000000..447efe7
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
@@ -0,0 +1,41 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the port for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+return: |
+  3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_port_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- $endpointPortMAP := index $endpointMap.port $port }}
+{{- $endpointPort := index $endpointPortMAP $endpoint | default ( index $endpointPortMAP "default" ) }}
+{{- printf "%1.f" $endpointPort -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl b/charts/heat/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
new file mode 100644
index 0000000..3a268c0
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
@@ -0,0 +1,36 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Gets the token for an endpoint
+values: |
+  endpoints:
+    keystone:
+      auth:
+        admin:
+          token: zh78JzXgw6YUKy2e
+usage: |
+  {{ tuple "keystone" "admin" . | include "helm-toolkit.endpoints.endpoint_token_lookup" }}
+return: |
+  zh78JzXgw6YUKy2e
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_token_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $userName := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" }}
+{{- printf "%s" $serviceToken -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl b/charts/heat/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..6877b7b
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
@@ -0,0 +1,59 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves 'hostname:port' for an endpoint
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+          port:
+            mysql:
+              default: 3306
+    usage: |
+      {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local:3306
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: 127.0.0.1
+          host_fqdn_override:
+            default: null
+          port:
+            mysql:
+              default: 3306
+    usage: |
+      {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+    return: |
+      127.0.0.1:3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- printf "%s:%s" $endpointHostname $endpointPort -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl b/charts/heat/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
new file mode 100644
index 0000000..26374e3
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the fully qualified hostname for an endpoint
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: mariadb.openstackhelm.openstack.org
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.openstackhelm.openstack.org
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default:
+              host: mariadb.openstackhelm.openstack.org
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.openstackhelm.openstack.org
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointHostNamespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.svc.%s" $endpointHostNamespaced $context.Values.endpoints.cluster_domain_suffix }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $endpointMap.host_fqdn_override "default" | default "" ) }}
+{{- if kindIs "map" $context.Values.__FQDNendpointHostDefault }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $context.Values.__FQDNendpointHostDefault "host" ) }}
+{{- end }}
+{{- if kindIs "map" (index $endpointMap.host_fqdn_override $endpoint) }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint "host" | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl b/charts/heat/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
new file mode 100644
index 0000000..9d60393
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
@@ -0,0 +1,40 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the namespace scoped hostname for an endpoint
+values: |
+  endpoints:
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+return: |
+  mariadb.default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.%s" $endpointHost $namespace }}
+{{- printf "%s" $endpointClusterHostname -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl b/charts/heat/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
new file mode 100644
index 0000000..cc4d4de
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the namespace scoped hostname for an endpoint
+values: |
+  endpoints:
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" }}
+return: |
+  default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- printf "%s" $namespace -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl b/charts/heat/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
new file mode 100644
index 0000000..f23c624
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the short hostname for an endpoint
+examples:
+  - values: |
+      endpoints:
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+    return: |
+      mariadb
+  - values: |
+      endpoints:
+        oslo_db:
+          hosts:
+            default:
+              host: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+    return: |
+      mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- printf "%s" $type -}}
+{{- else }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl b/charts/heat/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
new file mode 100644
index 0000000..e31c0eb
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the service name for an service type
+values: |
+  endpoints:
+    identity:
+      name: keystone
+usage: |
+  {{ tuple identity . | include "keystone_endpoint_name_lookup" }}
+return: |
+  "keystone"
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_name_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointName := index $endpointMap "name" }}
+{{- $endpointName | quote -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl b/charts/heat/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
new file mode 100644
index 0000000..b2ec648
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+  Resolves the path for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      path:
+       default: /dbname
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+return: |
+  /dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_path_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.path }}
+{{- printf "%s" $endpointMap.path | default "/" -}}
+{{- else -}}
+{{- $endpointPath := index $endpointMap.path $endpoint | default $endpointMap.path.default | default "/" }}
+{{- printf "%s" $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl b/charts/heat/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
new file mode 100644
index 0000000..b35cb0b
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+  Resolves the scheme for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      scheme:
+        default:
+          mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+return: |
+  mysql+pymysql
+*/}}
+
+# This function returns the scheme for a service, it takes an tuple
+# input in the form: service-type, endpoint-class, port-name. eg:
+# { tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_scheme_lookup" }
+# will return the scheme setting for this particular endpoint.  In other words, for most endpoints
+# it will return either 'http' or 'https'
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.scheme }}
+{{- printf "%s" $endpointMap.scheme | default "http" -}}
+{{- else -}}
+{{- $endpointScheme := index $endpointMap.scheme $endpoint | default $endpointMap.scheme.default | default "http" }}
+{{- printf "%s" $endpointScheme -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl b/charts/heat/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..8d0819c
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
@@ -0,0 +1,52 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  This function helps resolve uri style endpoints. It will omit the port for
+  http when 80 is used, and 443 in the case of https.
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+      path: /dbname
+      scheme: mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+return: |
+  mysql+pymysql://mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- if or ( and ( eq $endpointScheme "http" ) ( eq $endpointPort "80" ) ) ( and ( eq $endpointScheme "https" ) ( eq $endpointPort "443" ) ) -}}
+{{- printf "%s://%s%s" $endpointScheme $endpointHost $endpointPath -}}
+{{- else -}}
+{{- printf "%s://%s:%s%s" $endpointScheme $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl b/charts/heat/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
new file mode 100644
index 0000000..cf2ef38
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  This function returns endpoint "<namespace>:<name>" pair from an endpoint
+  definition. This is used in kubernetes-entrypoint to support dependencies
+  between different services in different namespaces.
+  returns: the endpoint namespace and the service name, delimited by a colon
+
+  Normally, the service name is constructed dynamically from the hostname
+  however when an ip address is used as the hostname, we default to
+  namespace:endpointCategoryName in order to construct a valid service name
+  however this can be overridden to a custom service name by defining
+  .service.name within the endpoint definition
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      namespace: foo
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple oslo_db internal . | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}
+return: |
+  foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- with $endpointMap -}}
+{{- $endpointName := index .hosts $endpoint | default .hosts.default }}
+{{- $endpointNamespace := .namespace | default $context.Release.Namespace }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointName }}
+{{- if .service.name }}
+{{- printf "%s:%s" $endpointNamespace .service.name -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $typeYamlSafe -}}
+{{- end -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $endpointName -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl b/charts/heat/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
new file mode 100644
index 0000000..18453ee
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for kubernete ceph storageclass
+examples:
+  - values: |
+      manifests:
+        storageclass: true
+      storageclass:
+        rbd:
+          provision_storage_class: true
+          provisioner: "ceph.com/rbd"
+          metadata:
+            default_storage_class: true
+            name: general
+          parameters:
+            #We will grab the monitors value based on helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup
+            pool: rbd
+            admin_id: admin
+            ceph_configmap_name: "ceph-etc"
+            admin_secret_name: "pvc-ceph-conf-combined-storageclass"
+            admin_secret_namespace: ceph
+            user_id: admin
+            user_secret_name: "pvc-ceph-client-key"
+            image_format: "2"
+            image_features: layering
+        cephfs:
+          provision_storage_class: true
+          provisioner: "ceph.com/cephfs"
+          metadata:
+            name: cephfs
+          parameters:
+            admin_id: admin
+            admin_secret_name: "pvc-ceph-cephfs-client-key"
+            admin_secret_namespace: ceph
+    usage: |
+      {{- range $storageclass, $val := .Values.storageclass }}
+      {{ dict "storageclass_data" $val "envAll" $ | include "helm-toolkit.manifests.ceph-storageclass" }}
+      {{- end }}
+    return: |
+      ---
+      apiVersion: storage.k8s.io/v1
+      kind: StorageClass
+      metadata:
+        annotations:
+          storageclass.kubernetes.io/is-default-class: "true"
+        name: general
+      provisioner: ceph.com/rbd
+      parameters:
+        monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+        adminId: admin
+        adminSecretName: pvc-ceph-conf-combined-storageclass
+        adminSecretNamespace: ceph
+        pool: rbd
+        userId: admin
+        userSecretName: pvc-ceph-client-key
+        image_format: "2"
+        image_features: layering
+      ---
+      apiVersion: storage.k8s.io/v1
+      kind: StorageClass
+      metadata:
+        name: cephfs
+      provisioner: ceph.com/cephfs
+      parameters:
+        monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+        adminId: admin
+        adminSecretName: pvc-ceph-cephfs-client-key
+        adminSecretNamespace: ceph
+*/}}
+
+{{- define "helm-toolkit.manifests.ceph-storageclass" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $monHost := $envAll.Values.conf.ceph.global.mon_host -}}
+{{- if empty $monHost -}}
+{{- $monHost = tuple "ceph_mon" "internal" "mon" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- end -}}
+{{- $storageclassData := index . "storageclass_data" -}}
+---
+{{- if $storageclassData.provision_storage_class }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+{{- if $storageclassData.metadata.default_storage_class }}
+  annotations:
+    storageclass.kubernetes.io/is-default-class: "true"
+{{- end }}
+  name: {{ $storageclassData.metadata.name }}
+provisioner: {{ $storageclassData.provisioner }}
+parameters:
+  monitors: {{ $monHost }}
+{{- range $attr, $value := $storageclassData.parameters }}
+  {{ $attr }}: {{ $value | quote }}
+{{- end }}
+allowVolumeExpansion: true
+
+{{- end }}
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/manifests/_certificates.tpl b/charts/heat/charts/helm-toolkit/templates/manifests/_certificates.tpl
new file mode 100644
index 0000000..8be771e
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/manifests/_certificates.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a certificate using jetstack
+examples:
+  - values: |
+      endpoints:
+        dashboard:
+          host_fqdn_override:
+            default:
+              host: null
+              tls:
+                secretName: keystone-tls-api
+                issuerRef:
+                  name: ca-issuer
+                  duration: 2160h
+                  organization:
+                    - ACME
+                  commonName: keystone-api.openstack.svc.cluster.local
+                  privateKey:
+                    size: 2048
+                  usages:
+                    - server auth
+                    - client auth
+                  dnsNames:
+                    - cluster.local
+                  issuerRef:
+                    name: ca-issuer
+    usage: |
+      {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
+      {{ $opts | include "helm-toolkit.manifests.certificates" }}
+    return: |
+      ---
+      apiVersion: cert-manager.io/v1
+      kind: Certificate
+      metadata:
+        name: keystone-tls-api
+        namespace: NAMESPACE
+      spec:
+        commonName: keystone-api.openstack.svc.cluster.local
+        dnsNames:
+        - cluster.local
+        duration: 2160h
+        issuerRef:
+          name: ca-issuer
+        privateKey:
+          size: 2048
+        organization:
+        - ACME
+        secretName: keystone-tls-api
+        usages:
+        - server auth
+        - client auth
+*/}}
+
+{{- define "helm-toolkit.manifests.certificates" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $service := index . "service" -}}
+{{- $type := index . "type" | default "" -}}
+{{- $slice := index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" -}}
+{{/* Put in some sensible default value if one is not provided by values.yaml */}}
+{{/* If a dnsNames list is not in the values.yaml, it can be overridden by a passed-in parameter.
+  This allows user to use other HTK method to determine the URI and pass that into this method.*/}}
+{{- if not (hasKey $slice "dnsNames") -}}
+{{- $hostName := tuple $service $type $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
+{{- $_ := $dnsNames | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "dnsNames" -}}
+{{- end -}}
+{{/* Default privateKey size to 4096. This can be overridden. */}}
+{{- if not (hasKey $slice "privateKey") -}}
+{{- $_ := dict "size" ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "privateKey" -}}
+{{- else if empty (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey" "size") -}}
+{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey") "size" -}}
+{{- end -}}
+{{/* Default duration to 3 months. Note the min is 720h. This can be overridden. */}}
+{{- if not (hasKey $slice "duration") -}}
+{{- $_ := printf "%s" "2190h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "duration" -}}
+{{- end -}}
+{{/* Default renewBefore to 15 days. This can be overridden. */}}
+{{- if not (hasKey $slice "renewBefore") -}}
+{{- $_ := printf "%s" "360h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "renewBefore" -}}
+{{- end -}}
+{{/* Default the usage to server auth and client auth. This can be overridden. */}}
+{{- if not (hasKey $slice "usages") -}}
+{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}}
+{{- end -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }}
+  namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{ $slice | toYaml | indent 2 }}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/heat/charts/helm-toolkit/templates/manifests/_ingress.tpl
new file mode 100644
index 0000000..c1693aa
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -0,0 +1,727 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a services ingress rules.
+examples:
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public: barbican
+          host_fqdn_override:
+            default: null
+            public:
+              host: barbican.openstackhelm.example
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican-namespace-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican.openstackhelm.example
+        rules:
+          - host: barbican.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican-cluster-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx-cluster"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican.openstackhelm.example
+        rules:
+          - host: barbican.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  - values: |
+      cert_issuer_type: issuer
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/secure-backends: "true"
+              nginx.ingress.kubernetes.io/backend-protocol: "https"
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+              internal: barbican-tls-api
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+          certs:
+            barbican_tls_api:
+              secretName: barbican-tls-api
+              issuerRef:
+                name: ca-issuer
+                kind: Issuer
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          cert-manager.io/issuer: ca-issuer
+          certmanager.k8s.io/issuer: ca-issuer
+          nginx.ingress.kubernetes.io/backend-protocol: https
+          nginx.ingress.kubernetes.io/secure-backends: "true"
+      spec:
+        tls:
+          - secretName: barbican-tls-public-certmanager
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/secure-backends: "true"
+              nginx.ingress.kubernetes.io/backend-protocol: "https"
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+              internal: barbican-tls-api
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+          certs:
+            barbican_tls_api:
+              secretName: barbican-tls-api
+              issuerRef:
+                name: ca-issuer
+                kind: ClusterIssuer
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer") -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          cert-manager.io/cluster-issuer: ca-issuer
+          certmanager.k8s.io/cluster-issuer: ca-issuer
+          nginx.ingress.kubernetes.io/backend-protocol: https
+          nginx.ingress.kubernetes.io/secure-backends: "true"
+      spec:
+        tls:
+          - secretName: barbican-tls-public-certmanager
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  # Sample usage for multiple DNS names associated with the same public
+  # endpoint and certificate
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        grafana:
+          name: grafana
+          hosts:
+            default: grafana-dashboard
+            public: grafana
+          host_fqdn_override:
+            public:
+              host: grafana.openstackhelm.example
+              tls:
+                dnsNames:
+                  - grafana-alt.openstackhelm.example
+                crt: "BASE64 ENCODED CERT"
+                key: "BASE64 ENCODED KEY"
+      network:
+        grafana:
+          ingress:
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          grafana:
+            grafana:
+              public: grafana-tls-public
+    usage: |
+      {{- $ingressOpts := dict "envAll" . "backendService" "grafana" "backendServiceType" "grafana" "backendPort" "dashboard" -}}
+      {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        rules:
+          - host: grafana
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana-namespace-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: grafana-tls-public
+            hosts:
+              - grafana.openstackhelm.example
+              - grafana-alt.openstackhelm.example
+        rules:
+          - host: grafana.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana-alt.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana-cluster-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx-cluster"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: grafana-tls-public
+            hosts:
+              - grafana.openstackhelm.example
+              - grafana-alt.openstackhelm.example
+        rules:
+          - host: grafana.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana-alt.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+
+*/}}
+
+{{- define "helm-toolkit.manifests.ingress._host_rules" -}}
+{{- $vHost := index . "vHost" -}}
+{{- $backendName := index . "backendName" -}}
+{{- $backendPort := index . "backendPort" -}}
+- host: {{ $vHost }}
+  http:
+    paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: {{ $backendName }}
+            port:
+{{- if or (kindIs "int" $backendPort) (regexMatch "^[0-9]{1,5}$" $backendPort) }}
+              number: {{ $backendPort | int }}
+{{- else }}
+              name: {{ $backendPort | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "helm-toolkit.manifests.ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendService := index . "backendService" | default "api" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+{{- $backendPort := index . "backendPort" -}}
+{{- $endpoint := index . "endpoint" | default "public" -}}
+{{- $certIssuer := index . "certIssuer" | default "" -}}
+{{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostNameFull := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $certIssuerType := "cluster-issuer" -}}
+{{- if $envAll.Values.cert_issuer_type }}
+{{- $certIssuerType = $envAll.Values.cert_issuer_type }}
+{{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $ingressName }}
+  annotations:
+    kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" "namespace" | quote }}
+{{- if $certIssuer }}
+    cert-manager.io/{{ $certIssuerType }}: {{ $certIssuer }}
+    certmanager.k8s.io/{{ $certIssuerType }}: {{ $certIssuer }}
+{{- $slice := index $envAll.Values.endpoints $backendServiceType "host_fqdn_override" "default" "tls" -}}
+{{- if (hasKey $slice "duration") }}
+    cert-manager.io/duration: {{ index $slice "duration" }}
+{{- end }}
+{{- end }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "hosts" }}
+{{- if $certIssuer }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ printf "%s-ing" $secretName }}
+      hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+        - {{ $vHost }}
+{{- end }}
+{{- else }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ $secretName }}
+      hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+        - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+  rules:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+{{- $hostRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
+{{- range $key2, $ingressController := tuple "namespace" "cluster" }}
+{{- $vHosts := list $hostNameFull }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ printf "%s-%s-%s" $ingressName $ingressController "fqdn" }}
+  annotations:
+    kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" $ingressController | quote }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
+{{- $vHosts = append $vHosts $v }}
+{{- end }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ $secretName }}
+      hosts:
+{{- range $vHost := $vHosts }}
+        - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+  rules:
+{{- range $vHost := $vHosts }}
+{{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/charts/heat/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
new file mode 100644
index 0000000..5d98c8b
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
@@ -0,0 +1,141 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $bootstrapJob := dict "envAll" . "serviceName" "senlin" -}
+# { $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }
+
+{{- define "helm-toolkit.manifests.job_bootstrap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}}
+{{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $keystoneUser := index . "keystoneUser" | default $serviceName -}}
+{{- $openrc := index . "openrc" | default "true" -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "bootstrap" }}
+{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "bootstrap" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+      containers:
+        - name: bootstrap
+          image: {{ $envAll.Values.images.tags.bootstrap }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if eq $openrc "true" }}
+          env:
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+{{- end }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/bootstrap.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: bootstrap-sh
+              mountPath: /tmp/bootstrap.sh
+              subPath: bootstrap.sh
+              readOnly: true
+            - name: etc-service
+              mountPath: {{ dir $configFile | quote }}
+            - name: bootstrap-conf
+              mountPath: {{ $configFile | quote }}
+              subPath: {{ base $configFile | quote }}
+              readOnly: true
+            - name: bootstrap-conf
+              mountPath: {{ $logConfigFile | quote }}
+              subPath: {{ base $logConfigFile | quote }}
+              readOnly: true
+{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: bootstrap-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etc-service
+          emptyDir: {}
+        - name: bootstrap-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/charts/heat/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
new file mode 100644
index 0000000..62ed119
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
@@ -0,0 +1,170 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToDropJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_drop_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToDrop := index . "dbToDrop" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToDrop := default (list $dbToDrop) (index . "dbsToDrop") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
+{{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-drop" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": hook-succeeded
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_drop" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_drop" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{ $dbToDropType := default "oslo" $dbToDrop.inputType }}
+        - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-drop" $key1 | quote }}
+          image: {{ $envAll.Values.images.tags.db_drop }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_drop | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: ROOT_DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToDrop.adminSecret | quote }}
+                  key: DB_CONNECTION
+{{- if eq $dbToDropType "oslo" }}
+            - name: OPENSTACK_CONFIG_FILE
+              value: {{ $dbToDrop.configFile | quote }}
+            - name: OPENSTACK_CONFIG_DB_SECTION
+              value: {{ $dbToDrop.configDbSection | quote }}
+            - name: OPENSTACK_CONFIG_DB_KEY
+              value: {{ $dbToDrop.configDbKey | quote }}
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+            - name: MARIADB_X509
+              value: "REQUIRE X509"
+{{- end }}
+{{- if eq $dbToDropType "secret" }}
+            - name: DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToDrop.userSecret | quote }}
+                  key: DB_CONNECTION
+{{- end }}
+          command:
+            - /tmp/db-drop.py
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-drop-sh
+              mountPath: /tmp/db-drop.py
+              subPath: db-drop.py
+              readOnly: true
+
+{{- if eq $dbToDropType "oslo" }}
+            - name: etc-service
+              mountPath: {{ dir $dbToDrop.configFile | quote }}
+            - name: db-drop-conf
+              mountPath: {{ $dbToDrop.configFile | quote }}
+              subPath: {{ base $dbToDrop.configFile | quote }}
+              readOnly: true
+            - name: db-drop-conf
+              mountPath: {{ $dbToDrop.logConfigFile | quote }}
+              subPath: {{ base $dbToDrop.logConfigFile | quote }}
+              readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-drop-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{- $dbToDropType := default "oslo" $dbToDrop.inputType }}
+{{- if and (eq $dbToDropType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-drop-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/charts/heat/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
new file mode 100644
index 0000000..745e8da
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
@@ -0,0 +1,169 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToInitJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_init_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToInit := index . "dbToInit" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToInit := default (list $dbToInit) (index . "dbsToInit") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
+{{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-init" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{ $dbToInitType := default "oslo" $dbToInit.inputType }}
+        - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-init" $key1 | quote }}
+          image: {{ $envAll.Values.images.tags.db_init }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: ROOT_DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToInit.adminSecret | quote }}
+                  key: DB_CONNECTION
+{{- if eq $dbToInitType "oslo" }}
+            - name: OPENSTACK_CONFIG_FILE
+              value: {{ $dbToInit.configFile | quote }}
+            - name: OPENSTACK_CONFIG_DB_SECTION
+              value: {{ $dbToInit.configDbSection | quote }}
+            - name: OPENSTACK_CONFIG_DB_KEY
+              value: {{ $dbToInit.configDbKey | quote }}
+{{- end }}
+{{- if eq $dbToInitType "secret" }}
+            - name: DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToInit.userSecret | quote }}
+                  key: DB_CONNECTION
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+            - name: MARIADB_X509
+              value: "REQUIRE X509"
+{{- end }}
+          command:
+            - /tmp/db-init.py
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-init-sh
+              mountPath: /tmp/db-init.py
+              subPath: db-init.py
+              readOnly: true
+{{- if eq $dbToInitType "oslo" }}
+            - name: etc-service
+              mountPath: {{ dir $dbToInit.configFile | quote }}
+            - name: db-init-conf
+              mountPath: {{ $dbToInit.configFile | quote }}
+              subPath: {{ base $dbToInit.configFile | quote }}
+              readOnly: true
+            - name: db-init-conf
+              mountPath: {{ $dbToInit.logConfigFile | quote }}
+              subPath: {{ base $dbToInit.logConfigFile | quote }}
+              readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-init-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{- $dbToInitType := default "oslo" $dbToInit.inputType }}
+{{- if and (eq $dbToInitType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-init-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl b/charts/heat/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
new file mode 100644
index 0000000..24d2496
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
@@ -0,0 +1,137 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db migration and management.
+# It can be used in charts dict created similar to the following:
+# {- $dbSyncJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }
+
+{{- define "helm-toolkit.manifests.job_db_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $podEnvVars := index . "podEnvVars" | default false -}}
+{{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "image" ( index $envAll.Values.images.tags ( printf "%s_db_sync" $serviceName )) ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
+{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+          image: {{ $dbToSync.image | quote }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if $podEnvVars }}
+          env:
+{{ $podEnvVars | toYaml | indent 12 }}
+{{- end }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/db-sync.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-sync-sh
+              mountPath: /tmp/db-sync.sh
+              subPath: db-sync.sh
+              readOnly: true
+            - name: etc-service
+              mountPath: {{ dir $dbToSync.configFile | quote }}
+            - name: db-sync-conf
+              mountPath: {{ $dbToSync.configFile | quote }}
+              subPath: {{ base $dbToSync.configFile | quote }}
+              readOnly: true
+            - name: db-sync-conf
+              mountPath: {{ $dbToSync.logConfigFile | quote }}
+              subPath: {{ base $dbToSync.logConfigFile | quote }}
+              readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-sync-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-sync-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/charts/heat/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
new file mode 100644
index 0000000..3a7df7f
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
@@ -0,0 +1,130 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksEndpointJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksEndpointJob | include "helm-toolkit.manifests.job_ks_endpoints" }
+
+{{- define "helm-toolkit.manifests.job_ks_endpoints" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_endpoints" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_endpoints.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-endpoints" }}
+{{ tuple $envAll "ks_endpoints" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "ks-endpoints" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_endpoints" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_endpoints" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+        - name: {{ printf "%s-%s-%s" $osServiceType "ks-endpoints" $osServiceEndPoint | quote }}
+          image: {{ $envAll.Values.images.tags.ks_endpoints }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-endpoints.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-endpoints-sh
+              mountPath: /tmp/ks-endpoints.sh
+              subPath: ks-endpoints.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: OS_SVC_ENDPOINT
+              value: {{ $osServiceEndPoint | quote }}
+            - name: OS_SERVICE_NAME
+              value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+            - name: OS_SERVICE_TYPE
+              value: {{ $osServiceType | quote }}
+            - name: OS_SERVICE_ENDPOINT
+              value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-endpoints-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl b/charts/heat/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
new file mode 100644
index 0000000..a109e3c
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
@@ -0,0 +1,124 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksServiceJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }
+
+{{- define "helm-toolkit.manifests.job_ks_service" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_service" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_service.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-service" }}
+{{ tuple $envAll "ks_service" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "ks-service" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_service" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_service" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+        - name: {{ printf "%s-%s" $osServiceType "ks-service-registration" | quote }}
+          image: {{ $envAll.Values.images.tags.ks_service }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-service.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-service-sh
+              mountPath: /tmp/ks-service.sh
+              subPath: ks-service.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: OS_SERVICE_NAME
+              value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+            - name: OS_SERVICE_TYPE
+              value: {{ $osServiceType | quote }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-service-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/charts/heat/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
new file mode 100644
index 0000000..905eb71
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone user management.
+# It can be used in charts dict created similar to the following:
+# {- $ksUserJob := dict "envAll" . "serviceName" "senlin" }
+# { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }
+
+{{/*
+  # To enable PodSecuritycontext (PodSecurityContext/v1) define the below in values.yaml:
+  # example:
+  #  values: |
+  #    pod:
+  #      security_context:
+  #        ks_user:
+  #          pod:
+  #            runAsUser: 65534
+  # To enable Container SecurityContext(SecurityContext/v1) for ks-user container define the values:
+  # example:
+  #   values: |
+  #     pod:
+  #       security_context:
+  #         ks_user:
+  #           container:
+  #             ks-user:
+  #               runAsUser: 65534
+  #               readOnlyRootFilesystem: true
+  #               allowPrivilegeEscalation: false
+*/}}
+
+{{- define "helm-toolkit.manifests.job_ks_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_user" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_user.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "ks-user" }}
+{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceUserPretty "ks-user" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+{{ dict "envAll" $envAll "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: ks-user
+          image: {{ $envAll.Values.images.tags.ks_user }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ks_user" "container" "ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-user.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-user-sh
+              mountPath: /tmp/ks-user.sh
+              subPath: ks-user.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: SERVICE_OS_SERVICE_NAME
+              value: {{ $serviceName | quote }}
+{{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: SERVICE_OS_ROLES
+            {{- $serviceOsRoles := index $envAll.Values.endpoints.identity.auth $serviceUser "role" }}
+            {{- if kindIs "slice" $serviceOsRoles }}
+              value: {{ include "helm-toolkit.utils.joinListWithComma" $serviceOsRoles | quote }}
+            {{- else }}
+              value: {{ $serviceOsRoles | quote }}
+            {{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-user-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/charts/heat/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
new file mode 100644
index 0000000..6982064
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
@@ -0,0 +1,129 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.manifests.job_rabbit_init" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
+{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceUserPretty "rabbit-init" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "rabbit_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "rabbit_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: rabbit-init
+          image: {{ $envAll.Values.images.tags.rabbit_init | quote }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.rabbit_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/rabbit-init.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: rabbit-init-sh
+              mountPath: /tmp/rabbit-init.sh
+              subPath: rabbit-init.sh
+              readOnly: true
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+          env:
+          - name: RABBITMQ_ADMIN_CONNECTION
+            valueFrom:
+              secretKeyRef:
+                name: {{ $envAll.Values.secrets.oslo_messaging.admin }}
+                key: RABBITMQ_CONNECTION
+          - name: RABBITMQ_USER_CONNECTION
+            valueFrom:
+              secretKeyRef:
+                name: {{ index $envAll.Values.secrets.oslo_messaging $serviceName }}
+                key: RABBITMQ_CONNECTION
+{{- if $envAll.Values.conf.rabbitmq }}
+          - name: RABBITMQ_AUXILIARY_CONFIGURATION
+            value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates (ne $tlsSecret "") }}
+          - name: RABBITMQ_X509
+            value: "REQUIRE X509"
+          - name: USER_CERT_PATH
+            value: {{ $tlsPath | quote }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: rabbit-init-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl b/charts/heat/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
new file mode 100644
index 0000000..29cb993
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
@@ -0,0 +1,147 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for linking an s3 bucket to an s3 user.
+# It can be used in charts dict created similar to the following:
+# {- $s3BucketJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3BucketJob | include "helm-toolkit.manifests.job_s3_bucket" }
+
+{{- define "helm-toolkit.manifests.job_s3_bucket" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+{{- $s3Bucket := index . "s3Bucket" | default $serviceName }}
+{{- $tlsCertificateSecret := index . "tlsCertificateSecret" -}}
+{{- $tlsCertificatePath := index . "tlsCertificatePath" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-bucket" }}
+{{ tuple $envAll "s3_bucket" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "s3-bucket" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "s3_bucket" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "s3_bucket" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: s3-bucket
+          image: {{ $envAll.Values.images.tags.s3_bucket }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_bucket | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/create-s3-bucket.sh
+          env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: s3-bucket-sh
+              mountPath: /tmp/create-s3-bucket.sh
+              subPath: create-s3-bucket.sh
+              readOnly: true
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: ceph.conf
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+            - name: {{ $tlsCertificateSecret }}
+              mountPath: {{ $tlsCertificatePath }}
+              subPath: ca.crt
+              readOnly: true
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: s3-bucket-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etcceph
+          emptyDir: {}
+        - name: ceph-etc
+          configMap:
+            name: {{ $configMapCeph | quote }}
+            defaultMode: 0444
+        {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+        - name: ceph-keyring
+          secret:
+            secretName: pvc-ceph-client-key
+        {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+        - name: {{ $tlsCertificateSecret }}
+          secret:
+            secretName: {{ $tlsCertificateSecret }}
+            defaultMode: 292
+{{- end }}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl b/charts/heat/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
new file mode 100644
index 0000000..50d9af5
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
@@ -0,0 +1,159 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for s3 user management.
+# It can be used in charts dict created similar to the following:
+# {- $s3UserJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3UserJob | include "helm-toolkit.manifests.job_s3_user" }
+
+{{- define "helm-toolkit.manifests.job_s3_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-user" }}
+{{ tuple $envAll "s3_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "s3-user" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook-delete-policy": before-hook-creation
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "s3_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "s3_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: ceph-keyring-placement
+          image: {{ $envAll.Values.images.tags.ceph_key_placement }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+          command:
+            - /tmp/ceph-admin-keyring.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-keyring-sh
+              mountPath: /tmp/ceph-admin-keyring.sh
+              subPath: ceph-admin-keyring.sh
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+      containers:
+        - name: s3-user
+          image: {{ $envAll.Values.images.tags.s3_user }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/create-s3-user.sh
+          env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+            - name: RGW_HOST
+              value: {{ tuple "ceph_object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: create-s3-user-sh
+              mountPath: /tmp/create-s3-user.sh
+              subPath: create-s3-user.sh
+              readOnly: true
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: ceph.conf
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: create-s3-user-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: ceph-keyring-sh
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+        - name: etcceph
+          emptyDir: {}
+        - name: ceph-etc
+          configMap:
+            name: {{ $configMapCeph | quote }}
+            defaultMode: 0444
+        {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+        - name: ceph-keyring
+          secret:
+            secretName: pvc-ceph-client-key
+        {{ end }}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl b/charts/heat/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
new file mode 100644
index 0000000..0906df4
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
@@ -0,0 +1,119 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for the image repo sync jobs.
+# It can be used in charts dict created similar to the following:
+# {- $imageRepoSyncJob := dict "envAll" . "serviceName" "prometheus" -}
+# { $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }
+
+{{- define "helm-toolkit.manifests.job_image_repo_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "image-repo-sync" }}
+{{ tuple $envAll "image_repo_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "image-repo-sync" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook-delete-policy": before-hook-creation
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "image_repo_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+      containers:
+        - name: image-repo-sync
+{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: LOCAL_REPO
+              value: "{{ tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+            - name: IMAGE_SYNC_LIST
+              value: "{{ include "helm-toolkit.utils.image_sync_list" $envAll }}"
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/image-repo-sync.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: bootstrap-sh
+              mountPath: /tmp/image-repo-sync.sh
+              subPath: image-repo-sync.sh
+              readOnly: true
+            - name: docker-socket
+              mountPath: /var/run/docker.sock
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: bootstrap-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: docker-socket
+          hostPath:
+            path: /var/run/docker.sock
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/manifests/_network_policy.tpl b/charts/heat/charts/helm-toolkit/templates/manifests/_network_policy.tpl
new file mode 100644
index 0000000..405197a
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/manifests/_network_policy.tpl
@@ -0,0 +1,238 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a network policy manifest for services.
+values: |
+  endpoints:
+    kube_dns:
+      namespace: kube-system
+      name: kubernetes-dns
+      hosts:
+        default: kube-dns
+      host_fqdn_override:
+        default: null
+      path:
+        default: null
+      scheme: http
+      port:
+        dns_tcp:
+          default: 53
+        dns:
+          default: 53
+          protocol: UDP
+  network_policy:
+    myLabel:
+      podSelector:
+        matchLabels:
+          component: api
+      ingress:
+      - from:
+        - podSelector:
+            matchLabels:
+              application: keystone
+        ports:
+        - protocol: TCP
+          port: 80
+      egress:
+      - to:
+        - namespaceSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+usage: |
+  {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+  {{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}
+return: |
+  ---
+  apiVersion: networking.k8s.io/v1
+  kind: NetworkPolicy
+  metadata:
+    name: RELEASE-NAME
+    namespace: NAMESPACE
+  spec:
+    policyTypes:
+      - Ingress
+      - Egress
+    podSelector:
+      matchLabels:
+        application: myLabel
+        component: api
+    ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            application: keystone
+      ports:
+      - protocol: TCP
+        port: 80
+    egress:
+      - to:
+        - podSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+  ---
+  apiVersion: networking.k8s.io/v1
+  kind: NetworkPolicy
+  metadata:
+    name: RELEASE-NAME
+    namespace: NAMESPACE
+  spec:
+    policyTypes:
+      - Ingress
+      - Egress
+    podSelector:
+      matchLabels:
+        application: myApp
+        component: myComp
+    ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            application: keystone
+      ports:
+      - protocol: TCP
+        port: 80
+    egress:
+      - to:
+        - podSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+*/}}
+
+{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $name := index . "name" -}}
+{{- $labels := index . "labels" | default nil -}}
+{{- $label := index . "key" | default (index . "label") -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ $label | replace "_" "-" }}-netpol
+  namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+  policyTypes:
+{{- $is_egress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_egress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
+    - Egress
+{{ end -}}
+{{- $is_ingress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_ingress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
+    - Ingress
+{{ end -}}
+{{- end }}
+  podSelector:
+    matchLabels:
+{{- if empty $labels }}
+      {{ $name }}: {{ $label }}
+{{- else }}
+{{ range $k, $v := $labels }}
+      {{ $k }}: {{ $v }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
+{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
+{{ index $envAll.Values.network_policy $label "podSelector" "matchLabels" | toYaml | indent 6 }}
+{{ end }}
+{{ end }}
+{{ end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+  egress:
+{{- range $key, $value := $envAll.Values.endpoints }}
+{{- if kindIs "map" $value }}
+{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }}
+    - to:
+{{- if index $value "namespace" }}
+      - namespaceSelector:
+          matchLabels:
+            name: {{ index $value "namespace" }}
+{{- else if index $value "hosts" }}
+{{- $defaultValue := index $value "hosts" "internal" }}
+{{- if hasKey (index $value "hosts") "internal" }}
+{{- $a := split "-" $defaultValue }}
+      - podSelector:
+          matchLabels:
+            application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- else }}
+{{- $defaultValue := index $value "hosts" "default" }}
+{{- $a := split "-" $defaultValue }}
+      - podSelector:
+          matchLabels:
+            application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- end }}
+{{- end }}
+{{- if index $value "port" }}
+      ports:
+{{- range $k, $v := index $value "port" }}
+{{- if $k }}
+{{- range $pk, $pv := $v }}
+{{- if and $pv (ne $pk "protocol") }}
+      - port: {{ $pv }}
+        protocol: {{ $v.protocol | default "TCP" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if index $envAll.Values.network_policy $label "egress" }}
+{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if index $envAll.Values.network_policy $label "ingress" }}
+  ingress:
+{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl b/charts/heat/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
new file mode 100644
index 0000000..24a7045
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a services public tls secret
+examples:
+  - values: |
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        key_manager:
+          host_fqdn_override:
+            public:
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: barbican-tls-public
+    type: kubernetes.io/tls
+    data:
+      tls.key: Rk9PLUtFWQo=
+      tls.crt: Rk9PLUNSVAoKRk9PLUNBX0NSVAo=
+
+  - values: |
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        key_manager:
+          host_fqdn_override:
+            public:
+              tls:
+                crt: |
+                  FOO-CRT
+                  FOO-INTERMEDIATE_CRT
+                  FOO-CA_CRT
+                key: |
+                  FOO-KEY
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: barbican-tls-public
+    type: kubernetes.io/tls
+    data:
+      tls.key: Rk9PLUtFWQo=
+      tls.crt: Rk9PLUNSVApGT08tSU5URVJNRURJQVRFX0NSVApGT08tQ0FfQ1JUCg==
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_ingress_tls" }}
+{{- $envAll := index . "envAll" }}
+{{- $endpoint := index . "endpoint" | default "public" }}
+{{- $backendServiceType := index . "backendServiceType" }}
+{{- $backendService := index . "backendService" | default "api" }}
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and $endpointHost.tls.key $endpointHost.tls.crt }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ index $envAll.Values.secrets.tls ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+type: kubernetes.io/tls
+data:
+  tls.key: {{ $endpointHost.tls.key | b64enc }}
+{{- if $endpointHost.tls.ca }}
+  tls.crt: {{ list $endpointHost.tls.crt $endpointHost.tls.ca | join "\n" | b64enc }}
+{{- else }}
+  tls.crt: {{ $endpointHost.tls.crt | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/manifests/_service-ingress.tpl b/charts/heat/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
new file mode 100644
index 0000000..d2e7c0e
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
@@ -0,0 +1,43 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for a services ingress rules.
+# It can be used in charts dict created similar to the following:
+# {- $serviceIngressOpts := dict "envAll" . "backendServiceType" "key-manager" -}
+# { $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }
+
+{{- define "helm-toolkit.manifests.service_ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+  ports:
+    - name: http
+      port: 80
+    - name: https
+      port: 443
+  selector:
+    app: ingress-api
+{{- if index $envAll.Values.endpoints $backendServiceType }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" "ingress" }}
+  clusterIP: {{ (index $envAll.Values.endpoints $backendServiceType "ip" "ingress") }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl b/charts/heat/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
new file mode 100644
index 0000000..bf1465b
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_bucket" }}
+#!/bin/bash
+set -e
+CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST"
+if [ "$RGW_PROTO" = "http" ]; then
+  CONNECTION_ARGS+=" --no-ssl"
+else
+  CONNECTION_ARGS+=" --no-check-certificate"
+fi
+ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
+USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY"
+function check_rgw_s3_bucket () {
+  s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS ls s3://$S3_BUCKET
+}
+function create_rgw_s3_bucket () {
+  s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS mb s3://$S3_BUCKET
+}
+function modify_bucket_acl () {
+  s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME
+}
+check_rgw_s3_bucket || ( create_rgw_s3_bucket && modify_bucket_acl )
+{{- end }}
\ No newline at end of file
diff --git a/charts/heat/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl b/charts/heat/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
new file mode 100644
index 0000000..08796d2
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
@@ -0,0 +1,65 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_user" }}
+#!/bin/bash
+set -e
+function create_s3_user () {
+  echo "Creating s3 user and key pair"
+  radosgw-admin user create \
+    --uid=${S3_USERNAME} \
+    --display-name=${S3_USERNAME} \
+    --key-type=s3 \
+    --access-key ${S3_ACCESS_KEY} \
+    --secret-key ${S3_SECRET_KEY}
+}
+function update_s3_user () {
+  # Retrieve old access keys, if they exist
+  old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \
+    | jq -r '.keys[].access_key' || true)
+
+  if [[ ! -z ${old_access_keys} ]]; then
+    for access_key in $old_access_keys; do
+      # If current access key is the same as the key supplied, do nothing.
+      if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then
+        echo "Current user and key pair exists."
+        continue
+      else
+        # If keys differ, remove previous key
+        radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key
+      fi
+    done
+  fi
+
+  # Perform one more additional check to account for scenarios where multiple
+  # key pairs existed previously, but one existing key was the supplied key
+  current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \
+    | jq -r '.keys[].access_key' || true)
+
+  # If the supplied key does not exist, modify the user
+  if [[ -z ${current_access_key} ]]; then
+    # Modify user with new access and secret keys
+    echo "Updating existing user's key pair"
+    radosgw-admin user modify \
+      --uid=${S3_USERNAME}\
+      --access-key ${S3_ACCESS_KEY} \
+      --secret-key ${S3_SECRET_KEY}
+  fi
+}
+user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true)
+if [[ -z ${user_exists} ]]; then
+  create_s3_user
+else
+  update_s3_user
+fi
+{{- end }}
\ No newline at end of file
diff --git a/charts/heat/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl b/charts/heat/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
new file mode 100644
index 0000000..03884fa
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_drop" }}
+#!/usr/bin/env python
+
+# Drops db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+    import ConfigParser
+    PARSER_OPTS = {}
+except ImportError:
+    import configparser as ConfigParser
+    PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Drop')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+    db_connection = os.environ['ROOT_DB_CONNECTION']
+    logger.info('Got DB root connection')
+else:
+    logger.critical('environment variable ROOT_DB_CONNECTION not set')
+    sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+    ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+                        'key': '/etc/mysql/certs/tls.key',
+                        'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+    os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+    if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+        os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+        sys.exit(1)
+    if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+        os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+        sys.exit(1)
+    try:
+        config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+        logger.info("Using {0} as db config source".format(os_conf))
+        config.read(os_conf)
+        logger.info("Trying to load db config from {0}:{1}".format(
+            os_conf_section, os_conf_key))
+        user_db_conn = config.get(os_conf_section, os_conf_key)
+        logger.info("Got config from {0}".format(os_conf))
+    except:
+        logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+        raise
+elif "DB_CONNECTION" in os.environ:
+    user_db_conn = os.environ['DB_CONNECTION']
+    logger.info('Got config from DB_CONNECTION env var')
+else:
+    logger.critical('Could not get db config, either from config file or env var')
+    sys.exit(1)
+
+# Root DB engine
+try:
+    root_engine_full = create_engine(db_connection)
+    root_user = root_engine_full.url.username
+    root_password = root_engine_full.url.password
+    drivername = root_engine_full.url.drivername
+    host = root_engine_full.url.host
+    port = root_engine_full.url.port
+    root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+    root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+    connection = root_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+        host, port, root_user))
+except:
+    logger.critical('Could not connect to database as root user')
+    raise
+
+# User DB engine
+try:
+    user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+    # Get our user data out of the user_engine
+    database = user_engine.url.database
+    user = user_engine.url.username
+    password = user_engine.url.password
+    logger.info('Got user db config')
+except:
+    logger.critical('Could not get user database config')
+    raise
+
+# Delete DB
+try:
+    root_engine.execute("DROP DATABASE IF EXISTS {0}".format(database))
+    logger.info("Deleted database {0}".format(database))
+except:
+    logger.critical("Could not drop database {0}".format(database))
+    raise
+
+# Delete DB User
+try:
+    root_engine.execute("DROP USER IF EXISTS {0}".format(user))
+    logger.info("Deleted user {0}".format(user))
+except:
+    logger.critical("Could not delete user {0}".format(user))
+    raise
+
+logger.info('Finished DB Management')
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/scripts/_db-init.py.tpl b/charts/heat/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
new file mode 100644
index 0000000..4294d40
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_init" }}
+#!/usr/bin/env python
+
+# Creates db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+    import ConfigParser
+    PARSER_OPTS = {}
+except ImportError:
+    import configparser as ConfigParser
+    PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Init')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+    db_connection = os.environ['ROOT_DB_CONNECTION']
+    logger.info('Got DB root connection')
+else:
+    logger.critical('environment variable ROOT_DB_CONNECTION not set')
+    sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+    ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+                'key': '/etc/mysql/certs/tls.key',
+                'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+    os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+    if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+        os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+        sys.exit(1)
+    if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+        os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+        sys.exit(1)
+    try:
+        config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+        logger.info("Using {0} as db config source".format(os_conf))
+        config.read(os_conf)
+        logger.info("Trying to load db config from {0}:{1}".format(
+            os_conf_section, os_conf_key))
+        user_db_conn = config.get(os_conf_section, os_conf_key)
+        logger.info("Got config from {0}".format(os_conf))
+    except:
+        logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+        raise
+elif "DB_CONNECTION" in os.environ:
+    user_db_conn = os.environ['DB_CONNECTION']
+    logger.info('Got config from DB_CONNECTION env var')
+else:
+    logger.critical('Could not get db config, either from config file or env var')
+    sys.exit(1)
+
+# Root DB engine
+try:
+    root_engine_full = create_engine(db_connection)
+    root_user = root_engine_full.url.username
+    root_password = root_engine_full.url.password
+    drivername = root_engine_full.url.drivername
+    host = root_engine_full.url.host
+    port = root_engine_full.url.port
+    root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+    root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+    connection = root_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+        host, port, root_user))
+except:
+    logger.critical('Could not connect to database as root user')
+    raise
+
+# User DB engine
+try:
+    user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+    # Get our user data out of the user_engine
+    database = user_engine.url.database
+    user = user_engine.url.username
+    password = user_engine.url.password
+    logger.info('Got user db config')
+except:
+    logger.critical('Could not get user database config')
+    raise
+
+# Create DB
+try:
+    root_engine.execute("CREATE DATABASE IF NOT EXISTS {0}".format(database))
+    logger.info("Created database {0}".format(database))
+except:
+    logger.critical("Could not create database {0}".format(database))
+    raise
+
+# Create DB User
+try:
+    root_engine.execute(
+        "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\' {3}".format(
+            database, user, password, mysql_x509))
+    logger.info("Created user {0} for {1}".format(user, database))
+except:
+    logger.critical("Could not create user {0} for {1}".format(user, database))
+    raise
+
+# Test connection
+try:
+    connection = user_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1}/{2} as {3}".format(
+        host, port, database, user))
+except:
+    logger.critical('Could not connect to database as user')
+    raise
+
+logger.info('Finished DB Management')
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl b/charts/heat/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
new file mode 100644
index 0000000..4d7dfaa
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
@@ -0,0 +1,69 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "helm-toolkit.scripts.pg_db_init" }}
+#!/bin/bash
+set -ex
+
+if [[ ! -v DB_HOST ]]; then
+    echo "environment variable DB_HOST not set"
+    exit 1
+elif [[ ! -v DB_ADMIN_USER ]]; then
+    echo "environment variable DB_ADMIN_USER not set"
+    exit 1
+elif [[ ! -v PGPASSWORD ]]; then
+    echo "environment variable PGPASSWORD not set"
+    exit 1
+elif [[ ! -v DB_PORT ]]; then
+    echo "environment variable DB_PORT not set"
+    exit 1
+elif [[ ! -v USER_DB_USER ]]; then
+    echo "environment variable USER_DB_USER not set"
+    exit 1
+elif [[ ! -v USER_DB_PASS ]]; then
+    echo "environment variable USER_DB_PASS not set"
+    exit 1
+elif [[ ! -v USER_DB_NAME ]]; then
+    echo "environment variable USER_DB_NAME not set"
+    exit 1
+else
+    echo "Got DB connection info"
+fi
+
+pgsql_superuser_cmd () {
+  DB_COMMAND="$1"
+  if [[ ! -z $2 ]]; then
+      EXPORT PGDATABASE=$2
+  fi
+  /usr/bin/psql \
+  -h ${DB_HOST} \
+  -p ${DB_PORT} \
+  -U ${DB_ADMIN_USER} \
+  --command="${DB_COMMAND}"
+}
+
+#create db
+pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q "(1 row)" || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME"
+
+#create db user
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | grep -q "(1 row)" || \
+    pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';"
+
+#Set password everytime. This is required for cases when we would want password rotation to take effect and set the updated password for a user.
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} with password '$USER_DB_PASS'"
+
+#give permissions to user
+pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;"
+
+#revoke all privileges from PUBLIC role
+pgsql_superuser_cmd "REVOKE ALL ON DATABASE $USER_DB_NAME FROM PUBLIC;"
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl b/charts/heat/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
new file mode 100644
index 0000000..e41abe3
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
@@ -0,0 +1,24 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.image_repo_sync" }}
+#!/bin/sh
+set -ex
+
+IFS=','; for IMAGE in ${IMAGE_SYNC_LIST}; do
+  docker pull ${IMAGE}
+  docker tag ${IMAGE} ${LOCAL_REPO}/${IMAGE}
+  docker push ${LOCAL_REPO}/${IMAGE}
+done
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl b/charts/heat/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
new file mode 100644
index 0000000..8755cd5
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
@@ -0,0 +1,72 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_domain_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Manage domain
+SERVICE_OS_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Service Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+    "${SERVICE_OS_DOMAIN_NAME}")
+
+# Display domain
+openstack domain show "${SERVICE_OS_DOMAIN_ID}"
+
+# Manage user
+SERVICE_OS_USERID=$(openstack user create --or-show --enable -f value -c id \
+    --domain="${SERVICE_OS_DOMAIN_ID}" \
+    --description "Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+    --password="${SERVICE_OS_PASSWORD}" \
+    "${SERVICE_OS_USERNAME}")
+
+# Manage user password (we do this to ensure the password is updated if required)
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${SERVICE_OS_USERID}"
+
+# Display user
+openstack user show "${SERVICE_OS_USERID}"
+
+# Manage role
+SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \
+    "${SERVICE_OS_ROLE}" || openstack role create -f value -c id \
+    "${SERVICE_OS_ROLE}" )
+
+# Manage user role assignment
+openstack role add \
+          --domain="${SERVICE_OS_DOMAIN_ID}" \
+          --user="${SERVICE_OS_USERID}" \
+          --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+          "${SERVICE_OS_ROLE_ID}"
+
+# Display user role assignment
+openstack role assignment list \
+          --role="${SERVICE_OS_ROLE_ID}" \
+          --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+          --user="${SERVICE_OS_USERID}"
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl b/charts/heat/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
new file mode 100644
index 0000000..e400bcd
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
@@ -0,0 +1,79 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_endpoints" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Get Service ID
+OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+                  grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+                    sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+# Get Endpoint ID if it exists
+OS_ENDPOINT_ID=$( openstack endpoint list  -f csv --quote none | \
+                  grep "^[a-z0-9]*,${OS_REGION_NAME},${OS_SERVICE_NAME},${OS_SERVICE_TYPE},True,${OS_SVC_ENDPOINT}," | \
+                  awk -F ',' '{ print $1 }' )
+
+# Making sure only a single endpoint exists for a service within a region
+if [ "$(echo $OS_ENDPOINT_ID | wc -w)" -gt "1" ]; then
+  echo "More than one endpoint found, cleaning up"
+  for ENDPOINT_ID in $OS_ENDPOINT_ID; do
+    openstack endpoint delete ${ENDPOINT_ID}
+  done
+  unset OS_ENDPOINT_ID
+fi
+
+# Determine if Endpoint needs updated
+if [[ ${OS_ENDPOINT_ID} ]]; then
+  OS_ENDPOINT_URL_CURRENT=$(openstack endpoint show ${OS_ENDPOINT_ID} -f value -c url)
+  if [ "${OS_ENDPOINT_URL_CURRENT}" == "${OS_SERVICE_ENDPOINT}" ]; then
+    echo "Endpoints Match: no action required"
+    OS_ENDPOINT_UPDATE="False"
+  else
+    echo "Endpoints Dont Match: removing existing entries"
+    openstack endpoint delete ${OS_ENDPOINT_ID}
+    OS_ENDPOINT_UPDATE="True"
+  fi
+else
+  OS_ENDPOINT_UPDATE="True"
+fi
+
+# Update Endpoint if required
+if [[ "${OS_ENDPOINT_UPDATE}" == "True" ]]; then
+  OS_ENDPOINT_ID=$( openstack endpoint create -f value -c id \
+    --region="${OS_REGION_NAME}" \
+    "${OS_SERVICE_ID}" \
+    ${OS_SVC_ENDPOINT} \
+    "${OS_SERVICE_ENDPOINT}" )
+fi
+
+# Display the Endpoint
+openstack endpoint show ${OS_ENDPOINT_ID}
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl b/charts/heat/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
new file mode 100644
index 0000000..8356b36
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_service" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Service boilerplate description
+OS_SERVICE_DESC="${OS_REGION_NAME}: ${OS_SERVICE_NAME} (${OS_SERVICE_TYPE}) service"
+
+# Get Service ID if it exists
+unset OS_SERVICE_ID
+
+# FIXME - There seems to be an issue once in a while where the
+# openstack service list fails and encounters an error message such as:
+#   Unable to establish connection to
+#   https://keystone-api.openstack.svc.cluster.local:5000/v3/auth/tokens:
+#   ('Connection aborted.', OSError("(104, 'ECONNRESET')",))
+# During an upgrade scenario, this would cause the OS_SERVICE_ID to be blank
+# and it would attempt to create a new service when it was not needed.
+# This duplciate service would sometimes be used by other services such as
+# Horizon and would give an 'Invalid Service Catalog' error.
+# This loop allows for a 'retry' of the openstack service list in an
+# attempt to get the service list as expected if it does ecounter an error.
+# This loop and recheck can be reverted once the underlying issue is addressed.
+
+# If OS_SERVICE_ID is blank then wait a few seconds to give it
+# additional time and try again
+for i in $(seq 3)
+do
+  OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+                   grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+                   sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+  # If the service was found, go ahead and exit successfully.
+  if [[ -n "${OS_SERVICE_ID}" ]]; then
+    exit 0
+  fi
+
+  sleep 2
+done
+
+# If we've reached this point and a Service ID was not found,
+# then create the service
+OS_SERVICE_ID=$(openstack service create -f value -c id \
+                --name="${OS_SERVICE_NAME}" \
+                --description "${OS_SERVICE_DESC}" \
+                --enable \
+                "${OS_SERVICE_TYPE}")
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl b/charts/heat/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
new file mode 100644
index 0000000..b45f798
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+shopt -s nocasematch
+
+if [[ "${SERVICE_OS_PROJECT_DOMAIN_NAME}" == "Default" ]]
+then
+  PROJECT_DOMAIN_ID="default"
+else
+  # Manage project domain
+  PROJECT_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
+    "${SERVICE_OS_PROJECT_DOMAIN_NAME}")
+fi
+
+if [[ "${SERVICE_OS_USER_DOMAIN_NAME}" == "Default" ]]
+then
+  USER_DOMAIN_ID="default"
+else
+  # Manage user domain
+  USER_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}" \
+    "${SERVICE_OS_USER_DOMAIN_NAME}")
+fi
+
+shopt -u nocasematch
+
+# Manage user project
+USER_PROJECT_DESC="Service Project for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+USER_PROJECT_ID=$(openstack project create --or-show --enable -f value -c id \
+    --domain="${PROJECT_DOMAIN_ID}" \
+    --description="${USER_PROJECT_DESC}" \
+    "${SERVICE_OS_PROJECT_NAME}");
+
+# Manage user
+USER_DESC="Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}/${SERVICE_OS_SERVICE_NAME}"
+USER_ID=$(openstack user create --or-show --enable -f value -c id \
+    --domain="${USER_DOMAIN_ID}" \
+    --project-domain="${PROJECT_DOMAIN_ID}" \
+    --project="${USER_PROJECT_ID}" \
+    --description="${USER_DESC}" \
+    "${SERVICE_OS_USERNAME}");
+
+# Manage user password (we do this in a seperate step to ensure the password is updated if required)
+set +x
+echo "Setting user password via: openstack user set --password=xxxxxxx ${USER_ID}"
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${USER_ID}"
+set -x
+
+function ks_assign_user_role () {
+  if [[ "$SERVICE_OS_ROLE" == "admin" ]]
+  then
+    USER_ROLE_ID="$SERVICE_OS_ROLE"
+  else
+    USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${SERVICE_OS_ROLE}");
+  fi
+
+  # Manage user role assignment
+  openstack role add \
+      --user="${USER_ID}" \
+      --user-domain="${USER_DOMAIN_ID}" \
+      --project-domain="${PROJECT_DOMAIN_ID}" \
+      --project="${USER_PROJECT_ID}" \
+      "${USER_ROLE_ID}"
+}
+
+# Manage user service role
+IFS=','
+for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
+  ks_assign_user_role
+done
+
+# Manage user member role
+: ${MEMBER_OS_ROLE:="member"}
+export USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
+    "${MEMBER_OS_ROLE}");
+ks_assign_user_role
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/heat/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
new file mode 100644
index 0000000..87872d6
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -0,0 +1,106 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rabbit_init" }}
+#!/bin/bash
+set -e
+# Extract connection details
+RABBIT_HOSTNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $1}')
+RABBIT_PORT=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $2}')
+
+# Extract Admin User creadential
+RABBITMQ_ADMIN_USERNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $4}')
+RABBITMQ_ADMIN_PASSWORD=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $5}')
+
+# Extract User creadential
+RABBITMQ_USERNAME=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $4}')
+RABBITMQ_PASSWORD=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $5}')
+
+# Extract User vHost
+RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $3}')
+# Resolve vHost to / if no value is set
+RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
+
+function rabbitmqadmin_cli () {
+  if [ -n "$RABBITMQ_X509" ]
+  then
+    rabbitmqadmin \
+      --ssl \
+      --ssl-disable-hostname-verification \
+      --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
+      --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
+      --ssl-key-file="${USER_CERT_PATH}/tls.key" \
+      --host="${RABBIT_HOSTNAME}" \
+      --port="${RABBIT_PORT}" \
+      --username="${RABBITMQ_ADMIN_USERNAME}" \
+      --password="${RABBITMQ_ADMIN_PASSWORD}" \
+      ${@}
+  else
+    rabbitmqadmin \
+      --host="${RABBIT_HOSTNAME}" \
+      --port="${RABBIT_PORT}" \
+      --username="${RABBITMQ_ADMIN_USERNAME}" \
+      --password="${RABBITMQ_ADMIN_PASSWORD}" \
+      ${@}
+  fi
+}
+
+echo "Managing: User: ${RABBITMQ_USERNAME}"
+rabbitmqadmin_cli \
+  declare user \
+  name="${RABBITMQ_USERNAME}" \
+  password="${RABBITMQ_PASSWORD}" \
+  tags="user"
+
+if [ "${RABBITMQ_VHOST}" != "/" ]
+then
+  echo "Managing: vHost: ${RABBITMQ_VHOST}"
+  rabbitmqadmin_cli \
+    declare vhost \
+    name="${RABBITMQ_VHOST}"
+else
+  echo "Skipping root vHost declaration: vHost: ${RABBITMQ_VHOST}"
+fi
+
+echo "Managing: Permissions: ${RABBITMQ_USERNAME} on ${RABBITMQ_VHOST}"
+rabbitmqadmin_cli \
+  declare permission \
+  vhost="${RABBITMQ_VHOST}" \
+  user="${RABBITMQ_USERNAME}" \
+  configure=".*" \
+  write=".*" \
+  read=".*"
+
+if [ ! -z "$RABBITMQ_AUXILIARY_CONFIGURATION" ]
+then
+  echo "Applying additional configuration"
+  echo "${RABBITMQ_AUXILIARY_CONFIGURATION}" > /tmp/rmq_definitions.json
+  rabbitmqadmin_cli import /tmp/rmq_definitions.json
+fi
+
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/charts/heat/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
new file mode 100644
index 0000000..c08d320
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
@@ -0,0 +1,88 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rally_test" -}}
+#!/bin/bash
+set -ex
+{{- $rallyTests := index . 0 }}
+
+: "${RALLY_ENV_NAME:="openstack-helm"}"
+: "${OS_INTERFACE:="public"}"
+: "${RALLY_CLEANUP:="true"}"
+
+if [ "x$RALLY_CLEANUP" == "xtrue" ]; then
+  function rally_cleanup {
+    openstack user delete \
+        --domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
+        "${SERVICE_OS_USERNAME}"
+{{ $rallyTests.clean_up | default "" | indent 4 }}
+  }
+  trap rally_cleanup EXIT
+fi
+
+function create_or_update_db () {
+  revisionResults=$(rally db revision)
+  if [ $revisionResults = "None"  ]
+  then
+    rally db create
+  else
+    rally db upgrade
+  fi
+}
+
+create_or_update_db
+
+cat > /tmp/rally-config.json << EOF
+{
+    "openstack": {
+        "auth_url": "${OS_AUTH_URL}",
+        "region_name": "${OS_REGION_NAME}",
+        "endpoint_type": "${OS_INTERFACE}",
+        "admin": {
+            "username": "${OS_USERNAME}",
+            "password": "${OS_PASSWORD}",
+            "user_domain_name": "${OS_USER_DOMAIN_NAME}",
+            "project_name": "${OS_PROJECT_NAME}",
+            "project_domain_name": "${OS_PROJECT_DOMAIN_NAME}"
+        },
+        "users": [
+            {
+                "username": "${SERVICE_OS_USERNAME}",
+                "password": "${SERVICE_OS_PASSWORD}",
+                "project_name": "${SERVICE_OS_PROJECT_NAME}",
+                "user_domain_name": "${SERVICE_OS_USER_DOMAIN_NAME}",
+                "project_domain_name": "${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+            }
+        ],
+        "https_insecure": false,
+        "https_cacert": "${OS_CACERT}"
+    }
+}
+EOF
+rally deployment create --file /tmp/rally-config.json --name "${RALLY_ENV_NAME}"
+rm -f /tmp/rally-config.json
+rally deployment use "${RALLY_ENV_NAME}"
+rally deployment check
+{{- if $rallyTests.run_tempest }}
+rally verify create-verifier --name "${RALLY_ENV_NAME}-tempest" --type tempest
+SERVICE_TYPE="$(rally deployment check | grep "${RALLY_ENV_NAME}" | awk -F \| '{print $3}' | tr -d ' ' | tr -d '\n')"
+rally verify start --pattern "tempest.api.${SERVICE_TYPE}*"
+rally verify delete-verifier --id "${RALLY_ENV_NAME}-tempest" --force
+{{- end }}
+rally task validate /etc/rally/rally_tests.yaml
+rally task start /etc/rally/rally_tests.yaml
+rally task sla-check
+rally env cleanup
+rally deployment destroy --deployment "${RALLY_ENV_NAME}"
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/heat/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
new file mode 100644
index 0000000..db12915
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -0,0 +1,540 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.backup_main" }}
+#!/bin/bash
+
+# This file contains a database backup framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+#   source /tmp/backup_main.sh
+#
+# Then the script should call the main backup function (backup_databases):
+#   backup_databases [scope]
+#       [scope] is an optional parameter, defaulted to "all". If only one specific
+#               database is required to be backed up then this parameter will
+#               contain the name of the database; otherwise all are backed up.
+#
+#       The framework will require the following variables to be exported:
+#
+#         export DB_NAMESPACE          Namespace where the database(s) reside
+#         export DB_NAME               Name of the database system
+#         export LOCAL_DAYS_TO_KEEP    Number of days to keep the local backups
+#         export REMOTE_DAYS_TO_KEEP   Number of days to keep the remote backups
+#         export ARCHIVE_DIR           Local location where the backup tarballs should
+#                                      be stored. (full directory path)
+#         export BACK_UP_MODE          Determines the mode of backup taken.
+#         export REMOTE_BACKUP_ENABLED "true" if remote backup enabled; false
+#                                      otherwise
+#         export CONTAINER_NAME        Name of the container on the RGW to store
+#                                      the backup tarball.
+#         export STORAGE_POLICY        Name of the storage policy defined on the
+#                                      RGW which is intended to store backups.
+#         RGW access variables:
+#           export OS_REGION_NAME          Name of the region the RGW resides in
+#           export OS_AUTH_URL             Keystone URL associated with the RGW
+#           export OS_PROJECT_NAME         Name of the project associated with the
+#                                          keystone user
+#           export OS_USERNAME             Name of the keystone user
+#           export OS_PASSWORD             Password of the keystone user
+#           export OS_USER_DOMAIN_NAME     Keystone domain the project belongs to
+#           export OS_PROJECT_DOMAIN_NAME  Keystone domain the user belongs to
+#           export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+#           export REMOTE_BACKUP_RETRIES   Number of retries to send backup to remote
+#                                          in case of any temporary failures.
+#           export MIN_DELAY_SEND_REMOTE   Minimum seconds to delay before sending backup
+#                                          to remote to stagger backups being sent to RGW
+#           export MAX_DELAY_SEND_REMOTE   Maximum seconds to delay before sending backup
+#                                          to remote to stagger backups being sent to RGW.
+#                                          A random number between min and max delay is generated
+#                                          to set the delay.
+#
+# The database-specific functions that need to be implemented are:
+#   dump_databases_to_directory <directory> <err_logfile> [scope]
+#       where:
+#         <directory>   is the full directory path to dump the database files
+#                       into. This is a temporary directory for this backup only.
+#         <err_logfile> is the full directory path where error logs are to be
+#                       written by the application.
+#         [scope]       set to "all" if all databases are to be backed up; or
+#                       set to the name of a specific database to be backed up.
+#                       This optional parameter is defaulted to "all".
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to dump the database file(s) to the specified
+#       directory path. If this function completes successfully (returns 0), the
+#       framework will automatically tar/zip the files in that directory and
+#       name the tarball appropriately according to the proper conventions.
+#
+# The functions in this file will take care of:
+#   1) Calling "dump_databases_to_directory" and then compressing the files,
+#      naming the tarball properly, and then storing it locally at the specified
+#      local directory.
+#   2) Sending the tarball built to the remote gateway, to be stored in the
+#      container configured to store database backups.
+#   3) Removing local backup tarballs which are older than the number of days
+#      specified by the "LOCAL_DAYS_TO_KEEP" variable.
+#   4) Removing remote backup tarballs (from the remote gateway) which are older
+#      than the number of days specified by the "REMOTE_DAYS_TO_KEEP" variable.
+#
+
+# Note: not using set -e in this script because more elaborate error handling
+# is needed.
+
+log_backup_error_exit() {
+  MSG=$1
+  ERRCODE=${2:-0}
+  log ERROR "${DB_NAME}_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+  rm -f $ERR_LOG_FILE
+  rm -rf $TMP_DIR
+  exit $ERRCODE
+}
+
+log() {
+  #Log message to a file or stdout
+  #TODO: This can be convert into mail alert of alert send to a monitoring system
+  #Params: $1 log level
+  #Params: $2 service
+  #Params: $3 message
+  #Params: $4 Destination
+  LEVEL=$1
+  SERVICE=$2
+  MSG=$3
+  DEST=$4
+  DATE=$(date +"%m-%d-%y %H:%M:%S")
+  if [[ -z "$DEST" ]]; then
+    echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}"
+  else
+    echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}" >>$DEST
+  fi
+}
+
+# Generate a random number between MIN_DELAY_SEND_REMOTE and
+# MAX_DELAY_SEND_REMOTE
+random_number() {
+  diff=$((${MAX_DELAY_SEND_REMOTE} - ${MIN_DELAY_SEND_REMOTE} + 1))
+  echo $(($(( ${RANDOM} % ${diff} )) + ${MIN_DELAY_SEND_REMOTE} ))
+}
+
+#Get the day delta since the archive file backup
+seconds_difference() {
+  ARCHIVE_DATE=$( date --date="$1" +%s )
+  if [[ $? -ne 0 ]]; then
+    SECOND_DELTA=0
+  fi
+  CURRENT_DATE=$( date +%s )
+  SECOND_DELTA=$(($CURRENT_DATE-$ARCHIVE_DATE))
+  if [[ "$SECOND_DELTA" -lt 0 ]]; then
+    SECOND_DELTA=0
+  fi
+  echo $SECOND_DELTA
+}
+
+# Send the specified tarball file at the specified filepath to the
+# remote gateway.
+send_to_remote_server() {
+  FILEPATH=$1
+  FILE=$2
+
+  # Grab the list of containers on the remote site
+  RESULT=$(openstack container list 2>&1)
+
+  if [[ $? -eq 0 ]]; then
+    echo $RESULT | grep $CONTAINER_NAME
+    if [[ $? -ne 0 ]]; then
+      # Find the swift URL from the keystone endpoint list
+      SWIFT_URL=$(openstack catalog show object-store -c endpoints | grep public | awk '{print $4}')
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to get object-store enpoints from keystone catalog."
+        return 2
+      fi
+
+      # Get a token from keystone
+      TOKEN=$(openstack token issue -f value -c id)
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to get  keystone token."
+        return 2
+      fi
+
+      # Create the container
+      RES_FILE=$(mktemp -p /tmp)
+      curl -g -i -X PUT ${SWIFT_URL}/${CONTAINER_NAME} \
+           -H "X-Auth-Token: ${TOKEN}" \
+           -H "X-Storage-Policy: ${STORAGE_POLICY}" 2>&1 > $RES_FILE
+
+      if [[ $? -ne 0 || $(grep "HTTP" $RES_FILE | awk '{print $2}') -ge 400 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to create container ${CONTAINER_NAME}"
+        cat $RES_FILE
+        rm -f $RES_FILE
+        return 2
+      fi
+      rm -f $RES_FILE
+
+      swift stat $CONTAINER_NAME
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to retrieve container ${CONTAINER_NAME} details after creation."
+        return 2
+      fi
+    fi
+  else
+    echo $RESULT | grep -E "HTTP 401|HTTP 403"
+    if [[ $? -eq 0 ]]; then
+      log ERROR "${DB_NAME}_backup" "Access denied by keystone: ${RESULT}"
+      return 1
+    else
+      echo $RESULT | grep -E "ConnectionError|Failed to discover available identity versions|Service Unavailable|HTTP 50"
+      if [[ $? -eq 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Could not reach the RGW: ${RESULT}"
+        # In this case, keystone or the site/node may be temporarily down.
+        # Return slightly different error code so the calling code can retry
+        return 2
+      else
+        log ERROR "${DB_NAME}_backup" "Could not get container list: ${RESULT}"
+        return 1
+      fi
+    fi
+  fi
+
+  # Create an object to store the file
+  openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
+    return 2
+  fi
+  openstack object show $CONTAINER_NAME $FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
+    return 2
+  fi
+
+  log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
+  return 0
+}
+
+# This function attempts to store the built tarball to the remote gateway,
+# with built-in logic to handle error cases like:
+#   1) Network connectivity issues - retries for a specific amount of time
+#   2) Authorization errors - immediately logs an ERROR and returns
+store_backup_remotely() {
+  FILEPATH=$1
+  FILE=$2
+
+  count=1
+  while [[ ${count} -le ${REMOTE_BACKUP_RETRIES} ]]; do
+    # Store the new archive to the remote backup storage facility.
+    send_to_remote_server $FILEPATH $FILE
+    SEND_RESULT="$?"
+
+    # Check if successful
+    if [[ $SEND_RESULT -eq 0 ]]; then
+      log INFO "${DB_NAME}_backup" "Backup file ${FILE} successfully sent to RGW."
+      return 0
+    elif [[ $SEND_RESULT -eq 2 ]]; then
+      if [[ ${count} -ge ${REMOTE_BACKUP_RETRIES} ]]; then
+        log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW in " \
+        "${REMOTE_BACKUP_RETRIES} retries. Errors encountered. Exiting."
+        break
+      fi
+      # Temporary failure occurred. We need to retry
+      log WARN "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to RGW due to connection issue."
+      sleep_time=$(random_number)
+      log INFO "${DB_NAME}_backup" "Sleeping ${sleep_time} seconds waiting for RGW to become available..."
+      sleep ${sleep_time}
+      log INFO "${DB_NAME}_backup" "Retrying..."
+    else
+      log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW. Errors encountered. Exiting."
+      break
+    fi
+
+    # Increment the counter
+    count=$((count+1))
+  done
+
+  return 1
+}
+
+# This function takes a list of archives' names as an input
+# and creates a hash table where keys are number of seconds
+# between current date and archive date (see seconds_difference),
+# and values are space separated archives' names
+#
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 1265342678 | "tmp/mysql.backup.auto.2022-02-14T10:13:13Z.tar.gz"                                                     |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 2346254257 | "tmp/mysql.backup.auto.2022-02-11T10:13:13Z.tar.gz tmp/mysql.backup.manual.2022-02-11T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# <...>
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 6253434567 | "tmp/mysql.backup.manual.2022-02-01T10:13:13Z.tar.gz"                                                   |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# We will use the explained above data stracture to cover rare, but still
+# possible case, when we have several backups of the same date. E.g.
+# one manual, and one automatic.
+
+function get_archive_date(){
+# get_archive_date function returns correct archive date
+# for different formats of archives' names
+# the old one: <database name>.<namespace>.<table name | all>.<date-time>.tar.gz
+# the new one: <database name>.<namespace>.<table name | all>.<backup mode>.<date-time>.tar.gz
+local A_FILE="$1"
+local A_DATE=""
+if [[ -z ${BACK_UP_MODE} ]]; then
+  A_DATE=$( awk -F/ '{print $NF}' <<< ${ARCHIVE_FILE} | cut -d'.' -f 4 | tr -d "Z")
+else
+  A_DATE=$( awk -F/ '{print $NF}' <<< ${ARCHIVE_FILE} | cut -d'.' -f 5 | tr -d "Z")
+fi
+echo ${A_DATE}
+}
+
+declare -A fileTable
+create_hash_table() {
+unset fileTable
+fileList=$@
+  for ARCHIVE_FILE in ${fileList}; do
+    # Creating index, we will round given ARCHIVE_DATE to the midnight (00:00:00)
+    # to take in account a possibility, that we can have more than one scheduled
+    # backup per day.
+    ARCHIVE_DATE=$(get_archive_date ${ARCHIVE_FILE})
+    ARCHIVE_DATE=$(date --date=${ARCHIVE_DATE} +%D)
+    log INFO "${DB_NAME}_backup" "Archive date to build index: ${ARCHIVE_DATE}"
+    INDEX=$(seconds_difference ${ARCHIVE_DATE})
+    if [[ -z fileTable[${INDEX}] ]]; then
+      fileTable[${INDEX}]=${ARCHIVE_FILE}
+    else
+      fileTable[${INDEX}]="${fileTable[${INDEX}]} ${ARCHIVE_FILE}"
+    fi
+    echo "INDEX: ${INDEX} VALUE:  ${fileTable[${INDEX}]}"
+ done
+}
+
+function get_backup_prefix() {
+# Create list of all possible prefixes in a format:
+# <db_name>.<namespace> to cover a possible situation
+# when different backups of different databases and/or
+# namespaces share the same local or remote storage.
+  ALL_FILES=($@)
+  PREFIXES=()
+  for fname in ${ALL_FILES[@]}; do
+    prefix=$(basename ${fname} | cut -d'.' -f1,2 )
+    for ((i=0; i<${#PREFIXES[@]}; i++)) do
+      if [[ ${PREFIXES[${i}]} == ${prefix} ]]; then
+        prefix=""
+        break
+      fi
+    done
+    if [[ ! -z ${prefix} ]]; then
+        PREFIXES+=(${prefix})
+    fi
+  done
+}
+
+remove_old_local_archives() {
+  if [[ -d $ARCHIVE_DIR ]]; then
+    count=0
+    SECONDS_TO_KEEP=$((${LOCAL_DAYS_TO_KEEP}*86400))
+    log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days"
+    # We iterate over the hash table, checking the delta in seconds (hash keys),
+    # and minimum number of backups we must have in place. List of keys has to be sorted.
+    for INDEX in $(tr " " "\n" <<< ${!FILETABLE[@]} | sort -n -); do
+      ARCHIVE_FILE=${FILETABLE[${INDEX}]}
+      if [[ ${INDEX} -le ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
+        ((count++))
+        log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
+      else
+        log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
+          rm -rf $ARCHIVE_FILE
+          if [[ $? -ne 0 ]]; then
+            # Log error but don't exit so we can finish the script
+            # because at this point we haven't sent backup to RGW yet
+            log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
+          fi
+      fi
+    done
+  else
+    log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
+  fi
+}
+
+remove_old_local_archives() {
+  SECONDS_TO_KEEP=$(( $((${LOCAL_DAYS_TO_KEEP}))*86400))
+  log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+  if [[ -d $ARCHIVE_DIR ]]; then
+    count=0
+    # We iterate over the hash table, checking the delta in seconds (hash keys),
+    # and minimum number of backups we must have in place. List of keys has to be sorted.
+    for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+      ARCHIVE_FILE=${fileTable[${INDEX}]}
+      if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
+        ((count++))
+        log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
+      else
+        log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
+          rm -f ${ARCHIVE_FILE}
+          if [[ $? -ne 0 ]]; then
+            # Log error but don't exit so we can finish the script
+            # because at this point we haven't sent backup to RGW yet
+            log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
+          fi
+      fi
+    done
+  else
+    log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
+  fi
+}
+
+prepare_list_of_remote_backups() {
+  BACKUP_FILES=$(mktemp -p /tmp)
+  DB_BACKUP_FILES=$(mktemp -p /tmp)
+  openstack object list $CONTAINER_NAME > $BACKUP_FILES
+  if [[ $? -ne 0 ]]; then
+    log_backup_error_exit \
+      "Failed to cleanup remote backup. Could not obtain a list of current backup files in the RGW"
+  fi
+  # Filter out other types of backup files
+  cat $BACKUP_FILES | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $DB_BACKUP_FILES
+}
+
+# The logic implemented with this function is absolutely similar
+# to the function remove_old_local_archives (see above)
+remove_old_remote_archives() {
+  count=0
+  SECONDS_TO_KEEP=$((${REMOTE_DAYS_TO_KEEP}*86400))
+  log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+  for INDEX in $(tr " " "\n" <<< ${!FILETABLE[@]} | sort -n -); do
+    ARCHIVE_FILE=${FILETABLE[${INDEX}]}
+    if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then
+      ((count++))
+      log INFO "${DB_NAME}_backup" "Keeping remote backup(s) ${ARCHIVE_FILE}."
+    else
+      log INFO "${DB_NAME}_backup" "Deleting remote backup(s) ${ARCHIVE_FILE} from the RGW"
+      openstack object delete ${CONTAINER_NAME} ${ARCHIVE_FILE} ||  log WARN "${DB_NAME}_backup" \
+        "Failed to cleanup remote backup. Cannot delete container object ${ARCHIVE_FILE}"
+    fi
+  done
+
+  # Cleanup now that we're done.
+  for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
+  if [[ -f fd ]]; then
+    rm -f fd
+  else
+    log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+}
+
+# Main function to backup the databases. Calling functions need to supply:
+#  1) The directory where the final backup will be kept after it is compressed.
+#  2) A temporary directory to use for placing database files to be compressed.
+#     Note: this temp directory will be deleted after backup is done.
+#  3) Optional "scope" parameter indicating what database to back up. Defaults
+#     to "all".
+backup_databases() {
+  SCOPE=${1:-"all"}
+
+  # Create necessary directories if they do not exist.
+  mkdir -p $ARCHIVE_DIR || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create directory ${ARCHIVE_DIR}!"
+  export TMP_DIR=$(mktemp -d) || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create temp directory!"
+
+  # Create temporary log file
+  export ERR_LOG_FILE=$(mktemp -p /tmp) || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create log file!"
+
+  # It is expected that this function will dump the database files to the $TMP_DIR
+  dump_databases_to_directory $TMP_DIR $ERR_LOG_FILE $SCOPE
+
+  # If successful, there should be at least one file in the TMP_DIR
+  if [[ $? -ne 0 || $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+    cat $ERR_LOG_FILE
+    log_backup_error_exit "Backup of the ${DB_NAME} database failed and needs attention."
+  fi
+
+  log INFO "${DB_NAME}_backup" "Databases dumped successfully. Creating tarball..."
+
+  NOW=$(date +"%Y-%m-%dT%H:%M:%SZ")
+  if [[ -z "${BACK_UP_MODE}" ]]; then
+    TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${NOW}.tar.gz"
+  else
+    TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${BACK_UP_MODE}.${NOW}.tar.gz"
+  fi
+
+  cd $TMP_DIR || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot change to directory $TMP_DIR"
+
+  #Archive the current database files
+  tar zcvf $ARCHIVE_DIR/$TARBALL_FILE *
+  if [[ $? -ne 0 ]]; then
+    log_backup_error_exit \
+      "Backup ${DB_NAME} to local file system failed. Backup tarball could not be created."
+  fi
+
+  # Get the size of the file
+  ARCHIVE_SIZE=$(ls -l $ARCHIVE_DIR/$TARBALL_FILE | awk '{print $5}')
+
+  log INFO "${DB_NAME}_backup" "Tarball $TARBALL_FILE created successfully."
+
+  cd $ARCHIVE_DIR
+
+  # Remove the temporary directory and files as they are no longer needed.
+  rm -rf $TMP_DIR
+  rm -f $ERR_LOG_FILE
+
+  #Only delete the old archive after a successful archive
+  export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
+  if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
+    get_backup_prefix $(ls -1 ${ARCHIVE_DIR}/*.gz)
+    for ((i=0; i<${#PREFIXES[@]}; i++)); do
+      echo "Working with prefix: ${PREFIXES[i]}"
+      create_hash_table $(ls -1 ${ARCHIVE_DIR}/${PREFIXES[i]}*.gz)
+      remove_old_local_archives
+    done
+  fi
+
+  REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
+  if $REMOTE_BACKUP; then
+    # Remove Quotes from the constants which were added due to reading
+    # from secret.
+    export REMOTE_BACKUP_RETRIES=$(echo $REMOTE_BACKUP_RETRIES | sed 's/"//g')
+    export MIN_DELAY_SEND_REMOTE=$(echo $MIN_DELAY_SEND_REMOTE | sed 's/"//g')
+    export MAX_DELAY_SEND_REMOTE=$(echo $MAX_DELAY_SEND_REMOTE | sed 's/"//g')
+    export REMOTE_DAYS_TO_KEEP=$(echo $REMOTE_DAYS_TO_KEEP | sed 's/"//g')
+
+    store_backup_remotely $ARCHIVE_DIR $TARBALL_FILE
+    if [[ $? -ne 0 ]]; then
+      # This error should print first, then print the summary as the last
+      # thing that the user sees in the output.
+      log ERROR "${DB_NAME}_backup" "Backup ${TARBALL_FILE} could not be sent to remote RGW."
+      echo "=================================================================="
+      echo "Local backup successful, but could not send to remote RGW."
+      echo "Backup archive name: $TARBALL_FILE"
+      echo "Backup archive size: $ARCHIVE_SIZE"
+      echo "=================================================================="
+      # Because the local backup was successful, exit with 0 so the pod will not
+      # continue to restart and fill the disk with more backups. The ERRORs are
+      # logged and alerting system should catch those errors and flag the operator.
+      exit 0
+    fi
+
+    #Only delete the old archive after a successful archive
+    if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then
+      prepare_list_of_remote_backups
+      create_hash_table $(cat $DB_BACKUP_FILES)
+      remove_old_remote_archives
+    fi
+
+    echo "=================================================================="
+    echo "Local backup and backup to remote RGW successful!"
+    echo "Backup archive name: $TARBALL_FILE"
+    echo "Backup archive size: $ARCHIVE_SIZE"
+    echo "=================================================================="
+  else
+    # Remote backup is not enabled. This is ok; at least we have a local backup.
+    log INFO "${DB_NAME}_backup" "Skipping remote backup, as it is not enabled."
+
+    echo "=================================================================="
+    echo "Local backup successful!"
+    echo "Backup archive name: $TARBALL_FILE"
+    echo "Backup archive size: $ARCHIVE_SIZE"
+    echo "=================================================================="
+  fi
+}
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl b/charts/heat/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
new file mode 100644
index 0000000..c2de3aa
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
@@ -0,0 +1,616 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.restore_main" }}
+#!/bin/bash
+
+# This file contains a database restore framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+#   source /tmp/restore_main.sh
+#
+# Then the script should call the main CLI function (cli_main):
+#   cli_main <arg_list>
+#       where:
+#         <arg_list>    is the list of arguments given by the user
+#
+#       The framework will require the following variables to be exported:
+#
+#         export DB_NAMESPACE        Namespace where the database(s) reside
+#         export DB_NAME             Name of the database system
+#         export ARCHIVE_DIR         Location where the backup tarballs should
+#                                    be stored. (full directory path which
+#                                    should already exist)
+#         export CONTAINER_NAME      Name of the container on the RGW where
+#                                    the backups are stored.
+#         RGW access variables:
+#           export OS_REGION_NAME          Name of the region the RGW resides in
+#           export OS_AUTH_URL             Keystone URL associated with the RGW
+#           export OS_PROJECT_NAME         Name of the project associated with the
+#                                          keystone user
+#           export OS_USERNAME             Name of the keystone user
+#           export OS_PASSWORD             Password of the keystone user
+#           export OS_USER_DOMAIN_NAME     Keystone domain the project belongs to
+#           export OS_PROJECT_DOMAIN_NAME  Keystone domain the user belongs to
+#           export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# The database-specific functions that need to be implemented are:
+#   get_databases
+#       where:
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <db_file>     is the full path of the file to write the database
+#                       names into, one database per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the database names from the
+#       uncompressed database files found in the given "tmp_dir", which is
+#       the staging directory for database restore. The database names
+#       should be written to the given "db_file", one database name per
+#       line.
+#
+#   get_tables
+#         <db_name>     is the name of the database to get the tables from
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <table_file>  is the full path of the file to write the table
+#                       names into, one table per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the table names from the given
+#       database, found in the uncompressed database files located in the
+#       given "tmp_dir", which is the staging directory for database restore.
+#       The table names should be written to the given "table_file", one
+#       table name per line.
+#
+#   get_rows
+#         <table_name>  is the name of the table to get the rows from
+#         <db_name>     is the name of the database the table resides in
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <rows_file>   is the full path of the file to write the table
+#                       row data into, one row (INSERT statement) per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the rows from the given table
+#       in the given database, found in the uncompressed database files
+#       located in the given "tmp_dir", which is the staging directory for
+#       database restore. The table rows should be written to the given
+#       "rows_file", one row (INSERT statement) per line.
+#
+#   get_schema
+#         <table_name>  is the name of the table to get the schema from
+#         <db_name>     is the name of the database the table resides in
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <schema_file> is the full path of the file to write the table
+#                       schema data into
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the schema from the given table
+#       in the given database, found in the uncompressed database files
+#       located in the given "tmp_dir", which is the staging directory for
+#       database restore. The table schema and related alterations and
+#       grant information should be written to the given "schema_file".
+#
+#   restore_single_db
+#       where:
+#         <db_name>     is the name of the database to be restored
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to restore the database given as "db_name"
+#       using the database files located in the "tmp_dir". The framework
+#       will delete the "tmp_dir" and the files in it after the restore is
+#       complete.
+#
+#   restore_all_dbs
+#       where:
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to restore all of the databases which
+#       are backed up in the database files located in the "tmp_dir". The
+#       framework will delete the "tmp_dir" and the files in it after the
+#       restore is complete.
+#
+# The functions in this file will take care of:
+#   1) The CLI parameter parsing for the arguments passed in by the user.
+#   2) The listing of either local or remote archive files at the request
+#      of the user.
+#   3) The retrieval/download of an archive file located either in the local
+#      file system or remotely stored on an RGW.
+#   4) Calling either "restore_single_db" or "restore_all_dbs" when the user
+#      chooses to restore a database or all databases.
+#   5) The framework will call "get_databases" when it needs a list of
+#      databases when the user requests a database list or when the user
+#      requests to restore a single database (to ensure it exists in the
+#      archive). Similarly, the framework will call "get_tables", "get_rows",
+#      or "get_schema" when it needs that data requested by the user.
+#
+
+usage() {
+  ret_val=$1
+  echo "Usage:"
+  echo "Restore command options"
+  echo "============================="
+  echo "help"
+  echo "list_archives [remote]"
+  echo "list_databases <archive_filename> [remote]"
+  echo "list_tables <archive_filename> <dbname> [remote]"
+  echo "list_rows <archive_filename> <dbname> <table_name> [remote]"
+  echo "list_schema <archive_filename> <dbname> <table_name> [remote]"
+  echo "restore <archive_filename> <db_specifier> [remote]"
+  echo "        where <db_specifier> = <dbname> | ALL"
+  echo "delete_archive <archive_filename> [remote]"
+  clean_and_exit $ret_val ""
+}
+
+#Exit cleanly with some message and return code
+clean_and_exit() {
+  RETCODE=$1
+  MSG=$2
+
+  # Clean/remove temporary directories/files
+  rm -rf $TMP_DIR
+  rm -f $RESULT_FILE
+
+  if [[ "x${MSG}" != "x" ]]; then
+    echo $MSG
+  fi
+  exit $RETCODE
+}
+
+determine_resulting_error_code() {
+  RESULT="$1"
+
+  echo ${RESULT} | grep "HTTP 404"
+  if [[ $? -eq 0 ]]; then
+    echo "Could not find the archive: ${RESULT}"
+    return 1
+  else
+    echo ${RESULT} | grep "HTTP 401"
+    if [[ $? -eq 0 ]]; then
+      echo "Could not access the archive: ${RESULT}"
+      return 1
+    else
+      echo ${RESULT} | grep "HTTP 503"
+      if [[ $? -eq 0 ]]; then
+        echo "RGW service is unavailable. ${RESULT}"
+        # In this case, the RGW may be temporarily down.
+        # Return slightly different error code so the calling code can retry
+        return 2
+      else
+        echo ${RESULT} | grep "ConnectionError"
+        if [[ $? -eq 0 ]]; then
+          echo "Could not reach the RGW: ${RESULT}"
+          # In this case, keystone or the site/node may be temporarily down.
+          # Return slightly different error code so the calling code can retry
+          return 2
+        else
+          echo "Archive ${ARCHIVE} could not be retrieved: ${RESULT}"
+          return 1
+        fi
+      fi
+    fi
+  fi
+  return 0
+}
+
+# Retrieve a list of archives from the RGW.
+retrieve_remote_listing() {
+  RESULT=$(openstack container show $CONTAINER_NAME 2>&1)
+  if [[ $? -eq 0 ]]; then
+    # Get the list, ensureing that we only pick up the right kind of backups from the
+    # requested namespace
+    openstack object list $CONTAINER_NAME | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $TMP_DIR/archive_list
+    if [[ $? -ne 0 ]]; then
+      echo "Container object listing could not be obtained."
+      return 1
+    else
+      echo "Archive listing successfully retrieved."
+    fi
+  else
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  fi
+  return 0
+}
+
+# Retrieve a single archive from the RGW.
+retrieve_remote_archive() {
+  ARCHIVE=$1
+
+  RESULT=$(openstack object save --file $TMP_DIR/$ARCHIVE $CONTAINER_NAME $ARCHIVE 2>&1)
+  if [[ $? -ne 0 ]]; then
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  else
+    echo "Archive $ARCHIVE successfully retrieved."
+  fi
+  return 0
+}
+
+# Delete an archive from the RGW.
+delete_remote_archive() {
+  ARCHIVE=$1
+
+  RESULT=$(openstack object delete ${CONTAINER_NAME} ${ARCHIVE} 2>&1)
+  if [[ $? -ne 0 ]]; then
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  else
+    echo "Archive ${ARCHIVE} successfully deleted."
+  fi
+  return 0
+}
+
+# Display all archives
+list_archives() {
+  REMOTE=$1
+
+  if [[ "x${REMOTE^^}" == "xREMOTE" ]]; then
+    retrieve_remote_listing
+    if [[ $? -eq 0 && -e $TMP_DIR/archive_list ]]; then
+      echo
+      echo "All Archives from RGW Data Store"
+      echo "=============================================="
+      cat $TMP_DIR/archive_list | sort
+      clean_and_exit 0 ""
+    else
+      clean_and_exit 1 "ERROR: Archives could not be retrieved from the RGW."
+    fi
+  elif [[ "x${REMOTE}" == "x" ]]; then
+    if [[ -d $ARCHIVE_DIR ]]; then
+      archives=$(find $ARCHIVE_DIR/ -iname "*.gz" -print | sort)
+      echo
+      echo "All Local Archives"
+      echo "=============================================="
+      for archive in $archives
+      do
+        echo $archive | cut -d '/' -f 8
+      done
+      clean_and_exit 0 ""
+    else
+      clean_and_exit 1 "ERROR: Local archive directory is not available."
+    fi
+  else
+    usage 1
+  fi
+}
+
+# Retrieve the archive from the desired location and decompress it into
+# the restore directory
+get_archive() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+
+  if [[ "x$REMOTE" == "xremote" ]]; then
+    echo "Retrieving archive ${ARCHIVE_FILE} from the remote RGW..."
+    retrieve_remote_archive $ARCHIVE_FILE
+    if [[ $? -ne 0 ]]; then
+      clean_and_exit 1 "ERROR: Could not retrieve remote archive: $ARCHIVE_FILE"
+    fi
+  elif [[ "x$REMOTE" == "x" ]]; then
+    if [[ -e $ARCHIVE_DIR/$ARCHIVE_FILE ]]; then
+      cp $ARCHIVE_DIR/$ARCHIVE_FILE $TMP_DIR/$ARCHIVE_FILE
+      if [[ $? -ne 0 ]]; then
+        clean_and_exit 1 "ERROR: Could not copy local archive to restore directory."
+      fi
+    else
+      clean_and_exit 1 "ERROR: Local archive file could not be found."
+    fi
+  else
+    usage 1
+  fi
+
+  echo "Decompressing archive $ARCHIVE_FILE..."
+  cd $TMP_DIR
+  tar zxvf - < $TMP_DIR/$ARCHIVE_FILE 1>/dev/null
+  if [[ $? -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Archive decompression failed."
+  fi
+}
+
+# Display all databases from an archive
+list_databases() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one database per line
+  get_databases $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve databases from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Databases in the $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Databases file missing. Could not list databases from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display all tables of a database from an archive
+list_tables() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  REMOTE=$3
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one table per line
+  get_tables $DATABASE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve tables for database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Tables in database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Tables file missing. Could not list tables of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display all rows of the given database table from an archive
+list_rows() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  TABLE=$3
+  REMOTE=$4
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one table per line
+  get_rows $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Rows in table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Rows file missing. Could not list rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display the schema information of the given database table from an archive
+list_schema() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  TABLE=$3
+  REMOTE=$4
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the schema information will be placed into
+  # the given schema file.
+  get_schema $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Schema for table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Schema file missing. Could not list schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Delete an archive
+delete_archive() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  if [[ "${WHERE}" == "remote" ]]; then
+    delete_remote_archive ${ARCHIVE_FILE}
+    if [[ $? -ne 0 ]]; then
+      clean_and_exit 1 "ERROR: Could not delete remote archive: ${ARCHIVE_FILE}"
+    fi
+  else # Local
+    if [[ -e ${ARCHIVE_DIR}/${ARCHIVE_FILE} ]]; then
+      rm -f ${ARCHIVE_DIR}/${ARCHIVE_FILE}
+      if [[ $? -ne 0 ]]; then
+        clean_and_exit 1 "ERROR: Could not delete local archive."
+      fi
+    else
+      clean_and_exit 1 "ERROR: Local archive file could not be found."
+    fi
+  fi
+
+  echo "Successfully deleted archive ${ARCHIVE_FILE} from ${WHERE} storage."
+}
+
+
+# Return 1 if the given database exists in the database file. 0 otherwise.
+database_exists() {
+  DB=$1
+
+  grep "${DB}" ${RESULT_FILE}
+  if [[ $? -eq 0 ]]; then
+    return 1
+  fi
+  return 0
+}
+
+# This is the main CLI interpreter function
+cli_main() {
+  ARGS=("$@")
+
+  # Create the ARCHIVE DIR if it's not already there.
+  mkdir -p $ARCHIVE_DIR
+
+  # Create temp directory for a staging area to decompress files into
+  export TMP_DIR=$(mktemp -d)
+
+  # Create a temp file for storing list of databases (if needed)
+  export RESULT_FILE=$(mktemp -p /tmp)
+
+  case "${ARGS[0]}" in
+    "help")
+      usage 0
+      ;;
+
+    "list_archives")
+      if [[ ${#ARGS[@]} -gt 2 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 1 ]]; then
+        list_archives
+      else
+        list_archives ${ARGS[1]}
+      fi
+      clean_and_exit 0
+      ;;
+
+    "list_databases")
+      if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 2 ]]; then
+        list_databases ${ARGS[1]}
+      else
+        list_databases ${ARGS[1]} ${ARGS[2]}
+      fi
+      ;;
+
+    "list_tables")
+      if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 3 ]]; then
+        list_tables ${ARGS[1]} ${ARGS[2]}
+      else
+        list_tables ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      fi
+      ;;
+
+    "list_rows")
+      if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      else
+        list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+      fi
+      ;;
+
+    "list_schema")
+      if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      else
+        list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+      fi
+      ;;
+
+    "restore")
+      REMOTE=""
+      if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        REMOTE=${ARGS[3]}
+      fi
+
+      ARCHIVE=${ARGS[1]}
+      DB_SPEC=${ARGS[2]}
+
+      #Get all the databases in that archive
+      get_archive $ARCHIVE $REMOTE
+
+      if [[ "$( echo $DB_SPEC | tr '[a-z]' '[A-Z]')" != "ALL" ]]; then
+        # Expectation is that the database listing will be put into
+        # the given file one database per line
+        get_databases $TMP_DIR $RESULT_FILE
+        if [[ "$?" -ne 0 ]]; then
+          clean_and_exit 1 "ERROR: Could not get the list of databases to restore."
+        fi
+
+        if [[ ! $DB_NAMESPACE == "kube-system" ]]; then
+          #check if the requested database is available in the archive
+          database_exists $DB_SPEC
+          if [[ $? -ne 1 ]]; then
+            clean_and_exit 1 "ERROR: Database ${DB_SPEC} does not exist."
+          fi
+        fi
+
+        echo "Restoring Database $DB_SPEC And Grants"
+        restore_single_db $DB_SPEC $TMP_DIR
+        if [[ "$?" -eq 0 ]]; then
+          echo "Single database restored successfully."
+        else
+          clean_and_exit 1 "ERROR: Single database restore failed."
+        fi
+        clean_and_exit 0 ""
+      else
+        echo "Restoring All The Databases. This could take a few minutes..."
+        restore_all_dbs $TMP_DIR
+        if [[ "$?" -eq 0 ]]; then
+          echo "All databases restored successfully."
+        else
+          clean_and_exit 1 "ERROR: Database restore failed."
+        fi
+        clean_and_exit 0 ""
+      fi
+      ;;
+    "delete_archive")
+      if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 2 ]]; then
+        delete_archive ${ARGS[1]}
+      else
+        delete_archive ${ARGS[1]} ${ARGS[2]}
+      fi
+      ;;
+    *)
+      usage 1
+      ;;
+  esac
+
+  clean_and_exit 0 ""
+}
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_image.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_image.tpl
new file mode 100644
index 0000000..029c93d
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_image.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves an image reference to a string, and its pull policy
+values: |
+  images:
+    tags:
+      test_image: docker.io/port/test:version-foo
+      image_foo: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    pull_policy: IfNotPresent
+    local_registry:
+      active: true
+      exclude:
+        - image_foo
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    local_image_registry:
+      name: docker-registry
+      namespace: docker-registry
+      hosts:
+        default: localhost
+        internal: docker-registry
+        node: localhost
+      host_fqdn_override:
+        default: null
+      port:
+        registry:
+          node: 5000
+usage: |
+  {{ tuple . "test_image" | include "helm-toolkit.snippets.image" }}
+return: |
+  image: "localhost:5000/docker.io/port/test:version-foo"
+  imagePullPolicy: IfNotPresent
+*/}}
+
+{{- define "helm-toolkit.snippets.image" -}}
+{{- $envAll := index . 0 -}}
+{{- $image := index . 1 -}}
+{{- $imageTag := index $envAll.Values.images.tags $image -}}
+{{- if and ($envAll.Values.images.local_registry.active) (not (has $image $envAll.Values.images.local_registry.exclude )) -}}
+{{- $registryPrefix := printf "%s:%s" (tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup") (tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup") -}}
+image: {{ printf "%s/%s" $registryPrefix $imageTag | quote }}
+{{- else -}}
+image: {{ $imageTag | quote }}
+{{- end }}
+imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
new file mode 100644
index 0000000..2f209fe
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a set of container enviorment variables, equivlant to an openrc for
+  use with keystone based command line clients.
+values: |
+  secrets:
+    identity:
+      admin: example-keystone-admin
+usage: |
+  {{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin ) }}
+return: |
+  - name: OS_IDENTITY_API_VERSION
+    value: "3"
+  - name: OS_AUTH_URL
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_AUTH_URL
+  - name: OS_REGION_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_REGION_NAME
+  - name: OS_INTERFACE
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_INTERFACE
+  - name: OS_ENDPOINT_TYPE
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_INTERFACE
+  - name: OS_PROJECT_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PROJECT_DOMAIN_NAME
+  - name: OS_PROJECT_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PROJECT_NAME
+  - name: OS_USER_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_USER_DOMAIN_NAME
+  - name: OS_USERNAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_USERNAME
+  - name: OS_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PASSWORD
+  - name: OS_CACERT
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_CACERT
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }}
+{{- $useCA := .useCA -}}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: OS_IDENTITY_API_VERSION
+  value: "3"
+- name: OS_AUTH_URL
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_AUTH_URL
+- name: OS_REGION_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_REGION_NAME
+- name: OS_INTERFACE
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_INTERFACE
+- name: OS_ENDPOINT_TYPE
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_INTERFACE
+- name: OS_PROJECT_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_DOMAIN_NAME
+- name: OS_PROJECT_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_NAME
+- name: OS_USER_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USER_DOMAIN_NAME
+- name: OS_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USERNAME
+- name: OS_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PASSWORD
+- name: OS_DEFAULT_DOMAIN
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_DEFAULT_DOMAIN
+{{- if $useCA }}
+- name: OS_CACERT
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_CACERT
+{{- end }}
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
new file mode 100644
index 0000000..f627657
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_secret_openrc" }}
+{{- $userClass := index . 0 -}}
+{{- $identityEndpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $userContext := index $context.Values.endpoints.identity.auth $userClass }}
+OS_AUTH_URL: {{ tuple "identity" $identityEndpoint "api" $context | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
+OS_REGION_NAME: {{ $userContext.region_name | b64enc }}
+OS_INTERFACE: {{ $userContext.interface | default "internal" | b64enc }}
+OS_PROJECT_DOMAIN_NAME: {{ $userContext.project_domain_name | b64enc }}
+OS_PROJECT_NAME: {{ $userContext.project_name | b64enc }}
+OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }}
+OS_USERNAME: {{ $userContext.username | b64enc }}
+OS_PASSWORD: {{ $userContext.password | b64enc }}
+OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }}
+{{- if $userContext.cacert }}
+OS_CACERT: {{ $userContext.cacert | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
new file mode 100644
index 0000000..648711b
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a set of container enviorment variables, for use with the keystone
+  user management jobs.
+values: |
+  secrets:
+    identity:
+      service_user: example-keystone-user
+usage: |
+  {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }}
+return: |
+  - name: SERVICE_OS_REGION_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_REGION_NAME
+  - name: SERVICE_OS_PROJECT_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PROJECT_DOMAIN_NAME
+  - name: SERVICE_OS_PROJECT_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PROJECT_NAME
+  - name: SERVICE_OS_USER_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_USER_DOMAIN_NAME
+  - name: SERVICE_OS_USERNAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_USERNAME
+  - name: SERVICE_OS_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PASSWORD
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_user_create_env_vars" }}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: SERVICE_OS_REGION_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_REGION_NAME
+- name: SERVICE_OS_PROJECT_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_DOMAIN_NAME
+- name: SERVICE_OS_PROJECT_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_NAME
+- name: SERVICE_OS_USER_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USER_DOMAIN_NAME
+- name: SERVICE_OS_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USERNAME
+- name: SERVICE_OS_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PASSWORD
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
new file mode 100644
index 0000000..8ca1028
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders a configmap used for loading custom AppArmor profiles.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+      apparmor_profiles: |-
+        my_apparmor-v1.profile: |-
+          #include <tunables/global>
+          profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+            <profile_data>
+          }
+usage: |
+  {{ dict "envAll" . "component" "myComponent" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }}
+return: |
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: releaseName-myComponent-apparmor
+  namespace: myNamespace
+data:
+  my_apparmor-v1.profile: |-
+    #include <tunables/global>
+    profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+      <profile_data>
+    }
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_configmap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- $mapName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if $envAll.Values.conf.apparmor_profiles }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ $mapName }}
+  namespace: {{ $envAll.Release.Namespace }}
+data:
+{{ $envAll.Values.conf.apparmor_profiles | toYaml | indent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
new file mode 100644
index 0000000..f231fe6
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders the init container used for apparmor loading.
+values: |
+  images:
+    tags:
+      apparmor_loader: my-repo.io/apparmor-loader:1.0.0
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+      apparmor-loader: unconfined
+usage: |
+  {{ dict "envAll" . | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" }}
+return: |
+  - name: apparmor-loader
+    image: my-repo.io/apparmor-loader:1.0.0
+    args:
+      - /profiles
+    securityContext:
+      privileged: true
+    volumeMounts:
+      - name: sys
+        mountPath: /sys
+        readOnly: true
+      - name: includes
+        mountPath: /etc/apparmor.d
+        readOnly: true
+      - name: profiles
+        mountPath: /profiles
+        readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" -}}
+{{- $envAll := index . "envAll" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+- name: apparmor-loader
+  image: {{ $envAll.Values.images.tags.apparmor_loader }}
+  args:
+    - /profiles
+  securityContext:
+    privileged: true
+  volumeMounts:
+    - name: sys
+      mountPath: /sys
+      readOnly: true
+    - name: includes
+      mountPath: /etc/apparmor.d
+      readOnly: true
+    - name: profiles
+      mountPath: /profiles
+      readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
new file mode 100644
index 0000000..baebaa3
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders the volumes used by the apparmor loader.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+inputs: |
+  envAll: "Environment or Context."
+  component: "Name of the component used for the name of configMap."
+  requireSys: "Boolean. True if it needs the hostpath /sys in volumes."
+usage: |
+  {{ dict "envAll" . "component" "keystone" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" }}
+return: |
+- name: sys
+  hostPath:
+    path: /sys
+- name: includes
+  hostPath:
+    path: /etc/apparmor.d
+- name: profiles
+  configMap:
+    name: RELEASENAME-keystone-apparmor
+    defaultMode: 0555
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_volumes" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $requireSys := index . "requireSys" | default false -}}
+{{- $configName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- if $requireSys }}
+- name: sys
+  hostPath:
+    path: /sys
+{{- end }}
+- name: includes
+  hostPath:
+    path: /etc/apparmor.d
+- name: profiles
+  configMap:
+    name: {{ $configName | quote }}
+    defaultMode: 0555
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
new file mode 100644
index 0000000..4741497
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders securityContext for a Kubernetes container.
+  For container level, see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#securitycontext-v1-core
+examples:
+  - values: |
+      pod:
+        security_context:
+          myApp:
+            container:
+              foo:
+                runAsUser: 34356
+                readOnlyRootFilesystem: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" "container" "foo" | include "helm-toolkit.snippets.kubernetes_container_security_context" }}
+    return: |
+      securityContext:
+        readOnlyRootFilesystem: true
+        runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_container_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $container := index . "container" -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{- if hasKey ( index $envAll.Values.pod.security_context $application "container" ) $container }}
+securityContext:
+{{ toYaml ( index $envAll.Values.pod.security_context $application "container" $container ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
new file mode 100644
index 0000000..bed712e
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
@@ -0,0 +1,209 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a container definition for use with the kubernetes-entrypoint image
+  from stackanetes.
+values: |
+  images:
+    tags:
+      dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    pull_policy: IfNotPresent
+    local_registry:
+      active: true
+      exclude:
+        - dep_check
+  dependencies:
+    dynamic:
+      common:
+        local_image_registry:
+          jobs:
+            - calico-image-repo-sync
+          services:
+            - endpoint: node
+              service: local_image_registry
+    static:
+      calico_node:
+        services:
+          - endpoint: internal
+            service: etcd
+        custom_resources:
+          - apiVersion: argoproj.io/v1alpha1
+            kind: Workflow
+            name: wf-example
+            fields:
+              - key: "status.phase"
+                value: "Succeeded"
+  endpoints:
+    local_image_registry:
+      namespace: docker-registry
+      hosts:
+        default: localhost
+        node: localhost
+    etcd:
+      hosts:
+        default: etcd
+  # NOTE (portdirect): if the stanza, or a portion of it, under `pod` is not
+  # specififed then the following will be used as defaults:
+  #  pod:
+  #    security_context:
+  #      kubernetes_entrypoint:
+  #        container:
+  #          kubernetes_entrypoint:
+  #            runAsUser: 65534
+  #            readOnlyRootFilesystem: true
+  #            allowPrivilegeEscalation: false
+  pod:
+    security_context:
+      kubernetes_entrypoint:
+        container:
+          kubernetes_entrypoint:
+            runAsUser: 0
+            readOnlyRootFilesystem: false
+usage: |
+  {{ tuple . "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" }}
+return: |
+  - name: init
+    image: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+    imagePullPolicy: IfNotPresent
+    securityContext:
+      allowPrivilegeEscalation: false
+      readOnlyRootFilesystem: false
+      runAsUser: 0
+
+    env:
+      - name: POD_NAME
+        valueFrom:
+          fieldRef:
+            apiVersion: v1
+            fieldPath: metadata.name
+      - name: NAMESPACE
+        valueFrom:
+          fieldRef:
+            apiVersion: v1
+            fieldPath: metadata.namespace
+      - name: INTERFACE_NAME
+        value: eth0
+      - name: PATH
+        value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+      - name: DEPENDENCY_SERVICE
+        value: "default:etcd,docker-registry:localhost"
+      - name: DEPENDENCY_JOBS
+        value: "calico-image-repo-sync"
+      - name: DEPENDENCY_DAEMONSET
+        value: ""
+      - name: DEPENDENCY_CONTAINER
+        value: ""
+      - name: DEPENDENCY_POD_JSON
+        value: ""
+      - name: DEPENDENCY_CUSTOM_RESOURCE
+        value: "[{\"apiVersion\":\"argoproj.io/v1alpha1\",\"kind\":\"Workflow\",\"namespace\":\"default\",\"name\":\"wf-example\",\"fields\":[{\"key\":\"status.phase\",\"value\":\"Succeeded\"}]}]"
+    command:
+      - kubernetes-entrypoint
+    volumeMounts:
+      []
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" -}}
+Values:
+  pod:
+    security_context:
+      kubernetes_entrypoint:
+        container:
+          kubernetes_entrypoint:
+            runAsUser: 65534
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $mounts := index . 2 -}}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+
+{{- if and ($envAll.Values.manifests.job_rabbit_init) (hasKey $envAll.Values.dependencies "dynamic") -}}
+{{- if $envAll.Values.dependencies.dynamic.job_rabbit_init -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component) ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component)) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+{{- range $deps.custom_resources }}
+{{- $_ := set . "namespace" $envAll.Release.Namespace -}}
+{{- end -}}
+{{- $default_security_context := include "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" . | fromYaml }}
+{{- $patchedEnvAll := mergeOverwrite $default_security_context $envAll }}
+- name: init
+{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
+{{- dict "envAll" $patchedEnvAll "application" "kubernetes_entrypoint" "container" "kubernetes_entrypoint" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 2 }}
+  env:
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          apiVersion: v1
+          fieldPath: metadata.name
+    - name: NAMESPACE
+      valueFrom:
+        fieldRef:
+          apiVersion: v1
+          fieldPath: metadata.namespace
+    - name: INTERFACE_NAME
+      value: eth0
+    - name: PATH
+      value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+    - name: DEPENDENCY_SERVICE
+      value: "{{ tuple $deps.services $envAll | include "helm-toolkit.utils.comma_joined_service_list" }}"
+{{- if $deps.jobs -}}
+  {{- if kindIs "string" (index $deps.jobs 0) }}
+    - name: DEPENDENCY_JOBS
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.jobs }}"
+  {{- else }}
+    - name: DEPENDENCY_JOBS_JSON
+      value: {{- toJson $deps.jobs | quote -}}
+  {{- end -}}
+{{- end }}
+    - name: DEPENDENCY_DAEMONSET
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.daemonset }}"
+    - name: DEPENDENCY_CONTAINER
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.container }}"
+    - name: DEPENDENCY_POD_JSON
+      value: {{ if $deps.pod }}{{ toJson $deps.pod | quote }}{{ else }}""{{ end }}
+    - name: DEPENDENCY_CUSTOM_RESOURCE
+      value: {{ if $deps.custom_resources }}{{ toJson $deps.custom_resources | quote }}{{ else }}""{{ end }}
+  command:
+    - kubernetes-entrypoint
+  volumeMounts:
+{{ toYaml $mounts | indent 4 }}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
new file mode 100644
index 0000000..34a7da3
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
@@ -0,0 +1,20 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_kubectl_params" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{ print "-l application=" $application " -l component=" $component }}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
new file mode 100644
index 0000000..92d3ea5
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders mandatory access control annotations for a list of containers
+  driven by values.yaml. As of now, it can only generate an apparmor
+  annotation, but in the future could generate others.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      myPodName:
+        myContainerName: localhost/myAppArmor
+        mySecondContainerName: localhost/secondProfile # optional
+        myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+  {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" }}
+return: |
+  container.apparmor.security.beta.kubernetes.io/myContainerName: localhost/myAppArmor
+  container.apparmor.security.beta.kubernetes.io/mySecondContainerName: localhost/secondProfile
+  container.apparmor.security.beta.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+  The number of container underneath is a variable arguments. It loops through
+  all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- $macType := $envAll.Values.pod.mandatory_access_control.type -}}
+{{- if $macType -}}
+{{- if eq $macType "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control $podName -}}
+{{- range $name := $containerNames -}}
+{{- $apparmorProfile := index $envAll.Values.pod.mandatory_access_control $podName $name -}}
+{{- if $apparmorProfile }}
+container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
new file mode 100644
index 0000000..48b53fa
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders a set of standardised labels
+values: |
+  release_group: null
+  pod:
+    labels:
+      default:
+        label1.example.com: value
+      bar:
+        label2.example.com: bar
+usage: |
+  {{ tuple . "foo" "bar" | include "helm-toolkit.snippets.kubernetes_metadata_labels" }}
+return: |
+  release_group: RELEASE-NAME
+  application: foo
+  component: bar
+  label1.example.com: value
+  label2.example.com: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+release_group: {{ $envAll.Values.release_group | default $envAll.Release.Name }}
+application: {{ $application }}
+component: {{ $component }}
+{{- if ($envAll.Values.pod).labels }}
+{{- if hasKey $envAll.Values.pod.labels $component }}
+{{ index $envAll.Values.pod "labels" $component | toYaml }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.labels "default" }}
+{{ $envAll.Values.pod.labels.default | toYaml }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
new file mode 100644
index 0000000..fabbcf8
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
@@ -0,0 +1,89 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes anti affinity rules, this function supports both hard
+  'requiredDuringSchedulingIgnoredDuringExecution' and soft
+  'preferredDuringSchedulingIgnoredDuringExecution' types.
+values: |
+  pod:
+    affinity:
+      anti:
+        topologyKey:
+          default: kubernetes.io/hostname
+        type:
+          default: requiredDuringSchedulingIgnoredDuringExecution
+        weight:
+          default: 10
+usage: |
+  {{ tuple . "appliction_x" "component_y" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" }}
+return: |
+  podAntiAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+    - labelSelector:
+        matchExpressions:
+          - key: release_group
+            operator: In
+            values:
+            - RELEASE-NAME
+          - key: application
+            operator: In
+            values:
+            - appliction_x
+          - key: component
+            operator: In
+            values:
+            - component_y
+          topologyKey: kubernetes.io/hostname
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $component := index . "component" -}}
+{{- $expressionRelease := dict "key" "release_group" "operator" "In"  "values" ( list ( $envAll.Values.release_group | default $envAll.Release.Name ) ) -}}
+{{- $expressionApplication := dict "key" "application" "operator" "In"  "values" ( list $application ) -}}
+{{- $expressionComponent := dict "key" "component" "operator" "In"  "values" ( list $component ) -}}
+{{- list $expressionRelease $expressionApplication $expressionComponent | toYaml }}
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{- $antiAffinityType := index $envAll.Values.pod.affinity.anti.type $component | default $envAll.Values.pod.affinity.anti.type.default }}
+{{- $antiAffinityKey := index $envAll.Values.pod.affinity.anti.topologyKey $component | default $envAll.Values.pod.affinity.anti.topologyKey.default }}
+podAntiAffinity:
+{{- $matchExpressions := include "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" ( dict "envAll" $envAll "application" $application "component" $component ) -}}
+{{- if eq $antiAffinityType "preferredDuringSchedulingIgnoredDuringExecution" }}
+  {{ $antiAffinityType }}:
+  - podAffinityTerm:
+      labelSelector:
+        matchExpressions:
+{{ $matchExpressions | indent 10 }}
+      topologyKey: {{ $antiAffinityKey }}
+{{- if  $envAll.Values.pod.affinity.anti.weight }}
+    weight: {{ index $envAll.Values.pod.affinity.anti.weight $component | default $envAll.Values.pod.affinity.anti.weight.default }}
+{{- else }}
+    weight: 10
+{{- end -}}
+{{- else if eq $antiAffinityType "requiredDuringSchedulingIgnoredDuringExecution" }}
+  {{ $antiAffinityType }}:
+  - labelSelector:
+      matchExpressions:
+{{ $matchExpressions | indent 8 }}
+    topologyKey: {{ $antiAffinityKey }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
new file mode 100644
index 0000000..74173dc
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders image pull secrets for a pod
+values: |
+  pod:
+    image_pull_secrets:
+      default:
+        - name: some-pull-secret
+      bar:
+        - name: another-pull-secret
+usage: |
+  {{ tuple . "bar" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" }}
+return: |
+  imagePullSecrets:
+    - name: some-pull-secret
+    - name: another-pull-secret
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_image_pull_secrets" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- if ($envAll.Values.pod).image_pull_secrets }}
+imagePullSecrets:
+{{- if hasKey $envAll.Values.pod.image_pull_secrets $application }}
+{{ index $envAll.Values.pod "image_pull_secrets" $application | toYaml | indent 2 }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.image_pull_secrets "default" }}
+{{ $envAll.Values.pod.image_pull_secrets.default | toYaml | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
new file mode 100644
index 0000000..90a7a65
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{{- $saName := index . 2 | replace "_" "-" }}
+{{- $saNamespace := index . 3 -}}
+{{- $releaseName := $envAll.Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $releaseName }}-{{ $saName }}
+  namespace: {{ $saNamespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $saName }}
+    namespace: {{ $saNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+  namespace: {{ $saNamespace }}
+rules:
+  - apiGroups:
+      - ""
+      - extensions
+      - batch
+      - apps
+    verbs:
+      - get
+      - list
+    resources:
+      {{- range $k, $v := $deps -}}
+      {{ if eq $v "daemonsets" }}
+      - daemonsets
+      {{- end -}}
+      {{ if eq $v "jobs" }}
+      - jobs
+      {{- end -}}
+      {{ if or (eq $v "pods") (eq $v "daemonsets") (eq $v "jobs") }}
+      - pods
+      {{- end -}}
+      {{ if eq $v "services" }}
+      - services
+      - endpoints
+      {{- end -}}
+      {{ if eq $v "secrets" }}
+      - secrets
+      {{- end -}}
+      {{- end -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
new file mode 100644
index 0000000..4cc898d
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $saName := index . 2 -}}
+{{- $saNamespace := $envAll.Release.Namespace }}
+{{- $randomKey := randAlphaNum 32 }}
+{{- $allNamespace := dict $randomKey "" }}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $saName }}
+  namespace: {{ $saNamespace }}
+{{- range $k, $v := $deps -}}
+{{- if eq $k "services" }}
+{{- range $serv := $v }}
+{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
+{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
+{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
+{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- else if and (eq $k "jobs") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "daemonset") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "pod") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "pods," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "secret") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "secrets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- $_ := unset $allNamespace $randomKey }}
+{{- range $ns, $vv := $allNamespace }}
+{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
+{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
new file mode 100644
index 0000000..3a4fbaa
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
@@ -0,0 +1,67 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders securityContext for a Kubernetes pod.
+  For pod level, seurity context see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#podsecuritycontext-v1-core
+examples:
+  - values: |
+      pod:
+        # NOTE: The 'user' key is deprecated, and will be removed shortly.
+        user:
+          myApp:
+            uid: 34356
+        security_context:
+          myApp:
+            pod:
+              runAsNonRoot: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+    return: |
+      securityContext:
+        runAsUser: 34356
+        runAsNonRoot: true
+  - values: |
+      pod:
+        security_context:
+          myApp:
+            pod:
+              runAsUser: 34356
+              runAsNonRoot: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+    return: |
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+securityContext:
+{{- if hasKey $envAll.Values.pod "user" }}
+{{- if hasKey $envAll.Values.pod.user $application }}
+{{- if hasKey ( index $envAll.Values.pod.user $application ) "uid" }}
+  runAsUser: {{ index $envAll.Values.pod.user $application "uid" }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{ toYaml ( index $envAll.Values.pod.security_context $application "pod" ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
new file mode 100644
index 0000000..7470760
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes liveness and readiness probes for containers
+values: |
+  pod:
+    probes:
+      api:
+        default:
+          readiness:
+            enabled: true
+            params:
+              initialDelaySeconds: 30
+              timeoutSeconds: 30
+usage: |
+  {{- define "probeTemplate" }}
+  httpGet:
+    path: /status
+    port: 9090
+  {{- end }}
+  {{ dict "envAll" . "component" "api" "container" "default" "type" "readiness" "probeTemplate" (include "probeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" }}
+return: |
+  readinessProbe:
+    httpGet:
+      path: /status
+      port: 9090
+    initialDelaySeconds: 30
+    timeoutSeconds: 30
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_probe" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $container := index . "container" -}}
+{{- $type := index . "type" -}}
+{{- $probeTemplate := index . "probeTemplate" -}}
+{{- $probeOpts := index $envAll.Values.pod.probes $component $container $type -}}
+{{- if $probeOpts.enabled -}}
+{{- $probeOverides := index $probeOpts "params" | default dict -}}
+{{ dict ( printf "%sProbe" $type ) (mergeOverwrite $probeTemplate $probeOverides ) | toYaml }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
new file mode 100644
index 0000000..24d30cf
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
@@ -0,0 +1,53 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Note: This function is deprecated and will be removed in the future.
+
+abstract: |
+  Renders kubernetes resource limits for pods
+values: |
+  pod:
+    resources:
+      enabled: true
+      api:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+          hugepages-1Gi: "1Gi"
+
+usage: |
+  {{ include "helm-toolkit.snippets.kubernetes_resources" ( tuple . .Values.pod.resources.api ) }}
+return: |
+  resources:
+    limits:
+      cpu: "2000m"
+      memory: "1024Mi"
+      hugepages-1Gi: "1Gi"
+    requests:
+      cpu: "100m"
+      memory: "128Mi
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_resources" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- if $envAll.Values.pod.resources.enabled -}}
+resources:
+{{ toYaml $component | trim | indent 2 }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
new file mode 100644
index 0000000..555ffb0
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders seccomp annotations for a list of containers driven by values.yaml.
+values: |
+  pod:
+    seccomp:
+      myPodName:
+        myContainerName: localhost/mySeccomp
+        mySecondContainerName: localhost/secondProfile # optional
+        myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+  {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_seccomp_annotation" }}
+return: |
+  container.seccomp.security.alpha.kubernetes.io/myContainerName: localhost/mySeccomp
+  container.seccomp.security.alpha.kubernetes.io/mySecondContainerName: localhost/secondProfile
+  container.seccomp.security.alpha.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+  The number of container underneath is a variable arguments. It loops through
+  all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_seccomp_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey (index $envAll.Values.pod "seccomp") $podName -}}
+{{- range $name := $containerNames -}}
+{{- $seccompProfile := index $envAll.Values.pod.seccomp $podName $name -}}
+{{- if $seccompProfile }}
+container.seccomp.security.alpha.kubernetes.io/{{ $name }}: {{ $seccompProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
new file mode 100644
index 0000000..e4af6a6
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes tolerations for pods
+values: |
+  pod:
+    tolerations:
+      api:
+        enabled: true
+        tolerations:
+        - key: node-role.kubernetes.io/master
+          operator: Exists
+        - key: node-role.kubernetes.io/node
+          operator: Exists
+
+usage: |
+  {{ include "helm-toolkit.snippets.kubernetes_tolerations" ( tuple . .Values.pod.tolerations.api ) }}
+return: |
+  tolerations:
+  - key: node-role.kubernetes.io/master
+    operator: Exists
+  - key: node-role.kubernetes.io/node
+    operator: Exists
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_tolerations" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $pod := index $envAll.Values.pod.tolerations $component }}
+tolerations:
+{{ toYaml $pod.tolerations }}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
new file mode 100644
index 0000000..69cee47
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_daemonset" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $upgradeMap := index $envAll.Values.pod.lifecycle.upgrades.daemonsets $component -}}
+{{- $pod_replacement_strategy := $envAll.Values.pod.lifecycle.upgrades.daemonsets.pod_replacement_strategy -}}
+{{- with $upgradeMap -}}
+{{- if .enabled }}
+minReadySeconds: {{ .min_ready_seconds }}
+updateStrategy:
+  type: {{ $pod_replacement_strategy }}
+  {{- if $pod_replacement_strategy }}
+  {{- if eq $pod_replacement_strategy "RollingUpdate" }}
+  rollingUpdate:
+    maxUnavailable: {{ .max_unavailable }}
+  {{- end }}
+  {{- end }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
new file mode 100644
index 0000000..be28cdb
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_deployment" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.deployments -}}
+revisionHistoryLimit: {{ .revision_history }}
+strategy:
+  type: {{ .pod_replacement_strategy }}
+  {{- if eq .pod_replacement_strategy "RollingUpdate" }}
+  rollingUpdate:
+    maxUnavailable: {{ .rolling_update.max_unavailable }}
+    maxSurge: {{ .rolling_update.max_surge }}
+  {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
new file mode 100644
index 0000000..f897023
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders upgradeStrategy configuration for Kubernetes statefulsets.
+  See: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+  Types:
+    - RollingUpdate (default)
+    - OnDelete
+  Partitions:
+    - Stage updates to a statefulset by keeping pods at current version while
+      allowing mutations to statefulset's .spec.template
+values: |
+  pod:
+    lifecycle:
+      upgrades:
+        statefulsets:
+          pod_replacement_strategy: RollingUpdate
+          partition: 2
+usage: |
+  {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_statefulset" | indent 2 }}
+return: |
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      partition: 2
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_statefulset" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.statefulsets -}}
+updateStrategy:
+  type: {{ .pod_replacement_strategy }}
+  {{ if .partition -}}
+  rollingUpdate:
+    partition: {{ .partition }}
+  {{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
new file mode 100644
index 0000000..fc74c6f
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
@@ -0,0 +1,68 @@
+{{- define "helm-toolkit.snippets.mon_host_from_k8s_ep" -}}
+{{/*
+
+Inserts a bash function definition mon_host_from_k8s_ep() which can be used
+to construct a mon_hosts value from the given namespaced endpoint.
+
+Usage (e.g. in _script.sh.tpl):
+    #!/bin/bash
+
+    : "${NS:=ceph}"
+    : "${EP:=ceph-mon-discovery}"
+
+    {{ include "helm-toolkit.snippets.mon_host_from_k8s_ep" . }}
+
+    MON_HOST=$(mon_host_from_k8s_ep "$NS" "$EP")
+
+    if [ -z "$MON_HOST" ]; then
+        # deal with failure
+    else
+        sed -i -e "s/^mon_host = /mon_host = $MON_HOST/" /etc/ceph/ceph.conf
+    fi
+*/}}
+{{`
+# Construct a mon_hosts value from the given namespaced endpoint
+# IP x.x.x.x with port p named "mon-msgr2" will appear as [v2:x.x.x.x/p/0]
+# IP x.x.x.x with port q named "mon" will appear as [v1:x.x.x.x/q/0]
+# IP x.x.x.x with ports p and q will appear as [v2:x.x.x.x/p/0,v1:x.x.x.x/q/0]
+# The entries for all IPs will be joined with commas
+mon_host_from_k8s_ep() {
+  local ns=$1
+  local ep=$2
+
+  if [ -z "$ns" ] || [ -z "$ep" ]; then
+    return 1
+  fi
+
+  # We don't want shell expansion for the go-template expression
+  # shellcheck disable=SC2016
+  kubectl get endpoints -n "$ns" "$ep" -o go-template='
+    {{- $sep := "" }}
+    {{- range $_,$s := .subsets }}
+      {{- $v2port := 0 }}
+      {{- $v1port := 0 }}
+      {{- range $_,$port := index $s "ports" }}
+        {{- if (eq $port.name "mon-msgr2") }}
+          {{- $v2port = $port.port }}
+        {{- else if (eq $port.name "mon") }}
+          {{- $v1port = $port.port }}
+        {{- end }}
+      {{- end }}
+      {{- range $_,$address := index $s "addresses" }}
+        {{- $v2endpoint := printf "v2:%s:%d/0" $address.ip $v2port }}
+        {{- $v1endpoint := printf "v1:%s:%d/0" $address.ip $v1port }}
+        {{- if (and $v2port $v1port) }}
+          {{- printf "%s[%s,%s]" $sep $v2endpoint $v1endpoint }}
+          {{- $sep = "," }}
+        {{- else if $v2port }}
+          {{- printf "%s[%s]" $sep $v2endpoint }}
+          {{- $sep = "," }}
+        {{- else if $v1port }}
+          {{- printf "%s[%s]" $sep $v1endpoint }}
+          {{- $sep = "," }}
+        {{- end }}
+      {{- end }}
+    {{- end }}'
+}
+`}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
new file mode 100644
index 0000000..fec41f8
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape jobs via pod
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape pods that have a value of `true`
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: Scrape the pod on the indicated port instead of the
+# pod's declared ports (default is a port-free target if none are declared).
+
+{{- define "helm-toolkit.snippets.prometheus_pod_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
new file mode 100644
index 0000000..a827c4b
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
@@ -0,0 +1,35 @@
+{{/*
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+   http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape endpoints via
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape services that have a value of `true`
+# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
+# to set this to `https` & most likely set the `tls_config` of the scrape config.
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: If the metrics are exposed on a different port to the
+# service then set this appropriately.
+
+{{- define "helm-toolkit.snippets.prometheus_service_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.scheme }}
+prometheus.io/scheme: {{ $config.scheme | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_release_uuid.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
new file mode 100644
index 0000000..253920b
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Reneders an attonation key and value for a release
+values: |
+  release_uuid: null
+usage: |
+  {{ tuple . | include "helm-toolkit.snippets.release_uuid" }}
+return: |
+  "openstackhelm.openstack.org/release_uuid": ""
+*/}}
+
+{{- define "helm-toolkit.snippets.release_uuid" -}}
+{{- $envAll := index . 0 -}}
+"openstackhelm.openstack.org/release_uuid": {{ $envAll.Values.release_uuid | default "" | quote }}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
new file mode 100644
index 0000000..a3169ce
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_admin_env_vars" }}
+{{- $s3AdminSecret := .s3AdminSecret }}
+- name: S3_ADMIN_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_USERNAME
+- name: S3_ADMIN_ACCESS_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_ACCESS_KEY
+- name: S3_ADMIN_SECRET_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_SECRET_KEY
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
new file mode 100644
index 0000000..a611a5e
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_secret_creds" }}
+{{- range $client, $config := .Values.storage.s3.clients -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+type: Opaque
+data:
+{{- range $key, $value := $config.auth }}
+  {{ $key | upper }}: {{ $value | toString | b64enc}}
+{{- end }}
+
+{{ end }}
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
new file mode 100644
index 0000000..a3dd431
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_user_env_vars" }}
+{{- range $client, $user := .Values.storage.s3.clients }}
+{{- $s3secret := printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+- name: {{ printf "%s_S3_USERNAME" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: USERNAME
+- name: {{ printf "%s_S3_ACCESS_KEY" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: ACCESS_KEY
+- name: {{ printf "%s_S3_SECRET_KEY" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: SECRET_KEY
+{{- end }}
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_tls_volume.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
new file mode 100644
index 0000000..41fe3d9
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+  Renders a secret volume for tls.
+
+  Dictionary Parameters:
+    enabled: boolean check if you want to conditional disable this snippet (optional)
+    name: name of the volume (required)
+    secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional)
+
+values: |
+  manifests:
+    certificates: true
+
+usage: |
+  {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume" -}}
+
+return: |
+  - name: glance-tls-api
+    secret:
+      secretName: glance-tls-api
+      defaultMode: 292
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $secretName := index . "secretName" | default $name -}}
+{{- if and $enabled (ne $name "") }}
+- name: {{ $name }}
+  secret:
+    secretName: {{ $secretName }}
+    defaultMode: 292
+{{- end }}
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
new file mode 100644
index 0000000..9cfa819
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
@@ -0,0 +1,82 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+  Renders a volume mount for TLS key, cert and CA.
+
+  Dictionary Parameters:
+    enabled: boolean check if you want to conditional disable this snippet (optional)
+    name: name that of the volume and should match the volume name (required)
+    path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required)
+    certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}.
+          the default is the full set. (optional)
+
+values: |
+  manifests:
+    certificates: true
+
+usage: |
+  {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/tls.crt
+    subPath: tls.crt
+    readOnly: true
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/tls.key
+    subPath: tls.key
+    readOnly: true
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/ca.crt
+    subPath: ca.crt
+    readOnly: true
+
+abstract: |
+  This mounts a specific issuing CA only for service validation
+
+usage: |
+  {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+  - name: glance-tls-api
+    mountPath: /etc/ssl/certs/openstack-helm.crt
+    subPath: ca.crt
+    readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume_mount" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $path := index . "path" | default "" -}}
+{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }}
+{{- if $enabled }}
+{{- if and (eq $path "") (ne $name "") }}
+- name: {{ $name }}
+  mountPath: "/etc/ssl/certs/openstack-helm.crt"
+  subPath: ca.crt
+  readOnly: true
+{{- else }}
+{{- if ne $name "" }}
+{{- range $key, $value := $certs }}
+- name: {{ $name }}
+  mountPath: {{ printf "%s/%s" $path $value }}
+  subPath: {{ $value }}
+  readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
new file mode 100644
index 0000000..6e9d5a1
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
@@ -0,0 +1,87 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders out configuration sections into a format suitable for incorporation
+  into a config-map. Allowing various forms of input to be rendered out as
+  appropriate.
+values: |
+  conf:
+    inputs:
+      - foo
+      - bar
+    some:
+      config_to_render: |
+        #We can use all of gotpl here: eg macros, ranges etc.
+        {{ include "helm-toolkit.utils.joinListWithComma" .Values.conf.inputs }}
+      config_to_complete:
+        #here we can fill out params, but things need to be valid yaml as input
+        '{{ .Release.Name }}': '{{ printf "%s-%s" .Release.Namespace "namespace" }}'
+      static_config:
+        #this is just passed though as yaml to the configmap
+        foo: bar
+usage: |
+  {{- $envAll := . }}
+  ---
+  apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: application-etc
+  data:
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_render "key" "config_to_render.conf") | indent 2 }}
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_complete "key" "config_to_complete.yaml") | indent 2 }}
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.static_config "key" "static_config.yaml") | indent 2 }}
+return: |
+  ---
+  apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: application-etc
+  data:
+    config_to_render.conf: |
+      #We can use all of gotpl here: eg macros, ranges etc.
+      foo,bar
+
+    config_to_complete.yaml: |
+      'RELEASE-NAME': 'default-namespace'
+
+    static_config.yaml: |
+      foo: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.values_template_renderer" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $template := index . "template" -}}
+{{- $key := index . "key" -}}
+{{- $format := index . "format" | default "configMap" -}}
+{{- with $envAll -}}
+{{- $templateRendered := tpl ( $template | toYaml ) . }}
+{{- if eq $format "Secret" }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: {{ regexReplaceAllLiteral "\n  " ( $templateRendered | trimPrefix "|\n" | trimPrefix "  " ) "\n" | b64enc }}
+{{- else }}
+{{ $key }}: {{ $templateRendered | b64enc }}
+{{- end -}}
+{{- else }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: |
+{{ regexReplaceAllLiteral "\n  " ( $templateRendered | trimPrefix "|\n" | trimPrefix "  " ) "\n" | indent 2 }}
+{{- else }}
+{{ $key }}: |
+{{ $templateRendered | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl b/charts/heat/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
new file mode 100644
index 0000000..6d617a1
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
@@ -0,0 +1,94 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Produces a certificate from a certificate authority. If the "encode" parameter
+  is true, base64 encode the values for inclusion in a Kubernetes secret.
+values: |
+  test:
+    hosts:
+      names:
+        - barbican.openstackhelm.example
+        - barbican.openstack.svc.cluster.local
+      ips:
+        - 127.0.0.1
+        - 192.168.0.1
+    life: 3
+    # Use ca.crt and ca.key to build a customized ca, if they are provided.
+    # Use hosts.names[0] and life to auto-generate a ca, if ca is not provided.
+    ca:
+      crt: |
+        <CA CRT>
+      key: |
+        <CA PRIVATE KEY>
+usage: |
+  {{ include "helm-toolkit.utils.tls_generate_certs" (dict "params" .Values.test) }}
+return: |
+  ca: |
+    <CA CRT>
+  crt: |
+    <CRT>
+  exp: 2018-09-01T10:56:07.895392915-00:00
+  key: |
+    <CRT PRIVATE KEY>
+*/}}
+
+{{- define "helm-toolkit.utils.tls_generate_certs" -}}
+{{- $params := index . "params" -}}
+{{- $encode := index . "encode" | default false -}}
+{{- $local := dict -}}
+
+{{- $_hosts := $params.hosts.names | default list }}
+{{- if kindIs "string" $params.hosts.names }}
+{{- $_ := set $local "certHosts" (list $params.hosts.names) }}
+{{- else }}
+{{- $_ := set $local "certHosts" $_hosts }}
+{{- end }}
+
+{{- $_ips := $params.hosts.ips | default list }}
+{{- if kindIs "string" $params.hosts.ips }}
+{{- $_ := set $local "certIps" (list $params.hosts.ips) }}
+{{- else }}
+{{- $_ := set $local "certIps" $_ips }}
+{{- end }}
+
+{{- if hasKey $params "ca" }}
+{{- if and (hasKey $params.ca "crt") (hasKey $params.ca "key") }}
+{{- $ca := buildCustomCert ($params.ca.crt | b64enc ) ($params.ca.key | b64enc ) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+{{- else }}
+{{- $ca := genCA (first $local.certHosts) (int $params.life) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+
+{{- $expDate := date_in_zone "2006-01-02T15:04:05Z07:00" ( date_modify (printf "+%sh" (mul $params.life 24 |toString)) now ) "UTC" }}
+{{- $rawCert := genSignedCert (first $local.certHosts) ($local.certIps) ($local.certHosts) (int $params.life) $local.ca }}
+{{- $certificate := dict -}}
+{{- if $encode -}}
+{{- $_ := b64enc $rawCert.Cert | set $certificate "crt" -}}
+{{- $_ := b64enc $rawCert.Key | set $certificate "key" -}}
+{{- $_ := b64enc $local.ca.Cert | set $certificate "ca" -}}
+{{- $_ := b64enc $local.ca.Key | set $certificate "caKey" -}}
+{{- $_ := b64enc $expDate | set $certificate "exp" -}}
+{{- else -}}
+{{- $_ := set $certificate "crt" $rawCert.Cert -}}
+{{- $_ := set $certificate "key" $rawCert.Key -}}
+{{- $_ := set $certificate "ca" $local.ca.Cert -}}
+{{- $_ := set $certificate "caKey" $local.ca.Key -}}
+{{- $_ := set $certificate "exp" $expDate -}}
+{{- end -}}
+{{- $certificate | toYaml }}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl b/charts/heat/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
new file mode 100644
index 0000000..e26501f
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a comma separated list of namespace:service pairs.
+values: |
+  dependencies:
+    static:
+      api:
+        services:
+          - endpoint: internal
+            service: oslo_cache
+          - endpoint: internal
+            service: oslo_db
+  endpoints:
+    oslo_db:
+      namespace: foo
+      hosts:
+        default: mariadb
+    oslo_cache:
+      namespace: bar
+      hosts:
+        default: memcache
+usage: |
+  {{ tuple .Values.dependencies.static.api.services . | include "helm-toolkit.utils.comma_joined_service_list" }}
+return: |
+  bar:memcache,foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.utils.comma_joined_service_list" -}}
+{{- $deps := index . 0 -}}
+{{- $envAll := index . 1 -}}
+{{- range $k, $v := $deps -}}{{- if $k -}},{{- end -}}{{ tuple $v.service $v.endpoint $envAll | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}{{- end -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/utils/_configmap_templater.tpl b/charts/heat/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
new file mode 100644
index 0000000..7095c19
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
@@ -0,0 +1,30 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.configmap_templater" }}
+{{- $keyRoot := index . 0 -}}
+{{- $configTemplate := index . 1 -}}
+{{- $context := index . 2 -}}
+{{ if $keyRoot.override -}}
+{{ $keyRoot.override | indent 4 }}
+{{- else -}}
+{{- if $keyRoot.prefix -}}
+{{ $keyRoot.prefix | indent 4 }}
+{{- end }}
+{{ tuple $configTemplate $context | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if $keyRoot.append -}}
+{{ $keyRoot.append | indent 4 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl b/charts/heat/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
new file mode 100644
index 0000000..40359f0
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
@@ -0,0 +1,269 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.daemonset_overrides" }}
+  {{- $daemonset := index . 0 }}
+  {{- $daemonset_yaml := index . 1 }}
+  {{- $configmap_include := index . 2 }}
+  {{- $configmap_name := index . 3 }}
+  {{- $context := index . 4 }}
+  {{- $_ := unset $context ".Files" }}
+  {{- $daemonset_root_name := printf (print $context.Chart.Name "_" $daemonset) }}
+  {{- $_ := set $context.Values "__daemonset_list" list }}
+  {{- $_ := set $context.Values "__default" dict }}
+  {{- if hasKey $context.Values.conf "overrides" }}
+    {{- range $key, $val := $context.Values.conf.overrides }}
+
+      {{- if eq $key $daemonset_root_name }}
+        {{- range $type, $type_data := . }}
+
+          {{- if eq $type "hosts" }}
+            {{- range $host_data := . }}
+              {{/* dictionary that will contain all info needed to generate this
+              iteration of the daemonset */}}
+              {{- $current_dict := dict }}
+
+              {{/* set daemonset name */}}
+              {{/* Note: long hostnames can cause the 63 char name limit to be
+              exceeded. Truncate the hostname if hostname > 20 char */}}
+              {{- if gt (len $host_data.name) 20 }}
+                {{- $_ := set $current_dict "name" (substr 0 20 $host_data.name) }}
+              {{- else }}
+                {{- $_ := set $current_dict "name" $host_data.name }}
+              {{- end }}
+
+              {{/* apply overrides */}}
+              {{- $override_conf_copy := $host_data.conf }}
+              {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+              {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+              {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+              {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+              {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+              {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+              {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+              {{- $_ := set $current_dict "nodeData" $root_conf_copy4 }}
+
+              {{/* Schedule to this host explicitly. */}}
+              {{- $nodeSelector_dict := dict }}
+
+              {{- $_ := set $nodeSelector_dict "key" "kubernetes.io/hostname" }}
+              {{- $_ := set $nodeSelector_dict "operator" "In" }}
+
+              {{- $values_list := list $host_data.name }}
+              {{- $_ := set $nodeSelector_dict "values" $values_list }}
+
+              {{- $list_aggregate := list $nodeSelector_dict }}
+              {{- $_ := set $current_dict "matchExpressions" $list_aggregate }}
+
+              {{/* store completed daemonset entry/info into global list */}}
+              {{- $list_aggregate := append $context.Values.__daemonset_list $current_dict }}
+              {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+            {{- end }}
+          {{- end }}
+
+          {{- if eq $type "labels" }}
+            {{- $_ := set $context.Values "__label_list" . }}
+            {{- range $label_data := . }}
+              {{/* dictionary that will contain all info needed to generate this
+              iteration of the daemonset. */}}
+              {{- $_ := set $context.Values "__current_label" dict }}
+
+              {{/* set daemonset name */}}
+              {{- $_ := set $context.Values.__current_label "name" $label_data.label.key }}
+
+              {{/* apply overrides */}}
+              {{- $override_conf_copy := $label_data.conf }}
+              {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+              {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+              {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+              {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+              {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+              {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+              {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+              {{- $_ := set $context.Values.__current_label "nodeData" $root_conf_copy4 }}
+
+              {{/* Schedule to the provided label value(s) */}}
+              {{- $label_dict := omit $label_data.label "NULL" }}
+              {{- $_ := set $label_dict "operator" "In" }}
+              {{- $list_aggregate := list $label_dict }}
+              {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+
+              {{/* Do not schedule to other specified labels, with higher
+              precedence as the list position increases. Last defined label
+              is highest priority. */}}
+              {{- $other_labels := without $context.Values.__label_list $label_data }}
+              {{- range $label_data2 := $other_labels }}
+                {{- $label_dict := omit $label_data2.label "NULL" }}
+
+                {{- $_ := set $label_dict "operator" "NotIn" }}
+
+                {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+                {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+              {{- end }}
+              {{- $_ := set $context.Values "__label_list" $other_labels }}
+
+              {{/* Do not schedule to any other specified hosts */}}
+              {{- range $type, $type_data := $val }}
+                {{- if eq $type "hosts" }}
+                  {{- range $host_data := . }}
+                    {{- $label_dict := dict }}
+
+                    {{- $_ := set $label_dict "key" "kubernetes.io/hostname" }}
+                    {{- $_ := set $label_dict "operator" "NotIn" }}
+
+                    {{- $values_list := list $host_data.name }}
+                    {{- $_ := set $label_dict "values" $values_list }}
+
+                    {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+                    {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+                  {{- end }}
+                {{- end }}
+              {{- end }}
+
+              {{/* store completed daemonset entry/info into global list */}}
+              {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__current_label }}
+              {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+              {{- $_ := unset $context.Values "__current_label" }}
+
+            {{- end }}
+          {{- end }}
+        {{- end }}
+
+        {{/* scheduler exceptions for the default daemonset */}}
+        {{- $_ := set $context.Values.__default "matchExpressions" list }}
+
+        {{- range $type, $type_data := . }}
+          {{/* Do not schedule to other specified labels */}}
+          {{- if eq $type "labels" }}
+            {{- range $label_data := . }}
+              {{- $default_dict := omit $label_data.label "NULL" }}
+
+              {{- $_ := set $default_dict "operator" "NotIn" }}
+
+              {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+              {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+            {{- end }}
+          {{- end }}
+          {{/* Do not schedule to other specified hosts */}}
+          {{- if eq $type "hosts" }}
+            {{- range $host_data := . }}
+              {{- $default_dict := dict }}
+
+              {{- $_ := set $default_dict "key" "kubernetes.io/hostname" }}
+              {{- $_ := set $default_dict "operator" "NotIn" }}
+
+              {{- $values_list := list $host_data.name }}
+              {{- $_ := set $default_dict "values" $values_list }}
+
+              {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+              {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+            {{- end }}
+          {{- end }}
+        {{- end }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+
+  {{/* generate the default daemonset */}}
+
+  {{/* set name */}}
+  {{- $_ := set $context.Values.__default "name" "default" }}
+
+  {{/* no overrides apply, so copy as-is */}}
+  {{- $root_conf_copy1 := omit $context.Values.conf "overrides" }}
+  {{- $root_conf_copy2 := dict "conf" $root_conf_copy1 }}
+  {{- $context_values := omit $context.Values "conf" }}
+  {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+  {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+  {{- $_ := set $context.Values.__default "nodeData" $root_conf_copy4 }}
+
+  {{/* add to global list */}}
+  {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__default }}
+  {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+  {{- range $current_dict := $context.Values.__daemonset_list }}
+
+    {{- $context_novalues := omit $context "Values" }}
+    {{- $merged_dict := mergeOverwrite $context_novalues $current_dict.nodeData }}
+    {{- $_ := set $current_dict "nodeData" $merged_dict }}
+    {{/* Deep copy original daemonset_yaml */}}
+    {{- $_ := set $context.Values "__daemonset_yaml" ($daemonset_yaml | toYaml | fromYaml) }}
+
+    {{/* name needs to be a DNS-1123 compliant name. Ensure lower case */}}
+    {{- $name_format1 := printf (print $daemonset_root_name "-" $current_dict.name) | lower }}
+    {{/* labels may contain underscores which would be invalid here, so we replace them with dashes
+    there may be other valid label names which would make for an invalid DNS-1123 name
+    but these will be easier to handle in future with sprig regex* functions
+    (not availabile in helm 2.5.1) */}}
+    {{- $name_format2 := $name_format1 | replace "_" "-" }}
+    {{/* To account for the case where the same label is defined multiple times in overrides
+    (but with different label values), we add a sha of the scheduling data to ensure
+    name uniqueness */}}
+    {{- $_ := set $current_dict "dns_1123_name" dict }}
+    {{- if hasKey $current_dict "matchExpressions" }}
+      {{- $_ := set $current_dict "dns_1123_name" (printf (print $name_format2 "-" ($current_dict.matchExpressions | quote | sha256sum | trunc 8))) }}
+    {{- else }}
+      {{- $_ := set $current_dict "dns_1123_name" $name_format2 }}
+    {{- end }}
+
+    {{/* set daemonset metadata name */}}
+    {{- if not $context.Values.__daemonset_yaml.metadata }}{{- $_ := set $context.Values.__daemonset_yaml "metadata" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }}
+    {{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }}
+
+    {{/* cross-reference configmap name to container volume definitions */}}
+    {{- $_ := set $context.Values "__volume_list" list }}
+    {{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }}
+      {{- $_ := set $context.Values "__volume" $current_volume }}
+      {{- if hasKey $context.Values.__volume "secret" }}
+        {{- if eq $context.Values.__volume.secret.secretName $configmap_name }}
+          {{- $_ := set $context.Values.__volume.secret "secretName" $current_dict.dns_1123_name }}
+        {{- end }}
+      {{- end }}
+      {{- $updated_list := append $context.Values.__volume_list $context.Values.__volume }}
+      {{- $_ := set $context.Values "__volume_list" $updated_list }}
+    {{- end }}
+    {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "volumes" $context.Values.__volume_list }}
+
+
+    {{/* populate scheduling restrictions */}}
+    {{- if hasKey $current_dict "matchExpressions" }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "spec" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "affinity" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity "nodeAffinity" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity "requiredDuringSchedulingIgnoredDuringExecution" dict }}{{- end }}
+      {{- $match_exprs := dict }}
+      {{- $_ := set $match_exprs "matchExpressions" $current_dict.matchExpressions }}
+      {{- $appended_match_expr := list $match_exprs }}
+      {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution "nodeSelectorTerms" $appended_match_expr }}
+    {{- end }}
+
+    {{/* input value hash for current set of values overrides */}}
+    {{- if not $context.Values.__daemonset_yaml.spec }}{{- $_ := set $context.Values.__daemonset_yaml "spec" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template }}{{- $_ := set $context.Values.__daemonset_yaml.spec "template" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template.metadata }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "metadata" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template.metadata.annotations }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata "annotations" dict }}{{- end }}
+    {{- $cmap := list $current_dict.dns_1123_name $current_dict.nodeData | include $configmap_include }}
+    {{- $values_hash := $cmap | quote | sha256sum }}
+    {{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata.annotations "configmap-etc-hash" $values_hash }}
+
+    {{/* generate configmap */}}
+---
+{{ $cmap }}
+    {{/* generate daemonset yaml */}}
+---
+{{ $context.Values.__daemonset_yaml | toYaml }}
+  {{- end }}
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl b/charts/heat/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
new file mode 100644
index 0000000..b99c00d
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.dependency_resolver" }}
+{{- $envAll := index . "envAll" -}}
+{{- $dependencyMixinParam := index . "dependencyMixinParam" -}}
+{{- $dependencyKey := index . "dependencyKey" -}}
+{{- if $dependencyMixinParam -}}
+{{- $_ := set $envAll.Values "pod_dependency" dict -}}
+{{- if kindIs "string" $dependencyMixinParam }}
+{{- if ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam ) }}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency ( index $envAll.Values.dependencies.static $dependencyKey ) ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam $dependencyKey ) ) -}}
+{{- else }}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- end }}
+{{- else if kindIs "slice" $dependencyMixinParam }}
+{{- $_ := set $envAll.Values "__deps" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- range $k, $v := $dependencyMixinParam -}}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency $envAll.Values.__deps ( index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey ) ) -}}
+{{- $_ := set $envAll.Values "__deps" $envAll.Values.pod_dependency -}}
+{{- end }}
+{{- end }}
+{{- else -}}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) -}}
+{{- end -}}
+{{ $envAll.Values.pod_dependency | toYaml }}
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/utils/_hash.tpl b/charts/heat/charts/helm-toolkit/templates/utils/_hash.tpl
new file mode 100644
index 0000000..d871b62
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/utils/_hash.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.hash" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{- include $wtf $context | sha256sum | quote -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/utils/_host_list.tpl b/charts/heat/charts/helm-toolkit/templates/utils/_host_list.tpl
new file mode 100644
index 0000000..0c32136
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/utils/_host_list.tpl
@@ -0,0 +1,44 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a list of unique hosts for an endpoint, in yaml.
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: mariadb
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.utils.host_list" }}
+return: |
+  hosts:
+  - mariadb
+  - mariadb.default
+*/}}
+
+{{- define "helm-toolkit.utils.host_list" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $host_fqdn := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $host_namespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $host_short := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{/* It is important that the FQDN host is 1st in this list, to ensure other function can use the 1st element for cert gen CN etc */}}
+{{- $host_list := list $host_fqdn $host_namespaced $host_short | uniq }}
+{{- dict "hosts" $host_list | toYaml }}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/utils/_image_sync_list.tpl b/charts/heat/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
new file mode 100644
index 0000000..51923b6
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.image_sync_list" -}}
+{{- $imageExcludeList := .Values.images.local_registry.exclude -}}
+{{- $imageDict := .Values.images.tags -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := $imageDict -}}
+{{- if not $local.first -}},{{- end -}}
+{{- if (not (has $k $imageExcludeList )) -}}
+{{- index $imageDict $k -}}
+{{- $_ := set $local "first" false -}}
+{{- end -}}{{- end -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl b/charts/heat/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
new file mode 100644
index 0000000..5eb5785
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a comma separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithComma" .Values.test }}
+return: |
+  foo,bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithComma" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl b/charts/heat/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
new file mode 100644
index 0000000..3bc6819
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a comma seperated string with single quotes
+  around each value.
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.test }}
+return: |
+  'foo','bar'
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}'{{- $v -}}'{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl b/charts/heat/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
new file mode 100644
index 0000000..40ebb15
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
@@ -0,0 +1,32 @@
+{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of prefixed values into a space separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ tuple "prefix" .Values.test | include "helm-toolkit.utils.joinListWithPrefix" }}
+return: |
+  prefixfoo prefixbar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithPrefix" -}}
+{{- $prefix := index . 0 -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := index . 1 -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $prefix -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl b/charts/heat/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
new file mode 100644
index 0000000..5912280
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a space separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithSpace" .Values.test }}
+return: |
+  foo bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithSpace" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/utils/_merge.tpl b/charts/heat/charts/helm-toolkit/templates/utils/_merge.tpl
new file mode 100644
index 0000000..ea80546
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/utils/_merge.tpl
@@ -0,0 +1,135 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Takes a tuple of values and merges into the first (target) one each subsequent
+(source) one in order. If all values to merge are maps, then the tuple can be
+passed as is and the target will be the result, otherwise pass a map with a
+"values" key containing the tuple of values to merge, and the merge result will
+be assigned to the "result" key of the passed map.
+
+When merging maps, for each key in the source, if the target does not define
+that key, the source value is assigned. If both define the key, then the key
+values are merged using this algorithm (recursively) and the result is assigned
+to the target key. Slices are merged by appending them and removing any
+duplicates, and when passing a map to this function and including a
+"merge_same_named" key set to true, then map items from the slices with the same
+value for the "name" key will be merged with each other. Any other values are
+merged by simply keeping the source, and throwing away the target.
+*/}}
+
+{{- define "helm-toolkit.utils.merge" -}}
+  {{- $local := dict -}}
+  {{- $_ := set $local "merge_same_named" false -}}
+  {{- if kindIs "map" $ -}}
+    {{- $_ := set $local "values" $.values -}}
+    {{- if hasKey $ "merge_same_named" -}}
+      {{- $_ := set $local "merge_same_named" $.merge_same_named -}}
+    {{- end -}}
+  {{- else -}}
+    {{- $_ := set $local "values" $ -}}
+  {{- end -}}
+
+  {{- $target := first $local.values -}}
+  {{- range $item := rest $local.values -}}
+    {{- $call := dict "target" $target "source" . "merge_same_named" $local.merge_same_named -}}
+    {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+    {{- $_ := set $local "result" $call.result -}}
+  {{- end -}}
+
+  {{- if kindIs "map" $ -}}
+    {{- $_ := set $ "result" $local.result -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge" -}}
+  {{- $local := dict -}}
+
+  {{- $_ := set $ "result" $.source -}}
+
+  {{/*
+  TODO: Should we `fail` when trying to merge a collection (map or slice) with
+  either a different kind of collection or a scalar?
+  */}}
+
+  {{- if and (kindIs "map" $.target) (kindIs "map" $.source) -}}
+    {{- range $key, $sourceValue := $.source -}}
+      {{- if not (hasKey $.target $key) -}}
+        {{- $_ := set $local "newTargetValue" $sourceValue -}}
+        {{- if kindIs "map" $sourceValue -}}
+          {{- $copy := dict -}}
+          {{- $call := dict "target" $copy "source" $sourceValue -}}
+          {{- $_ := include "helm-toolkit.utils._merge.shallow" $call -}}
+          {{- $_ := set $local "newTargetValue" $copy -}}
+        {{- end -}}
+      {{- else -}}
+        {{- $targetValue := index $.target $key -}}
+        {{- $call := dict "target" $targetValue "source" $sourceValue "merge_same_named" $.merge_same_named -}}
+        {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+        {{- $_ := set $local "newTargetValue" $call.result -}}
+      {{- end -}}
+      {{- $_ := set $.target $key $local.newTargetValue -}}
+    {{- end -}}
+    {{- $_ := set $ "result" $.target -}}
+  {{- else if and (kindIs "slice" $.target) (kindIs "slice" $.source) -}}
+    {{- $call := dict "target" $.target "source" $.source -}}
+    {{- $_ := include "helm-toolkit.utils._merge.append_slice" $call -}}
+    {{- if $.merge_same_named -}}
+      {{- $_ := set $local "result" list -}}
+      {{- $_ := set $local "named_items" dict -}}
+      {{- range $item := $call.result -}}
+      {{- $_ := set $local "has_name_key" false -}}
+        {{- if kindIs "map" $item -}}
+          {{- if hasKey $item "name" -}}
+            {{- $_ := set $local "has_name_key" true -}}
+          {{- end -}}
+        {{- end -}}
+
+        {{- if $local.has_name_key -}}
+          {{- if hasKey $local.named_items $item.name -}}
+            {{- $named_item := index $local.named_items $item.name -}}
+            {{- $call := dict "target" $named_item "source" $item "merge_same_named" $.merge_same_named -}}
+            {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+          {{- else -}}
+            {{- $copy := dict -}}
+            {{- $copy_call := dict "target" $copy "source" $item -}}
+            {{- $_ := include "helm-toolkit.utils._merge.shallow" $copy_call -}}
+            {{- $_ := set $local.named_items $item.name $copy -}}
+            {{- $_ := set $local "result" (append $local.result $copy) -}}
+          {{- end -}}
+        {{- else -}}
+          {{- $_ := set $local "result" (append $local.result $item) -}}
+        {{- end -}}
+      {{- end -}}
+    {{- else -}}
+      {{- $_ := set $local "result" $call.result -}}
+    {{- end -}}
+    {{- $_ := set $ "result" (uniq $local.result) -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.shallow" -}}
+  {{- range $key, $value := $.source -}}
+    {{- $_ := set $.target $key $value -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.append_slice" -}}
+  {{- $local := dict -}}
+  {{- $_ := set $local "result" $.target -}}
+  {{- range $value := $.source -}}
+    {{- $_ := set $local "result" (append $local.result $value) -}}
+  {{- end -}}
+  {{- $_ := set $ "result" $local.result -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/utils/_template.tpl b/charts/heat/charts/helm-toolkit/templates/utils/_template.tpl
new file mode 100644
index 0000000..da56aa0
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/utils/_template.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.template" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{ include $wtf $context }}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/utils/_to_ini.tpl b/charts/heat/charts/helm-toolkit/templates/utils/_to_ini.tpl
new file mode 100644
index 0000000..a159364
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/utils/_to_ini.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns INI formatted output from yaml input
+values: |
+  conf:
+    paste:
+      filter:debug:
+        use: egg:oslo.middleware#debug
+      filter:request_id:
+        use: egg:oslo.middleware#request_id
+      filter:build_auth_context:
+        use: egg:keystone#build_auth_context
+usage: |
+  {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste }}
+return: |
+  [filter:build_auth_context]
+  use = egg:keystone#build_auth_context
+  [filter:debug]
+  use = egg:oslo.middleware#debug
+  [filter:request_id]
+  use = egg:oslo.middleware#request_id
+*/}}
+
+{{- define "helm-toolkit.utils.to_ini" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{else -}}
+{{ $key }} = {{ $value }}
+{{end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl b/charts/heat/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
new file mode 100644
index 0000000..885a86c
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns yaml formatted to be used in k8s templates as container
+  env vars injected via secrets. This requires a secret-<chartname> template to
+  be defined in the chart that can be used to house the desired secret
+  variables. For reference, see the fluentd chart.
+values: |
+  test:
+    secrets:
+      foo: bar
+
+usage: |
+  {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+  - name: foo
+    valueFrom:
+      secretKeyRef:
+        name: "my-release-name-env-secret"
+        key: foo
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_secret_vars" -}}
+{{- $context := index . 0 -}}
+{{- $secrets := index . 1 -}}
+{{ range $key, $config := $secrets -}}
+- name: {{ $key }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ printf "%s-%s" $context.Release.Name "env-secret" | quote }}
+      key: {{ $key }}
+{{ end -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl b/charts/heat/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
new file mode 100644
index 0000000..829dca6
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
@@ -0,0 +1,39 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns key value pair formatted to be used in k8s templates as container
+  env vars.
+values: |
+  test:
+    foo: bar
+usage: |
+  {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+  - name: foo
+    value: "bar"
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_vars" -}}
+{{range $key, $value := . -}}
+{{- if kindIs "slice" $value -}}
+- name: {{ $key }}
+  value: {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{else -}}
+- name: {{ $key }}
+  value: {{ $value | quote }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/utils/_to_kv_list.tpl b/charts/heat/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
new file mode 100644
index 0000000..91bdeb6
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
@@ -0,0 +1,42 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns key value pair in INI format (key = value)
+values: |
+  conf:
+    libvirt:
+      log_level: 3
+usage: |
+  {{ include "helm-toolkit.utils.to_kv_list" .Values.conf.libvirt }}
+return: |
+  log_level = 3
+*/}}
+
+{{- define "helm-toolkit.utils.to_kv_list" -}}
+{{- range $key, $value :=  . -}}
+{{- if kindIs "slice" $value }}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{- else if kindIs "string" $value }}
+{{- if regexMatch "^[0-9]+$" $value }}
+{{ $key }} = {{ $value }}
+{{- else }}
+{{ $key }} = {{ $value | quote }}
+{{- end }}
+{{- else }}
+{{ $key }} = {{ $value }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl b/charts/heat/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
new file mode 100644
index 0000000..622a862
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns OSLO.conf formatted output from yaml input
+values: |
+  conf:
+    keystone:
+      DEFAULT: # Keys at this level are used for section headings
+        max_token_size: 255
+      oslo_messaging_notifications:
+        driver: # An example of a multistring option's syntax
+          type: multistring
+          values:
+            - messagingv2
+            - log
+      oslo_messaging_notifications_stein:
+        driver: # An example of a csv option's syntax
+          type: csv
+          values:
+            - messagingv2
+            - log
+      security_compliance:
+        password_expires_ignore_user_ids:
+        # Values in a list will be converted to a comma separated key
+          - "123"
+          - "456"
+usage: |
+  {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.keystone }}
+return: |
+  [DEFAULT]
+  max_token_size = 255
+  [oslo_messaging_notifications]
+  driver = messagingv2
+  driver = log
+  [oslo_messaging_notifications_stein]
+  driver = messagingv2,log
+  [security_compliance]
+  password_expires_ignore_user_ids = 123,456
+*/}}
+
+{{- define "helm-toolkit.utils.to_oslo_conf" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{ range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{ else if kindIs "map" $value -}}
+{{- if eq $value.type "multistring" }}
+{{- range $k, $multistringValue := $value.values -}}
+{{ $key }} = {{ $multistringValue }}
+{{ end -}}
+{{ else if eq $value.type "csv" -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value.values }}
+{{ end -}}
+{{- else -}}
+{{ $key }} = {{ $value }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/values.yaml b/charts/heat/charts/helm-toolkit/values.yaml
new file mode 100644
index 0000000..681a92b
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/values.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for utils.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
diff --git a/charts/heat/requirements.lock b/charts/heat/requirements.lock
new file mode 100644
index 0000000..1a130f6
--- /dev/null
+++ b/charts/heat/requirements.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: helm-toolkit
+  repository: file://../../openstack-helm-infra/helm-toolkit
+  version: 0.2.36
+digest: sha256:7815f273587bf686278d58f0c6e9c86c37f220ef3f3c1e83edc478613082fef4
+generated: "2022-03-24T05:04:10.242253189Z"
diff --git a/charts/heat/requirements.yaml b/charts/heat/requirements.yaml
new file mode 100644
index 0000000..4124d01
--- /dev/null
+++ b/charts/heat/requirements.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+  - name: helm-toolkit
+    repository: file://../../openstack-helm-infra/helm-toolkit
+    version: ">= 0.1.0"
diff --git a/charts/heat/templates/bin/_bootstrap.sh.tpl b/charts/heat/templates/bin/_bootstrap.sh.tpl
new file mode 100644
index 0000000..6452d0a
--- /dev/null
+++ b/charts/heat/templates/bin/_bootstrap.sh.tpl
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+{{ .Values.bootstrap.script | default "echo 'Not Enabled'" }}
diff --git a/charts/heat/templates/bin/_db-sync.sh.tpl b/charts/heat/templates/bin/_db-sync.sh.tpl
new file mode 100644
index 0000000..652762d
--- /dev/null
+++ b/charts/heat/templates/bin/_db-sync.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+heat-manage db_sync
diff --git a/charts/heat/templates/bin/_heat-api.sh.tpl b/charts/heat/templates/bin/_heat-api.sh.tpl
new file mode 100644
index 0000000..b756d59
--- /dev/null
+++ b/charts/heat/templates/bin/_heat-api.sh.tpl
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+
+{{- if .Values.manifests.certificates }}
+  for WSGI_SCRIPT in heat-wsgi-api; do
+    cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/heat/
+  done
+
+  if [ -f /etc/apache2/envvars ]; then
+    # Loading Apache2 ENV variables
+    source /etc/apache2/envvars
+    mkdir -p ${APACHE_RUN_DIR}
+  fi
+
+{{- if .Values.conf.software.apache2.a2enmod }}
+  {{- range .Values.conf.software.apache2.a2enmod }}
+  a2enmod {{ . }}
+  {{- end }}
+{{- end }}
+
+{{- if .Values.conf.software.apache2.a2dismod }}
+  {{- range .Values.conf.software.apache2.a2dismod }}
+  a2dismod {{ . }}
+  {{- end }}
+{{- end }}
+
+  if [ -f /var/run/apache2/apache2.pid ]; then
+    # Remove the stale pid for debian/ubuntu images
+    rm -f /var/run/apache2/apache2.pid
+  fi
+  # Starts Apache2
+  exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
+{{- else }}
+  exec heat-api \
+        --config-file /etc/heat/heat.conf
+{{- end }}
+}
+
+function stop () {
+{{- if .Values.manifests.certificates }}
+  {{ .Values.conf.software.apache2.binary }} -k graceful-stop
+{{- else }}
+  kill -TERM 1
+{{- end }}
+}
+
+$COMMAND
diff --git a/charts/heat/templates/bin/_heat-cfn.sh.tpl b/charts/heat/templates/bin/_heat-cfn.sh.tpl
new file mode 100644
index 0000000..757b59a
--- /dev/null
+++ b/charts/heat/templates/bin/_heat-cfn.sh.tpl
@@ -0,0 +1,66 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+{{- if .Values.manifests.certificates }}
+  for WSGI_SCRIPT in heat-wsgi-api-cfn; do
+    cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/heat/
+  done
+
+  if [ -f /etc/apache2/envvars ]; then
+    # Loading Apache2 ENV variables
+    source /etc/apache2/envvars
+    mkdir -p ${APACHE_RUN_DIR}
+  fi
+
+
+{{- if .Values.conf.software.apache2.a2enmod }}
+  {{- range .Values.conf.software.apache2.a2enmod }}
+  a2enmod {{ . }}
+  {{- end }}
+{{- end }}
+
+{{- if .Values.conf.software.apache2.a2dismod }}
+  {{- range .Values.conf.software.apache2.a2dismod }}
+  a2dismod {{ . }}
+  {{- end }}
+{{- end }}
+
+
+  if [ -f /var/run/apache2/apache2.pid ]; then
+    # Remove the stale pid for debian/ubuntu images
+    rm -f /var/run/apache2/apache2.pid
+  fi
+  # Starts Apache2
+  exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
+{{- else }}
+  exec heat-api-cfn \
+        --config-file /etc/heat/heat.conf
+{{- end }}
+}
+
+function stop () {
+{{- if .Values.manifests.certificates }}
+  {{ .Values.conf.software.apache2.binary }} -k graceful-stop
+{{- else }}
+  kill -TERM 1
+{{- end }}
+}
+
+$COMMAND
diff --git a/charts/heat/templates/bin/_heat-cloudwatch.sh.tpl b/charts/heat/templates/bin/_heat-cloudwatch.sh.tpl
new file mode 100644
index 0000000..6bf15ff
--- /dev/null
+++ b/charts/heat/templates/bin/_heat-cloudwatch.sh.tpl
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+  exec heat-api-cloudwatch \
+        --config-file /etc/heat/heat.conf
+}
+
+function stop () {
+  kill -TERM 1
+}
+
+$COMMAND
diff --git a/charts/heat/templates/bin/_heat-engine-cleaner.sh.tpl b/charts/heat/templates/bin/_heat-engine-cleaner.sh.tpl
new file mode 100644
index 0000000..d19decc
--- /dev/null
+++ b/charts/heat/templates/bin/_heat-engine-cleaner.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+heat-manage service clean
diff --git a/charts/heat/templates/bin/_heat-engine.sh.tpl b/charts/heat/templates/bin/_heat-engine.sh.tpl
new file mode 100644
index 0000000..30fdff3
--- /dev/null
+++ b/charts/heat/templates/bin/_heat-engine.sh.tpl
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -x
+COMMAND="${@:-start}"
+
+function start () {
+    exec heat-engine \
+          --config-file /etc/heat/heat.conf
+}
+
+function stop () {
+  kill -TERM 1
+}
+
+$COMMAND
diff --git a/charts/heat/templates/bin/_heat-purge-deleted-active.sh.tpl b/charts/heat/templates/bin/_heat-purge-deleted-active.sh.tpl
new file mode 100644
index 0000000..1514171
--- /dev/null
+++ b/charts/heat/templates/bin/_heat-purge-deleted-active.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+heat-manage purge_deleted -g minutes "$1"
diff --git a/charts/heat/templates/bin/_trusts.sh.tpl b/charts/heat/templates/bin/_trusts.sh.tpl
new file mode 100644
index 0000000..837ec00
--- /dev/null
+++ b/charts/heat/templates/bin/_trusts.sh.tpl
@@ -0,0 +1,48 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#!/bin/bash
+
+set -ex
+
+# Get IDs for filtering
+OS_PROJECT_ID=$(openstack project show -f value -c id ${OS_PROJECT_NAME})
+OS_USER_ID=$(openstack user show -f value -c id ${OS_USERNAME})
+SERVICE_OS_TRUSTEE_ID=$(openstack user show -f value -c id --domain ${SERVICE_OS_TRUSTEE_DOMAIN} ${SERVICE_OS_TRUSTEE})
+
+# Check if trust doesn't already exist
+openstack trust list -f value -c "Project ID" \
+          -c "Trustee User ID" -c "Trustor User ID" | \
+          grep "^${OS_PROJECT_ID} ${SERVICE_OS_TRUSTEE_ID} ${OS_USER_ID}$" && \
+          exit 0
+
+# If there are no roles specified...
+if [ -z "${SERVICE_OS_ROLES}" ]; then
+    # ...Heat will try to delegate all of the roles that user has in the
+    # project. Let's fetch them all and use that.
+    readarray -t roles < <(openstack role assignment list -f value \
+            -c "Role" --user="${OS_USERNAME}" --project="${OS_PROJECT_ID}")
+else
+    # Split roles into an array
+    IFS=',' read -r -a roles <<< "${SERVICE_OS_ROLES}"
+fi
+
+# Create trust between trustor and trustee
+SERVICE_OS_TRUST_ID=$(openstack trust create -f value -c id \
+          --project="${OS_PROJECT_NAME}" \
+          ${roles[@]/#/--role=} \
+          --trustee-domain="${SERVICE_OS_TRUSTEE_DOMAIN}" \
+          "${OS_USERNAME}" \
+          "${SERVICE_OS_TRUSTEE}")
+
+# Display trust
+openstack trust show "${SERVICE_OS_TRUST_ID}"
diff --git a/charts/heat/templates/certificates.yaml b/charts/heat/templates/certificates.yaml
new file mode 100644
index 0000000..353dfd6
--- /dev/null
+++ b/charts/heat/templates/certificates.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.certificates -}}
+{{  dict "envAll" . "service" "orchestration" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
+{{  dict "envAll" . "service" "cloudformation" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
+{{- end -}}
diff --git a/charts/heat/templates/configmap-bin.yaml b/charts/heat/templates/configmap-bin.yaml
new file mode 100644
index 0000000..8278e7d
--- /dev/null
+++ b/charts/heat/templates/configmap-bin.yaml
@@ -0,0 +1,64 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+{{- $rallyTests := .Values.conf.rally_tests }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: heat-bin
+data:
+{{- if .Values.images.local_registry.active }}
+  image-repo-sync.sh: |
+{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
+{{- end }}
+{{- if .Values.bootstrap.enabled }}
+  bootstrap.sh: |
+{{ tuple "bin/_bootstrap.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+  rally-test.sh: |
+{{ tuple $rallyTests | include "helm-toolkit.scripts.rally_test" | indent 4 }}
+  db-init.py: |
+{{- include "helm-toolkit.scripts.db_init" . | indent 4 }}
+  db-sync.sh: |
+{{ tuple "bin/_db-sync.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  db-drop.py: |
+{{- include "helm-toolkit.scripts.db_drop" . | indent 4 }}
+  ks-service.sh: |
+{{- include "helm-toolkit.scripts.keystone_service" . | indent 4 }}
+  ks-endpoints.sh: |
+{{- include "helm-toolkit.scripts.keystone_endpoints" . | indent 4 }}
+  ks-user.sh: |
+{{- include "helm-toolkit.scripts.keystone_user" . | indent 4 }}
+  ks-domain-user.sh: |
+{{- include "helm-toolkit.scripts.keystone_domain_user" . | indent 4 }}
+  trusts.sh: |
+{{ tuple "bin/_trusts.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  heat-api.sh: |
+{{ tuple "bin/_heat-api.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  heat-cfn.sh: |
+{{ tuple "bin/_heat-cfn.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  heat-cloudwatch.sh: |
+{{ tuple "bin/_heat-cloudwatch.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  heat-engine.sh: |
+{{ tuple "bin/_heat-engine.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  heat-engine-cleaner.sh: |
+{{ tuple "bin/_heat-engine-cleaner.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  heat-purge-deleted-active.sh: |
+{{ tuple "bin/_heat-purge-deleted-active.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  rabbit-init.sh: |
+{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }}
+{{- end }}
diff --git a/charts/heat/templates/configmap-etc.yaml b/charts/heat/templates/configmap-etc.yaml
new file mode 100644
index 0000000..d5716e1
--- /dev/null
+++ b/charts/heat/templates/configmap-etc.yaml
@@ -0,0 +1,153 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_etc }}
+{{- $envAll := . }}
+
+{{- if empty .Values.conf.heat.keystone_authtoken.auth_uri -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.heat.keystone_authtoken "auth_uri" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.heat.keystone_authtoken.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.heat.keystone_authtoken "auth_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.heat.keystone_authtoken.region_name -}}
+{{- $_ := set .Values.conf.heat.keystone_authtoken "region_name" .Values.endpoints.identity.auth.heat.region_name -}}
+{{- end -}}
+{{- if empty .Values.conf.heat.keystone_authtoken.project_name -}}
+{{- $_ := set .Values.conf.heat.keystone_authtoken "project_name" .Values.endpoints.identity.auth.heat.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.heat.keystone_authtoken.project_domain_name -}}
+{{- $_ := set .Values.conf.heat.keystone_authtoken "project_domain_name" .Values.endpoints.identity.auth.heat.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.heat.keystone_authtoken.user_domain_name -}}
+{{- $_ := set .Values.conf.heat.keystone_authtoken "user_domain_name" .Values.endpoints.identity.auth.heat.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.heat.keystone_authtoken.username -}}
+{{- $_ := set .Values.conf.heat.keystone_authtoken "username" .Values.endpoints.identity.auth.heat.username -}}
+{{- end -}}
+{{- if empty .Values.conf.heat.keystone_authtoken.password -}}
+{{- $_ := set .Values.conf.heat.keystone_authtoken "password" .Values.endpoints.identity.auth.heat.password -}}
+{{- end -}}
+
+{{- if empty .Values.conf.heat.trustee.region_name -}}
+{{- $_ := set .Values.conf.heat.trustee "region_name" .Values.endpoints.identity.auth.heat_trustee.region_name -}}
+{{- end -}}
+{{- if empty .Values.conf.heat.trustee.user_domain_name -}}
+{{- $_ := set .Values.conf.heat.trustee "user_domain_name" .Values.endpoints.identity.auth.heat_trustee.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.heat.trustee.username -}}
+{{- $_ := set .Values.conf.heat.trustee "username" .Values.endpoints.identity.auth.heat_trustee.username -}}
+{{- end -}}
+{{- if empty .Values.conf.heat.trustee.password -}}
+{{- $_ := set .Values.conf.heat.trustee "password" .Values.endpoints.identity.auth.heat_trustee.password -}}
+{{- end -}}
+
+{{- if empty .Values.conf.heat.DEFAULT.stack_user_domain_name -}}
+{{- $_ := set .Values.conf.heat.DEFAULT "stack_user_domain_name" .Values.endpoints.identity.auth.heat_stack_user.domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.heat.DEFAULT.stack_domain_admin -}}
+{{- $_ := set .Values.conf.heat.DEFAULT "stack_domain_admin" .Values.endpoints.identity.auth.heat_stack_user.username -}}
+{{- end -}}
+{{- if empty .Values.conf.heat.DEFAULT.stack_domain_admin_password -}}
+{{- $_ := set .Values.conf.heat.DEFAULT "stack_domain_admin_password" .Values.endpoints.identity.auth.heat_stack_user.password -}}
+{{- end -}}
+
+{{- if empty .Values.conf.heat.keystone_authtoken.memcached_servers -}}
+{{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.heat.keystone_authtoken "memcached_servers" -}}
+{{- end -}}
+{{- if empty .Values.conf.heat.keystone_authtoken.memcache_secret_key -}}
+{{- $_ := set .Values.conf.heat.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
+{{- end -}}
+
+{{- if empty .Values.conf.heat.database.connection -}}
+{{- $connection := tuple "oslo_db" "internal" "heat" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.heat.database "connection" -}}
+{{- else -}}
+{{- $_ := set .Values.conf.heat.database "connection" $connection -}}
+{{- end -}}
+{{- end -}}
+
+{{- if empty .Values.conf.heat.DEFAULT.transport_url -}}
+{{- $_ := tuple "oslo_messaging" "internal" "heat" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" | set .Values.conf.heat.DEFAULT "transport_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.heat.DEFAULT.heat_metadata_server_url -}}
+{{- $_ := tuple "cloudformation" "public" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | trimSuffix .Values.endpoints.cloudformation.path.default | set .Values.conf.heat.DEFAULT "heat_metadata_server_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.heat.DEFAULT.heat_waitcondition_server_url -}}
+{{- $_ := cat (tuple "cloudformation" "public" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup") "waitcondition" | replace " " "/" | set .Values.conf.heat.DEFAULT "heat_waitcondition_server_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.heat.DEFAULT.heat_watch_server_url -}}
+{{- $_ := tuple "cloudwatch" "public" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | trimSuffix "/" | set .Values.conf.heat.DEFAULT "heat_watch_server_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.heat.clients_keystone.auth_uri -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | trimSuffix .Values.endpoints.identity.path.default | set .Values.conf.heat.clients_keystone "auth_uri" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.heat.trustee.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | trimSuffix .Values.endpoints.identity.path.default | set .Values.conf.heat.trustee "auth_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.heat.heat_api.bind_port -}}
+{{- $_ := tuple "orchestration" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.heat.heat_api "bind_port" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.heat.heat_api_cloudwatch.bind_port -}}
+{{- $_ := tuple "cloudwatch" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.heat.heat_api_cloudwatch "bind_port" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.heat.heat_api_cfn.bind_port -}}
+{{- $_ := tuple "cloudformation" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.heat.heat_api_cfn "bind_port" -}}
+{{- end -}}
+
+{{- if and (empty .Values.conf.logging.handler_fluent) (has "fluent" .Values.conf.logging.handlers.keys) -}}
+{{- $fluentd_host := tuple "fluentd" "internal" $envAll | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $fluentd_port := tuple "fluentd" "internal" "service" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .Release.Name $fluentd_host $fluentd_port }}
+{{- $handler_fluent := dict "class" "fluent.handler.FluentHandler" "formatter" "fluent" "args" $fluent_args -}}
+{{- $_ := set .Values.conf.logging "handler_fluent" $handler_fluent -}}
+{{- end -}}
+
+{{- if and (empty .Values.conf.logging.formatter_fluent) (has "fluent" .Values.conf.logging.formatters.keys) -}}
+{{- $formatter_fluent := dict "class" "oslo_log.formatters.FluentFormatter" -}}
+{{- $_ := set .Values.conf.logging "formatter_fluent" $formatter_fluent -}}
+{{- end -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: heat-etc
+type: Opaque
+data:
+  rally_tests.yaml: {{ toYaml .Values.conf.rally_tests.tests | b64enc }}
+  heat.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.heat | b64enc }}
+  logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
+  api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
+  policy.yaml: {{ toYaml .Values.conf.policy | b64enc }}
+{{- if .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.mpm_event "key" "mpm_event.conf" "format" "Secret" ) | indent 2 }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_heat "key" "wsgi-heat.conf" "format" "Secret" ) | indent 2 }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_cfn "key" "wsgi-cnf.conf" "format" "Secret" ) | indent 2 }}
+{{- end }}
+  api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
+{{- range $key, $value := $envAll.Values.conf.rally_tests.templates }}
+  {{ printf "test_template_%d" $key }}: {{ $value.template | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/heat/templates/cron-job-engine-cleaner.yaml b/charts/heat/templates/cron-job-engine-cleaner.yaml
new file mode 100644
index 0000000..1e7e6f3
--- /dev/null
+++ b/charts/heat/templates/cron-job-engine-cleaner.yaml
@@ -0,0 +1,105 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.cron_job_engine_cleaner }}
+{{- $envAll := . }}
+
+{{- $mounts_heat_engine_cleaner := .Values.pod.mounts.heat_engine_cleaner.heat_engine_cleaner }}
+{{- $mounts_heat_engine_cleaner_init := .Values.pod.mounts.heat_engine_cleaner.init_container }}
+
+{{- $serviceAccountName := "heat-engine-cleaner" }}
+{{ tuple $envAll "engine_cleaner" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: heat-engine-cleaner
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+  schedule: {{ .Values.jobs.engine_cleaner.cron | quote }}
+  successfulJobsHistoryLimit: {{ .Values.jobs.engine_cleaner.history.success }}
+  failedJobsHistoryLimit: {{ .Values.jobs.engine_cleaner.history.failed }}
+  {{- if .Values.jobs.engine_cleaner.starting_deadline }}
+  startingDeadlineSeconds: {{ .Values.jobs.engine_cleaner.starting_deadline }}
+  {{- end }}
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    metadata:
+      labels:
+{{ tuple $envAll "heat" "engine-cleaner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ dict "envAll" $envAll "podName" "heat-engine-cleaner" "containerNames" (list "heat-engine-cleaner" "init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+      template:
+        metadata:
+          labels:
+{{ tuple $envAll "heat" "engine-cleaner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 12 }}
+          annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 12 }}
+            configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+            configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "heat-engine-cleaner" "containerNames" (list "heat-engine-cleaner" "init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+        spec:
+          serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "engine_cleaner" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 10 }}
+          restartPolicy: OnFailure
+          nodeSelector:
+            {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+          initContainers:
+{{ tuple $envAll "engine_cleaner" $mounts_heat_engine_cleaner_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 12 }}
+          containers:
+            - name: heat-engine-cleaner
+{{ tuple $envAll "heat_engine_cleaner" | include "helm-toolkit.snippets.image" | indent 14 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.engine_cleaner | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
+{{ dict "envAll" $envAll "application" "engine_cleaner" "container" "heat_engine_cleaner" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 14 }}
+              command:
+                - /tmp/heat-engine-cleaner.sh
+              volumeMounts:
+              - name: pod-tmp
+                mountPath: /tmp
+              - name: heat-bin
+                mountPath: /tmp/heat-engine-cleaner.sh
+                subPath: heat-engine-cleaner.sh
+                readOnly: true
+              - name: etcheat
+                mountPath: /etc/heat
+              - name: heat-etc
+                mountPath: /etc/heat/heat.conf
+                subPath: heat.conf
+                readOnly: true
+              {{ if .Values.conf.heat.DEFAULT.log_config_append }}
+              - name: heat-etc
+                mountPath: {{ .Values.conf.heat.DEFAULT.log_config_append }}
+                subPath: {{ base .Values.conf.heat.DEFAULT.log_config_append }}
+                readOnly: true
+              {{ end }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 14 }}
+{{ if $mounts_heat_engine_cleaner.volumeMounts }}{{ toYaml $mounts_heat_engine_cleaner.volumeMounts | indent 14 }}{{ end }}
+          volumes:
+            - name: pod-tmp
+              emptyDir: {}
+            - name: etcheat
+              emptyDir: {}
+            - name: heat-etc
+              secret:
+                secretName: heat-etc
+                defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
+            - name: heat-bin
+              configMap:
+                name: heat-bin
+                defaultMode: 0555
+{{ if $mounts_heat_engine_cleaner.volumes }}{{ toYaml $mounts_heat_engine_cleaner.volumes | indent 12 }}{{ end }}
+{{- end }}
diff --git a/charts/heat/templates/cron-job-purge-deleted.yaml b/charts/heat/templates/cron-job-purge-deleted.yaml
new file mode 100644
index 0000000..dd275d7
--- /dev/null
+++ b/charts/heat/templates/cron-job-purge-deleted.yaml
@@ -0,0 +1,99 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.cron_job_purge_deleted }}
+{{- $envAll := . }}
+
+{{- $mounts_heat_purge_deleted := .Values.pod.mounts.heat_purge_deleted.heat_purge_deleted }}
+{{- $mounts_heat_purge_deleted_init := .Values.pod.mounts.heat_purge_deleted.init_container }}
+
+{{- $serviceAccountName := "heat-purge-deleted" }}
+{{ tuple $envAll "purge_deleted" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: heat-purge-deleted
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+  schedule: {{ .Values.jobs.purge_deleted.cron | quote }}
+  successfulJobsHistoryLimit: {{ .Values.jobs.purge_deleted.history.success }}
+  failedJobsHistoryLimit: {{ .Values.jobs.purge_deleted.history.failed }}
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    metadata:
+      labels:
+{{ tuple $envAll "heat" "purge-deleted" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ dict "envAll" $envAll "podName" "heat-purge-deleted" "containerNames" (list "init" "heat-purge-deleted" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+      template:
+        metadata:
+          labels:
+{{ tuple $envAll "heat" "purge-deleted" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 12 }}
+          annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 12 }}
+{{ dict "envAll" $envAll "podName" "heat-purge-deleted" "containerNames" (list "init" "heat-purge-deleted" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+        spec:
+          serviceAccountName: {{ $serviceAccountName }}
+          restartPolicy: OnFailure
+          nodeSelector:
+            {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+          initContainers:
+{{ tuple $envAll "purge_deleted" $mounts_heat_purge_deleted_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 12 }}
+          containers:
+            - name: heat-purge-deleted
+{{ tuple $envAll "heat_purge_deleted" | include "helm-toolkit.snippets.image" | indent 14 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.purge_deleted | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
+              command:
+                - /tmp/heat-purge-deleted-active.sh
+                - {{ quote .Values.jobs.purge_deleted.purge_age }}
+              volumeMounts:
+              - name: pod-tmp
+                mountPath: /tmp
+              - name: heat-bin
+                mountPath: /tmp/heat-purge-deleted-active.sh
+                subPath: heat-purge-deleted-active.sh
+                readOnly: true
+              - name: etcheat
+                mountPath: /etc/heat
+              - name: heat-etc
+                mountPath: /etc/heat/heat.conf
+                subPath: heat.conf
+                readOnly: true
+              {{ if .Values.conf.heat.DEFAULT.log_config_append }}
+              - name: heat-etc
+                mountPath: {{ .Values.conf.heat.DEFAULT.log_config_append }}
+                subPath: {{ base .Values.conf.heat.DEFAULT.log_config_append }}
+                readOnly: true
+              {{ end }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 14 }}
+{{ if $mounts_heat_purge_deleted.volumeMounts }}{{ toYaml $mounts_heat_purge_deleted.volumeMounts | indent 14 }}{{ end }}
+          volumes:
+            - name: pod-tmp
+              emptyDir: {}
+            - name: etcheat
+              emptyDir: {}
+            - name: heat-etc
+              secret:
+                secretName: heat-etc
+                defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
+            - name: heat-bin
+              configMap:
+                name: heat-bin
+                defaultMode: 0555
+{{ if $mounts_heat_purge_deleted.volumes }}{{ toYaml $mounts_heat_purge_deleted.volumes | indent 12 }}{{ end }}
+{{- end }}
diff --git a/charts/heat/templates/deployment-api.yaml b/charts/heat/templates/deployment-api.yaml
new file mode 100644
index 0000000..a17ddae
--- /dev/null
+++ b/charts/heat/templates/deployment-api.yaml
@@ -0,0 +1,145 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment_api }}
+{{- $envAll := . }}
+
+{{- $mounts_heat_api := .Values.pod.mounts.heat_api.heat_api }}
+{{- $mounts_heat_api_init := .Values.pod.mounts.heat_api.init_container }}
+
+{{- $serviceAccountName := "heat-api" }}
+{{ tuple $envAll "api" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: heat-api
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "heat" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.api }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "heat" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "heat" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "heat-api" "containerNames" (list "heat-api" "init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "heat" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      affinity:
+{{ tuple $envAll "heat" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+      nodeSelector:
+        {{ .Values.labels.api.node_selector_key }}: {{ .Values.labels.api.node_selector_value }}
+      terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.api.timeout | default "30" }}
+      initContainers:
+{{ tuple $envAll "api" $mounts_heat_api_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: heat-api
+{{ tuple $envAll "heat_api" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "heat" "container" "heat_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/heat-api.sh
+            - start
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - /tmp/heat-api.sh
+                  - stop
+          ports:
+            - name: h-api
+              containerPort: {{ tuple "orchestration" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+          readinessProbe:
+            tcpSocket:
+              port: {{ tuple "orchestration" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+          livenessProbe:
+            tcpSocket:
+              port: {{ tuple "orchestration" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+            initialDelaySeconds: 30
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: pod-etc-heat
+              mountPath: /etc/heat
+            - name: wsgi-heat
+              mountPath: /var/www/cgi-bin/heat
+            - name: heat-bin
+              mountPath: /tmp/heat-api.sh
+              subPath: heat-api.sh
+              readOnly: true
+            - name: heat-etc
+              mountPath: /etc/heat/heat.conf
+              subPath: heat.conf
+              readOnly: true
+            {{ if .Values.conf.heat.DEFAULT.log_config_append }}
+            - name: heat-etc
+              mountPath: {{ .Values.conf.heat.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.heat.DEFAULT.log_config_append }}
+              readOnly: true
+            {{ end }}
+            - name: heat-etc
+              mountPath: /etc/heat/api-paste.ini
+              subPath: api-paste.ini
+              readOnly: true
+            - name: heat-etc
+              mountPath: /etc/heat/policy.yaml
+              subPath: policy.yaml
+              readOnly: true
+            - name: heat-etc
+              mountPath: /etc/heat/api_audit_map.conf
+              subPath: api_audit_map.conf
+              readOnly: true
+            {{- if .Values.manifests.certificates }}
+            - name: heat-etc
+              mountPath: {{ .Values.conf.software.apache2.site_dir }}/heat-api.conf
+              subPath: wsgi-heat.conf
+              readOnly: true
+            - name: heat-etc
+              mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
+              subPath: mpm_event.conf
+              readOnly: true
+            {{- end }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_heat_api.volumeMounts }}{{ toYaml $mounts_heat_api.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: pod-etc-heat
+          emptyDir: {}
+        - name: wsgi-heat
+          emptyDir: {}
+        - name: heat-bin
+          configMap:
+            name: heat-bin
+            defaultMode: 0555
+        - name: heat-etc
+          secret:
+            secretName: heat-etc
+            defaultMode: 0444
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_heat_api.volumes }}{{ toYaml $mounts_heat_api.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/heat/templates/deployment-cfn.yaml b/charts/heat/templates/deployment-cfn.yaml
new file mode 100644
index 0000000..9fab9e6
--- /dev/null
+++ b/charts/heat/templates/deployment-cfn.yaml
@@ -0,0 +1,143 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment_cfn }}
+{{- $envAll := . }}
+
+{{- $mounts_heat_cfn := .Values.pod.mounts.heat_cfn.heat_cfn }}
+{{- $mounts_heat_cfn_init := .Values.pod.mounts.heat_cfn.init_container }}
+
+{{- $serviceAccountName := "heat-cfn" }}
+{{ tuple $envAll "cfn" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: heat-cfn
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "heat" "cfn" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.cfn }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "heat" "cfn" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "heat" "cfn" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "heat-cfn" "containerNames" (list "heat-cfn" "init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "heat" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      affinity:
+{{ tuple $envAll "heat" "cfn" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+      nodeSelector:
+        {{ .Values.labels.cfn.node_selector_key }}: {{ .Values.labels.cfn.node_selector_value }}
+      terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.cfn.timeout | default "30" }}
+      initContainers:
+{{ tuple $envAll "cfn" $mounts_heat_cfn_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: heat-cfn
+{{ tuple $envAll "heat_cfn" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.cfn | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "heat" "container" "heat_cfn" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/heat-cfn.sh
+            - start
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - /tmp/heat-cfn.sh
+                  - stop
+          ports:
+            - name: h-cfn
+              containerPort: {{ tuple "cloudformation" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+          readinessProbe:
+            tcpSocket:
+              port: {{ tuple "cloudformation" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+          livenessProbe:
+            tcpSocket:
+              port: {{ tuple "cloudformation" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+            initialDelaySeconds: 30
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: pod-etc-heat
+              mountPath: /etc/heat
+            - name: wsgi-heat
+              mountPath: /var/www/cgi-bin/heat
+            - name: heat-bin
+              mountPath: /tmp/heat-cfn.sh
+              subPath: heat-cfn.sh
+              readOnly: true
+            - name: heat-etc
+              mountPath: /etc/heat/heat.conf
+              subPath: heat.conf
+              readOnly: true
+            {{ if .Values.conf.heat.DEFAULT.log_config_append }}
+            - name: heat-etc
+              mountPath: {{ .Values.conf.heat.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.heat.DEFAULT.log_config_append }}
+              readOnly: true
+            {{ end }}
+            - name: heat-etc
+              mountPath: /etc/heat/api-paste.ini
+              subPath: api-paste.ini
+              readOnly: true
+            - name: heat-etc
+              mountPath: /etc/heat/policy.yaml
+              subPath: policy.yaml
+              readOnly: true
+            - name: heat-etc
+              mountPath: /etc/heat/api_audit_map.conf
+              subPath: api_audit_map.conf
+              readOnly: true
+            {{- if .Values.manifests.certificates }}
+            - name: heat-etc
+              mountPath: {{ .Values.conf.software.apache2.site_dir }}/heat-api-cfn.conf
+              subPath: wsgi-cnf.conf
+              readOnly: true
+            - name: heat-etc
+              mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
+              subPath: mpm_event.conf
+              readOnly: true
+            {{- end }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.cloudformation.cfn.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_heat_cfn.volumeMounts }}{{ toYaml $mounts_heat_cfn.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: pod-etc-heat
+          emptyDir: {}
+        - name: wsgi-heat
+          emptyDir: {}
+        - name: heat-bin
+          configMap:
+            name: heat-bin
+            defaultMode: 0555
+        - name: heat-etc
+          secret:
+            secretName: heat-etc
+            defaultMode: 0444
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.cloudformation.cfn.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_heat_cfn.volumes }}{{ toYaml $mounts_heat_cfn.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/heat/templates/deployment-cloudwatch.yaml b/charts/heat/templates/deployment-cloudwatch.yaml
new file mode 100644
index 0000000..092feac
--- /dev/null
+++ b/charts/heat/templates/deployment-cloudwatch.yaml
@@ -0,0 +1,122 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment_cloudwatch }}
+{{- $envAll := . }}
+
+{{- $mounts_heat_cloudwatch := .Values.pod.mounts.heat_cloudwatch.heat_cloudwatch }}
+{{- $mounts_heat_cloudwatch_init := .Values.pod.mounts.heat_cloudwatch.init_container }}
+
+{{- $serviceAccountName := "heat-cloudwatch" }}
+{{ tuple $envAll "cloudwatch" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: heat-cloudwatch
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "heat" "cloudwatch" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.cloudwatch }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "heat" "cloudwatch" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "heat" "cloudwatch" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "heat" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      affinity:
+{{ tuple $envAll "heat" "cloudwatch" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+      nodeSelector:
+        {{ .Values.labels.cloudwatch.node_selector_key }}: {{ .Values.labels.cloudwatch.node_selector_value }}
+      terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.cloudwatch.timeout | default "30" }}
+      initContainers:
+{{ tuple $envAll "cloudwatch" $mounts_heat_cloudwatch_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: heat-cloudwatch
+{{ tuple $envAll "heat_cloudwatch" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.cloudwatch | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "heat" "container" "heat_cloudwatch" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/heat-cloudwatch.sh
+            - start
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - /tmp/heat-cloudwatch.sh
+                  - stop
+          ports:
+            - name: h-cwh
+              containerPort: {{ tuple "cloudwatch" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+          readinessProbe:
+            tcpSocket:
+              port: {{ tuple "cloudwatch" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: pod-etc-heat
+              mountPath: /etc/heat
+            - name: heat-bin
+              mountPath: /tmp/heat-cloudwatch.sh
+              subPath: heat-cloudwatch.sh
+              readOnly: true
+            - name: heat-etc
+              mountPath: /etc/heat/heat.conf
+              subPath: heat.conf
+              readOnly: true
+            {{ if .Values.conf.heat.DEFAULT.log_config_append }}
+            - name: heat-etc
+              mountPath: {{ .Values.conf.heat.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.heat.DEFAULT.log_config_append }}
+              readOnly: true
+            {{ end }}
+            - name: heat-etc
+              mountPath: /etc/heat/api-paste.ini
+              subPath: api-paste.ini
+              readOnly: true
+            - name: heat-etc
+              mountPath: /etc/heat/policy.yaml
+              subPath: policy.yaml
+              readOnly: true
+            - name: heat-etc
+              mountPath: /etc/heat/api_audit_map.conf
+              subPath: api_audit_map.conf
+              readOnly: true
+{{ if $mounts_heat_cloudwatch.volumeMounts }}{{ toYaml $mounts_heat_cloudwatch.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: pod-etc-heat
+          emptyDir: {}
+        - name: heat-bin
+          configMap:
+            name: heat-bin
+            defaultMode: 0555
+        - name: heat-etc
+          secret:
+            secretName: heat-etc
+            defaultMode: 0444
+{{ if $mounts_heat_cloudwatch.volumes }}{{ toYaml $mounts_heat_cloudwatch.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/heat/templates/deployment-engine.yaml b/charts/heat/templates/deployment-engine.yaml
new file mode 100644
index 0000000..4ae0197
--- /dev/null
+++ b/charts/heat/templates/deployment-engine.yaml
@@ -0,0 +1,123 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if or ( .Values.manifests.deployment_engine ) ( .Values.manifests.statefulset_engine ) }}
+{{- $envAll := . }}
+
+{{- $mounts_heat_engine := .Values.pod.mounts.heat_engine.heat_engine }}
+{{- $mounts_heat_engine_init := .Values.pod.mounts.heat_engine.init_container }}
+
+{{- $serviceAccountName := "heat-engine" }}
+{{ tuple $envAll "engine" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+metadata:
+  name: heat-engine
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "heat" "engine" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if .Values.manifests.deployment_engine }}
+kind: Deployment
+spec:
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+{{- else if .Values.manifests.statefulset_engine }}
+kind: StatefulSet
+spec:
+  serviceName: heat-engine
+{{- end }}
+  replicas: {{ .Values.pod.replicas.engine }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "heat" "engine" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "heat" "engine" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if .Values.manifests.deployment_engine }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "heat-engine" "containerNames" (list "heat-engine" "init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "heat" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      affinity:
+{{- tuple $envAll "heat" "engine" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+      nodeSelector:
+        {{ .Values.labels.engine.node_selector_key }}: {{ .Values.labels.engine.node_selector_value }}
+      terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.engine.timeout | default "30" }}
+      initContainers:
+{{ tuple $envAll "engine" $mounts_heat_engine_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: heat-engine
+{{ tuple $envAll "heat_engine" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.engine | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "heat" "container" "heat_engine" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/heat-engine.sh
+            - start
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - /tmp/heat-engine.sh
+                  - stop
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: pod-etc-heat
+              mountPath: /etc/heat
+            - name: heat-bin
+              mountPath: /tmp/heat-engine.sh
+              subPath: heat-engine.sh
+              readOnly: true
+            - name: heat-etc
+              mountPath: /etc/heat/heat.conf
+              subPath: heat.conf
+              readOnly: true
+            {{ if .Values.conf.heat.DEFAULT.log_config_append }}
+            - name: heat-etc
+              mountPath: {{ .Values.conf.heat.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.heat.DEFAULT.log_config_append }}
+              readOnly: true
+            {{ end }}
+            - name: heat-etc
+              mountPath: /etc/heat/policy.yaml
+              subPath: policy.yaml
+              readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_heat_engine.volumeMounts }}{{ toYaml $mounts_heat_engine.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: pod-etc-heat
+          emptyDir: {}
+        - name: heat-bin
+          configMap:
+            name: heat-bin
+            defaultMode: 0555
+        - name: heat-etc
+          secret:
+            secretName: heat-etc
+            defaultMode: 0444
+ {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_heat_engine.volumes }}{{ toYaml $mounts_heat_engine.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/heat/templates/ingress-api.yaml b/charts/heat/templates/ingress-api.yaml
new file mode 100644
index 0000000..8d5c9a0
--- /dev/null
+++ b/charts/heat/templates/ingress-api.yaml
@@ -0,0 +1,23 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
+{{- $envAll := . }}
+{{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "orchestration" "backendPort" "h-api" -}}
+{{- $secretName := $envAll.Values.secrets.tls.orchestration.api.internal -}}
+{{- if and .Values.manifests.certificates $secretName -}}
+{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.orchestration.host_fqdn_override.default.tls.issuerRef.name -}}
+{{- end -}}
+{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+{{- end }}
diff --git a/charts/heat/templates/ingress-cfn.yaml b/charts/heat/templates/ingress-cfn.yaml
new file mode 100644
index 0000000..d965338
--- /dev/null
+++ b/charts/heat/templates/ingress-cfn.yaml
@@ -0,0 +1,23 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.ingress_cfn .Values.network.cfn.ingress.public }}
+{{- $envAll := . }}
+{{- $ingressOpts := dict "envAll" $envAll "backendService" "cfn" "backendServiceType" "cloudformation" "backendPort" "h-cfn" -}}
+{{- $secretName := $envAll.Values.secrets.tls.cloudformation.cfn.internal -}}
+{{- if and .Values.manifests.certificates $secretName -}}
+{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.cloudformation.host_fqdn_override.default.tls.issuerRef.name -}}
+{{- end -}}
+{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+{{- end }}
diff --git a/charts/heat/templates/ingress-cloudwatch.yaml b/charts/heat/templates/ingress-cloudwatch.yaml
new file mode 100644
index 0000000..1be57f5
--- /dev/null
+++ b/charts/heat/templates/ingress-cloudwatch.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.ingress_cloudwatch .Values.network.cloudwatch.ingress.public }}
+{{- $ingressOpts := dict "envAll" . "backendService" "cloudwatch" "backendServiceType" "cloudwatch" "backendPort" "h-cwh" -}}
+{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+{{- end }}
diff --git a/charts/heat/templates/job-bootstrap.yaml b/charts/heat/templates/job-bootstrap.yaml
new file mode 100644
index 0000000..5dfe56f
--- /dev/null
+++ b/charts/heat/templates/job-bootstrap.yaml
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.bootstrap" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "5"
+{{- end }}
+
+{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
+{{- $bootstrapJob := dict "envAll" . "serviceName" "heat" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.heat.DEFAULT.log_config_append -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $bootstrapJob "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) }}
+{{- end }}
+{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
+{{- end }}
diff --git a/charts/heat/templates/job-db-drop.yaml b/charts/heat/templates/job-db-drop.yaml
new file mode 100644
index 0000000..d74fa7b
--- /dev/null
+++ b/charts/heat/templates/job-db-drop.yaml
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_db_drop }}
+{{- $dbDropJob := dict "envAll" . "serviceName" "heat" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
+{{- end }}
diff --git a/charts/heat/templates/job-db-init.yaml b/charts/heat/templates/job-db-init.yaml
new file mode 100644
index 0000000..b3b44fe
--- /dev/null
+++ b/charts/heat/templates/job-db-init.yaml
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_init" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-5"
+{{- end }}
+
+{{- if .Values.manifests.job_db_init }}
+{{- $dbInitJob := dict "envAll" . "serviceName" "heat" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $dbInitJob "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml) }}
+{{- end }}
+{{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
+{{- end }}
diff --git a/charts/heat/templates/job-db-sync.yaml b/charts/heat/templates/job-db-sync.yaml
new file mode 100644
index 0000000..5670792
--- /dev/null
+++ b/charts/heat/templates/job-db-sync.yaml
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_sync" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end }}
+
+{{- if .Values.manifests.job_db_sync }}
+{{- $dbSyncJob := dict "envAll" . "serviceName" "heat" "podVolMounts" .Values.pod.mounts.heat_db_sync.heat_db_sync.volumeMounts "podVols" .Values.pod.mounts.heat_db_sync.heat_db_sync.volumes -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $dbSyncJob "jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml) }}
+{{- end }}
+{{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
+{{- end }}
diff --git a/charts/heat/templates/job-image-repo-sync.yaml b/charts/heat/templates/job-image-repo-sync.yaml
new file mode 100644
index 0000000..a9da325
--- /dev/null
+++ b/charts/heat/templates/job-image-repo-sync.yaml
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.repo_sync" }}
+helm.sh/hook: post-install,post-upgrade
+{{- end }}
+
+{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
+{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "heat" -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := $imageRepoSyncJob "jobAnnotations" (include "metadata.annotations.job.repo_sync" . | fromYaml) }}
+{{- end }}
+{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
+{{- end }}
diff --git a/charts/heat/templates/job-ks-endpoints.yaml b/charts/heat/templates/job-ks-endpoints.yaml
new file mode 100644
index 0000000..9388806
--- /dev/null
+++ b/charts/heat/templates/job-ks-endpoints.yaml
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_endpoints" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-2"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_endpoints }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "heat" "serviceTypes" ( tuple "orchestration" "cloudformation" ) -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) }}
+{{- end }}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
+{{- end }}
diff --git a/charts/heat/templates/job-ks-service.yaml b/charts/heat/templates/job-ks-service.yaml
new file mode 100644
index 0000000..5947c0e
--- /dev/null
+++ b/charts/heat/templates/job-ks-service.yaml
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_service" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-3"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_service }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "heat" "serviceTypes" ( tuple "orchestration" "cloudformation" ) -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) }}
+{{- end }}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
+{{- end }}
diff --git a/charts/heat/templates/job-ks-user-domain.yaml b/charts/heat/templates/job-ks-user-domain.yaml
new file mode 100644
index 0000000..a709608
--- /dev/null
+++ b/charts/heat/templates/job-ks-user-domain.yaml
@@ -0,0 +1,101 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_ks_user_domain }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := "heat-ks-user-domain" }}
+{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: heat-domain-ks-user
+  labels:
+{{ tuple $envAll "heat" "ks-user-domain" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  annotations:
+{{- if .Values.helm3_hook }}
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
+{{- end }}
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "heat" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "heat-domain-ks-user" "containerNames" (list "heat-ks-domain-user" "init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      restartPolicy: OnFailure
+      nodeSelector:
+        {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+      initContainers:
+{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: heat-ks-domain-user
+{{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ks_user" "container" "heat_ks_domain_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/ks-domain-user.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-user-sh
+              mountPath: /tmp/ks-domain-user.sh
+              subPath: ks-domain-user.sh
+              readOnly: true
+{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount"  | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: SERVICE_OS_SERVICE_NAME
+              value: "heat"
+            - name: SERVICE_OS_REGION_NAME
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.secrets.identity.heat_stack_user }}
+                  key: OS_REGION_NAME
+            - name: SERVICE_OS_DOMAIN_NAME
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.secrets.identity.heat_stack_user }}
+                  key: OS_DOMAIN_NAME
+            - name: SERVICE_OS_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.secrets.identity.heat_stack_user }}
+                  key: OS_USERNAME
+            - name: SERVICE_OS_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.secrets.identity.heat_stack_user }}
+                  key: OS_PASSWORD
+            - name: SERVICE_OS_ROLE
+              value: {{ .Values.endpoints.identity.auth.heat_stack_user.role | quote }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-user-sh
+          configMap:
+            name: heat-bin
+            defaultMode: 0555
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/heat/templates/job-ks-user-trustee.yaml b/charts/heat/templates/job-ks-user-trustee.yaml
new file mode 100644
index 0000000..21f1b57
--- /dev/null
+++ b/charts/heat/templates/job-ks-user-trustee.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.heat_trust" }}
+helm.sh/hook: post-install,post-upgrade
+{{- end }}
+
+{{- if .Values.manifests.job_ks_user_trustee }}
+{{- $ksUserJob := dict "envAll" . "serviceName" "heat" "serviceUser" "heat_trustee" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.heat_trust" . | fromYaml) }}
+{{- end }}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
+{{- end }}
diff --git a/charts/heat/templates/job-ks-user.yaml b/charts/heat/templates/job-ks-user.yaml
new file mode 100644
index 0000000..bf23eeb
--- /dev/null
+++ b/charts/heat/templates/job-ks-user.yaml
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_user" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-1"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_user }}
+{{- $ksUserJob := dict "envAll" . "serviceName" "heat" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) }}
+{{- end }}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
+{{- end }}
diff --git a/charts/heat/templates/job-rabbit-init.yaml b/charts/heat/templates/job-rabbit-init.yaml
new file mode 100644
index 0000000..8da178b
--- /dev/null
+++ b/charts/heat/templates/job-rabbit-init.yaml
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.rabbit_init" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end }}
+
+{{- if .Values.manifests.job_rabbit_init }}
+{{- $rmqUserJob := dict "envAll" . "serviceName" "heat" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $rmqUserJob "tlsSecret" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $rmqUserJob "jobAnnotations" (include "metadata.annotations.job.rabbit_init" . | fromYaml) }}
+{{- end }}
+{{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }}
+{{- end }}
diff --git a/charts/heat/templates/job-trusts.yaml b/charts/heat/templates/job-trusts.yaml
new file mode 100644
index 0000000..afa6bde
--- /dev/null
+++ b/charts/heat/templates/job-trusts.yaml
@@ -0,0 +1,88 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- $envAll := . }}
+
+{{- $mounts_heat_trusts := .Values.pod.mounts.heat_trusts.heat_trusts }}
+{{- $mounts_heat_trusts_init := .Values.pod.mounts.heat_trusts.init_container }}
+
+{{- $serviceAccountName := "heat-trusts" }}
+{{ tuple $envAll "trusts" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: heat-trusts
+  labels:
+{{ tuple $envAll "heat" "trusts" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  annotations:
+{{- if .Values.helm3_hook }}
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
+{{- end }}
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "heat" "trusts" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "heat-trusts" "containerNames" (list "heat-trusts" "init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "trusts" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      restartPolicy: OnFailure
+      nodeSelector:
+        {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+      initContainers:
+{{ tuple $envAll "trusts" $mounts_heat_trusts_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: heat-trusts
+{{ tuple $envAll "ks_service" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.trusts | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "trusts" "container" "heat_trusts" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - bash
+            - /tmp/trusts.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: heat-bin
+              mountPath: /tmp/trusts.sh
+              subPath: trusts.sh
+              readOnly: true
+{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount"  | indent 12 }}
+{{ if $mounts_heat_trusts.volumeMounts }}{{ toYaml $mounts_heat_trusts.volumeMounts | indent 12 }}{{ end }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" $envAll.Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: SERVICE_OS_ROLES
+              value: {{ .Values.conf.heat.DEFAULT.trusts_delegated_roles }}
+            - name: SERVICE_OS_TRUSTEE
+              value: {{ .Values.endpoints.identity.auth.heat_trustee.username }}
+            - name: SERVICE_OS_TRUSTEE_DOMAIN
+              value: {{ .Values.endpoints.identity.auth.heat_trustee.user_domain_name }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: heat-bin
+          configMap:
+            name: heat-bin
+            defaultMode: 0555
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_heat_trusts.volumes }}{{ toYaml $mounts_heat_trusts.volumes | indent 8 }}{{ end }}
diff --git a/charts/heat/templates/network_policy.yaml b/charts/heat/templates/network_policy.yaml
new file mode 100644
index 0000000..d6a4809
--- /dev/null
+++ b/charts/heat/templates/network_policy.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "heat" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/charts/heat/templates/pdb-api.yaml b/charts/heat/templates/pdb-api.yaml
new file mode 100644
index 0000000..284e079
--- /dev/null
+++ b/charts/heat/templates/pdb-api.yaml
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pdb_api }}
+{{- $envAll := . }}
+---
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+  name: heat-api
+spec:
+  minAvailable: {{ .Values.pod.lifecycle.disruption_budget.api.min_available }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "heat" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{- end }}
diff --git a/charts/heat/templates/pdb-cfn.yaml b/charts/heat/templates/pdb-cfn.yaml
new file mode 100644
index 0000000..52a72fb
--- /dev/null
+++ b/charts/heat/templates/pdb-cfn.yaml
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pdb_cfn }}
+{{- $envAll := . }}
+---
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+  name: heat-cfn
+spec:
+  minAvailable: {{ .Values.pod.lifecycle.disruption_budget.cfn.min_available }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "heat" "cfn" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{- end }}
diff --git a/charts/heat/templates/pdb-cloudwatch.yaml b/charts/heat/templates/pdb-cloudwatch.yaml
new file mode 100644
index 0000000..a0b057b
--- /dev/null
+++ b/charts/heat/templates/pdb-cloudwatch.yaml
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pdb_cloudwatch }}
+{{- $envAll := . }}
+---
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+  name: heat-cloudwatch
+spec:
+  minAvailable: {{ .Values.pod.lifecycle.disruption_budget.cloudwatch.min_available }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "heat" "cloudwatch" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{- end }}
diff --git a/charts/heat/templates/pod-rally-test.yaml b/charts/heat/templates/pod-rally-test.yaml
new file mode 100644
index 0000000..9aa6373
--- /dev/null
+++ b/charts/heat/templates/pod-rally-test.yaml
@@ -0,0 +1,115 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pod_rally_test }}
+{{- $envAll := . }}
+
+{{- $mounts_tests := .Values.pod.mounts.heat_tests.heat_tests }}
+{{- $mounts_tests_init := .Values.pod.mounts.heat_tests.init_container }}
+
+{{- $serviceAccountName := print $envAll.Release.Name "-test" }}
+{{ tuple $envAll "tests" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: {{ print $envAll.Release.Name "-test" }}
+  labels:
+{{ tuple $envAll "heat" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  annotations:
+    "helm.sh/hook": test-success
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+  nodeSelector:
+    {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
+  restartPolicy: Never
+  serviceAccountName: {{ $serviceAccountName }}
+  initContainers:
+{{ tuple $envAll "tests" $mounts_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
+    - name: {{ .Release.Name }}-test-ks-user
+{{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.image" | indent 6 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+      command:
+        - /tmp/ks-user.sh
+      volumeMounts:
+        - name: pod-tmp
+          mountPath: /tmp
+        - name: heat-bin
+          mountPath: /tmp/ks-user.sh
+          subPath: ks-user.sh
+          readOnly: true
+{{- dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount"  | indent 8 }}
+      env:
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
+{{- end }}
+        - name: SERVICE_OS_SERVICE_NAME
+          value: "test"
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 8 }}
+{{- end }}
+        - name: SERVICE_OS_ROLE
+          value: {{ .Values.endpoints.identity.auth.test.role | quote }}
+  containers:
+    - name: {{ .Release.Name }}-test
+{{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+      env:
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
+{{- end }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 8 }}
+{{- end }}
+        - name: RALLY_ENV_NAME
+          value: {{.Release.Name}}
+      command:
+        - /tmp/rally-test.sh
+      volumeMounts:
+        - name: pod-tmp
+          mountPath: /tmp
+        - name: heat-etc
+          mountPath: /etc/rally/rally_tests.yaml
+          subPath: rally_tests.yaml
+          readOnly: true
+        - name: heat-bin
+          mountPath: /tmp/rally-test.sh
+          subPath: rally-test.sh
+          readOnly: true
+        - name: rally-db
+          mountPath: /var/lib/rally
+        {{- range $key, $value := $envAll.Values.conf.rally_tests.templates }}
+        - name: heat-etc
+          mountPath: {{ $value.name }}
+          subPath: {{ printf "test_template_%d" $key }}
+          readOnly: true
+        {{- end }}
+{{- dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount"  | indent 8 }}
+{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
+  volumes:
+    - name: pod-tmp
+      emptyDir: {}
+    - name: heat-etc
+      secret:
+        secretName: heat-etc
+        defaultMode: 0444
+    - name: heat-bin
+      configMap:
+        name: heat-bin
+        defaultMode: 0555
+    - name: rally-db
+      emptyDir: {}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
+{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
+{{- end }}
diff --git a/charts/heat/templates/secret-db.yaml b/charts/heat/templates/secret-db.yaml
new file mode 100644
index 0000000..ef020d1
--- /dev/null
+++ b/charts/heat/templates/secret-db.yaml
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_db }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "heat" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+{{- $connection := tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+{{- if $envAll.Values.manifests.certificates }}
+  DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
+{{- else }}
+  DB_CONNECTION: {{  $connection | b64enc -}}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/heat/templates/secret-ingress-tls.yaml b/charts/heat/templates/secret-ingress-tls.yaml
new file mode 100644
index 0000000..33707fa
--- /dev/null
+++ b/charts/heat/templates/secret-ingress-tls.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{ include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "orchestration" ) }}
+{{ include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "cfn" "backendServiceType" "cloudformation" ) }}
+{{- end }}
diff --git a/charts/heat/templates/secret-keystone.yaml b/charts/heat/templates/secret-keystone.yaml
new file mode 100644
index 0000000..d6758ce
--- /dev/null
+++ b/charts/heat/templates/secret-keystone.yaml
@@ -0,0 +1,40 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_keystone }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "heat" "heat_trustee" "test" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $envAll.Values.secrets.identity.heat_stack_user }}
+type: Opaque
+data:
+  OS_AUTH_URL: {{ tuple "identity" "internal" "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
+  OS_REGION_NAME: {{ .Values.endpoints.identity.auth.heat_stack_user.region_name | b64enc }}
+  OS_DOMAIN_NAME: {{ .Values.endpoints.identity.auth.heat_stack_user.domain_name | b64enc }}
+  OS_USERNAME: {{ .Values.endpoints.identity.auth.heat_stack_user.username | b64enc }}
+  OS_PASSWORD: {{ .Values.endpoints.identity.auth.heat_stack_user.password | b64enc }}
+{{- end }}
diff --git a/charts/heat/templates/secret-rabbitmq.yaml b/charts/heat/templates/secret-rabbitmq.yaml
new file mode 100644
index 0000000..ca1ea8c
--- /dev/null
+++ b/charts/heat/templates/secret-rabbitmq.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_rabbitmq }}
+{{- $envAll := . }}
+{{- $rabbitmqProtocol := "http" }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- $rabbitmqProtocol = "https" }}
+{{- end }}
+{{- range $key1, $userClass := tuple "admin" "heat" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+  RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass $rabbitmqProtocol $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/heat/templates/service-api.yaml b/charts/heat/templates/service-api.yaml
new file mode 100644
index 0000000..fd0aadf
--- /dev/null
+++ b/charts/heat/templates/service-api.yaml
@@ -0,0 +1,37 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service_api }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tuple "orchestration" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+  ports:
+    - name: h-api
+      port: {{ tuple "orchestration" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+    {{ if .Values.network.api.node_port.enabled }}
+      nodePort: {{ .Values.network.api.node_port.port }}
+    {{ end }}
+  selector:
+{{ tuple $envAll "heat" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  {{ if .Values.network.api.node_port.enabled }}
+  type: NodePort
+  {{ if .Values.network.api.external_policy_local }}
+  externalTrafficPolicy: Local
+  {{ end }}
+  {{ end }}
+{{- end }}
diff --git a/charts/heat/templates/service-cfn.yaml b/charts/heat/templates/service-cfn.yaml
new file mode 100644
index 0000000..568c1db
--- /dev/null
+++ b/charts/heat/templates/service-cfn.yaml
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service_cfn }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tuple "cloudformation" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+  ports:
+    - name: h-cfn
+      port: {{ tuple "cloudformation" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+    {{ if .Values.network.cfn.node_port.enabled }}
+      nodePort: {{ .Values.network.cfn.node_port.port }}
+    {{ end }}
+  selector:
+{{ tuple $envAll "heat" "cfn" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  {{ if .Values.network.cfn.node_port.enabled }}
+  type: NodePort
+  {{ end }}
+{{- end }}
diff --git a/charts/heat/templates/service-cloudwatch.yaml b/charts/heat/templates/service-cloudwatch.yaml
new file mode 100644
index 0000000..4978371
--- /dev/null
+++ b/charts/heat/templates/service-cloudwatch.yaml
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service_cloudwatch }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tuple "cloudwatch" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+  ports:
+    - name: h-cwh
+      port: {{ tuple "cloudwatch" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+    {{ if .Values.network.cloudwatch.node_port.enabled }}
+      nodePort: {{ .Values.network.cloudwatch.node_port.port }}
+    {{ end }}
+  selector:
+{{ tuple $envAll "heat" "cloudwatch" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  {{ if .Values.network.cloudwatch.node_port.enabled }}
+  type: NodePort
+  {{ end }}
+{{- end }}
diff --git a/charts/heat/templates/service-ingress-api.yaml b/charts/heat/templates/service-ingress-api.yaml
new file mode 100644
index 0000000..d4e9982
--- /dev/null
+++ b/charts/heat/templates/service-ingress-api.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_ingress_api .Values.network.api.ingress.public }}
+{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "orchestration" -}}
+{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
+{{- end }}
diff --git a/charts/heat/templates/service-ingress-cfn.yaml b/charts/heat/templates/service-ingress-cfn.yaml
new file mode 100644
index 0000000..41f6a87
--- /dev/null
+++ b/charts/heat/templates/service-ingress-cfn.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_ingress_cfn .Values.network.cfn.ingress.public }}
+{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "cloudformation" -}}
+{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
+{{- end }}
diff --git a/charts/heat/templates/service-ingress-cloudwatch.yaml b/charts/heat/templates/service-ingress-cloudwatch.yaml
new file mode 100644
index 0000000..1ebd9d6
--- /dev/null
+++ b/charts/heat/templates/service-ingress-cloudwatch.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_ingress_cloudwatch .Values.network.cloudwatch.ingress.public }}
+{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "cloudwatch" -}}
+{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
+{{- end }}
diff --git a/charts/heat/values.yaml b/charts/heat/values.yaml
new file mode 100644
index 0000000..58f786b
--- /dev/null
+++ b/charts/heat/values.yaml
@@ -0,0 +1,1338 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for heat.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+---
+release_group: null
+
+labels:
+  api:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  cfn:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  cloudwatch:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  engine:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  job:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  test:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+
+images:
+  tags:
+    test: docker.io/xrally/xrally-openstack:2.0.0
+    bootstrap: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+    db_init: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+    heat_db_sync: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+    db_drop: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+    rabbit_init: docker.io/rabbitmq:3.7-management
+    ks_user: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+    ks_service: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+    ks_endpoints: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+    heat_api: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+    heat_cfn: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+    heat_cloudwatch: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+    heat_engine: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+    heat_engine_cleaner: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+    heat_purge_deleted: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+    dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    image_repo_sync: docker.io/docker:17.07.0
+  pull_policy: "IfNotPresent"
+  local_registry:
+    active: false
+    exclude:
+      - dep_check
+      - image_repo_sync
+
+jobs:
+  engine_cleaner:
+    cron: "*/5 * * * *"
+    starting_deadline: 600
+    history:
+      success: 3
+      failed: 1
+
+  purge_deleted:
+    cron: "20 */24 * * *"
+    purge_age: 60
+    history:
+      success: 3
+      failed: 1
+
+conf:
+  rally_tests:
+    run_tempest: false
+    tests:
+      HeatStacks.create_update_delete_stack:
+        - args:
+            template_path: /tmp/rally-jobs/random_strings.yaml
+            updated_template_path: /tmp/rally-jobs/updated_random_strings_replace.yaml
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      HeatStacks.create_check_delete_stack:
+        - args:
+            template_path: /tmp/rally-jobs/random_strings.yaml
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      HeatStacks.create_and_delete_stack:
+        - args:
+            template_path: /tmp/rally-jobs/resource_group_with_constraint.yaml
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      HeatStacks.create_and_list_stack:
+        - args:
+            template_path: /tmp/rally-jobs/default.yaml
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      HeatStacks.create_snapshot_restore_delete_stack:
+        - args:
+            template_path: /tmp/rally-jobs/random_strings.yaml
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      HeatStacks.create_stack_and_list_output:
+        - args:
+            template_path: /tmp/rally-jobs/resource_group_with_outputs.yaml
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      HeatStacks.create_stack_and_list_output_via_API:
+        - args:
+            template_path: /tmp/rally-jobs/resource_group_with_outputs.yaml
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+    templates:
+      - name: /tmp/rally-jobs/default.yaml
+        template: |
+          heat_template_version: 2014-10-16
+      - name: /tmp/rally-jobs/random_strings.yaml
+        template: |
+          heat_template_version: 2014-10-16
+          description: Test template for rally create-update-delete scenario
+          resources:
+            test_string_one:
+              type: OS::Heat::RandomString
+              properties:
+                length: 20
+            test_string_two:
+              type: OS::Heat::RandomString
+              properties:
+                length: 20
+      - name: /tmp/rally-jobs/resource_group_with_constraint.yaml
+        template: |
+          heat_template_version: 2013-05-23
+          description: Template for testing caching.
+          parameters:
+            count:
+              type: number
+              default: 40
+            delay:
+              type: number
+              default: 0.1
+          resources:
+            rg:
+              type: OS::Heat::ResourceGroup
+              properties:
+                count:
+                  get_param: count
+                resource_def:
+                    type: OS::Heat::TestResource
+                    properties:
+                      constraint_prop_secs:
+                        get_param: delay
+      - name: /tmp/rally-jobs/resource_group_with_outputs.yaml
+        template: |
+          heat_template_version: 2013-05-23
+          parameters:
+            attr_wait_secs:
+              type: number
+              default: 0.5
+          resources:
+            rg:
+              type: OS::Heat::ResourceGroup
+              properties:
+                count: 10
+                resource_def:
+                  type: OS::Heat::TestResource
+                  properties:
+                    attr_wait_secs:
+                      get_param: attr_wait_secs
+          outputs:
+            val1:
+              value:
+                get_attr:
+                  - rg
+                  - resource.0.output
+            val2:
+              value:
+                get_attr:
+                  - rg
+                  - resource.1.output
+            val3:
+              value:
+                get_attr:
+                  - rg
+                  - resource.2.output
+            val4:
+              value:
+                get_attr:
+                  - rg
+                  - resource.3.output
+            val5:
+              value:
+                get_attr:
+                  - rg
+                  - resource.4.output
+            val6:
+              value:
+                get_attr:
+                  - rg
+                  - resource.5.output
+            val7:
+              value:
+                get_attr:
+                  - rg
+                  - resource.6.output
+            val8:
+              value:
+                get_attr:
+                  - rg
+                  - resource.7.output
+            val9:
+              value:
+                get_attr:
+                  - rg
+                  - resource.8.output
+            val10:
+              value:
+                get_attr:
+                  - rg
+                  - resource.9.output
+      - name: /tmp/rally-jobs/updated_random_strings_replace.yaml
+        template: |
+          heat_template_version: 2014-10-16
+          description: |
+            Test template for create-update-delete-stack scenario in rally.
+            The template deletes one resource from the stack defined by
+            random-strings.yaml.template and re-creates it with the updated parameters
+            (so-called update-replace). That happens because some parameters cannot be
+            changed without resource re-creation. The template allows to measure performance
+            of update-replace operation.
+          resources:
+            test_string_one:
+              type: OS::Heat::RandomString
+              properties:
+                length: 20
+            test_string_two:
+              type: OS::Heat::RandomString
+              properties:
+                length: 40
+  paste:
+    pipeline:heat-api:
+      pipeline: cors request_id faultwrap http_proxy_to_wsgi versionnegotiation osprofiler authurl authtoken audit context apiv1app
+    pipeline:heat-api-standalone:
+      pipeline: cors request_id faultwrap http_proxy_to_wsgi versionnegotiation authurl authpassword context apiv1app
+    pipeline:heat-api-custombackend:
+      pipeline: cors request_id faultwrap versionnegotiation context custombackendauth apiv1app
+    pipeline:heat-api-cfn:
+      pipeline: cors http_proxy_to_wsgi cfnversionnegotiation osprofiler ec2authtoken authtoken audit context apicfnv1app
+    pipeline:heat-api-cfn-standalone:
+      pipeline: cors http_proxy_to_wsgi cfnversionnegotiation ec2authtoken context apicfnv1app
+    pipeline:heat-api-cloudwatch:
+      pipeline: cors versionnegotiation osprofiler ec2authtoken authtoken audit context apicwapp
+    pipeline:heat-api-cloudwatch-standalone:
+      pipeline: cors versionnegotiation ec2authtoken context apicwapp
+    app:apiv1app:
+      paste.app_factory: heat.common.wsgi:app_factory
+      heat.app_factory: heat.api.openstack.v1:API
+    app:apicfnv1app:
+      paste.app_factory: heat.common.wsgi:app_factory
+      heat.app_factory: heat.api.cfn.v1:API
+    app:apicwapp:
+      paste.app_factory: heat.common.wsgi:app_factory
+      heat.app_factory: heat.api.cloudwatch:API
+    filter:versionnegotiation:
+      paste.filter_factory: heat.common.wsgi:filter_factory
+      heat.filter_factory: heat.api.openstack:version_negotiation_filter
+    filter:cors:
+      paste.filter_factory: oslo_middleware.cors:filter_factory
+      oslo_config_project: heat
+    filter:faultwrap:
+      paste.filter_factory: heat.common.wsgi:filter_factory
+      heat.filter_factory: heat.api.openstack:faultwrap_filter
+    filter:cfnversionnegotiation:
+      paste.filter_factory: heat.common.wsgi:filter_factory
+      heat.filter_factory: heat.api.cfn:version_negotiation_filter
+    filter:cwversionnegotiation:
+      paste.filter_factory: heat.common.wsgi:filter_factory
+      heat.filter_factory: heat.api.cloudwatch:version_negotiation_filter
+    filter:context:
+      paste.filter_factory: heat.common.context:ContextMiddleware_filter_factory
+    filter:ec2authtoken:
+      paste.filter_factory: heat.api.aws.ec2token:EC2Token_filter_factory
+    filter:http_proxy_to_wsgi:
+      paste.filter_factory: oslo_middleware:HTTPProxyToWSGI.factory
+    filter:authurl:
+      paste.filter_factory: heat.common.auth_url:filter_factory
+    filter:authtoken:
+      paste.filter_factory: keystonemiddleware.auth_token:filter_factory
+    filter:authpassword:
+      paste.filter_factory: heat.common.auth_password:filter_factory
+    filter:custombackendauth:
+      paste.filter_factory: heat.common.custom_backend_auth:filter_factory
+    filter:audit:
+      paste.filter_factory: keystonemiddleware.audit:filter_factory
+      audit_map_file: /etc/heat/api_audit_map.conf
+    filter:request_id:
+      paste.filter_factory: oslo_middleware.request_id:RequestId.factory
+    filter:osprofiler:
+      paste.filter_factory: osprofiler.web:WsgiMiddleware.factory
+  policy:
+    context_is_admin: role:admin and is_admin_project:True
+    project_admin: role:admin
+    deny_stack_user: not role:heat_stack_user
+    deny_everybody: "!"
+    cloudformation:ListStacks: rule:deny_stack_user
+    cloudformation:CreateStack: rule:deny_stack_user
+    cloudformation:DescribeStacks: rule:deny_stack_user
+    cloudformation:DeleteStack: rule:deny_stack_user
+    cloudformation:UpdateStack: rule:deny_stack_user
+    cloudformation:CancelUpdateStack: rule:deny_stack_user
+    cloudformation:DescribeStackEvents: rule:deny_stack_user
+    cloudformation:ValidateTemplate: rule:deny_stack_user
+    cloudformation:GetTemplate: rule:deny_stack_user
+    cloudformation:EstimateTemplateCost: rule:deny_stack_user
+    cloudformation:DescribeStackResource: ''
+    cloudformation:DescribeStackResources: rule:deny_stack_user
+    cloudformation:ListStackResources: rule:deny_stack_user
+    cloudwatch:DeleteAlarms: rule:deny_stack_user
+    cloudwatch:DescribeAlarmHistory: rule:deny_stack_user
+    cloudwatch:DescribeAlarms: rule:deny_stack_user
+    cloudwatch:DescribeAlarmsForMetric: rule:deny_stack_user
+    cloudwatch:DisableAlarmActions: rule:deny_stack_user
+    cloudwatch:EnableAlarmActions: rule:deny_stack_user
+    cloudwatch:GetMetricStatistics: rule:deny_stack_user
+    cloudwatch:ListMetrics: rule:deny_stack_user
+    cloudwatch:PutMetricAlarm: rule:deny_stack_user
+    cloudwatch:PutMetricData: ''
+    cloudwatch:SetAlarmState: rule:deny_stack_user
+    actions:action: rule:deny_stack_user
+    build_info:build_info: rule:deny_stack_user
+    events:index: rule:deny_stack_user
+    events:show: rule:deny_stack_user
+    resource:index: rule:deny_stack_user
+    resource:metadata: ''
+    resource:signal: ''
+    resource:mark_unhealthy: rule:deny_stack_user
+    resource:show: rule:deny_stack_user
+    stacks:abandon: rule:deny_stack_user
+    stacks:create: rule:deny_stack_user
+    stacks:delete: rule:deny_stack_user
+    stacks:detail: rule:deny_stack_user
+    stacks:export: rule:deny_stack_user
+    stacks:generate_template: rule:deny_stack_user
+    stacks:global_index: rule:deny_everybody
+    stacks:index: rule:deny_stack_user
+    stacks:list_resource_types: rule:deny_stack_user
+    stacks:list_template_versions: rule:deny_stack_user
+    stacks:list_template_functions: rule:deny_stack_user
+    stacks:lookup: ''
+    stacks:preview: rule:deny_stack_user
+    stacks:resource_schema: rule:deny_stack_user
+    stacks:show: rule:deny_stack_user
+    stacks:template: rule:deny_stack_user
+    stacks:environment: rule:deny_stack_user
+    stacks:files: rule:deny_stack_user
+    stacks:update: rule:deny_stack_user
+    stacks:update_patch: rule:deny_stack_user
+    stacks:preview_update: rule:deny_stack_user
+    stacks:preview_update_patch: rule:deny_stack_user
+    stacks:validate_template: rule:deny_stack_user
+    stacks:snapshot: rule:deny_stack_user
+    stacks:show_snapshot: rule:deny_stack_user
+    stacks:delete_snapshot: rule:deny_stack_user
+    stacks:list_snapshots: rule:deny_stack_user
+    stacks:restore_snapshot: rule:deny_stack_user
+    stacks:list_outputs: rule:deny_stack_user
+    stacks:show_output: rule:deny_stack_user
+    software_configs:global_index: rule:deny_everybody
+    software_configs:index: rule:deny_stack_user
+    software_configs:create: rule:deny_stack_user
+    software_configs:show: rule:deny_stack_user
+    software_configs:delete: rule:deny_stack_user
+    software_deployments:index: rule:deny_stack_user
+    software_deployments:create: rule:deny_stack_user
+    software_deployments:show: rule:deny_stack_user
+    software_deployments:update: rule:deny_stack_user
+    software_deployments:delete: rule:deny_stack_user
+    software_deployments:metadata: ''
+    service:index: rule:context_is_admin
+    resource_types:OS::Nova::Flavor: rule:project_admin
+    resource_types:OS::Cinder::EncryptedVolumeType: rule:project_admin
+    resource_types:OS::Cinder::VolumeType: rule:project_admin
+    resource_types:OS::Cinder::Quota: rule:project_admin
+    resource_types:OS::Manila::ShareType: rule:project_admin
+    resource_types:OS::Neutron::QoSPolicy: rule:project_admin
+    resource_types:OS::Neutron::QoSBandwidthLimitRule: rule:project_admin
+    resource_types:OS::Nova::HostAggregate: rule:project_admin
+    resource_types:OS::Cinder::QoSSpecs: rule:project_admin
+  heat:
+    DEFAULT:
+      log_config_append: /etc/heat/logging.conf
+      num_engine_workers: 1
+      trusts_delegated_roles: ""
+      host: heat-engine
+    keystone_authtoken:
+      auth_type: password
+      auth_version: v3
+      memcache_security_strategy: ENCRYPT
+    database:
+      max_retries: -1
+    trustee:
+      auth_type: password
+      auth_version: v3
+    heat_api:
+      # NOTE(portdirect): the bind port should not be defined, and is manipulated
+      # via the endpoints section.
+      bind_port: null
+      workers: 1
+    heat_api_cloudwatch:
+      # NOTE(portdirect): the bind port should not be defined, and is manipulated
+      # via the endpoints section.
+      bind_port: null
+      workers: 1
+    heat_api_cfn:
+      # NOTE(portdirect): the bind port should not be defined, and is manipulated
+      # via the endpoints section.
+      bind_port: null
+      workers: 1
+    paste_deploy:
+      api_paste_config: /etc/heat/api-paste.ini
+    clients:
+      endpoint_type: internalURL
+    clients_heat:
+      endpoint_type: publicURL
+    clients_keystone:
+      endpoint_type: internalURL
+    oslo_messaging_notifications:
+      driver: messagingv2
+    oslo_middleware:
+      enable_proxy_headers_parsing: true
+    oslo_messaging_rabbit:
+      rabbit_ha_queues: True
+    oslo_policy:
+      policy_file: /etc/heat/policy.yaml
+  api_audit_map:
+    DEFAULT:
+      target_endpoint_type: None
+    path_keywords:
+      stacks: stack
+      resources: resource
+      preview: None
+      detail: None
+      abandon: None
+      snapshots: snapshot
+      restore: None
+      outputs: output
+      metadata: server
+      signal: None
+      events: event
+      template: None
+      template_versions: template_version
+      functions: None
+      validate: None
+      resource_types: resource_type
+      build_info: None
+      actions: None
+      software_configs: software_config
+      software_deployments: software_deployment
+      services: None
+    service_endpoints:
+      orchestration:service/orchestration
+  logging:
+    loggers:
+      keys:
+        - root
+        - heat
+    handlers:
+      keys:
+        - stdout
+        - stderr
+        - "null"
+    formatters:
+      keys:
+        - context
+        - default
+    logger_root:
+      level: WARNING
+      handlers: 'null'
+    logger_heat:
+      level: INFO
+      handlers:
+        - stdout
+      qualname: heat
+    logger_amqp:
+      level: WARNING
+      handlers: stderr
+      qualname: amqp
+    logger_amqplib:
+      level: WARNING
+      handlers: stderr
+      qualname: amqplib
+    logger_eventletwsgi:
+      level: WARNING
+      handlers: stderr
+      qualname: eventlet.wsgi.server
+    logger_sqlalchemy:
+      level: WARNING
+      handlers: stderr
+      qualname: sqlalchemy
+    logger_boto:
+      level: WARNING
+      handlers: stderr
+      qualname: boto
+    handler_null:
+      class: logging.NullHandler
+      formatter: default
+      args: ()
+    handler_stdout:
+      class: StreamHandler
+      args: (sys.stdout,)
+      formatter: context
+    handler_stderr:
+      class: StreamHandler
+      args: (sys.stderr,)
+      formatter: context
+    formatter_context:
+      class: oslo_log.formatters.ContextFormatter
+      datefmt: "%Y-%m-%d %H:%M:%S"
+    formatter_default:
+      format: "%(message)s"
+      datefmt: "%Y-%m-%d %H:%M:%S"
+
+  rabbitmq:
+    # NOTE(rk760n): adding rmq policy to mirror messages from notification queues and set expiration time for the ones
+    policies:
+      - vhost: "heat"
+        name: "ha_ttl_heat"
+        definition:
+          # mirror messges to other nodes in rmq cluster
+          ha-mode: "all"
+          ha-sync-mode: "automatic"
+          # 70s
+          message-ttl: 70000
+        priority: 0
+        apply-to: all
+        pattern: '^(?!(amq\.|reply_)).*'
+
+network:
+  api:
+    ingress:
+      public: true
+      classes:
+        namespace: "nginx"
+        cluster: "nginx-cluster"
+      annotations:
+        nginx.ingress.kubernetes.io/rewrite-target: /
+    external_policy_local: false
+    node_port:
+      enabled: false
+      port: 30004
+  cfn:
+    ingress:
+      public: true
+      classes:
+        namespace: "nginx"
+        cluster: "nginx-cluster"
+      annotations:
+        nginx.ingress.kubernetes.io/rewrite-target: /
+    node_port:
+      enabled: false
+      port: 30800
+  cloudwatch:
+    ingress:
+      public: true
+      classes:
+        namespace: "nginx"
+        cluster: "nginx-cluster"
+      annotations:
+        nginx.ingress.kubernetes.io/rewrite-target: /
+    node_port:
+      enabled: false
+      port: 30003
+
+bootstrap:
+  enabled: true
+  ks_user: admin
+  script: |
+    #NOTE(portdirect): The Orchestration service automatically assigns the
+    # 'heat_stack_user' role to users that it creates during stack deployment.
+    # By default, this role restricts API operations. To avoid conflicts, do
+    # not add this role to actual users.
+    openstack role create --or-show heat_stack_user
+
+dependencies:
+  dynamic:
+    common:
+      local_image_registry:
+        jobs:
+          - heat-image-repo-sync
+        services:
+          - endpoint: node
+            service: local_image_registry
+  static:
+    api:
+      jobs:
+        - heat-db-sync
+        - heat-rabbit-init
+        - heat-ks-user
+        - heat-trustee-ks-user
+        - heat-domain-ks-user
+        - heat-ks-endpoints
+        - heat-bootstrap
+      services:
+        - endpoint: internal
+          service: oslo_db
+        - endpoint: internal
+          service: oslo_messaging
+        - endpoint: internal
+          service: identity
+    cfn:
+      jobs:
+        - heat-db-sync
+        - heat-rabbit-init
+        - heat-ks-user
+        - heat-trustee-ks-user
+        - heat-domain-ks-user
+        - heat-ks-endpoints
+        - heat-bootstrap
+      services:
+        - endpoint: internal
+          service: oslo_db
+        - endpoint: internal
+          service: oslo_messaging
+        - endpoint: internal
+          service: identity
+    cloudwatch:
+      jobs:
+        - heat-db-sync
+        - heat-rabbit-init
+        - heat-ks-user
+        - heat-trustee-ks-user
+        - heat-domain-ks-user
+        - heat-ks-endpoints
+        - heat-bootstrap
+      services:
+        - endpoint: internal
+          service: oslo_db
+        - endpoint: internal
+          service: oslo_messaging
+        - endpoint: internal
+          service: identity
+    db_drop:
+      services:
+        - endpoint: internal
+          service: oslo_db
+    db_init:
+      services:
+        - endpoint: internal
+          service: oslo_db
+    db_sync:
+      jobs:
+        - heat-db-init
+      services:
+        - endpoint: internal
+          service: oslo_db
+    bootstrap:
+      services:
+        - endpoint: internal
+          service: identity
+    engine:
+      jobs:
+        - heat-db-sync
+        - heat-rabbit-init
+        - heat-ks-user
+        - heat-trustee-ks-user
+        - heat-domain-ks-user
+        - heat-ks-endpoints
+        - heat-bootstrap
+      services:
+        - endpoint: internal
+          service: oslo_db
+        - endpoint: internal
+          service: oslo_messaging
+        - endpoint: internal
+          service: identity
+    engine_cleaner:
+      jobs:
+        - heat-db-sync
+        - heat-ks-user
+        - heat-trustee-ks-user
+        - heat-domain-ks-user
+        - heat-ks-endpoints
+      services:
+        - endpoint: internal
+          service: oslo_db
+        - endpoint: internal
+          service: oslo_messaging
+        - endpoint: internal
+          service: identity
+    purge_deleted:
+      jobs:
+        - heat-db-sync
+        - heat-ks-user
+        - heat-trustee-ks-user
+        - heat-domain-ks-user
+        - heat-ks-endpoints
+      services:
+        - endpoint: internal
+          service: oslo_db
+        - endpoint: internal
+          service: oslo_messaging
+        - endpoint: internal
+          service: identity
+    ks_endpoints:
+      jobs:
+        - heat-ks-service
+      services:
+        - endpoint: internal
+          service: identity
+    ks_service:
+      services:
+        - endpoint: internal
+          service: identity
+    ks_user:
+      services:
+        - endpoint: internal
+          service: identity
+    rabbit_init:
+      services:
+        - endpoint: internal
+          service: oslo_messaging
+    trusts:
+      jobs:
+        - heat-ks-user
+        - heat-trustee-ks-user
+        - heat-domain-ks-user
+      services:
+        - endpoint: internal
+          service: identity
+    image_repo_sync:
+      services:
+        - endpoint: internal
+          service: local_image_registry
+    tests:
+      services:
+        - endpoint: internal
+          service: identity
+        - endpoint: internal
+          service: orchestration
+
+# Names of secrets used by bootstrap and environmental checks
+secrets:
+  identity:
+    admin: heat-keystone-admin
+    heat: heat-keystone-user
+    heat_trustee: heat-keystone-trustee
+    heat_stack_user: heat-keystone-stack-user
+    test: heat-keystone-test
+  oslo_db:
+    admin: heat-db-admin
+    heat: heat-db-user
+  oslo_messaging:
+    admin: heat-rabbitmq-admin
+    heat: heat-rabbitmq-user
+  tls:
+    orchestration:
+      api:
+        public: heat-tls-public
+        internal: heat-tls-api
+    cloudformation:
+      cfn:
+        public: cloudformation-tls-public
+        internal: heat-tls-cfn
+# typically overridden by environmental
+# values, but should include all endpoints
+# required by this chart
+endpoints:
+  cluster_domain_suffix: cluster.local
+  local_image_registry:
+    name: docker-registry
+    namespace: docker-registry
+    hosts:
+      default: localhost
+      internal: docker-registry
+      node: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        node: 5000
+  identity:
+    name: keystone
+    auth:
+      admin:
+        region_name: RegionOne
+        username: admin
+        password: password
+        project_name: admin
+        user_domain_name: default
+        project_domain_name: default
+      heat:
+        role: admin
+        region_name: RegionOne
+        username: heat
+        password: password
+        project_name: service
+        user_domain_name: service
+        project_domain_name: service
+      heat_trustee:
+        role: admin
+        region_name: RegionOne
+        username: heat-trust
+        password: password
+        project_name: service
+        user_domain_name: service
+        project_domain_name: service
+      heat_stack_user:
+        role: admin
+        region_name: RegionOne
+        username: heat-domain
+        password: password
+        domain_name: heat
+      test:
+        role: admin
+        region_name: RegionOne
+        username: heat-test
+        password: password
+        project_name: test
+        user_domain_name: service
+        project_domain_name: service
+    hosts:
+      default: keystone
+      internal: keystone-api
+    host_fqdn_override:
+      default: null
+    path:
+      default: /v3
+    scheme:
+      default: 'http'
+    port:
+      api:
+        default: 80
+        internal: 5000
+  orchestration:
+    name: heat
+    hosts:
+      default: heat-api
+      public: heat
+    host_fqdn_override:
+      default: null
+      # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
+      # endpoints using the following format:
+      # public:
+      #   host: null
+      #   tls:
+      #     crt: null
+      #     key: null
+    path:
+      default: '/v1/%(project_id)s'
+    scheme:
+      default: 'http'
+    port:
+      api:
+        default: 8004
+        public: 80
+  cloudformation:
+    name: heat-cfn
+    hosts:
+      default: heat-cfn
+      public: cloudformation
+    host_fqdn_override:
+      default: null
+      # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
+      # endpoints using the following format:
+      # public:
+      #   host: null
+      #   tls:
+      #     crt: null
+      #     key: null
+    path:
+      default: /v1
+    scheme:
+      default: 'http'
+    port:
+      api:
+        default: 8000
+        public: 80
+  # Cloudwatch does not get an entry in the keystone service catalog
+  cloudwatch:
+    name: heat-cloudwatch
+    hosts:
+      default: heat-cloudwatch
+      public: cloudwatch
+    host_fqdn_override:
+      default: null
+    path:
+      default: null
+    type: null
+    scheme:
+      default: 'http'
+    port:
+      api:
+        default: 8003
+        public: 80
+  oslo_db:
+    auth:
+      admin:
+        username: root
+        password: password
+        secret:
+          tls:
+            internal: mariadb-tls-direct
+      heat:
+        username: heat
+        password: password
+    hosts:
+      default: mariadb
+    host_fqdn_override:
+      default: null
+    path: /heat
+    scheme: mysql+pymysql
+    port:
+      mysql:
+        default: 3306
+  oslo_cache:
+    auth:
+      # NOTE(portdirect): this is used to define the value for keystone
+      # authtoken cache encryption key, if not set it will be populated
+      # automatically with a random value, but to take advantage of
+      # this feature all services should be set to use the same key,
+      # and memcache service.
+      memcache_secret_key: null
+    hosts:
+      default: memcached
+    host_fqdn_override:
+      default: null
+    port:
+      memcache:
+        default: 11211
+  oslo_messaging:
+    auth:
+      admin:
+        username: rabbitmq
+        password: password
+        secret:
+          tls:
+            internal: rabbitmq-tls-direct
+      heat:
+        username: heat
+        password: password
+    statefulset:
+      replicas: 2
+      name: rabbitmq-rabbitmq
+    hosts:
+      default: rabbitmq
+    host_fqdn_override:
+      default: null
+    path: /heat
+    scheme: rabbit
+    port:
+      amqp:
+        default: 5672
+      http:
+        default: 15672
+  fluentd:
+    namespace: null
+    name: fluentd
+    hosts:
+      default: fluentd-logging
+    host_fqdn_override:
+      default: null
+    path:
+      default: null
+    scheme: 'http'
+    port:
+      service:
+        default: 24224
+      metrics:
+        default: 24220
+  # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
+  # They are using to enable the Egress K8s network policy.
+  kube_dns:
+    namespace: kube-system
+    name: kubernetes-dns
+    hosts:
+      default: kube-dns
+    host_fqdn_override:
+      default: null
+    path:
+      default: null
+    scheme: http
+    port:
+      dns:
+        default: 53
+        protocol: UDP
+  ingress:
+    namespace: null
+    name: ingress
+    hosts:
+      default: ingress
+    port:
+      ingress:
+        default: 80
+
+pod:
+  security_context:
+    heat:
+      pod:
+        runAsUser: 42424
+      container:
+        heat_api:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+        heat_cfn:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+        heat_cloudwatch:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+        heat_engine:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+    trusts:
+      pod:
+        runAsUser: 42424
+      container:
+        heat_trusts:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+    ks_user:
+      pod:
+        runAsUser: 42424
+      container:
+        heat_ks_domain_user:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+    engine_cleaner:
+      pod:
+        runAsUser: 42424
+      container:
+        heat_engine_cleaner:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+  affinity:
+    anti:
+      type:
+        default: preferredDuringSchedulingIgnoredDuringExecution
+      topologyKey:
+        default: kubernetes.io/hostname
+      weight:
+        default: 10
+  mounts:
+    heat_api:
+      init_container: null
+      heat_api:
+        volumeMounts:
+        volumes:
+    heat_cfn:
+      init_container: null
+      heat_cfn:
+        volumeMounts:
+        volumes:
+    heat_cloudwatch:
+      init_container: null
+      heat_cloudwatch:
+        volumeMounts:
+        volumes:
+    heat_engine:
+      init_container: null
+      heat_engine:
+        volumeMounts:
+        volumes:
+    heat_bootstrap:
+      init_container: null
+      heat_bootstrap:
+        volumeMounts:
+        volumes:
+    heat_trusts:
+      init_container: null
+      heat_trusts:
+        volumeMounts:
+        volumes:
+    heat_engine_cleaner:
+      init_container: null
+      heat_engine_cleaner:
+        volumeMounts:
+        volumes:
+    heat_purge_deleted:
+      init_container: null
+      heat_purge_deleted:
+        volumeMounts:
+        volumes:
+    heat_tests:
+      init_container: null
+      heat_tests:
+        volumeMounts:
+        volumes:
+    heat_db_sync:
+      heat_db_sync:
+        volumeMounts:
+        volumes:
+  replicas:
+    api: 1
+    cfn: 1
+    cloudwatch: 1
+    engine: 1
+  lifecycle:
+    upgrades:
+      deployments:
+        revision_history: 3
+        pod_replacement_strategy: RollingUpdate
+        rolling_update:
+          max_unavailable: 1
+          max_surge: 3
+    disruption_budget:
+      api:
+        min_available: 0
+      cfn:
+        min_available: 0
+      cloudwatch:
+        min_available: 0
+    termination_grace_period:
+      api:
+        timeout: 30
+      cfn:
+        timeout: 30
+      cloudwatch:
+        timeout: 30
+      engine:
+        timeout: 30
+  resources:
+    enabled: false
+    api:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+    cfn:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+    cloudwatch:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+    engine:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+    jobs:
+      bootstrap:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      db_init:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      db_sync:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      db_drop:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      ks_endpoints:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      ks_service:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      ks_user:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      rabbit_init:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      tests:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      trusts:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      engine_cleaner:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      purge_deleted:
+        requests:
+          memory: "124Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      image_repo_sync:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+
+network_policy:
+  heat:
+    ingress:
+      - {}
+    egress:
+      - {}
+
+# NOTE(helm_hook): helm_hook might break for helm2 binary.
+# set helm3_hook: false when using the helm2 binary.
+helm3_hook: true
+
+manifests:
+  certificates: false
+  configmap_bin: true
+  configmap_etc: true
+  cron_job_engine_cleaner: true
+  cron_job_purge_deleted: true
+  deployment_api: true
+  deployment_cfn: true
+  deployment_cloudwatch: false
+  deployment_engine: true
+  ingress_api: true
+  ingress_cfn: true
+  ingress_cloudwatch: false
+  job_bootstrap: true
+  job_db_init: true
+  job_db_sync: true
+  job_db_drop: false
+  job_image_repo_sync: true
+  job_ks_endpoints: true
+  job_ks_service: true
+  job_ks_user_domain: true
+  job_ks_user_trustee: true
+  job_ks_user: true
+  job_rabbit_init: true
+  pdb_api: true
+  pdb_cfn: true
+  pdb_cloudwatch: false
+  pod_rally_test: true
+  network_policy: false
+  secret_db: true
+  secret_ingress_tls: true
+  secret_keystone: true
+  secret_rabbitmq: true
+  service_api: true
+  service_cfn: true
+  service_cloudwatch: false
+  service_ingress_api: true
+  service_ingress_cfn: true
+  service_ingress_cloudwatch: false
+  statefulset_engine: false
+...
diff --git a/charts/horizon/.helmignore b/charts/horizon/.helmignore
new file mode 100644
index 0000000..b54c347
--- /dev/null
+++ b/charts/horizon/.helmignore
@@ -0,0 +1 @@
+values_overrides
diff --git a/charts/horizon/Chart.yaml b/charts/horizon/Chart.yaml
new file mode 100644
index 0000000..40de3cb
--- /dev/null
+++ b/charts/horizon/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Horizon
+home: https://docs.openstack.org/horizon/latest/
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/Horizon/OpenStack_Project_Horizon_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: horizon
+sources:
+- https://opendev.org/openstack/horizon
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.24
diff --git a/charts/horizon/charts/helm-toolkit/Chart.yaml b/charts/horizon/charts/helm-toolkit/Chart.yaml
new file mode 100644
index 0000000..d90280e
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Helm-Toolkit
+home: https://docs.openstack.org/openstack-helm
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: helm-toolkit
+sources:
+- https://opendev.org/openstack/openstack-helm-infra
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.44
diff --git a/charts/horizon/charts/helm-toolkit/requirements.yaml b/charts/horizon/charts/helm-toolkit/requirements.yaml
new file mode 100644
index 0000000..27fb08a
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/requirements.yaml
@@ -0,0 +1,15 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies: []
+...
diff --git a/charts/horizon/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl b/charts/horizon/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..12b84de
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
@@ -0,0 +1,58 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves database, or basic auth, style endpoints
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      auth:
+        admin:
+          username: root
+          password: password
+        service_username:
+          username: username
+          password: password
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+      path: /dbname
+      scheme: mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "service_username" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+return: |
+  mysql+pymysql://serviceuser:password@mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s:%s@%s:%s%s" $endpointScheme $endpointUser $endpointPass $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl b/charts/horizon/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..b7cf287
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
@@ -0,0 +1,121 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves endpoint string suitible for use with oslo.messaging transport url
+  See: https://docs.openstack.org/oslo.messaging/latest/reference/transport.html#oslo_messaging.TransportURL
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset:
+            replicas: 2
+            name: rabbitmq-rabbitmq
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: null
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq-rabbitmq-0.rabbitmq.default.svc.cluster.local:5672,cinder:password@rabbitmq-rabbitmq-1.rabbitmq.default.svc.cluster.local:5672/cinder
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset: null
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: null
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq.default.svc.cluster.local:5672/cinder
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset:
+            replicas: 2
+            name: rabbitmq-rabbitmq
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: rabbitmq.openstackhelm.org
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq.openstackhelm.org:5672/cinder
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" -}}
+{{-   $type := index . 0 -}}
+{{-   $endpoint := index . 1 -}}
+{{-   $userclass := index . 2 -}}
+{{-   $port := index . 3 -}}
+{{-   $context := index . 4 -}}
+{{-   $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{-   $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{-   $ssMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "statefulset" | default false}}
+{{-   $hostFqdnOverride := index $context.Values.endpoints ( $type | replace "-" "_" ) "host_fqdn_override" }}
+{{-   $endpointUser := index $userMap "username" }}
+{{-   $endpointPass := index $userMap "password" }}
+{{-   $endpointHostSuffix := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{-   $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{-   $local := dict "endpointCredsAndHosts" list -}}
+{{-   if not (or (index $hostFqdnOverride $endpoint | default ( index $hostFqdnOverride "default" ) ) ( not $ssMap ) ) }}
+{{-     $endpointHostPrefix := $ssMap.name }}
+{{-     range $podInt := until ( atoi (print $ssMap.replicas ) ) }}
+{{-       $endpointCredAndHost := printf "%s:%s@%s-%d.%s:%s" $endpointUser $endpointPass $endpointHostPrefix $podInt $endpointHostSuffix $endpointPort }}
+{{-       $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{-     end }}
+{{-   else }}
+{{-     $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{-     $endpointCredAndHost := printf "%s:%s@%s:%s" $endpointUser $endpointPass $endpointHost $endpointPort }}
+{{-     $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{-   end }}
+{{-   $endpointCredsAndHosts := include "helm-toolkit.utils.joinListWithComma" $local.endpointCredsAndHosts }}
+{{-   $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{-   printf "%s://%s%s" $endpointScheme $endpointCredsAndHosts $endpointPath }}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl b/charts/horizon/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
new file mode 100644
index 0000000..fb8bbe7
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves either the fully qualified hostname, of if defined in the host field
+  IPv4 for an endpoint.
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default:
+             host: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: 127.0.0.1
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      127.0.0.1
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default:
+             host: 127.0.0.1
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      127.0.0.1
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_host_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl b/charts/horizon/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
new file mode 100644
index 0000000..447efe7
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
@@ -0,0 +1,41 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the port for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+return: |
+  3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_port_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- $endpointPortMAP := index $endpointMap.port $port }}
+{{- $endpointPort := index $endpointPortMAP $endpoint | default ( index $endpointPortMAP "default" ) }}
+{{- printf "%1.f" $endpointPort -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl b/charts/horizon/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
new file mode 100644
index 0000000..3a268c0
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
@@ -0,0 +1,36 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Gets the token for an endpoint
+values: |
+  endpoints:
+    keystone:
+      auth:
+        admin:
+          token: zh78JzXgw6YUKy2e
+usage: |
+  {{ tuple "keystone" "admin" . | include "helm-toolkit.endpoints.endpoint_token_lookup" }}
+return: |
+  zh78JzXgw6YUKy2e
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_token_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $userName := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" }}
+{{- printf "%s" $serviceToken -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl b/charts/horizon/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..6877b7b
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
@@ -0,0 +1,59 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves 'hostname:port' for an endpoint
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+          port:
+            mysql:
+              default: 3306
+    usage: |
+      {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local:3306
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: 127.0.0.1
+          host_fqdn_override:
+            default: null
+          port:
+            mysql:
+              default: 3306
+    usage: |
+      {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+    return: |
+      127.0.0.1:3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- printf "%s:%s" $endpointHostname $endpointPort -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl b/charts/horizon/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
new file mode 100644
index 0000000..26374e3
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the fully qualified hostname for an endpoint
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: mariadb.openstackhelm.openstack.org
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.openstackhelm.openstack.org
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default:
+              host: mariadb.openstackhelm.openstack.org
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.openstackhelm.openstack.org
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointHostNamespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.svc.%s" $endpointHostNamespaced $context.Values.endpoints.cluster_domain_suffix }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $endpointMap.host_fqdn_override "default" | default "" ) }}
+{{- if kindIs "map" $context.Values.__FQDNendpointHostDefault }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $context.Values.__FQDNendpointHostDefault "host" ) }}
+{{- end }}
+{{- if kindIs "map" (index $endpointMap.host_fqdn_override $endpoint) }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint "host" | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl b/charts/horizon/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
new file mode 100644
index 0000000..9d60393
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
@@ -0,0 +1,40 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the namespace scoped hostname for an endpoint
+values: |
+  endpoints:
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+return: |
+  mariadb.default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.%s" $endpointHost $namespace }}
+{{- printf "%s" $endpointClusterHostname -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl b/charts/horizon/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
new file mode 100644
index 0000000..cc4d4de
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the namespace scoped hostname for an endpoint
+values: |
+  endpoints:
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" }}
+return: |
+  default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- printf "%s" $namespace -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl b/charts/horizon/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
new file mode 100644
index 0000000..f23c624
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the short hostname for an endpoint
+examples:
+  - values: |
+      endpoints:
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+    return: |
+      mariadb
+  - values: |
+      endpoints:
+        oslo_db:
+          hosts:
+            default:
+              host: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+    return: |
+      mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- printf "%s" $type -}}
+{{- else }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl b/charts/horizon/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
new file mode 100644
index 0000000..e31c0eb
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the service name for an service type
+values: |
+  endpoints:
+    identity:
+      name: keystone
+usage: |
+  {{ tuple identity . | include "keystone_endpoint_name_lookup" }}
+return: |
+  "keystone"
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_name_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointName := index $endpointMap "name" }}
+{{- $endpointName | quote -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl b/charts/horizon/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
new file mode 100644
index 0000000..b2ec648
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+  Resolves the path for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      path:
+       default: /dbname
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+return: |
+  /dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_path_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.path }}
+{{- printf "%s" $endpointMap.path | default "/" -}}
+{{- else -}}
+{{- $endpointPath := index $endpointMap.path $endpoint | default $endpointMap.path.default | default "/" }}
+{{- printf "%s" $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl b/charts/horizon/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
new file mode 100644
index 0000000..b35cb0b
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+  Resolves the scheme for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      scheme:
+        default:
+          mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+return: |
+  mysql+pymysql
+*/}}
+
+# This function returns the scheme for a service, it takes an tuple
+# input in the form: service-type, endpoint-class, port-name. eg:
+# { tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_scheme_lookup" }
+# will return the scheme setting for this particular endpoint.  In other words, for most endpoints
+# it will return either 'http' or 'https'
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.scheme }}
+{{- printf "%s" $endpointMap.scheme | default "http" -}}
+{{- else -}}
+{{- $endpointScheme := index $endpointMap.scheme $endpoint | default $endpointMap.scheme.default | default "http" }}
+{{- printf "%s" $endpointScheme -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl b/charts/horizon/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..8d0819c
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
@@ -0,0 +1,52 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  This function helps resolve uri style endpoints. It will omit the port for
+  http when 80 is used, and 443 in the case of https.
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+      path: /dbname
+      scheme: mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+return: |
+  mysql+pymysql://mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- if or ( and ( eq $endpointScheme "http" ) ( eq $endpointPort "80" ) ) ( and ( eq $endpointScheme "https" ) ( eq $endpointPort "443" ) ) -}}
+{{- printf "%s://%s%s" $endpointScheme $endpointHost $endpointPath -}}
+{{- else -}}
+{{- printf "%s://%s:%s%s" $endpointScheme $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl b/charts/horizon/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
new file mode 100644
index 0000000..cf2ef38
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  This function returns endpoint "<namespace>:<name>" pair from an endpoint
+  definition. This is used in kubernetes-entrypoint to support dependencies
+  between different services in different namespaces.
+  returns: the endpoint namespace and the service name, delimited by a colon
+
+  Normally, the service name is constructed dynamically from the hostname
+  however when an ip address is used as the hostname, we default to
+  namespace:endpointCategoryName in order to construct a valid service name
+  however this can be overridden to a custom service name by defining
+  .service.name within the endpoint definition
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      namespace: foo
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple oslo_db internal . | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}
+return: |
+  foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- with $endpointMap -}}
+{{- $endpointName := index .hosts $endpoint | default .hosts.default }}
+{{- $endpointNamespace := .namespace | default $context.Release.Namespace }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointName }}
+{{- if .service.name }}
+{{- printf "%s:%s" $endpointNamespace .service.name -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $typeYamlSafe -}}
+{{- end -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $endpointName -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl b/charts/horizon/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
new file mode 100644
index 0000000..18453ee
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for kubernete ceph storageclass
+examples:
+  - values: |
+      manifests:
+        storageclass: true
+      storageclass:
+        rbd:
+          provision_storage_class: true
+          provisioner: "ceph.com/rbd"
+          metadata:
+            default_storage_class: true
+            name: general
+          parameters:
+            #We will grab the monitors value based on helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup
+            pool: rbd
+            admin_id: admin
+            ceph_configmap_name: "ceph-etc"
+            admin_secret_name: "pvc-ceph-conf-combined-storageclass"
+            admin_secret_namespace: ceph
+            user_id: admin
+            user_secret_name: "pvc-ceph-client-key"
+            image_format: "2"
+            image_features: layering
+        cephfs:
+          provision_storage_class: true
+          provisioner: "ceph.com/cephfs"
+          metadata:
+            name: cephfs
+          parameters:
+            admin_id: admin
+            admin_secret_name: "pvc-ceph-cephfs-client-key"
+            admin_secret_namespace: ceph
+    usage: |
+      {{- range $storageclass, $val := .Values.storageclass }}
+      {{ dict "storageclass_data" $val "envAll" $ | include "helm-toolkit.manifests.ceph-storageclass" }}
+      {{- end }}
+    return: |
+      ---
+      apiVersion: storage.k8s.io/v1
+      kind: StorageClass
+      metadata:
+        annotations:
+          storageclass.kubernetes.io/is-default-class: "true"
+        name: general
+      provisioner: ceph.com/rbd
+      parameters:
+        monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+        adminId: admin
+        adminSecretName: pvc-ceph-conf-combined-storageclass
+        adminSecretNamespace: ceph
+        pool: rbd
+        userId: admin
+        userSecretName: pvc-ceph-client-key
+        image_format: "2"
+        image_features: layering
+      ---
+      apiVersion: storage.k8s.io/v1
+      kind: StorageClass
+      metadata:
+        name: cephfs
+      provisioner: ceph.com/cephfs
+      parameters:
+        monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+        adminId: admin
+        adminSecretName: pvc-ceph-cephfs-client-key
+        adminSecretNamespace: ceph
+*/}}
+
+{{- define "helm-toolkit.manifests.ceph-storageclass" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $monHost := $envAll.Values.conf.ceph.global.mon_host -}}
+{{- if empty $monHost -}}
+{{- $monHost = tuple "ceph_mon" "internal" "mon" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- end -}}
+{{- $storageclassData := index . "storageclass_data" -}}
+---
+{{- if $storageclassData.provision_storage_class }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+{{- if $storageclassData.metadata.default_storage_class }}
+  annotations:
+    storageclass.kubernetes.io/is-default-class: "true"
+{{- end }}
+  name: {{ $storageclassData.metadata.name }}
+provisioner: {{ $storageclassData.provisioner }}
+parameters:
+  monitors: {{ $monHost }}
+{{- range $attr, $value := $storageclassData.parameters }}
+  {{ $attr }}: {{ $value | quote }}
+{{- end }}
+allowVolumeExpansion: true
+
+{{- end }}
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/manifests/_certificates.tpl b/charts/horizon/charts/helm-toolkit/templates/manifests/_certificates.tpl
new file mode 100644
index 0000000..8be771e
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/manifests/_certificates.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a certificate using jetstack
+examples:
+  - values: |
+      endpoints:
+        dashboard:
+          host_fqdn_override:
+            default:
+              host: null
+              tls:
+                secretName: keystone-tls-api
+                issuerRef:
+                  name: ca-issuer
+                  duration: 2160h
+                  organization:
+                    - ACME
+                  commonName: keystone-api.openstack.svc.cluster.local
+                  privateKey:
+                    size: 2048
+                  usages:
+                    - server auth
+                    - client auth
+                  dnsNames:
+                    - cluster.local
+                  issuerRef:
+                    name: ca-issuer
+    usage: |
+      {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
+      {{ $opts | include "helm-toolkit.manifests.certificates" }}
+    return: |
+      ---
+      apiVersion: cert-manager.io/v1
+      kind: Certificate
+      metadata:
+        name: keystone-tls-api
+        namespace: NAMESPACE
+      spec:
+        commonName: keystone-api.openstack.svc.cluster.local
+        dnsNames:
+        - cluster.local
+        duration: 2160h
+        issuerRef:
+          name: ca-issuer
+        privateKey:
+          size: 2048
+        organization:
+        - ACME
+        secretName: keystone-tls-api
+        usages:
+        - server auth
+        - client auth
+*/}}
+
+{{- define "helm-toolkit.manifests.certificates" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $service := index . "service" -}}
+{{- $type := index . "type" | default "" -}}
+{{- $slice := index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" -}}
+{{/* Put in some sensible default value if one is not provided by values.yaml */}}
+{{/* If a dnsNames list is not in the values.yaml, it can be overridden by a passed-in parameter.
+  This allows user to use other HTK method to determine the URI and pass that into this method.*/}}
+{{- if not (hasKey $slice "dnsNames") -}}
+{{- $hostName := tuple $service $type $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
+{{- $_ := $dnsNames | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "dnsNames" -}}
+{{- end -}}
+{{/* Default privateKey size to 4096. This can be overridden. */}}
+{{- if not (hasKey $slice "privateKey") -}}
+{{- $_ := dict "size" ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "privateKey" -}}
+{{- else if empty (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey" "size") -}}
+{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey") "size" -}}
+{{- end -}}
+{{/* Default duration to 3 months. Note the min is 720h. This can be overridden. */}}
+{{- if not (hasKey $slice "duration") -}}
+{{- $_ := printf "%s" "2190h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "duration" -}}
+{{- end -}}
+{{/* Default renewBefore to 15 days. This can be overridden. */}}
+{{- if not (hasKey $slice "renewBefore") -}}
+{{- $_ := printf "%s" "360h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "renewBefore" -}}
+{{- end -}}
+{{/* Default the usage to server auth and client auth. This can be overridden. */}}
+{{- if not (hasKey $slice "usages") -}}
+{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}}
+{{- end -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }}
+  namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{ $slice | toYaml | indent 2 }}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/horizon/charts/helm-toolkit/templates/manifests/_ingress.tpl
new file mode 100644
index 0000000..7846895
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -0,0 +1,729 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a services ingress rules.
+examples:
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public: barbican
+          host_fqdn_override:
+            default: null
+            public:
+              host: barbican.openstackhelm.example
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican-namespace-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican.openstackhelm.example
+        rules:
+          - host: barbican.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican-cluster-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx-cluster"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican.openstackhelm.example
+        rules:
+          - host: barbican.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  - values: |
+      cert_issuer_type: issuer
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/secure-backends: "true"
+              nginx.ingress.kubernetes.io/backend-protocol: "https"
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+              internal: barbican-tls-api
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+          certs:
+            barbican_tls_api:
+              secretName: barbican-tls-api
+              issuerRef:
+                name: ca-issuer
+                kind: Issuer
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          cert-manager.io/issuer: ca-issuer
+          certmanager.k8s.io/issuer: ca-issuer
+          nginx.ingress.kubernetes.io/backend-protocol: https
+          nginx.ingress.kubernetes.io/secure-backends: "true"
+      spec:
+        tls:
+          - secretName: barbican-tls-public-certmanager
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/secure-backends: "true"
+              nginx.ingress.kubernetes.io/backend-protocol: "https"
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+              internal: barbican-tls-api
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+          certs:
+            barbican_tls_api:
+              secretName: barbican-tls-api
+              issuerRef:
+                name: ca-issuer
+                kind: ClusterIssuer
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer") -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          cert-manager.io/cluster-issuer: ca-issuer
+          certmanager.k8s.io/cluster-issuer: ca-issuer
+          nginx.ingress.kubernetes.io/backend-protocol: https
+          nginx.ingress.kubernetes.io/secure-backends: "true"
+      spec:
+        tls:
+          - secretName: barbican-tls-public-certmanager
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  # Sample usage for multiple DNS names associated with the same public
+  # endpoint and certificate
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        grafana:
+          name: grafana
+          hosts:
+            default: grafana-dashboard
+            public: grafana
+          host_fqdn_override:
+            public:
+              host: grafana.openstackhelm.example
+              tls:
+                dnsNames:
+                  - grafana-alt.openstackhelm.example
+                crt: "BASE64 ENCODED CERT"
+                key: "BASE64 ENCODED KEY"
+      network:
+        grafana:
+          ingress:
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          grafana:
+            grafana:
+              public: grafana-tls-public
+    usage: |
+      {{- $ingressOpts := dict "envAll" . "backendService" "grafana" "backendServiceType" "grafana" "backendPort" "dashboard" -}}
+      {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        rules:
+          - host: grafana
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana-namespace-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: grafana-tls-public
+            hosts:
+              - grafana.openstackhelm.example
+              - grafana-alt.openstackhelm.example
+        rules:
+          - host: grafana.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana-alt.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana-cluster-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx-cluster"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: grafana-tls-public
+            hosts:
+              - grafana.openstackhelm.example
+              - grafana-alt.openstackhelm.example
+        rules:
+          - host: grafana.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana-alt.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+
+*/}}
+
+{{- define "helm-toolkit.manifests.ingress._host_rules" -}}
+{{- $vHost := index . "vHost" -}}
+{{- $backendName := index . "backendName" -}}
+{{- $backendPort := index . "backendPort" -}}
+- host: {{ $vHost }}
+  http:
+    paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: {{ $backendName }}
+            port:
+{{- if or (kindIs "int" $backendPort) (regexMatch "^[0-9]{1,5}$" $backendPort) }}
+              number: {{ $backendPort | int }}
+{{- else }}
+              name: {{ $backendPort | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "helm-toolkit.manifests.ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendService := index . "backendService" | default "api" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+{{- $backendPort := index . "backendPort" -}}
+{{- $endpoint := index . "endpoint" | default "public" -}}
+{{- $certIssuer := index . "certIssuer" | default "" -}}
+{{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostNameFull := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $certIssuerType := "cluster-issuer" -}}
+{{- if $envAll.Values.cert_issuer_type }}
+{{- $certIssuerType = $envAll.Values.cert_issuer_type }}
+{{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $ingressName }}
+  annotations:
+    kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" "namespace" | quote }}
+{{- if $certIssuer }}
+    cert-manager.io/{{ $certIssuerType }}: {{ $certIssuer }}
+    certmanager.k8s.io/{{ $certIssuerType }}: {{ $certIssuer }}
+{{- $slice := index $envAll.Values.endpoints $backendServiceType "host_fqdn_override" "default" "tls" -}}
+{{- if (hasKey $slice "duration") }}
+    cert-manager.io/duration: {{ index $slice "duration" }}
+{{- end }}
+{{- end }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "hosts" }}
+{{- if $certIssuer }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ printf "%s-ing" $secretName }}
+      hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+        - {{ $vHost }}
+{{- end }}
+{{- else }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ $secretName }}
+      hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+        - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+  rules:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+{{- $hostRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
+{{- $ingressConf := $envAll.Values.network.server.ingress -}}
+{{- $ingressClasses := ternary (tuple "namespace") (tuple "namespace" "cluster") (and (hasKey $ingressConf "use_external_ingress_controller") $ingressConf.use_external_ingress_controller) }}
+{{- range $key2, $ingressController := $ingressClasses }}
+{{- $vHosts := list $hostNameFull }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ printf "%s-%s-%s" $ingressName $ingressController "fqdn" }}
+  annotations:
+    kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" $ingressController | quote }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
+{{- $vHosts = append $vHosts $v }}
+{{- end }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ $secretName }}
+      hosts:
+{{- range $vHost := $vHosts }}
+        - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+  rules:
+{{- range $vHost := $vHosts }}
+{{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/charts/horizon/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
new file mode 100644
index 0000000..5d98c8b
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
@@ -0,0 +1,141 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $bootstrapJob := dict "envAll" . "serviceName" "senlin" -}
+# { $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }
+
+{{- define "helm-toolkit.manifests.job_bootstrap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}}
+{{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $keystoneUser := index . "keystoneUser" | default $serviceName -}}
+{{- $openrc := index . "openrc" | default "true" -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "bootstrap" }}
+{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "bootstrap" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+      containers:
+        - name: bootstrap
+          image: {{ $envAll.Values.images.tags.bootstrap }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if eq $openrc "true" }}
+          env:
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+{{- end }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/bootstrap.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: bootstrap-sh
+              mountPath: /tmp/bootstrap.sh
+              subPath: bootstrap.sh
+              readOnly: true
+            - name: etc-service
+              mountPath: {{ dir $configFile | quote }}
+            - name: bootstrap-conf
+              mountPath: {{ $configFile | quote }}
+              subPath: {{ base $configFile | quote }}
+              readOnly: true
+            - name: bootstrap-conf
+              mountPath: {{ $logConfigFile | quote }}
+              subPath: {{ base $logConfigFile | quote }}
+              readOnly: true
+{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: bootstrap-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etc-service
+          emptyDir: {}
+        - name: bootstrap-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/charts/horizon/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
new file mode 100644
index 0000000..62ed119
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
@@ -0,0 +1,170 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToDropJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_drop_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToDrop := index . "dbToDrop" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToDrop := default (list $dbToDrop) (index . "dbsToDrop") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
+{{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-drop" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": hook-succeeded
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_drop" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_drop" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{ $dbToDropType := default "oslo" $dbToDrop.inputType }}
+        - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-drop" $key1 | quote }}
+          image: {{ $envAll.Values.images.tags.db_drop }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_drop | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: ROOT_DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToDrop.adminSecret | quote }}
+                  key: DB_CONNECTION
+{{- if eq $dbToDropType "oslo" }}
+            - name: OPENSTACK_CONFIG_FILE
+              value: {{ $dbToDrop.configFile | quote }}
+            - name: OPENSTACK_CONFIG_DB_SECTION
+              value: {{ $dbToDrop.configDbSection | quote }}
+            - name: OPENSTACK_CONFIG_DB_KEY
+              value: {{ $dbToDrop.configDbKey | quote }}
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+            - name: MARIADB_X509
+              value: "REQUIRE X509"
+{{- end }}
+{{- if eq $dbToDropType "secret" }}
+            - name: DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToDrop.userSecret | quote }}
+                  key: DB_CONNECTION
+{{- end }}
+          command:
+            - /tmp/db-drop.py
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-drop-sh
+              mountPath: /tmp/db-drop.py
+              subPath: db-drop.py
+              readOnly: true
+
+{{- if eq $dbToDropType "oslo" }}
+            - name: etc-service
+              mountPath: {{ dir $dbToDrop.configFile | quote }}
+            - name: db-drop-conf
+              mountPath: {{ $dbToDrop.configFile | quote }}
+              subPath: {{ base $dbToDrop.configFile | quote }}
+              readOnly: true
+            - name: db-drop-conf
+              mountPath: {{ $dbToDrop.logConfigFile | quote }}
+              subPath: {{ base $dbToDrop.logConfigFile | quote }}
+              readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-drop-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{- $dbToDropType := default "oslo" $dbToDrop.inputType }}
+{{- if and (eq $dbToDropType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-drop-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/charts/horizon/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
new file mode 100644
index 0000000..745e8da
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
@@ -0,0 +1,169 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToInitJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_init_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToInit := index . "dbToInit" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToInit := default (list $dbToInit) (index . "dbsToInit") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
+{{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-init" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{ $dbToInitType := default "oslo" $dbToInit.inputType }}
+        - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-init" $key1 | quote }}
+          image: {{ $envAll.Values.images.tags.db_init }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: ROOT_DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToInit.adminSecret | quote }}
+                  key: DB_CONNECTION
+{{- if eq $dbToInitType "oslo" }}
+            - name: OPENSTACK_CONFIG_FILE
+              value: {{ $dbToInit.configFile | quote }}
+            - name: OPENSTACK_CONFIG_DB_SECTION
+              value: {{ $dbToInit.configDbSection | quote }}
+            - name: OPENSTACK_CONFIG_DB_KEY
+              value: {{ $dbToInit.configDbKey | quote }}
+{{- end }}
+{{- if eq $dbToInitType "secret" }}
+            - name: DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToInit.userSecret | quote }}
+                  key: DB_CONNECTION
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+            - name: MARIADB_X509
+              value: "REQUIRE X509"
+{{- end }}
+          command:
+            - /tmp/db-init.py
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-init-sh
+              mountPath: /tmp/db-init.py
+              subPath: db-init.py
+              readOnly: true
+{{- if eq $dbToInitType "oslo" }}
+            - name: etc-service
+              mountPath: {{ dir $dbToInit.configFile | quote }}
+            - name: db-init-conf
+              mountPath: {{ $dbToInit.configFile | quote }}
+              subPath: {{ base $dbToInit.configFile | quote }}
+              readOnly: true
+            - name: db-init-conf
+              mountPath: {{ $dbToInit.logConfigFile | quote }}
+              subPath: {{ base $dbToInit.logConfigFile | quote }}
+              readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-init-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{- $dbToInitType := default "oslo" $dbToInit.inputType }}
+{{- if and (eq $dbToInitType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-init-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl b/charts/horizon/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
new file mode 100644
index 0000000..24d2496
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
@@ -0,0 +1,137 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db migration and management.
+# It can be used in charts dict created similar to the following:
+# {- $dbSyncJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }
+
+{{- define "helm-toolkit.manifests.job_db_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $podEnvVars := index . "podEnvVars" | default false -}}
+{{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "image" ( index $envAll.Values.images.tags ( printf "%s_db_sync" $serviceName )) ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
+{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+          image: {{ $dbToSync.image | quote }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if $podEnvVars }}
+          env:
+{{ $podEnvVars | toYaml | indent 12 }}
+{{- end }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/db-sync.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-sync-sh
+              mountPath: /tmp/db-sync.sh
+              subPath: db-sync.sh
+              readOnly: true
+            - name: etc-service
+              mountPath: {{ dir $dbToSync.configFile | quote }}
+            - name: db-sync-conf
+              mountPath: {{ $dbToSync.configFile | quote }}
+              subPath: {{ base $dbToSync.configFile | quote }}
+              readOnly: true
+            - name: db-sync-conf
+              mountPath: {{ $dbToSync.logConfigFile | quote }}
+              subPath: {{ base $dbToSync.logConfigFile | quote }}
+              readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-sync-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-sync-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/charts/horizon/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
new file mode 100644
index 0000000..3a7df7f
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
@@ -0,0 +1,130 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksEndpointJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksEndpointJob | include "helm-toolkit.manifests.job_ks_endpoints" }
+
+{{- define "helm-toolkit.manifests.job_ks_endpoints" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_endpoints" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_endpoints.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-endpoints" }}
+{{ tuple $envAll "ks_endpoints" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "ks-endpoints" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_endpoints" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_endpoints" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+        - name: {{ printf "%s-%s-%s" $osServiceType "ks-endpoints" $osServiceEndPoint | quote }}
+          image: {{ $envAll.Values.images.tags.ks_endpoints }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-endpoints.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-endpoints-sh
+              mountPath: /tmp/ks-endpoints.sh
+              subPath: ks-endpoints.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: OS_SVC_ENDPOINT
+              value: {{ $osServiceEndPoint | quote }}
+            - name: OS_SERVICE_NAME
+              value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+            - name: OS_SERVICE_TYPE
+              value: {{ $osServiceType | quote }}
+            - name: OS_SERVICE_ENDPOINT
+              value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-endpoints-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl b/charts/horizon/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
new file mode 100644
index 0000000..a109e3c
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
@@ -0,0 +1,124 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksServiceJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }
+
+{{- define "helm-toolkit.manifests.job_ks_service" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_service" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_service.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-service" }}
+{{ tuple $envAll "ks_service" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "ks-service" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_service" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_service" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+        - name: {{ printf "%s-%s" $osServiceType "ks-service-registration" | quote }}
+          image: {{ $envAll.Values.images.tags.ks_service }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-service.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-service-sh
+              mountPath: /tmp/ks-service.sh
+              subPath: ks-service.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: OS_SERVICE_NAME
+              value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+            - name: OS_SERVICE_TYPE
+              value: {{ $osServiceType | quote }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-service-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/charts/horizon/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
new file mode 100644
index 0000000..905eb71
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone user management.
+# It can be used in charts dict created similar to the following:
+# {- $ksUserJob := dict "envAll" . "serviceName" "senlin" }
+# { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }
+
+{{/*
+  # To enable PodSecuritycontext (PodSecurityContext/v1) define the below in values.yaml:
+  # example:
+  #  values: |
+  #    pod:
+  #      security_context:
+  #        ks_user:
+  #          pod:
+  #            runAsUser: 65534
+  # To enable Container SecurityContext(SecurityContext/v1) for ks-user container define the values:
+  # example:
+  #   values: |
+  #     pod:
+  #       security_context:
+  #         ks_user:
+  #           container:
+  #             ks-user:
+  #               runAsUser: 65534
+  #               readOnlyRootFilesystem: true
+  #               allowPrivilegeEscalation: false
+*/}}
+
+{{- define "helm-toolkit.manifests.job_ks_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_user" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_user.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "ks-user" }}
+{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceUserPretty "ks-user" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+{{ dict "envAll" $envAll "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: ks-user
+          image: {{ $envAll.Values.images.tags.ks_user }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ks_user" "container" "ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-user.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-user-sh
+              mountPath: /tmp/ks-user.sh
+              subPath: ks-user.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: SERVICE_OS_SERVICE_NAME
+              value: {{ $serviceName | quote }}
+{{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: SERVICE_OS_ROLES
+            {{- $serviceOsRoles := index $envAll.Values.endpoints.identity.auth $serviceUser "role" }}
+            {{- if kindIs "slice" $serviceOsRoles }}
+              value: {{ include "helm-toolkit.utils.joinListWithComma" $serviceOsRoles | quote }}
+            {{- else }}
+              value: {{ $serviceOsRoles | quote }}
+            {{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-user-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/charts/horizon/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
new file mode 100644
index 0000000..6982064
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
@@ -0,0 +1,129 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.manifests.job_rabbit_init" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
+{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceUserPretty "rabbit-init" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "rabbit_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "rabbit_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: rabbit-init
+          image: {{ $envAll.Values.images.tags.rabbit_init | quote }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.rabbit_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/rabbit-init.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: rabbit-init-sh
+              mountPath: /tmp/rabbit-init.sh
+              subPath: rabbit-init.sh
+              readOnly: true
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+          env:
+          - name: RABBITMQ_ADMIN_CONNECTION
+            valueFrom:
+              secretKeyRef:
+                name: {{ $envAll.Values.secrets.oslo_messaging.admin }}
+                key: RABBITMQ_CONNECTION
+          - name: RABBITMQ_USER_CONNECTION
+            valueFrom:
+              secretKeyRef:
+                name: {{ index $envAll.Values.secrets.oslo_messaging $serviceName }}
+                key: RABBITMQ_CONNECTION
+{{- if $envAll.Values.conf.rabbitmq }}
+          - name: RABBITMQ_AUXILIARY_CONFIGURATION
+            value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates (ne $tlsSecret "") }}
+          - name: RABBITMQ_X509
+            value: "REQUIRE X509"
+          - name: USER_CERT_PATH
+            value: {{ $tlsPath | quote }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: rabbit-init-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl b/charts/horizon/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
new file mode 100644
index 0000000..29cb993
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
@@ -0,0 +1,147 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for linking an s3 bucket to an s3 user.
+# It can be used in charts dict created similar to the following:
+# {- $s3BucketJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3BucketJob | include "helm-toolkit.manifests.job_s3_bucket" }
+
+{{- define "helm-toolkit.manifests.job_s3_bucket" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+{{- $s3Bucket := index . "s3Bucket" | default $serviceName }}
+{{- $tlsCertificateSecret := index . "tlsCertificateSecret" -}}
+{{- $tlsCertificatePath := index . "tlsCertificatePath" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-bucket" }}
+{{ tuple $envAll "s3_bucket" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "s3-bucket" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "s3_bucket" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "s3_bucket" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: s3-bucket
+          image: {{ $envAll.Values.images.tags.s3_bucket }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_bucket | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/create-s3-bucket.sh
+          env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: s3-bucket-sh
+              mountPath: /tmp/create-s3-bucket.sh
+              subPath: create-s3-bucket.sh
+              readOnly: true
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: ceph.conf
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+            - name: {{ $tlsCertificateSecret }}
+              mountPath: {{ $tlsCertificatePath }}
+              subPath: ca.crt
+              readOnly: true
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: s3-bucket-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etcceph
+          emptyDir: {}
+        - name: ceph-etc
+          configMap:
+            name: {{ $configMapCeph | quote }}
+            defaultMode: 0444
+        {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+        - name: ceph-keyring
+          secret:
+            secretName: pvc-ceph-client-key
+        {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+        - name: {{ $tlsCertificateSecret }}
+          secret:
+            secretName: {{ $tlsCertificateSecret }}
+            defaultMode: 292
+{{- end }}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl b/charts/horizon/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
new file mode 100644
index 0000000..50d9af5
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
@@ -0,0 +1,159 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for s3 user management.
+# It can be used in charts dict created similar to the following:
+# {- $s3UserJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3UserJob | include "helm-toolkit.manifests.job_s3_user" }
+
+{{- define "helm-toolkit.manifests.job_s3_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-user" }}
+{{ tuple $envAll "s3_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "s3-user" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook-delete-policy": before-hook-creation
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "s3_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "s3_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: ceph-keyring-placement
+          image: {{ $envAll.Values.images.tags.ceph_key_placement }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+          command:
+            - /tmp/ceph-admin-keyring.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-keyring-sh
+              mountPath: /tmp/ceph-admin-keyring.sh
+              subPath: ceph-admin-keyring.sh
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+      containers:
+        - name: s3-user
+          image: {{ $envAll.Values.images.tags.s3_user }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/create-s3-user.sh
+          env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+            - name: RGW_HOST
+              value: {{ tuple "ceph_object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: create-s3-user-sh
+              mountPath: /tmp/create-s3-user.sh
+              subPath: create-s3-user.sh
+              readOnly: true
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: ceph.conf
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: create-s3-user-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: ceph-keyring-sh
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+        - name: etcceph
+          emptyDir: {}
+        - name: ceph-etc
+          configMap:
+            name: {{ $configMapCeph | quote }}
+            defaultMode: 0444
+        {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+        - name: ceph-keyring
+          secret:
+            secretName: pvc-ceph-client-key
+        {{ end }}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl b/charts/horizon/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
new file mode 100644
index 0000000..0906df4
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
@@ -0,0 +1,119 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for the image repo sync jobs.
+# It can be used in charts dict created similar to the following:
+# {- $imageRepoSyncJob := dict "envAll" . "serviceName" "prometheus" -}
+# { $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }
+
+{{- define "helm-toolkit.manifests.job_image_repo_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "image-repo-sync" }}
+{{ tuple $envAll "image_repo_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "image-repo-sync" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook-delete-policy": before-hook-creation
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "image_repo_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+      containers:
+        - name: image-repo-sync
+{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: LOCAL_REPO
+              value: "{{ tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+            - name: IMAGE_SYNC_LIST
+              value: "{{ include "helm-toolkit.utils.image_sync_list" $envAll }}"
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/image-repo-sync.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: bootstrap-sh
+              mountPath: /tmp/image-repo-sync.sh
+              subPath: image-repo-sync.sh
+              readOnly: true
+            - name: docker-socket
+              mountPath: /var/run/docker.sock
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: bootstrap-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: docker-socket
+          hostPath:
+            path: /var/run/docker.sock
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/manifests/_network_policy.tpl b/charts/horizon/charts/helm-toolkit/templates/manifests/_network_policy.tpl
new file mode 100644
index 0000000..405197a
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/manifests/_network_policy.tpl
@@ -0,0 +1,238 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a network policy manifest for services.
+values: |
+  endpoints:
+    kube_dns:
+      namespace: kube-system
+      name: kubernetes-dns
+      hosts:
+        default: kube-dns
+      host_fqdn_override:
+        default: null
+      path:
+        default: null
+      scheme: http
+      port:
+        dns_tcp:
+          default: 53
+        dns:
+          default: 53
+          protocol: UDP
+  network_policy:
+    myLabel:
+      podSelector:
+        matchLabels:
+          component: api
+      ingress:
+      - from:
+        - podSelector:
+            matchLabels:
+              application: keystone
+        ports:
+        - protocol: TCP
+          port: 80
+      egress:
+      - to:
+        - namespaceSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+usage: |
+  {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+  {{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}
+return: |
+  ---
+  apiVersion: networking.k8s.io/v1
+  kind: NetworkPolicy
+  metadata:
+    name: RELEASE-NAME
+    namespace: NAMESPACE
+  spec:
+    policyTypes:
+      - Ingress
+      - Egress
+    podSelector:
+      matchLabels:
+        application: myLabel
+        component: api
+    ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            application: keystone
+      ports:
+      - protocol: TCP
+        port: 80
+    egress:
+      - to:
+        - podSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+  ---
+  apiVersion: networking.k8s.io/v1
+  kind: NetworkPolicy
+  metadata:
+    name: RELEASE-NAME
+    namespace: NAMESPACE
+  spec:
+    policyTypes:
+      - Ingress
+      - Egress
+    podSelector:
+      matchLabels:
+        application: myApp
+        component: myComp
+    ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            application: keystone
+      ports:
+      - protocol: TCP
+        port: 80
+    egress:
+      - to:
+        - podSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+*/}}
+
+{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $name := index . "name" -}}
+{{- $labels := index . "labels" | default nil -}}
+{{- $label := index . "key" | default (index . "label") -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ $label | replace "_" "-" }}-netpol
+  namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+  policyTypes:
+{{- $is_egress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_egress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
+    - Egress
+{{ end -}}
+{{- $is_ingress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_ingress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
+    - Ingress
+{{ end -}}
+{{- end }}
+  podSelector:
+    matchLabels:
+{{- if empty $labels }}
+      {{ $name }}: {{ $label }}
+{{- else }}
+{{ range $k, $v := $labels }}
+      {{ $k }}: {{ $v }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
+{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
+{{ index $envAll.Values.network_policy $label "podSelector" "matchLabels" | toYaml | indent 6 }}
+{{ end }}
+{{ end }}
+{{ end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+  egress:
+{{- range $key, $value := $envAll.Values.endpoints }}
+{{- if kindIs "map" $value }}
+{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }}
+    - to:
+{{- if index $value "namespace" }}
+      - namespaceSelector:
+          matchLabels:
+            name: {{ index $value "namespace" }}
+{{- else if index $value "hosts" }}
+{{- $defaultValue := index $value "hosts" "internal" }}
+{{- if hasKey (index $value "hosts") "internal" }}
+{{- $a := split "-" $defaultValue }}
+      - podSelector:
+          matchLabels:
+            application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- else }}
+{{- $defaultValue := index $value "hosts" "default" }}
+{{- $a := split "-" $defaultValue }}
+      - podSelector:
+          matchLabels:
+            application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- end }}
+{{- end }}
+{{- if index $value "port" }}
+      ports:
+{{- range $k, $v := index $value "port" }}
+{{- if $k }}
+{{- range $pk, $pv := $v }}
+{{- if and $pv (ne $pk "protocol") }}
+      - port: {{ $pv }}
+        protocol: {{ $v.protocol | default "TCP" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if index $envAll.Values.network_policy $label "egress" }}
+{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if index $envAll.Values.network_policy $label "ingress" }}
+  ingress:
+{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl b/charts/horizon/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
new file mode 100644
index 0000000..4854bb1
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
@@ -0,0 +1,93 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a authenticating a registry with a secret
+examples:
+  - values: |
+      secrets:
+        oci_image_registry:
+          {{ $serviceName }}: {{ $keyName }}
+      endpoints:
+        oci_image_registry:
+          name: oci-image-registry
+          auth:
+            enabled: true
+             {{ $serviceName }}:
+                name: {{ $userName }}
+                password: {{ $password }}
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: {{ $secretName }}
+    type: kubernetes.io/dockerconfigjson
+    data:
+      dockerconfigjson: {{ $dockerAuth }}
+
+  - values: |
+      secrets:
+        oci_image_registry:
+          {{ $serviceName }}: {{ $keyName }}
+      endpoints:
+        oci_image_registry:
+          name: oci-image-registry
+          auth:
+            enabled: true
+             {{ $serviceName }}:
+                name: {{ $userName }}
+                password: {{ $password }}
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: {{ $secretName }}
+    type: kubernetes.io/dockerconfigjson
+    data:
+      dockerconfigjson: {{ $dockerAuth }}
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_registry" }}
+{{- $envAll := index . "envAll" }}
+{{- $registryUser := index . "registryUser" }}
+{{- $secretName := index $envAll.Values.secrets.oci_image_registry $registryUser }}
+{{- $registryHost := tuple "oci_image_registry" "internal" $envAll | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{/*
+We only use "host:port" when port is non-null, else just use "host"
+*/}}
+{{- $registryPort := "" }}
+{{- $port := $envAll.Values.endpoints.oci_image_registry.port.registry.default }}
+{{- if $port }}
+{{- $port = tuple "oci_image_registry" "internal" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $registryPort = printf ":%s" $port }}
+{{- end }}
+{{- $imageCredentials := index $envAll.Values.endpoints.oci_image_registry.auth $registryUser }}
+{{- $dockerAuthToken := printf "%s:%s" $imageCredentials.username $imageCredentials.password | b64enc }}
+{{- $dockerAuth := printf "{\"auths\": {\"%s%s\": {\"auth\": \"%s\"}}}" $registryHost $registryPort $dockerAuthToken | b64enc }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ $dockerAuth }}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl b/charts/horizon/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
new file mode 100644
index 0000000..24a7045
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a services public tls secret
+examples:
+  - values: |
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        key_manager:
+          host_fqdn_override:
+            public:
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: barbican-tls-public
+    type: kubernetes.io/tls
+    data:
+      tls.key: Rk9PLUtFWQo=
+      tls.crt: Rk9PLUNSVAoKRk9PLUNBX0NSVAo=
+
+  - values: |
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        key_manager:
+          host_fqdn_override:
+            public:
+              tls:
+                crt: |
+                  FOO-CRT
+                  FOO-INTERMEDIATE_CRT
+                  FOO-CA_CRT
+                key: |
+                  FOO-KEY
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: barbican-tls-public
+    type: kubernetes.io/tls
+    data:
+      tls.key: Rk9PLUtFWQo=
+      tls.crt: Rk9PLUNSVApGT08tSU5URVJNRURJQVRFX0NSVApGT08tQ0FfQ1JUCg==
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_ingress_tls" }}
+{{- $envAll := index . "envAll" }}
+{{- $endpoint := index . "endpoint" | default "public" }}
+{{- $backendServiceType := index . "backendServiceType" }}
+{{- $backendService := index . "backendService" | default "api" }}
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and $endpointHost.tls.key $endpointHost.tls.crt }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ index $envAll.Values.secrets.tls ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+type: kubernetes.io/tls
+data:
+  tls.key: {{ $endpointHost.tls.key | b64enc }}
+{{- if $endpointHost.tls.ca }}
+  tls.crt: {{ list $endpointHost.tls.crt $endpointHost.tls.ca | join "\n" | b64enc }}
+{{- else }}
+  tls.crt: {{ $endpointHost.tls.crt | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/manifests/_service-ingress.tpl b/charts/horizon/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
new file mode 100644
index 0000000..d2e7c0e
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
@@ -0,0 +1,43 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for a services ingress rules.
+# It can be used in charts dict created similar to the following:
+# {- $serviceIngressOpts := dict "envAll" . "backendServiceType" "key-manager" -}
+# { $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }
+
+{{- define "helm-toolkit.manifests.service_ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+  ports:
+    - name: http
+      port: 80
+    - name: https
+      port: 443
+  selector:
+    app: ingress-api
+{{- if index $envAll.Values.endpoints $backendServiceType }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" "ingress" }}
+  clusterIP: {{ (index $envAll.Values.endpoints $backendServiceType "ip" "ingress") }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl b/charts/horizon/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
new file mode 100644
index 0000000..bf1465b
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_bucket" }}
+#!/bin/bash
+set -e
+CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST"
+if [ "$RGW_PROTO" = "http" ]; then
+  CONNECTION_ARGS+=" --no-ssl"
+else
+  CONNECTION_ARGS+=" --no-check-certificate"
+fi
+ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
+USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY"
+function check_rgw_s3_bucket () {
+  s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS ls s3://$S3_BUCKET
+}
+function create_rgw_s3_bucket () {
+  s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS mb s3://$S3_BUCKET
+}
+function modify_bucket_acl () {
+  s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME
+}
+check_rgw_s3_bucket || ( create_rgw_s3_bucket && modify_bucket_acl )
+{{- end }}
\ No newline at end of file
diff --git a/charts/horizon/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl b/charts/horizon/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
new file mode 100644
index 0000000..08796d2
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
@@ -0,0 +1,65 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_user" }}
+#!/bin/bash
+set -e
+function create_s3_user () {
+  echo "Creating s3 user and key pair"
+  radosgw-admin user create \
+    --uid=${S3_USERNAME} \
+    --display-name=${S3_USERNAME} \
+    --key-type=s3 \
+    --access-key ${S3_ACCESS_KEY} \
+    --secret-key ${S3_SECRET_KEY}
+}
+function update_s3_user () {
+  # Retrieve old access keys, if they exist
+  old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \
+    | jq -r '.keys[].access_key' || true)
+
+  if [[ ! -z ${old_access_keys} ]]; then
+    for access_key in $old_access_keys; do
+      # If current access key is the same as the key supplied, do nothing.
+      if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then
+        echo "Current user and key pair exists."
+        continue
+      else
+        # If keys differ, remove previous key
+        radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key
+      fi
+    done
+  fi
+
+  # Perform one more additional check to account for scenarios where multiple
+  # key pairs existed previously, but one existing key was the supplied key
+  current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \
+    | jq -r '.keys[].access_key' || true)
+
+  # If the supplied key does not exist, modify the user
+  if [[ -z ${current_access_key} ]]; then
+    # Modify user with new access and secret keys
+    echo "Updating existing user's key pair"
+    radosgw-admin user modify \
+      --uid=${S3_USERNAME}\
+      --access-key ${S3_ACCESS_KEY} \
+      --secret-key ${S3_SECRET_KEY}
+  fi
+}
+user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true)
+if [[ -z ${user_exists} ]]; then
+  create_s3_user
+else
+  update_s3_user
+fi
+{{- end }}
\ No newline at end of file
diff --git a/charts/horizon/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl b/charts/horizon/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
new file mode 100644
index 0000000..03884fa
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_drop" }}
+#!/usr/bin/env python
+
+# Drops db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+    import ConfigParser
+    PARSER_OPTS = {}
+except ImportError:
+    import configparser as ConfigParser
+    PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Drop')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+    db_connection = os.environ['ROOT_DB_CONNECTION']
+    logger.info('Got DB root connection')
+else:
+    logger.critical('environment variable ROOT_DB_CONNECTION not set')
+    sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+    ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+                        'key': '/etc/mysql/certs/tls.key',
+                        'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+    os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+    if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+        os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+        sys.exit(1)
+    if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+        os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+        sys.exit(1)
+    try:
+        config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+        logger.info("Using {0} as db config source".format(os_conf))
+        config.read(os_conf)
+        logger.info("Trying to load db config from {0}:{1}".format(
+            os_conf_section, os_conf_key))
+        user_db_conn = config.get(os_conf_section, os_conf_key)
+        logger.info("Got config from {0}".format(os_conf))
+    except:
+        logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+        raise
+elif "DB_CONNECTION" in os.environ:
+    user_db_conn = os.environ['DB_CONNECTION']
+    logger.info('Got config from DB_CONNECTION env var')
+else:
+    logger.critical('Could not get db config, either from config file or env var')
+    sys.exit(1)
+
+# Root DB engine
+try:
+    root_engine_full = create_engine(db_connection)
+    root_user = root_engine_full.url.username
+    root_password = root_engine_full.url.password
+    drivername = root_engine_full.url.drivername
+    host = root_engine_full.url.host
+    port = root_engine_full.url.port
+    root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+    root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+    connection = root_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+        host, port, root_user))
+except:
+    logger.critical('Could not connect to database as root user')
+    raise
+
+# User DB engine
+try:
+    user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+    # Get our user data out of the user_engine
+    database = user_engine.url.database
+    user = user_engine.url.username
+    password = user_engine.url.password
+    logger.info('Got user db config')
+except:
+    logger.critical('Could not get user database config')
+    raise
+
+# Delete DB
+try:
+    root_engine.execute("DROP DATABASE IF EXISTS {0}".format(database))
+    logger.info("Deleted database {0}".format(database))
+except:
+    logger.critical("Could not drop database {0}".format(database))
+    raise
+
+# Delete DB User
+try:
+    root_engine.execute("DROP USER IF EXISTS {0}".format(user))
+    logger.info("Deleted user {0}".format(user))
+except:
+    logger.critical("Could not delete user {0}".format(user))
+    raise
+
+logger.info('Finished DB Management')
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/scripts/_db-init.py.tpl b/charts/horizon/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
new file mode 100644
index 0000000..4294d40
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_init" }}
+#!/usr/bin/env python
+
+# Creates db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+    import ConfigParser
+    PARSER_OPTS = {}
+except ImportError:
+    import configparser as ConfigParser
+    PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Init')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+    db_connection = os.environ['ROOT_DB_CONNECTION']
+    logger.info('Got DB root connection')
+else:
+    logger.critical('environment variable ROOT_DB_CONNECTION not set')
+    sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+    ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+                'key': '/etc/mysql/certs/tls.key',
+                'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+    os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+    if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+        os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+        sys.exit(1)
+    if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+        os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+        sys.exit(1)
+    try:
+        config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+        logger.info("Using {0} as db config source".format(os_conf))
+        config.read(os_conf)
+        logger.info("Trying to load db config from {0}:{1}".format(
+            os_conf_section, os_conf_key))
+        user_db_conn = config.get(os_conf_section, os_conf_key)
+        logger.info("Got config from {0}".format(os_conf))
+    except:
+        logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+        raise
+elif "DB_CONNECTION" in os.environ:
+    user_db_conn = os.environ['DB_CONNECTION']
+    logger.info('Got config from DB_CONNECTION env var')
+else:
+    logger.critical('Could not get db config, either from config file or env var')
+    sys.exit(1)
+
+# Root DB engine
+try:
+    root_engine_full = create_engine(db_connection)
+    root_user = root_engine_full.url.username
+    root_password = root_engine_full.url.password
+    drivername = root_engine_full.url.drivername
+    host = root_engine_full.url.host
+    port = root_engine_full.url.port
+    root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+    root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+    connection = root_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+        host, port, root_user))
+except:
+    logger.critical('Could not connect to database as root user')
+    raise
+
+# User DB engine
+try:
+    user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+    # Get our user data out of the user_engine
+    database = user_engine.url.database
+    user = user_engine.url.username
+    password = user_engine.url.password
+    logger.info('Got user db config')
+except:
+    logger.critical('Could not get user database config')
+    raise
+
+# Create DB
+try:
+    root_engine.execute("CREATE DATABASE IF NOT EXISTS {0}".format(database))
+    logger.info("Created database {0}".format(database))
+except:
+    logger.critical("Could not create database {0}".format(database))
+    raise
+
+# Create DB User
+try:
+    root_engine.execute(
+        "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\' {3}".format(
+            database, user, password, mysql_x509))
+    logger.info("Created user {0} for {1}".format(user, database))
+except:
+    logger.critical("Could not create user {0} for {1}".format(user, database))
+    raise
+
+# Test connection
+try:
+    connection = user_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1}/{2} as {3}".format(
+        host, port, database, user))
+except:
+    logger.critical('Could not connect to database as user')
+    raise
+
+logger.info('Finished DB Management')
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl b/charts/horizon/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
new file mode 100644
index 0000000..4d7dfaa
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
@@ -0,0 +1,69 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "helm-toolkit.scripts.pg_db_init" }}
+#!/bin/bash
+set -ex
+
+if [[ ! -v DB_HOST ]]; then
+    echo "environment variable DB_HOST not set"
+    exit 1
+elif [[ ! -v DB_ADMIN_USER ]]; then
+    echo "environment variable DB_ADMIN_USER not set"
+    exit 1
+elif [[ ! -v PGPASSWORD ]]; then
+    echo "environment variable PGPASSWORD not set"
+    exit 1
+elif [[ ! -v DB_PORT ]]; then
+    echo "environment variable DB_PORT not set"
+    exit 1
+elif [[ ! -v USER_DB_USER ]]; then
+    echo "environment variable USER_DB_USER not set"
+    exit 1
+elif [[ ! -v USER_DB_PASS ]]; then
+    echo "environment variable USER_DB_PASS not set"
+    exit 1
+elif [[ ! -v USER_DB_NAME ]]; then
+    echo "environment variable USER_DB_NAME not set"
+    exit 1
+else
+    echo "Got DB connection info"
+fi
+
+pgsql_superuser_cmd () {
+  DB_COMMAND="$1"
+  if [[ ! -z $2 ]]; then
+      EXPORT PGDATABASE=$2
+  fi
+  /usr/bin/psql \
+  -h ${DB_HOST} \
+  -p ${DB_PORT} \
+  -U ${DB_ADMIN_USER} \
+  --command="${DB_COMMAND}"
+}
+
+#create db
+pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q "(1 row)" || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME"
+
+#create db user
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | grep -q "(1 row)" || \
+    pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';"
+
+#Set password everytime. This is required for cases when we would want password rotation to take effect and set the updated password for a user.
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} with password '$USER_DB_PASS'"
+
+#give permissions to user
+pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;"
+
+#revoke all privileges from PUBLIC role
+pgsql_superuser_cmd "REVOKE ALL ON DATABASE $USER_DB_NAME FROM PUBLIC;"
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl b/charts/horizon/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
new file mode 100644
index 0000000..e41abe3
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
@@ -0,0 +1,24 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.image_repo_sync" }}
+#!/bin/sh
+set -ex
+
+IFS=','; for IMAGE in ${IMAGE_SYNC_LIST}; do
+  docker pull ${IMAGE}
+  docker tag ${IMAGE} ${LOCAL_REPO}/${IMAGE}
+  docker push ${LOCAL_REPO}/${IMAGE}
+done
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl b/charts/horizon/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
new file mode 100644
index 0000000..8755cd5
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
@@ -0,0 +1,72 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_domain_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Manage domain
+SERVICE_OS_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Service Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+    "${SERVICE_OS_DOMAIN_NAME}")
+
+# Display domain
+openstack domain show "${SERVICE_OS_DOMAIN_ID}"
+
+# Manage user
+SERVICE_OS_USERID=$(openstack user create --or-show --enable -f value -c id \
+    --domain="${SERVICE_OS_DOMAIN_ID}" \
+    --description "Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+    --password="${SERVICE_OS_PASSWORD}" \
+    "${SERVICE_OS_USERNAME}")
+
+# Manage user password (we do this to ensure the password is updated if required)
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${SERVICE_OS_USERID}"
+
+# Display user
+openstack user show "${SERVICE_OS_USERID}"
+
+# Manage role
+SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \
+    "${SERVICE_OS_ROLE}" || openstack role create -f value -c id \
+    "${SERVICE_OS_ROLE}" )
+
+# Manage user role assignment
+openstack role add \
+          --domain="${SERVICE_OS_DOMAIN_ID}" \
+          --user="${SERVICE_OS_USERID}" \
+          --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+          "${SERVICE_OS_ROLE_ID}"
+
+# Display user role assignment
+openstack role assignment list \
+          --role="${SERVICE_OS_ROLE_ID}" \
+          --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+          --user="${SERVICE_OS_USERID}"
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl b/charts/horizon/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
new file mode 100644
index 0000000..e400bcd
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
@@ -0,0 +1,79 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_endpoints" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Get Service ID
+OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+                  grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+                    sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+# Get Endpoint ID if it exists
+OS_ENDPOINT_ID=$( openstack endpoint list  -f csv --quote none | \
+                  grep "^[a-z0-9]*,${OS_REGION_NAME},${OS_SERVICE_NAME},${OS_SERVICE_TYPE},True,${OS_SVC_ENDPOINT}," | \
+                  awk -F ',' '{ print $1 }' )
+
+# Making sure only a single endpoint exists for a service within a region
+if [ "$(echo $OS_ENDPOINT_ID | wc -w)" -gt "1" ]; then
+  echo "More than one endpoint found, cleaning up"
+  for ENDPOINT_ID in $OS_ENDPOINT_ID; do
+    openstack endpoint delete ${ENDPOINT_ID}
+  done
+  unset OS_ENDPOINT_ID
+fi
+
+# Determine if Endpoint needs updated
+if [[ ${OS_ENDPOINT_ID} ]]; then
+  OS_ENDPOINT_URL_CURRENT=$(openstack endpoint show ${OS_ENDPOINT_ID} -f value -c url)
+  if [ "${OS_ENDPOINT_URL_CURRENT}" == "${OS_SERVICE_ENDPOINT}" ]; then
+    echo "Endpoints Match: no action required"
+    OS_ENDPOINT_UPDATE="False"
+  else
+    echo "Endpoints Dont Match: removing existing entries"
+    openstack endpoint delete ${OS_ENDPOINT_ID}
+    OS_ENDPOINT_UPDATE="True"
+  fi
+else
+  OS_ENDPOINT_UPDATE="True"
+fi
+
+# Update Endpoint if required
+if [[ "${OS_ENDPOINT_UPDATE}" == "True" ]]; then
+  OS_ENDPOINT_ID=$( openstack endpoint create -f value -c id \
+    --region="${OS_REGION_NAME}" \
+    "${OS_SERVICE_ID}" \
+    ${OS_SVC_ENDPOINT} \
+    "${OS_SERVICE_ENDPOINT}" )
+fi
+
+# Display the Endpoint
+openstack endpoint show ${OS_ENDPOINT_ID}
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl b/charts/horizon/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
new file mode 100644
index 0000000..8356b36
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_service" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Service boilerplate description
+OS_SERVICE_DESC="${OS_REGION_NAME}: ${OS_SERVICE_NAME} (${OS_SERVICE_TYPE}) service"
+
+# Get Service ID if it exists
+unset OS_SERVICE_ID
+
+# FIXME - There seems to be an issue once in a while where the
+# openstack service list fails and encounters an error message such as:
+#   Unable to establish connection to
+#   https://keystone-api.openstack.svc.cluster.local:5000/v3/auth/tokens:
+#   ('Connection aborted.', OSError("(104, 'ECONNRESET')",))
+# During an upgrade scenario, this would cause the OS_SERVICE_ID to be blank
+# and it would attempt to create a new service when it was not needed.
+# This duplciate service would sometimes be used by other services such as
+# Horizon and would give an 'Invalid Service Catalog' error.
+# This loop allows for a 'retry' of the openstack service list in an
+# attempt to get the service list as expected if it does ecounter an error.
+# This loop and recheck can be reverted once the underlying issue is addressed.
+
+# If OS_SERVICE_ID is blank then wait a few seconds to give it
+# additional time and try again
+for i in $(seq 3)
+do
+  OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+                   grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+                   sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+  # If the service was found, go ahead and exit successfully.
+  if [[ -n "${OS_SERVICE_ID}" ]]; then
+    exit 0
+  fi
+
+  sleep 2
+done
+
+# If we've reached this point and a Service ID was not found,
+# then create the service
+OS_SERVICE_ID=$(openstack service create -f value -c id \
+                --name="${OS_SERVICE_NAME}" \
+                --description "${OS_SERVICE_DESC}" \
+                --enable \
+                "${OS_SERVICE_TYPE}")
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl b/charts/horizon/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
new file mode 100644
index 0000000..b45f798
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+shopt -s nocasematch
+
+if [[ "${SERVICE_OS_PROJECT_DOMAIN_NAME}" == "Default" ]]
+then
+  PROJECT_DOMAIN_ID="default"
+else
+  # Manage project domain
+  PROJECT_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
+    "${SERVICE_OS_PROJECT_DOMAIN_NAME}")
+fi
+
+if [[ "${SERVICE_OS_USER_DOMAIN_NAME}" == "Default" ]]
+then
+  USER_DOMAIN_ID="default"
+else
+  # Manage user domain
+  USER_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}" \
+    "${SERVICE_OS_USER_DOMAIN_NAME}")
+fi
+
+shopt -u nocasematch
+
+# Manage user project
+USER_PROJECT_DESC="Service Project for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+USER_PROJECT_ID=$(openstack project create --or-show --enable -f value -c id \
+    --domain="${PROJECT_DOMAIN_ID}" \
+    --description="${USER_PROJECT_DESC}" \
+    "${SERVICE_OS_PROJECT_NAME}");
+
+# Manage user
+USER_DESC="Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}/${SERVICE_OS_SERVICE_NAME}"
+USER_ID=$(openstack user create --or-show --enable -f value -c id \
+    --domain="${USER_DOMAIN_ID}" \
+    --project-domain="${PROJECT_DOMAIN_ID}" \
+    --project="${USER_PROJECT_ID}" \
+    --description="${USER_DESC}" \
+    "${SERVICE_OS_USERNAME}");
+
+# Manage user password (we do this in a seperate step to ensure the password is updated if required)
+set +x
+echo "Setting user password via: openstack user set --password=xxxxxxx ${USER_ID}"
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${USER_ID}"
+set -x
+
+function ks_assign_user_role () {
+  if [[ "$SERVICE_OS_ROLE" == "admin" ]]
+  then
+    USER_ROLE_ID="$SERVICE_OS_ROLE"
+  else
+    USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${SERVICE_OS_ROLE}");
+  fi
+
+  # Manage user role assignment
+  openstack role add \
+      --user="${USER_ID}" \
+      --user-domain="${USER_DOMAIN_ID}" \
+      --project-domain="${PROJECT_DOMAIN_ID}" \
+      --project="${USER_PROJECT_ID}" \
+      "${USER_ROLE_ID}"
+}
+
+# Manage user service role
+IFS=','
+for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
+  ks_assign_user_role
+done
+
+# Manage user member role
+: ${MEMBER_OS_ROLE:="member"}
+export USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
+    "${MEMBER_OS_ROLE}");
+ks_assign_user_role
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/horizon/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
new file mode 100644
index 0000000..87872d6
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -0,0 +1,106 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rabbit_init" }}
+#!/bin/bash
+set -e
+# Extract connection details
+RABBIT_HOSTNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $1}')
+RABBIT_PORT=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $2}')
+
+# Extract Admin User creadential
+RABBITMQ_ADMIN_USERNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $4}')
+RABBITMQ_ADMIN_PASSWORD=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $5}')
+
+# Extract User creadential
+RABBITMQ_USERNAME=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $4}')
+RABBITMQ_PASSWORD=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $5}')
+
+# Extract User vHost
+RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $3}')
+# Resolve vHost to / if no value is set
+RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
+
+function rabbitmqadmin_cli () {
+  if [ -n "$RABBITMQ_X509" ]
+  then
+    rabbitmqadmin \
+      --ssl \
+      --ssl-disable-hostname-verification \
+      --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
+      --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
+      --ssl-key-file="${USER_CERT_PATH}/tls.key" \
+      --host="${RABBIT_HOSTNAME}" \
+      --port="${RABBIT_PORT}" \
+      --username="${RABBITMQ_ADMIN_USERNAME}" \
+      --password="${RABBITMQ_ADMIN_PASSWORD}" \
+      ${@}
+  else
+    rabbitmqadmin \
+      --host="${RABBIT_HOSTNAME}" \
+      --port="${RABBIT_PORT}" \
+      --username="${RABBITMQ_ADMIN_USERNAME}" \
+      --password="${RABBITMQ_ADMIN_PASSWORD}" \
+      ${@}
+  fi
+}
+
+echo "Managing: User: ${RABBITMQ_USERNAME}"
+rabbitmqadmin_cli \
+  declare user \
+  name="${RABBITMQ_USERNAME}" \
+  password="${RABBITMQ_PASSWORD}" \
+  tags="user"
+
+if [ "${RABBITMQ_VHOST}" != "/" ]
+then
+  echo "Managing: vHost: ${RABBITMQ_VHOST}"
+  rabbitmqadmin_cli \
+    declare vhost \
+    name="${RABBITMQ_VHOST}"
+else
+  echo "Skipping root vHost declaration: vHost: ${RABBITMQ_VHOST}"
+fi
+
+echo "Managing: Permissions: ${RABBITMQ_USERNAME} on ${RABBITMQ_VHOST}"
+rabbitmqadmin_cli \
+  declare permission \
+  vhost="${RABBITMQ_VHOST}" \
+  user="${RABBITMQ_USERNAME}" \
+  configure=".*" \
+  write=".*" \
+  read=".*"
+
+if [ ! -z "$RABBITMQ_AUXILIARY_CONFIGURATION" ]
+then
+  echo "Applying additional configuration"
+  echo "${RABBITMQ_AUXILIARY_CONFIGURATION}" > /tmp/rmq_definitions.json
+  rabbitmqadmin_cli import /tmp/rmq_definitions.json
+fi
+
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/charts/horizon/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
new file mode 100644
index 0000000..c08d320
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
@@ -0,0 +1,88 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rally_test" -}}
+#!/bin/bash
+set -ex
+{{- $rallyTests := index . 0 }}
+
+: "${RALLY_ENV_NAME:="openstack-helm"}"
+: "${OS_INTERFACE:="public"}"
+: "${RALLY_CLEANUP:="true"}"
+
+if [ "x$RALLY_CLEANUP" == "xtrue" ]; then
+  function rally_cleanup {
+    openstack user delete \
+        --domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
+        "${SERVICE_OS_USERNAME}"
+{{ $rallyTests.clean_up | default "" | indent 4 }}
+  }
+  trap rally_cleanup EXIT
+fi
+
+function create_or_update_db () {
+  revisionResults=$(rally db revision)
+  if [ $revisionResults = "None"  ]
+  then
+    rally db create
+  else
+    rally db upgrade
+  fi
+}
+
+create_or_update_db
+
+cat > /tmp/rally-config.json << EOF
+{
+    "openstack": {
+        "auth_url": "${OS_AUTH_URL}",
+        "region_name": "${OS_REGION_NAME}",
+        "endpoint_type": "${OS_INTERFACE}",
+        "admin": {
+            "username": "${OS_USERNAME}",
+            "password": "${OS_PASSWORD}",
+            "user_domain_name": "${OS_USER_DOMAIN_NAME}",
+            "project_name": "${OS_PROJECT_NAME}",
+            "project_domain_name": "${OS_PROJECT_DOMAIN_NAME}"
+        },
+        "users": [
+            {
+                "username": "${SERVICE_OS_USERNAME}",
+                "password": "${SERVICE_OS_PASSWORD}",
+                "project_name": "${SERVICE_OS_PROJECT_NAME}",
+                "user_domain_name": "${SERVICE_OS_USER_DOMAIN_NAME}",
+                "project_domain_name": "${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+            }
+        ],
+        "https_insecure": false,
+        "https_cacert": "${OS_CACERT}"
+    }
+}
+EOF
+rally deployment create --file /tmp/rally-config.json --name "${RALLY_ENV_NAME}"
+rm -f /tmp/rally-config.json
+rally deployment use "${RALLY_ENV_NAME}"
+rally deployment check
+{{- if $rallyTests.run_tempest }}
+rally verify create-verifier --name "${RALLY_ENV_NAME}-tempest" --type tempest
+SERVICE_TYPE="$(rally deployment check | grep "${RALLY_ENV_NAME}" | awk -F \| '{print $3}' | tr -d ' ' | tr -d '\n')"
+rally verify start --pattern "tempest.api.${SERVICE_TYPE}*"
+rally verify delete-verifier --id "${RALLY_ENV_NAME}-tempest" --force
+{{- end }}
+rally task validate /etc/rally/rally_tests.yaml
+rally task start /etc/rally/rally_tests.yaml
+rally task sla-check
+rally env cleanup
+rally deployment destroy --deployment "${RALLY_ENV_NAME}"
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/horizon/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
new file mode 100644
index 0000000..516d79e
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -0,0 +1,514 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.backup_main" }}
+#!/bin/bash
+
+# This file contains a database backup framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+#   source /tmp/backup_main.sh
+#
+# Then the script should call the main backup function (backup_databases):
+#   backup_databases [scope]
+#       [scope] is an optional parameter, defaulted to "all". If only one specific
+#               database is required to be backed up then this parameter will
+#               contain the name of the database; otherwise all are backed up.
+#
+#       The framework will require the following variables to be exported:
+#
+#         export DB_NAMESPACE          Namespace where the database(s) reside
+#         export DB_NAME               Name of the database system
+#         export LOCAL_DAYS_TO_KEEP    Number of days to keep the local backups
+#         export REMOTE_DAYS_TO_KEEP   Number of days to keep the remote backups
+#         export ARCHIVE_DIR           Local location where the backup tarballs should
+#                                      be stored. (full directory path)
+#         export BACK_UP_MODE          Determines the mode of backup taken.
+#         export REMOTE_BACKUP_ENABLED "true" if remote backup enabled; false
+#                                      otherwise
+#         export CONTAINER_NAME        Name of the container on the RGW to store
+#                                      the backup tarball.
+#         export STORAGE_POLICY        Name of the storage policy defined on the
+#                                      RGW which is intended to store backups.
+#         RGW access variables:
+#           export OS_REGION_NAME          Name of the region the RGW resides in
+#           export OS_AUTH_URL             Keystone URL associated with the RGW
+#           export OS_PROJECT_NAME         Name of the project associated with the
+#                                          keystone user
+#           export OS_USERNAME             Name of the keystone user
+#           export OS_PASSWORD             Password of the keystone user
+#           export OS_USER_DOMAIN_NAME     Keystone domain the project belongs to
+#           export OS_PROJECT_DOMAIN_NAME  Keystone domain the user belongs to
+#           export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+#           export REMOTE_BACKUP_RETRIES   Number of retries to send backup to remote
+#                                          in case of any temporary failures.
+#           export MIN_DELAY_SEND_REMOTE   Minimum seconds to delay before sending backup
+#                                          to remote to stagger backups being sent to RGW
+#           export MAX_DELAY_SEND_REMOTE   Maximum seconds to delay before sending backup
+#                                          to remote to stagger backups being sent to RGW.
+#                                          A random number between min and max delay is generated
+#                                          to set the delay.
+#
+# The database-specific functions that need to be implemented are:
+#   dump_databases_to_directory <directory> <err_logfile> [scope]
+#       where:
+#         <directory>   is the full directory path to dump the database files
+#                       into. This is a temporary directory for this backup only.
+#         <err_logfile> is the full directory path where error logs are to be
+#                       written by the application.
+#         [scope]       set to "all" if all databases are to be backed up; or
+#                       set to the name of a specific database to be backed up.
+#                       This optional parameter is defaulted to "all".
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to dump the database file(s) to the specified
+#       directory path. If this function completes successfully (returns 0), the
+#       framework will automatically tar/zip the files in that directory and
+#       name the tarball appropriately according to the proper conventions.
+#
+# The functions in this file will take care of:
+#   1) Calling "dump_databases_to_directory" and then compressing the files,
+#      naming the tarball properly, and then storing it locally at the specified
+#      local directory.
+#   2) Sending the tarball built to the remote gateway, to be stored in the
+#      container configured to store database backups.
+#   3) Removing local backup tarballs which are older than the number of days
+#      specified by the "LOCAL_DAYS_TO_KEEP" variable.
+#   4) Removing remote backup tarballs (from the remote gateway) which are older
+#      than the number of days specified by the "REMOTE_DAYS_TO_KEEP" variable.
+#
+
+# Note: not using set -e in this script because more elaborate error handling
+# is needed.
+
+log_backup_error_exit() {
+  MSG=$1
+  ERRCODE=${2:-0}
+  log ERROR "${DB_NAME}_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+  rm -f $ERR_LOG_FILE
+  rm -rf $TMP_DIR
+  exit $ERRCODE
+}
+
+log() {
+  #Log message to a file or stdout
+  #TODO: This can be convert into mail alert of alert send to a monitoring system
+  #Params: $1 log level
+  #Params: $2 service
+  #Params: $3 message
+  #Params: $4 Destination
+  LEVEL=$1
+  SERVICE=$2
+  MSG=$3
+  DEST=$4
+  DATE=$(date +"%m-%d-%y %H:%M:%S")
+  if [[ -z "$DEST" ]]; then
+    echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}"
+  else
+    echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}" >>$DEST
+  fi
+}
+
+# Generate a random number between MIN_DELAY_SEND_REMOTE and
+# MAX_DELAY_SEND_REMOTE
+random_number() {
+  diff=$((${MAX_DELAY_SEND_REMOTE} - ${MIN_DELAY_SEND_REMOTE} + 1))
+  echo $(($(( ${RANDOM} % ${diff} )) + ${MIN_DELAY_SEND_REMOTE} ))
+}
+
+#Get the day delta since the archive file backup
+seconds_difference() {
+  ARCHIVE_DATE=$( date --date="$1" +%s )
+  if [[ $? -ne 0 ]]; then
+    SECOND_DELTA=0
+  fi
+  CURRENT_DATE=$( date +%s )
+  SECOND_DELTA=$(($CURRENT_DATE-$ARCHIVE_DATE))
+  if [[ "$SECOND_DELTA" -lt 0 ]]; then
+    SECOND_DELTA=0
+  fi
+  echo $SECOND_DELTA
+}
+
+# Send the specified tarball file at the specified filepath to the
+# remote gateway.
+send_to_remote_server() {
+  FILEPATH=$1
+  FILE=$2
+
+  # Grab the list of containers on the remote site
+  RESULT=$(openstack container list 2>&1)
+
+  if [[ $? -eq 0 ]]; then
+    echo $RESULT | grep $CONTAINER_NAME
+    if [[ $? -ne 0 ]]; then
+      # Find the swift URL from the keystone endpoint list
+      SWIFT_URL=$(openstack catalog show object-store -c endpoints | grep public | awk '{print $4}')
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to get object-store enpoints from keystone catalog."
+        return 2
+      fi
+
+      # Get a token from keystone
+      TOKEN=$(openstack token issue -f value -c id)
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to get  keystone token."
+        return 2
+      fi
+
+      # Create the container
+      RES_FILE=$(mktemp -p /tmp)
+      curl -g -i -X PUT ${SWIFT_URL}/${CONTAINER_NAME} \
+           -H "X-Auth-Token: ${TOKEN}" \
+           -H "X-Storage-Policy: ${STORAGE_POLICY}" 2>&1 > $RES_FILE
+
+      if [[ $? -ne 0 || $(grep "HTTP" $RES_FILE | awk '{print $2}') -ge 400 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to create container ${CONTAINER_NAME}"
+        cat $RES_FILE
+        rm -f $RES_FILE
+        return 2
+      fi
+      rm -f $RES_FILE
+
+      swift stat $CONTAINER_NAME
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to retrieve container ${CONTAINER_NAME} details after creation."
+        return 2
+      fi
+    fi
+  else
+    echo $RESULT | grep -E "HTTP 401|HTTP 403"
+    if [[ $? -eq 0 ]]; then
+      log ERROR "${DB_NAME}_backup" "Access denied by keystone: ${RESULT}"
+      return 1
+    else
+      echo $RESULT | grep -E "ConnectionError|Failed to discover available identity versions|Service Unavailable|HTTP 50"
+      if [[ $? -eq 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Could not reach the RGW: ${RESULT}"
+        # In this case, keystone or the site/node may be temporarily down.
+        # Return slightly different error code so the calling code can retry
+        return 2
+      else
+        log ERROR "${DB_NAME}_backup" "Could not get container list: ${RESULT}"
+        return 1
+      fi
+    fi
+  fi
+
+  # Create an object to store the file
+  openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
+    return 2
+  fi
+  openstack object show $CONTAINER_NAME $FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
+    return 2
+  fi
+
+  log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
+  return 0
+}
+
+# This function attempts to store the built tarball to the remote gateway,
+# with built-in logic to handle error cases like:
+#   1) Network connectivity issues - retries for a specific amount of time
+#   2) Authorization errors - immediately logs an ERROR and returns
+store_backup_remotely() {
+  FILEPATH=$1
+  FILE=$2
+
+  count=1
+  while [[ ${count} -le ${REMOTE_BACKUP_RETRIES} ]]; do
+    # Store the new archive to the remote backup storage facility.
+    send_to_remote_server $FILEPATH $FILE
+    SEND_RESULT="$?"
+
+    # Check if successful
+    if [[ $SEND_RESULT -eq 0 ]]; then
+      log INFO "${DB_NAME}_backup" "Backup file ${FILE} successfully sent to RGW."
+      return 0
+    elif [[ $SEND_RESULT -eq 2 ]]; then
+      if [[ ${count} -ge ${REMOTE_BACKUP_RETRIES} ]]; then
+        log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW in " \
+        "${REMOTE_BACKUP_RETRIES} retries. Errors encountered. Exiting."
+        break
+      fi
+      # Temporary failure occurred. We need to retry
+      log WARN "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to RGW due to connection issue."
+      sleep_time=$(random_number)
+      log INFO "${DB_NAME}_backup" "Sleeping ${sleep_time} seconds waiting for RGW to become available..."
+      sleep ${sleep_time}
+      log INFO "${DB_NAME}_backup" "Retrying..."
+    else
+      log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW. Errors encountered. Exiting."
+      break
+    fi
+
+    # Increment the counter
+    count=$((count+1))
+  done
+
+  return 1
+}
+
+
+function get_archive_date(){
+# get_archive_date function returns correct archive date
+# for different formats of archives' names
+# the old one: <database name>.<namespace>.<table name | all>.<date-time>.tar.gz
+# the new one: <database name>.<namespace>.<table name | all>.<backup mode>.<date-time>.tar.gz
+  local A_FILE="$1"
+  awk -F. '{print $(NF-2)}' <<< ${A_FILE} | tr -d "Z"
+}
+
+# This function takes a list of archives' names as an input
+# and creates a hash table where keys are number of seconds
+# between current date and archive date (see seconds_difference),
+# and values are space separated archives' names
+#
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 1265342678 | "tmp/mysql.backup.auto.2022-02-14T10:13:13Z.tar.gz"                                                     |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 2346254257 | "tmp/mysql.backup.auto.2022-02-11T10:13:13Z.tar.gz tmp/mysql.backup.manual.2022-02-11T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# <...>
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 6253434567 | "tmp/mysql.backup.manual.2022-02-01T10:13:13Z.tar.gz"                                                   |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# We will use the explained above data stracture to cover rare, but still
+# possible case, when we have several backups of the same date. E.g.
+# one manual, and one automatic.
+
+declare -A fileTable
+create_hash_table() {
+unset fileTable
+fileList=$@
+  for ARCHIVE_FILE in ${fileList}; do
+    # Creating index, we will round given ARCHIVE_DATE to the midnight (00:00:00)
+    # to take in account a possibility, that we can have more than one scheduled
+    # backup per day.
+    ARCHIVE_DATE=$(get_archive_date ${ARCHIVE_FILE})
+    ARCHIVE_DATE=$(date --date=${ARCHIVE_DATE} +%D)
+    log INFO "${DB_NAME}_backup" "Archive date to build index: ${ARCHIVE_DATE}"
+    INDEX=$(seconds_difference ${ARCHIVE_DATE})
+    if [[ -z fileTable[${INDEX}] ]]; then
+      fileTable[${INDEX}]=${ARCHIVE_FILE}
+    else
+      fileTable[${INDEX}]="${fileTable[${INDEX}]} ${ARCHIVE_FILE}"
+    fi
+    echo "INDEX: ${INDEX} VALUE:  ${fileTable[${INDEX}]}"
+ done
+}
+
+function get_backup_prefix() {
+# Create list of all possible prefixes in a format:
+# <db_name>.<namespace> to cover a possible situation
+# when different backups of different databases and/or
+# namespaces share the same local or remote storage.
+  ALL_FILES=($@)
+  PREFIXES=()
+  for fname in ${ALL_FILES[@]}; do
+    prefix=$(basename ${fname} | cut -d'.' -f1,2 )
+    for ((i=0; i<${#PREFIXES[@]}; i++)) do
+      if [[ ${PREFIXES[${i}]} == ${prefix} ]]; then
+        prefix=""
+        break
+      fi
+    done
+    if [[ ! -z ${prefix} ]]; then
+        PREFIXES+=(${prefix})
+    fi
+  done
+}
+
+remove_old_local_archives() {
+  SECONDS_TO_KEEP=$(( $((${LOCAL_DAYS_TO_KEEP}))*86400))
+  log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+  if [[ -d $ARCHIVE_DIR ]]; then
+    count=0
+    # We iterate over the hash table, checking the delta in seconds (hash keys),
+    # and minimum number of backups we must have in place. List of keys has to be sorted.
+    for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+      ARCHIVE_FILE=${fileTable[${INDEX}]}
+      if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
+        ((count++))
+        log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
+      else
+        log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
+          rm -f ${ARCHIVE_FILE}
+          if [[ $? -ne 0 ]]; then
+            # Log error but don't exit so we can finish the script
+            # because at this point we haven't sent backup to RGW yet
+            log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
+          fi
+      fi
+    done
+  else
+    log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
+  fi
+}
+
+prepare_list_of_remote_backups() {
+  BACKUP_FILES=$(mktemp -p /tmp)
+  DB_BACKUP_FILES=$(mktemp -p /tmp)
+  openstack object list $CONTAINER_NAME > $BACKUP_FILES
+  if [[ $? -ne 0 ]]; then
+    log_backup_error_exit \
+      "Failed to cleanup remote backup. Could not obtain a list of current backup files in the RGW"
+  fi
+  # Filter out other types of backup files
+  cat $BACKUP_FILES | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $DB_BACKUP_FILES
+}
+
+# The logic implemented with this function is absolutely similar
+# to the function remove_old_local_archives (see above)
+remove_old_remote_archives() {
+  count=0
+  SECONDS_TO_KEEP=$((${REMOTE_DAYS_TO_KEEP}*86400))
+  log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+  for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+    ARCHIVE_FILE=${fileTable[${INDEX}]}
+    if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then
+      ((count++))
+      log INFO "${DB_NAME}_backup" "Keeping remote backup(s) ${ARCHIVE_FILE}."
+    else
+      log INFO "${DB_NAME}_backup" "Deleting remote backup(s) ${ARCHIVE_FILE} from the RGW"
+      openstack object delete ${CONTAINER_NAME} ${ARCHIVE_FILE} ||  log WARN "${DB_NAME}_backup" \
+        "Failed to cleanup remote backup. Cannot delete container object ${ARCHIVE_FILE}"
+    fi
+  done
+
+  # Cleanup now that we're done.
+  for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
+    if [[ -f fd ]]; then
+      rm -f fd
+    else
+      log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+    fi
+  done
+}
+
+# Main function to backup the databases. Calling functions need to supply:
+#  1) The directory where the final backup will be kept after it is compressed.
+#  2) A temporary directory to use for placing database files to be compressed.
+#     Note: this temp directory will be deleted after backup is done.
+#  3) Optional "scope" parameter indicating what database to back up. Defaults
+#     to "all".
+backup_databases() {
+  SCOPE=${1:-"all"}
+
+  # Create necessary directories if they do not exist.
+  mkdir -p $ARCHIVE_DIR || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create directory ${ARCHIVE_DIR}!"
+  export TMP_DIR=$(mktemp -d) || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create temp directory!"
+
+  # Create temporary log file
+  export ERR_LOG_FILE=$(mktemp -p /tmp) || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create log file!"
+
+  # It is expected that this function will dump the database files to the $TMP_DIR
+  dump_databases_to_directory $TMP_DIR $ERR_LOG_FILE $SCOPE
+
+  # If successful, there should be at least one file in the TMP_DIR
+  if [[ $? -ne 0 || $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+    cat $ERR_LOG_FILE
+    log_backup_error_exit "Backup of the ${DB_NAME} database failed and needs attention."
+  fi
+
+  log INFO "${DB_NAME}_backup" "Databases dumped successfully. Creating tarball..."
+
+  NOW=$(date +"%Y-%m-%dT%H:%M:%SZ")
+  if [[ -z "${BACK_UP_MODE}" ]]; then
+    TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${NOW}.tar.gz"
+  else
+    TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${BACK_UP_MODE}.${NOW}.tar.gz"
+  fi
+
+  cd $TMP_DIR || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot change to directory $TMP_DIR"
+
+  #Archive the current database files
+  tar zcvf $ARCHIVE_DIR/$TARBALL_FILE *
+  if [[ $? -ne 0 ]]; then
+    log_backup_error_exit \
+      "Backup ${DB_NAME} to local file system failed. Backup tarball could not be created."
+  fi
+
+  # Get the size of the file
+  ARCHIVE_SIZE=$(ls -l $ARCHIVE_DIR/$TARBALL_FILE | awk '{print $5}')
+
+  log INFO "${DB_NAME}_backup" "Tarball $TARBALL_FILE created successfully."
+
+  cd $ARCHIVE_DIR
+
+  # Remove the temporary directory and files as they are no longer needed.
+  rm -rf $TMP_DIR
+  rm -f $ERR_LOG_FILE
+
+  #Only delete the old archive after a successful archive
+  export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
+  if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
+    get_backup_prefix $(ls -1 ${ARCHIVE_DIR}/*.gz)
+    for ((i=0; i<${#PREFIXES[@]}; i++)); do
+      echo "Working with prefix: ${PREFIXES[i]}"
+      create_hash_table $(ls -1 ${ARCHIVE_DIR}/${PREFIXES[i]}*.gz)
+      remove_old_local_archives
+    done
+  fi
+
+  REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
+  if $REMOTE_BACKUP; then
+    # Remove Quotes from the constants which were added due to reading
+    # from secret.
+    export REMOTE_BACKUP_RETRIES=$(echo $REMOTE_BACKUP_RETRIES | sed 's/"//g')
+    export MIN_DELAY_SEND_REMOTE=$(echo $MIN_DELAY_SEND_REMOTE | sed 's/"//g')
+    export MAX_DELAY_SEND_REMOTE=$(echo $MAX_DELAY_SEND_REMOTE | sed 's/"//g')
+    export REMOTE_DAYS_TO_KEEP=$(echo $REMOTE_DAYS_TO_KEEP | sed 's/"//g')
+
+    store_backup_remotely $ARCHIVE_DIR $TARBALL_FILE
+    if [[ $? -ne 0 ]]; then
+      # This error should print first, then print the summary as the last
+      # thing that the user sees in the output.
+      log ERROR "${DB_NAME}_backup" "Backup ${TARBALL_FILE} could not be sent to remote RGW."
+      echo "=================================================================="
+      echo "Local backup successful, but could not send to remote RGW."
+      echo "Backup archive name: $TARBALL_FILE"
+      echo "Backup archive size: $ARCHIVE_SIZE"
+      echo "=================================================================="
+      # Because the local backup was successful, exit with 0 so the pod will not
+      # continue to restart and fill the disk with more backups. The ERRORs are
+      # logged and alerting system should catch those errors and flag the operator.
+      exit 0
+    fi
+
+    #Only delete the old archive after a successful archive
+    if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then
+      prepare_list_of_remote_backups
+      get_backup_prefix $(cat $DB_BACKUP_FILES)
+      for ((i=0; i<${#PREFIXES[@]}; i++)); do
+        echo "Working with prefix: ${PREFIXES[i]}"
+        create_hash_table $(cat $DB_BACKUP_FILES | grep ${PREFIXES[i]})
+        remove_old_remote_archives
+      done
+    fi
+
+    echo "=================================================================="
+    echo "Local backup and backup to remote RGW successful!"
+    echo "Backup archive name: $TARBALL_FILE"
+    echo "Backup archive size: $ARCHIVE_SIZE"
+    echo "=================================================================="
+  else
+    # Remote backup is not enabled. This is ok; at least we have a local backup.
+    log INFO "${DB_NAME}_backup" "Skipping remote backup, as it is not enabled."
+
+    echo "=================================================================="
+    echo "Local backup successful!"
+    echo "Backup archive name: $TARBALL_FILE"
+    echo "Backup archive size: $ARCHIVE_SIZE"
+    echo "=================================================================="
+  fi
+}
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl b/charts/horizon/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
new file mode 100644
index 0000000..093dd2c
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
@@ -0,0 +1,616 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.restore_main" }}
+#!/bin/bash
+
+# This file contains a database restore framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+#   source /tmp/restore_main.sh
+#
+# Then the script should call the main CLI function (cli_main):
+#   cli_main <arg_list>
+#       where:
+#         <arg_list>    is the list of arguments given by the user
+#
+#       The framework will require the following variables to be exported:
+#
+#         export DB_NAMESPACE        Namespace where the database(s) reside
+#         export DB_NAME             Name of the database system
+#         export ARCHIVE_DIR         Location where the backup tarballs should
+#                                    be stored. (full directory path which
+#                                    should already exist)
+#         export CONTAINER_NAME      Name of the container on the RGW where
+#                                    the backups are stored.
+#         RGW access variables:
+#           export OS_REGION_NAME          Name of the region the RGW resides in
+#           export OS_AUTH_URL             Keystone URL associated with the RGW
+#           export OS_PROJECT_NAME         Name of the project associated with the
+#                                          keystone user
+#           export OS_USERNAME             Name of the keystone user
+#           export OS_PASSWORD             Password of the keystone user
+#           export OS_USER_DOMAIN_NAME     Keystone domain the project belongs to
+#           export OS_PROJECT_DOMAIN_NAME  Keystone domain the user belongs to
+#           export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# The database-specific functions that need to be implemented are:
+#   get_databases
+#       where:
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <db_file>     is the full path of the file to write the database
+#                       names into, one database per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the database names from the
+#       uncompressed database files found in the given "tmp_dir", which is
+#       the staging directory for database restore. The database names
+#       should be written to the given "db_file", one database name per
+#       line.
+#
+#   get_tables
+#         <db_name>     is the name of the database to get the tables from
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <table_file>  is the full path of the file to write the table
+#                       names into, one table per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the table names from the given
+#       database, found in the uncompressed database files located in the
+#       given "tmp_dir", which is the staging directory for database restore.
+#       The table names should be written to the given "table_file", one
+#       table name per line.
+#
+#   get_rows
+#         <table_name>  is the name of the table to get the rows from
+#         <db_name>     is the name of the database the table resides in
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <rows_file>   is the full path of the file to write the table
+#                       row data into, one row (INSERT statement) per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the rows from the given table
+#       in the given database, found in the uncompressed database files
+#       located in the given "tmp_dir", which is the staging directory for
+#       database restore. The table rows should be written to the given
+#       "rows_file", one row (INSERT statement) per line.
+#
+#   get_schema
+#         <table_name>  is the name of the table to get the schema from
+#         <db_name>     is the name of the database the table resides in
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <schema_file> is the full path of the file to write the table
+#                       schema data into
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the schema from the given table
+#       in the given database, found in the uncompressed database files
+#       located in the given "tmp_dir", which is the staging directory for
+#       database restore. The table schema and related alterations and
+#       grant information should be written to the given "schema_file".
+#
+#   restore_single_db
+#       where:
+#         <db_name>     is the name of the database to be restored
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to restore the database given as "db_name"
+#       using the database files located in the "tmp_dir". The framework
+#       will delete the "tmp_dir" and the files in it after the restore is
+#       complete.
+#
+#   restore_all_dbs
+#       where:
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to restore all of the databases which
+#       are backed up in the database files located in the "tmp_dir". The
+#       framework will delete the "tmp_dir" and the files in it after the
+#       restore is complete.
+#
+# The functions in this file will take care of:
+#   1) The CLI parameter parsing for the arguments passed in by the user.
+#   2) The listing of either local or remote archive files at the request
+#      of the user.
+#   3) The retrieval/download of an archive file located either in the local
+#      file system or remotely stored on an RGW.
+#   4) Calling either "restore_single_db" or "restore_all_dbs" when the user
+#      chooses to restore a database or all databases.
+#   5) The framework will call "get_databases" when it needs a list of
+#      databases when the user requests a database list or when the user
+#      requests to restore a single database (to ensure it exists in the
+#      archive). Similarly, the framework will call "get_tables", "get_rows",
+#      or "get_schema" when it needs that data requested by the user.
+#
+
+usage() {
+  ret_val=$1
+  echo "Usage:"
+  echo "Restore command options"
+  echo "============================="
+  echo "help"
+  echo "list_archives [remote]"
+  echo "list_databases <archive_filename> [remote]"
+  echo "list_tables <archive_filename> <dbname> [remote]"
+  echo "list_rows <archive_filename> <dbname> <table_name> [remote]"
+  echo "list_schema <archive_filename> <dbname> <table_name> [remote]"
+  echo "restore <archive_filename> <db_specifier> [remote]"
+  echo "        where <db_specifier> = <dbname> | ALL"
+  echo "delete_archive <archive_filename> [remote]"
+  clean_and_exit $ret_val ""
+}
+
+#Exit cleanly with some message and return code
+clean_and_exit() {
+  RETCODE=$1
+  MSG=$2
+
+  # Clean/remove temporary directories/files
+  rm -rf $TMP_DIR
+  rm -f $RESULT_FILE
+
+  if [[ "x${MSG}" != "x" ]]; then
+    echo $MSG
+  fi
+  exit $RETCODE
+}
+
+determine_resulting_error_code() {
+  RESULT="$1"
+
+  echo ${RESULT} | grep "HTTP 404"
+  if [[ $? -eq 0 ]]; then
+    echo "Could not find the archive: ${RESULT}"
+    return 1
+  else
+    echo ${RESULT} | grep "HTTP 401"
+    if [[ $? -eq 0 ]]; then
+      echo "Could not access the archive: ${RESULT}"
+      return 1
+    else
+      echo ${RESULT} | grep "HTTP 503"
+      if [[ $? -eq 0 ]]; then
+        echo "RGW service is unavailable. ${RESULT}"
+        # In this case, the RGW may be temporarily down.
+        # Return slightly different error code so the calling code can retry
+        return 2
+      else
+        echo ${RESULT} | grep "ConnectionError"
+        if [[ $? -eq 0 ]]; then
+          echo "Could not reach the RGW: ${RESULT}"
+          # In this case, keystone or the site/node may be temporarily down.
+          # Return slightly different error code so the calling code can retry
+          return 2
+        else
+          echo "Archive ${ARCHIVE} could not be retrieved: ${RESULT}"
+          return 1
+        fi
+      fi
+    fi
+  fi
+  return 0
+}
+
+# Retrieve a list of archives from the RGW.
+retrieve_remote_listing() {
+  RESULT=$(openstack container show $CONTAINER_NAME 2>&1)
+  if [[ $? -eq 0 ]]; then
+    # Get the list, ensureing that we only pick up the right kind of backups from the
+    # requested namespace
+    openstack object list $CONTAINER_NAME | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $TMP_DIR/archive_list
+    if [[ $? -ne 0 ]]; then
+      echo "Container object listing could not be obtained."
+      return 1
+    else
+      echo "Archive listing successfully retrieved."
+    fi
+  else
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  fi
+  return 0
+}
+
+# Retrieve a single archive from the RGW.
+retrieve_remote_archive() {
+  ARCHIVE=$1
+
+  RESULT=$(openstack object save --file $TMP_DIR/$ARCHIVE $CONTAINER_NAME $ARCHIVE 2>&1)
+  if [[ $? -ne 0 ]]; then
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  else
+    echo "Archive $ARCHIVE successfully retrieved."
+  fi
+  return 0
+}
+
+# Delete an archive from the RGW.
+delete_remote_archive() {
+  ARCHIVE=$1
+
+  RESULT=$(openstack object delete ${CONTAINER_NAME} ${ARCHIVE} 2>&1)
+  if [[ $? -ne 0 ]]; then
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  else
+    echo "Archive ${ARCHIVE} successfully deleted."
+  fi
+  return 0
+}
+
+# Display all archives
+list_archives() {
+  REMOTE=$1
+
+  if [[ "x${REMOTE^^}" == "xREMOTE" ]]; then
+    retrieve_remote_listing
+    if [[ $? -eq 0 && -e $TMP_DIR/archive_list ]]; then
+      echo
+      echo "All Archives from RGW Data Store"
+      echo "=============================================="
+      cat $TMP_DIR/archive_list | sort
+      clean_and_exit 0 ""
+    else
+      clean_and_exit 1 "ERROR: Archives could not be retrieved from the RGW."
+    fi
+  elif [[ "x${REMOTE}" == "x" ]]; then
+    if [[ -d $ARCHIVE_DIR ]]; then
+      archives=$(find $ARCHIVE_DIR/ -iname "*.gz" -print | sort)
+      echo
+      echo "All Local Archives"
+      echo "=============================================="
+      for archive in $archives
+      do
+        echo $archive | cut -d '/' -f8-
+      done
+      clean_and_exit 0 ""
+    else
+      clean_and_exit 1 "ERROR: Local archive directory is not available."
+    fi
+  else
+    usage 1
+  fi
+}
+
+# Retrieve the archive from the desired location and decompress it into
+# the restore directory
+get_archive() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+
+  if [[ "x$REMOTE" == "xremote" ]]; then
+    echo "Retrieving archive ${ARCHIVE_FILE} from the remote RGW..."
+    retrieve_remote_archive $ARCHIVE_FILE
+    if [[ $? -ne 0 ]]; then
+      clean_and_exit 1 "ERROR: Could not retrieve remote archive: $ARCHIVE_FILE"
+    fi
+  elif [[ "x$REMOTE" == "x" ]]; then
+    if [[ -e $ARCHIVE_DIR/$ARCHIVE_FILE ]]; then
+      cp $ARCHIVE_DIR/$ARCHIVE_FILE $TMP_DIR/$ARCHIVE_FILE
+      if [[ $? -ne 0 ]]; then
+        clean_and_exit 1 "ERROR: Could not copy local archive to restore directory."
+      fi
+    else
+      clean_and_exit 1 "ERROR: Local archive file could not be found."
+    fi
+  else
+    usage 1
+  fi
+
+  echo "Decompressing archive $ARCHIVE_FILE..."
+  cd $TMP_DIR
+  tar zxvf - < $TMP_DIR/$ARCHIVE_FILE 1>/dev/null
+  if [[ $? -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Archive decompression failed."
+  fi
+}
+
+# Display all databases from an archive
+list_databases() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one database per line
+  get_databases $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve databases from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Databases in the $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Databases file missing. Could not list databases from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display all tables of a database from an archive
+list_tables() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  REMOTE=$3
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one table per line
+  get_tables $DATABASE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve tables for database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Tables in database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Tables file missing. Could not list tables of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display all rows of the given database table from an archive
+list_rows() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  TABLE=$3
+  REMOTE=$4
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one table per line
+  get_rows $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Rows in table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Rows file missing. Could not list rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display the schema information of the given database table from an archive
+list_schema() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  TABLE=$3
+  REMOTE=$4
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the schema information will be placed into
+  # the given schema file.
+  get_schema $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Schema for table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Schema file missing. Could not list schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Delete an archive
+delete_archive() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  if [[ "${WHERE}" == "remote" ]]; then
+    delete_remote_archive ${ARCHIVE_FILE}
+    if [[ $? -ne 0 ]]; then
+      clean_and_exit 1 "ERROR: Could not delete remote archive: ${ARCHIVE_FILE}"
+    fi
+  else # Local
+    if [[ -e ${ARCHIVE_DIR}/${ARCHIVE_FILE} ]]; then
+      rm -f ${ARCHIVE_DIR}/${ARCHIVE_FILE}
+      if [[ $? -ne 0 ]]; then
+        clean_and_exit 1 "ERROR: Could not delete local archive."
+      fi
+    else
+      clean_and_exit 1 "ERROR: Local archive file could not be found."
+    fi
+  fi
+
+  echo "Successfully deleted archive ${ARCHIVE_FILE} from ${WHERE} storage."
+}
+
+
+# Return 1 if the given database exists in the database file. 0 otherwise.
+database_exists() {
+  DB=$1
+
+  grep "${DB}" ${RESULT_FILE}
+  if [[ $? -eq 0 ]]; then
+    return 1
+  fi
+  return 0
+}
+
+# This is the main CLI interpreter function
+cli_main() {
+  ARGS=("$@")
+
+  # Create the ARCHIVE DIR if it's not already there.
+  mkdir -p $ARCHIVE_DIR
+
+  # Create temp directory for a staging area to decompress files into
+  export TMP_DIR=$(mktemp -d)
+
+  # Create a temp file for storing list of databases (if needed)
+  export RESULT_FILE=$(mktemp -p /tmp)
+
+  case "${ARGS[0]}" in
+    "help")
+      usage 0
+      ;;
+
+    "list_archives")
+      if [[ ${#ARGS[@]} -gt 2 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 1 ]]; then
+        list_archives
+      else
+        list_archives ${ARGS[1]}
+      fi
+      clean_and_exit 0
+      ;;
+
+    "list_databases")
+      if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 2 ]]; then
+        list_databases ${ARGS[1]}
+      else
+        list_databases ${ARGS[1]} ${ARGS[2]}
+      fi
+      ;;
+
+    "list_tables")
+      if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 3 ]]; then
+        list_tables ${ARGS[1]} ${ARGS[2]}
+      else
+        list_tables ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      fi
+      ;;
+
+    "list_rows")
+      if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      else
+        list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+      fi
+      ;;
+
+    "list_schema")
+      if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      else
+        list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+      fi
+      ;;
+
+    "restore")
+      REMOTE=""
+      if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        REMOTE=${ARGS[3]}
+      fi
+
+      ARCHIVE=${ARGS[1]}
+      DB_SPEC=${ARGS[2]}
+
+      #Get all the databases in that archive
+      get_archive $ARCHIVE $REMOTE
+
+      if [[ "$( echo $DB_SPEC | tr '[a-z]' '[A-Z]')" != "ALL" ]]; then
+        # Expectation is that the database listing will be put into
+        # the given file one database per line
+        get_databases $TMP_DIR $RESULT_FILE
+        if [[ "$?" -ne 0 ]]; then
+          clean_and_exit 1 "ERROR: Could not get the list of databases to restore."
+        fi
+
+        if [[ ! $DB_NAMESPACE == "kube-system" ]]; then
+          #check if the requested database is available in the archive
+          database_exists $DB_SPEC
+          if [[ $? -ne 1 ]]; then
+            clean_and_exit 1 "ERROR: Database ${DB_SPEC} does not exist."
+          fi
+        fi
+
+        echo "Restoring Database $DB_SPEC And Grants"
+        restore_single_db $DB_SPEC $TMP_DIR
+        if [[ "$?" -eq 0 ]]; then
+          echo "Single database restored successfully."
+        else
+          clean_and_exit 1 "ERROR: Single database restore failed."
+        fi
+        clean_and_exit 0 ""
+      else
+        echo "Restoring All The Databases. This could take a few minutes..."
+        restore_all_dbs $TMP_DIR
+        if [[ "$?" -eq 0 ]]; then
+          echo "All databases restored successfully."
+        else
+          clean_and_exit 1 "ERROR: Database restore failed."
+        fi
+        clean_and_exit 0 ""
+      fi
+      ;;
+    "delete_archive")
+      if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 2 ]]; then
+        delete_archive ${ARGS[1]}
+      else
+        delete_archive ${ARGS[1]} ${ARGS[2]}
+      fi
+      ;;
+    *)
+      usage 1
+      ;;
+  esac
+
+  clean_and_exit 0 ""
+}
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_image.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_image.tpl
new file mode 100644
index 0000000..029c93d
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_image.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves an image reference to a string, and its pull policy
+values: |
+  images:
+    tags:
+      test_image: docker.io/port/test:version-foo
+      image_foo: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    pull_policy: IfNotPresent
+    local_registry:
+      active: true
+      exclude:
+        - image_foo
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    local_image_registry:
+      name: docker-registry
+      namespace: docker-registry
+      hosts:
+        default: localhost
+        internal: docker-registry
+        node: localhost
+      host_fqdn_override:
+        default: null
+      port:
+        registry:
+          node: 5000
+usage: |
+  {{ tuple . "test_image" | include "helm-toolkit.snippets.image" }}
+return: |
+  image: "localhost:5000/docker.io/port/test:version-foo"
+  imagePullPolicy: IfNotPresent
+*/}}
+
+{{- define "helm-toolkit.snippets.image" -}}
+{{- $envAll := index . 0 -}}
+{{- $image := index . 1 -}}
+{{- $imageTag := index $envAll.Values.images.tags $image -}}
+{{- if and ($envAll.Values.images.local_registry.active) (not (has $image $envAll.Values.images.local_registry.exclude )) -}}
+{{- $registryPrefix := printf "%s:%s" (tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup") (tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup") -}}
+image: {{ printf "%s/%s" $registryPrefix $imageTag | quote }}
+{{- else -}}
+image: {{ $imageTag | quote }}
+{{- end }}
+imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
new file mode 100644
index 0000000..2f209fe
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a set of container enviorment variables, equivlant to an openrc for
+  use with keystone based command line clients.
+values: |
+  secrets:
+    identity:
+      admin: example-keystone-admin
+usage: |
+  {{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin ) }}
+return: |
+  - name: OS_IDENTITY_API_VERSION
+    value: "3"
+  - name: OS_AUTH_URL
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_AUTH_URL
+  - name: OS_REGION_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_REGION_NAME
+  - name: OS_INTERFACE
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_INTERFACE
+  - name: OS_ENDPOINT_TYPE
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_INTERFACE
+  - name: OS_PROJECT_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PROJECT_DOMAIN_NAME
+  - name: OS_PROJECT_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PROJECT_NAME
+  - name: OS_USER_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_USER_DOMAIN_NAME
+  - name: OS_USERNAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_USERNAME
+  - name: OS_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PASSWORD
+  - name: OS_CACERT
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_CACERT
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }}
+{{- $useCA := .useCA -}}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: OS_IDENTITY_API_VERSION
+  value: "3"
+- name: OS_AUTH_URL
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_AUTH_URL
+- name: OS_REGION_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_REGION_NAME
+- name: OS_INTERFACE
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_INTERFACE
+- name: OS_ENDPOINT_TYPE
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_INTERFACE
+- name: OS_PROJECT_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_DOMAIN_NAME
+- name: OS_PROJECT_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_NAME
+- name: OS_USER_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USER_DOMAIN_NAME
+- name: OS_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USERNAME
+- name: OS_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PASSWORD
+- name: OS_DEFAULT_DOMAIN
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_DEFAULT_DOMAIN
+{{- if $useCA }}
+- name: OS_CACERT
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_CACERT
+{{- end }}
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
new file mode 100644
index 0000000..f627657
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_secret_openrc" }}
+{{- $userClass := index . 0 -}}
+{{- $identityEndpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $userContext := index $context.Values.endpoints.identity.auth $userClass }}
+OS_AUTH_URL: {{ tuple "identity" $identityEndpoint "api" $context | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
+OS_REGION_NAME: {{ $userContext.region_name | b64enc }}
+OS_INTERFACE: {{ $userContext.interface | default "internal" | b64enc }}
+OS_PROJECT_DOMAIN_NAME: {{ $userContext.project_domain_name | b64enc }}
+OS_PROJECT_NAME: {{ $userContext.project_name | b64enc }}
+OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }}
+OS_USERNAME: {{ $userContext.username | b64enc }}
+OS_PASSWORD: {{ $userContext.password | b64enc }}
+OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }}
+{{- if $userContext.cacert }}
+OS_CACERT: {{ $userContext.cacert | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
new file mode 100644
index 0000000..648711b
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a set of container enviorment variables, for use with the keystone
+  user management jobs.
+values: |
+  secrets:
+    identity:
+      service_user: example-keystone-user
+usage: |
+  {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }}
+return: |
+  - name: SERVICE_OS_REGION_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_REGION_NAME
+  - name: SERVICE_OS_PROJECT_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PROJECT_DOMAIN_NAME
+  - name: SERVICE_OS_PROJECT_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PROJECT_NAME
+  - name: SERVICE_OS_USER_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_USER_DOMAIN_NAME
+  - name: SERVICE_OS_USERNAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_USERNAME
+  - name: SERVICE_OS_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PASSWORD
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_user_create_env_vars" }}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: SERVICE_OS_REGION_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_REGION_NAME
+- name: SERVICE_OS_PROJECT_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_DOMAIN_NAME
+- name: SERVICE_OS_PROJECT_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_NAME
+- name: SERVICE_OS_USER_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USER_DOMAIN_NAME
+- name: SERVICE_OS_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USERNAME
+- name: SERVICE_OS_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PASSWORD
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
new file mode 100644
index 0000000..8ca1028
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders a configmap used for loading custom AppArmor profiles.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+      apparmor_profiles: |-
+        my_apparmor-v1.profile: |-
+          #include <tunables/global>
+          profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+            <profile_data>
+          }
+usage: |
+  {{ dict "envAll" . "component" "myComponent" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }}
+return: |
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: releaseName-myComponent-apparmor
+  namespace: myNamespace
+data:
+  my_apparmor-v1.profile: |-
+    #include <tunables/global>
+    profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+      <profile_data>
+    }
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_configmap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- $mapName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if $envAll.Values.conf.apparmor_profiles }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ $mapName }}
+  namespace: {{ $envAll.Release.Namespace }}
+data:
+{{ $envAll.Values.conf.apparmor_profiles | toYaml | indent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
new file mode 100644
index 0000000..f231fe6
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders the init container used for apparmor loading.
+values: |
+  images:
+    tags:
+      apparmor_loader: my-repo.io/apparmor-loader:1.0.0
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+      apparmor-loader: unconfined
+usage: |
+  {{ dict "envAll" . | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" }}
+return: |
+  - name: apparmor-loader
+    image: my-repo.io/apparmor-loader:1.0.0
+    args:
+      - /profiles
+    securityContext:
+      privileged: true
+    volumeMounts:
+      - name: sys
+        mountPath: /sys
+        readOnly: true
+      - name: includes
+        mountPath: /etc/apparmor.d
+        readOnly: true
+      - name: profiles
+        mountPath: /profiles
+        readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" -}}
+{{- $envAll := index . "envAll" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+- name: apparmor-loader
+  image: {{ $envAll.Values.images.tags.apparmor_loader }}
+  args:
+    - /profiles
+  securityContext:
+    privileged: true
+  volumeMounts:
+    - name: sys
+      mountPath: /sys
+      readOnly: true
+    - name: includes
+      mountPath: /etc/apparmor.d
+      readOnly: true
+    - name: profiles
+      mountPath: /profiles
+      readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
new file mode 100644
index 0000000..baebaa3
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders the volumes used by the apparmor loader.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+inputs: |
+  envAll: "Environment or Context."
+  component: "Name of the component used for the name of configMap."
+  requireSys: "Boolean. True if it needs the hostpath /sys in volumes."
+usage: |
+  {{ dict "envAll" . "component" "keystone" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" }}
+return: |
+- name: sys
+  hostPath:
+    path: /sys
+- name: includes
+  hostPath:
+    path: /etc/apparmor.d
+- name: profiles
+  configMap:
+    name: RELEASENAME-keystone-apparmor
+    defaultMode: 0555
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_volumes" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $requireSys := index . "requireSys" | default false -}}
+{{- $configName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- if $requireSys }}
+- name: sys
+  hostPath:
+    path: /sys
+{{- end }}
+- name: includes
+  hostPath:
+    path: /etc/apparmor.d
+- name: profiles
+  configMap:
+    name: {{ $configName | quote }}
+    defaultMode: 0555
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
new file mode 100644
index 0000000..4741497
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders securityContext for a Kubernetes container.
+  For container level, see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#securitycontext-v1-core
+examples:
+  - values: |
+      pod:
+        security_context:
+          myApp:
+            container:
+              foo:
+                runAsUser: 34356
+                readOnlyRootFilesystem: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" "container" "foo" | include "helm-toolkit.snippets.kubernetes_container_security_context" }}
+    return: |
+      securityContext:
+        readOnlyRootFilesystem: true
+        runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_container_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $container := index . "container" -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{- if hasKey ( index $envAll.Values.pod.security_context $application "container" ) $container }}
+securityContext:
+{{ toYaml ( index $envAll.Values.pod.security_context $application "container" $container ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
new file mode 100644
index 0000000..bed712e
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
@@ -0,0 +1,209 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a container definition for use with the kubernetes-entrypoint image
+  from stackanetes.
+values: |
+  images:
+    tags:
+      dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    pull_policy: IfNotPresent
+    local_registry:
+      active: true
+      exclude:
+        - dep_check
+  dependencies:
+    dynamic:
+      common:
+        local_image_registry:
+          jobs:
+            - calico-image-repo-sync
+          services:
+            - endpoint: node
+              service: local_image_registry
+    static:
+      calico_node:
+        services:
+          - endpoint: internal
+            service: etcd
+        custom_resources:
+          - apiVersion: argoproj.io/v1alpha1
+            kind: Workflow
+            name: wf-example
+            fields:
+              - key: "status.phase"
+                value: "Succeeded"
+  endpoints:
+    local_image_registry:
+      namespace: docker-registry
+      hosts:
+        default: localhost
+        node: localhost
+    etcd:
+      hosts:
+        default: etcd
+  # NOTE (portdirect): if the stanza, or a portion of it, under `pod` is not
+  # specififed then the following will be used as defaults:
+  #  pod:
+  #    security_context:
+  #      kubernetes_entrypoint:
+  #        container:
+  #          kubernetes_entrypoint:
+  #            runAsUser: 65534
+  #            readOnlyRootFilesystem: true
+  #            allowPrivilegeEscalation: false
+  pod:
+    security_context:
+      kubernetes_entrypoint:
+        container:
+          kubernetes_entrypoint:
+            runAsUser: 0
+            readOnlyRootFilesystem: false
+usage: |
+  {{ tuple . "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" }}
+return: |
+  - name: init
+    image: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+    imagePullPolicy: IfNotPresent
+    securityContext:
+      allowPrivilegeEscalation: false
+      readOnlyRootFilesystem: false
+      runAsUser: 0
+
+    env:
+      - name: POD_NAME
+        valueFrom:
+          fieldRef:
+            apiVersion: v1
+            fieldPath: metadata.name
+      - name: NAMESPACE
+        valueFrom:
+          fieldRef:
+            apiVersion: v1
+            fieldPath: metadata.namespace
+      - name: INTERFACE_NAME
+        value: eth0
+      - name: PATH
+        value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+      - name: DEPENDENCY_SERVICE
+        value: "default:etcd,docker-registry:localhost"
+      - name: DEPENDENCY_JOBS
+        value: "calico-image-repo-sync"
+      - name: DEPENDENCY_DAEMONSET
+        value: ""
+      - name: DEPENDENCY_CONTAINER
+        value: ""
+      - name: DEPENDENCY_POD_JSON
+        value: ""
+      - name: DEPENDENCY_CUSTOM_RESOURCE
+        value: "[{\"apiVersion\":\"argoproj.io/v1alpha1\",\"kind\":\"Workflow\",\"namespace\":\"default\",\"name\":\"wf-example\",\"fields\":[{\"key\":\"status.phase\",\"value\":\"Succeeded\"}]}]"
+    command:
+      - kubernetes-entrypoint
+    volumeMounts:
+      []
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" -}}
+Values:
+  pod:
+    security_context:
+      kubernetes_entrypoint:
+        container:
+          kubernetes_entrypoint:
+            runAsUser: 65534
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $mounts := index . 2 -}}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+
+{{- if and ($envAll.Values.manifests.job_rabbit_init) (hasKey $envAll.Values.dependencies "dynamic") -}}
+{{- if $envAll.Values.dependencies.dynamic.job_rabbit_init -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component) ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component)) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+{{- range $deps.custom_resources }}
+{{- $_ := set . "namespace" $envAll.Release.Namespace -}}
+{{- end -}}
+{{- $default_security_context := include "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" . | fromYaml }}
+{{- $patchedEnvAll := mergeOverwrite $default_security_context $envAll }}
+- name: init
+{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
+{{- dict "envAll" $patchedEnvAll "application" "kubernetes_entrypoint" "container" "kubernetes_entrypoint" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 2 }}
+  env:
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          apiVersion: v1
+          fieldPath: metadata.name
+    - name: NAMESPACE
+      valueFrom:
+        fieldRef:
+          apiVersion: v1
+          fieldPath: metadata.namespace
+    - name: INTERFACE_NAME
+      value: eth0
+    - name: PATH
+      value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+    - name: DEPENDENCY_SERVICE
+      value: "{{ tuple $deps.services $envAll | include "helm-toolkit.utils.comma_joined_service_list" }}"
+{{- if $deps.jobs -}}
+  {{- if kindIs "string" (index $deps.jobs 0) }}
+    - name: DEPENDENCY_JOBS
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.jobs }}"
+  {{- else }}
+    - name: DEPENDENCY_JOBS_JSON
+      value: {{- toJson $deps.jobs | quote -}}
+  {{- end -}}
+{{- end }}
+    - name: DEPENDENCY_DAEMONSET
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.daemonset }}"
+    - name: DEPENDENCY_CONTAINER
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.container }}"
+    - name: DEPENDENCY_POD_JSON
+      value: {{ if $deps.pod }}{{ toJson $deps.pod | quote }}{{ else }}""{{ end }}
+    - name: DEPENDENCY_CUSTOM_RESOURCE
+      value: {{ if $deps.custom_resources }}{{ toJson $deps.custom_resources | quote }}{{ else }}""{{ end }}
+  command:
+    - kubernetes-entrypoint
+  volumeMounts:
+{{ toYaml $mounts | indent 4 }}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
new file mode 100644
index 0000000..34a7da3
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
@@ -0,0 +1,20 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_kubectl_params" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{ print "-l application=" $application " -l component=" $component }}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
new file mode 100644
index 0000000..92d3ea5
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders mandatory access control annotations for a list of containers
+  driven by values.yaml. As of now, it can only generate an apparmor
+  annotation, but in the future could generate others.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      myPodName:
+        myContainerName: localhost/myAppArmor
+        mySecondContainerName: localhost/secondProfile # optional
+        myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+  {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" }}
+return: |
+  container.apparmor.security.beta.kubernetes.io/myContainerName: localhost/myAppArmor
+  container.apparmor.security.beta.kubernetes.io/mySecondContainerName: localhost/secondProfile
+  container.apparmor.security.beta.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+  The number of container underneath is a variable arguments. It loops through
+  all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- $macType := $envAll.Values.pod.mandatory_access_control.type -}}
+{{- if $macType -}}
+{{- if eq $macType "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control $podName -}}
+{{- range $name := $containerNames -}}
+{{- $apparmorProfile := index $envAll.Values.pod.mandatory_access_control $podName $name -}}
+{{- if $apparmorProfile }}
+container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
new file mode 100644
index 0000000..48b53fa
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders a set of standardised labels
+values: |
+  release_group: null
+  pod:
+    labels:
+      default:
+        label1.example.com: value
+      bar:
+        label2.example.com: bar
+usage: |
+  {{ tuple . "foo" "bar" | include "helm-toolkit.snippets.kubernetes_metadata_labels" }}
+return: |
+  release_group: RELEASE-NAME
+  application: foo
+  component: bar
+  label1.example.com: value
+  label2.example.com: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+release_group: {{ $envAll.Values.release_group | default $envAll.Release.Name }}
+application: {{ $application }}
+component: {{ $component }}
+{{- if ($envAll.Values.pod).labels }}
+{{- if hasKey $envAll.Values.pod.labels $component }}
+{{ index $envAll.Values.pod "labels" $component | toYaml }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.labels "default" }}
+{{ $envAll.Values.pod.labels.default | toYaml }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
new file mode 100644
index 0000000..fabbcf8
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
@@ -0,0 +1,89 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes anti affinity rules, this function supports both hard
+  'requiredDuringSchedulingIgnoredDuringExecution' and soft
+  'preferredDuringSchedulingIgnoredDuringExecution' types.
+values: |
+  pod:
+    affinity:
+      anti:
+        topologyKey:
+          default: kubernetes.io/hostname
+        type:
+          default: requiredDuringSchedulingIgnoredDuringExecution
+        weight:
+          default: 10
+usage: |
+  {{ tuple . "appliction_x" "component_y" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" }}
+return: |
+  podAntiAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+    - labelSelector:
+        matchExpressions:
+          - key: release_group
+            operator: In
+            values:
+            - RELEASE-NAME
+          - key: application
+            operator: In
+            values:
+            - appliction_x
+          - key: component
+            operator: In
+            values:
+            - component_y
+          topologyKey: kubernetes.io/hostname
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $component := index . "component" -}}
+{{- $expressionRelease := dict "key" "release_group" "operator" "In"  "values" ( list ( $envAll.Values.release_group | default $envAll.Release.Name ) ) -}}
+{{- $expressionApplication := dict "key" "application" "operator" "In"  "values" ( list $application ) -}}
+{{- $expressionComponent := dict "key" "component" "operator" "In"  "values" ( list $component ) -}}
+{{- list $expressionRelease $expressionApplication $expressionComponent | toYaml }}
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{- $antiAffinityType := index $envAll.Values.pod.affinity.anti.type $component | default $envAll.Values.pod.affinity.anti.type.default }}
+{{- $antiAffinityKey := index $envAll.Values.pod.affinity.anti.topologyKey $component | default $envAll.Values.pod.affinity.anti.topologyKey.default }}
+podAntiAffinity:
+{{- $matchExpressions := include "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" ( dict "envAll" $envAll "application" $application "component" $component ) -}}
+{{- if eq $antiAffinityType "preferredDuringSchedulingIgnoredDuringExecution" }}
+  {{ $antiAffinityType }}:
+  - podAffinityTerm:
+      labelSelector:
+        matchExpressions:
+{{ $matchExpressions | indent 10 }}
+      topologyKey: {{ $antiAffinityKey }}
+{{- if  $envAll.Values.pod.affinity.anti.weight }}
+    weight: {{ index $envAll.Values.pod.affinity.anti.weight $component | default $envAll.Values.pod.affinity.anti.weight.default }}
+{{- else }}
+    weight: 10
+{{- end -}}
+{{- else if eq $antiAffinityType "requiredDuringSchedulingIgnoredDuringExecution" }}
+  {{ $antiAffinityType }}:
+  - labelSelector:
+      matchExpressions:
+{{ $matchExpressions | indent 8 }}
+    topologyKey: {{ $antiAffinityKey }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
new file mode 100644
index 0000000..74173dc
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders image pull secrets for a pod
+values: |
+  pod:
+    image_pull_secrets:
+      default:
+        - name: some-pull-secret
+      bar:
+        - name: another-pull-secret
+usage: |
+  {{ tuple . "bar" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" }}
+return: |
+  imagePullSecrets:
+    - name: some-pull-secret
+    - name: another-pull-secret
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_image_pull_secrets" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- if ($envAll.Values.pod).image_pull_secrets }}
+imagePullSecrets:
+{{- if hasKey $envAll.Values.pod.image_pull_secrets $application }}
+{{ index $envAll.Values.pod "image_pull_secrets" $application | toYaml | indent 2 }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.image_pull_secrets "default" }}
+{{ $envAll.Values.pod.image_pull_secrets.default | toYaml | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
new file mode 100644
index 0000000..90a7a65
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{{- $saName := index . 2 | replace "_" "-" }}
+{{- $saNamespace := index . 3 -}}
+{{- $releaseName := $envAll.Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $releaseName }}-{{ $saName }}
+  namespace: {{ $saNamespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $saName }}
+    namespace: {{ $saNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+  namespace: {{ $saNamespace }}
+rules:
+  - apiGroups:
+      - ""
+      - extensions
+      - batch
+      - apps
+    verbs:
+      - get
+      - list
+    resources:
+      {{- range $k, $v := $deps -}}
+      {{ if eq $v "daemonsets" }}
+      - daemonsets
+      {{- end -}}
+      {{ if eq $v "jobs" }}
+      - jobs
+      {{- end -}}
+      {{ if or (eq $v "pods") (eq $v "daemonsets") (eq $v "jobs") }}
+      - pods
+      {{- end -}}
+      {{ if eq $v "services" }}
+      - services
+      - endpoints
+      {{- end -}}
+      {{ if eq $v "secrets" }}
+      - secrets
+      {{- end -}}
+      {{- end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
new file mode 100644
index 0000000..bc2045e
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $saName := index . 2 -}}
+{{- $saNamespace := $envAll.Release.Namespace }}
+{{- $randomKey := randAlphaNum 32 }}
+{{- $allNamespace := dict $randomKey "" }}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $saName }}
+  namespace: {{ $saNamespace }}
+{{- if $envAll.Values.manifests.secret_registry }}
+{{- if $envAll.Values.endpoints.oci_image_registry.auth.enabled }}
+imagePullSecrets:
+  - name: {{ index $envAll.Values.secrets.oci_image_registry $envAll.Chart.Name }}
+{{- end -}}
+{{- end -}}
+{{- range $k, $v := $deps -}}
+{{- if eq $k "services" }}
+{{- range $serv := $v }}
+{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
+{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
+{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
+{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- else if and (eq $k "jobs") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "daemonset") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "pod") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "pods," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "secret") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "secrets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- $_ := unset $allNamespace $randomKey }}
+{{- range $ns, $vv := $allNamespace }}
+{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
+{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
new file mode 100644
index 0000000..3a4fbaa
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
@@ -0,0 +1,67 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders securityContext for a Kubernetes pod.
+  For pod level, seurity context see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#podsecuritycontext-v1-core
+examples:
+  - values: |
+      pod:
+        # NOTE: The 'user' key is deprecated, and will be removed shortly.
+        user:
+          myApp:
+            uid: 34356
+        security_context:
+          myApp:
+            pod:
+              runAsNonRoot: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+    return: |
+      securityContext:
+        runAsUser: 34356
+        runAsNonRoot: true
+  - values: |
+      pod:
+        security_context:
+          myApp:
+            pod:
+              runAsUser: 34356
+              runAsNonRoot: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+    return: |
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+securityContext:
+{{- if hasKey $envAll.Values.pod "user" }}
+{{- if hasKey $envAll.Values.pod.user $application }}
+{{- if hasKey ( index $envAll.Values.pod.user $application ) "uid" }}
+  runAsUser: {{ index $envAll.Values.pod.user $application "uid" }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{ toYaml ( index $envAll.Values.pod.security_context $application "pod" ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
new file mode 100644
index 0000000..7470760
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes liveness and readiness probes for containers
+values: |
+  pod:
+    probes:
+      api:
+        default:
+          readiness:
+            enabled: true
+            params:
+              initialDelaySeconds: 30
+              timeoutSeconds: 30
+usage: |
+  {{- define "probeTemplate" }}
+  httpGet:
+    path: /status
+    port: 9090
+  {{- end }}
+  {{ dict "envAll" . "component" "api" "container" "default" "type" "readiness" "probeTemplate" (include "probeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" }}
+return: |
+  readinessProbe:
+    httpGet:
+      path: /status
+      port: 9090
+    initialDelaySeconds: 30
+    timeoutSeconds: 30
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_probe" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $container := index . "container" -}}
+{{- $type := index . "type" -}}
+{{- $probeTemplate := index . "probeTemplate" -}}
+{{- $probeOpts := index $envAll.Values.pod.probes $component $container $type -}}
+{{- if $probeOpts.enabled -}}
+{{- $probeOverides := index $probeOpts "params" | default dict -}}
+{{ dict ( printf "%sProbe" $type ) (mergeOverwrite $probeTemplate $probeOverides ) | toYaml }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
new file mode 100644
index 0000000..24d30cf
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
@@ -0,0 +1,53 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Note: This function is deprecated and will be removed in the future.
+
+abstract: |
+  Renders kubernetes resource limits for pods
+values: |
+  pod:
+    resources:
+      enabled: true
+      api:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+          hugepages-1Gi: "1Gi"
+
+usage: |
+  {{ include "helm-toolkit.snippets.kubernetes_resources" ( tuple . .Values.pod.resources.api ) }}
+return: |
+  resources:
+    limits:
+      cpu: "2000m"
+      memory: "1024Mi"
+      hugepages-1Gi: "1Gi"
+    requests:
+      cpu: "100m"
+      memory: "128Mi
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_resources" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- if $envAll.Values.pod.resources.enabled -}}
+resources:
+{{ toYaml $component | trim | indent 2 }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
new file mode 100644
index 0000000..555ffb0
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders seccomp annotations for a list of containers driven by values.yaml.
+values: |
+  pod:
+    seccomp:
+      myPodName:
+        myContainerName: localhost/mySeccomp
+        mySecondContainerName: localhost/secondProfile # optional
+        myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+  {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_seccomp_annotation" }}
+return: |
+  container.seccomp.security.alpha.kubernetes.io/myContainerName: localhost/mySeccomp
+  container.seccomp.security.alpha.kubernetes.io/mySecondContainerName: localhost/secondProfile
+  container.seccomp.security.alpha.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+  The number of container underneath is a variable arguments. It loops through
+  all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_seccomp_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey (index $envAll.Values.pod "seccomp") $podName -}}
+{{- range $name := $containerNames -}}
+{{- $seccompProfile := index $envAll.Values.pod.seccomp $podName $name -}}
+{{- if $seccompProfile }}
+container.seccomp.security.alpha.kubernetes.io/{{ $name }}: {{ $seccompProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
new file mode 100644
index 0000000..e4af6a6
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes tolerations for pods
+values: |
+  pod:
+    tolerations:
+      api:
+        enabled: true
+        tolerations:
+        - key: node-role.kubernetes.io/master
+          operator: Exists
+        - key: node-role.kubernetes.io/node
+          operator: Exists
+
+usage: |
+  {{ include "helm-toolkit.snippets.kubernetes_tolerations" ( tuple . .Values.pod.tolerations.api ) }}
+return: |
+  tolerations:
+  - key: node-role.kubernetes.io/master
+    operator: Exists
+  - key: node-role.kubernetes.io/node
+    operator: Exists
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_tolerations" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $pod := index $envAll.Values.pod.tolerations $component }}
+tolerations:
+{{ toYaml $pod.tolerations }}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
new file mode 100644
index 0000000..69cee47
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_daemonset" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $upgradeMap := index $envAll.Values.pod.lifecycle.upgrades.daemonsets $component -}}
+{{- $pod_replacement_strategy := $envAll.Values.pod.lifecycle.upgrades.daemonsets.pod_replacement_strategy -}}
+{{- with $upgradeMap -}}
+{{- if .enabled }}
+minReadySeconds: {{ .min_ready_seconds }}
+updateStrategy:
+  type: {{ $pod_replacement_strategy }}
+  {{- if $pod_replacement_strategy }}
+  {{- if eq $pod_replacement_strategy "RollingUpdate" }}
+  rollingUpdate:
+    maxUnavailable: {{ .max_unavailable }}
+  {{- end }}
+  {{- end }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
new file mode 100644
index 0000000..be28cdb
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_deployment" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.deployments -}}
+revisionHistoryLimit: {{ .revision_history }}
+strategy:
+  type: {{ .pod_replacement_strategy }}
+  {{- if eq .pod_replacement_strategy "RollingUpdate" }}
+  rollingUpdate:
+    maxUnavailable: {{ .rolling_update.max_unavailable }}
+    maxSurge: {{ .rolling_update.max_surge }}
+  {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
new file mode 100644
index 0000000..f897023
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders upgradeStrategy configuration for Kubernetes statefulsets.
+  See: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+  Types:
+    - RollingUpdate (default)
+    - OnDelete
+  Partitions:
+    - Stage updates to a statefulset by keeping pods at current version while
+      allowing mutations to statefulset's .spec.template
+values: |
+  pod:
+    lifecycle:
+      upgrades:
+        statefulsets:
+          pod_replacement_strategy: RollingUpdate
+          partition: 2
+usage: |
+  {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_statefulset" | indent 2 }}
+return: |
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      partition: 2
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_statefulset" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.statefulsets -}}
+updateStrategy:
+  type: {{ .pod_replacement_strategy }}
+  {{ if .partition -}}
+  rollingUpdate:
+    partition: {{ .partition }}
+  {{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
new file mode 100644
index 0000000..fc74c6f
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
@@ -0,0 +1,68 @@
+{{- define "helm-toolkit.snippets.mon_host_from_k8s_ep" -}}
+{{/*
+
+Inserts a bash function definition mon_host_from_k8s_ep() which can be used
+to construct a mon_hosts value from the given namespaced endpoint.
+
+Usage (e.g. in _script.sh.tpl):
+    #!/bin/bash
+
+    : "${NS:=ceph}"
+    : "${EP:=ceph-mon-discovery}"
+
+    {{ include "helm-toolkit.snippets.mon_host_from_k8s_ep" . }}
+
+    MON_HOST=$(mon_host_from_k8s_ep "$NS" "$EP")
+
+    if [ -z "$MON_HOST" ]; then
+        # deal with failure
+    else
+        sed -i -e "s/^mon_host = /mon_host = $MON_HOST/" /etc/ceph/ceph.conf
+    fi
+*/}}
+{{`
+# Construct a mon_hosts value from the given namespaced endpoint
+# IP x.x.x.x with port p named "mon-msgr2" will appear as [v2:x.x.x.x/p/0]
+# IP x.x.x.x with port q named "mon" will appear as [v1:x.x.x.x/q/0]
+# IP x.x.x.x with ports p and q will appear as [v2:x.x.x.x/p/0,v1:x.x.x.x/q/0]
+# The entries for all IPs will be joined with commas
+mon_host_from_k8s_ep() {
+  local ns=$1
+  local ep=$2
+
+  if [ -z "$ns" ] || [ -z "$ep" ]; then
+    return 1
+  fi
+
+  # We don't want shell expansion for the go-template expression
+  # shellcheck disable=SC2016
+  kubectl get endpoints -n "$ns" "$ep" -o go-template='
+    {{- $sep := "" }}
+    {{- range $_,$s := .subsets }}
+      {{- $v2port := 0 }}
+      {{- $v1port := 0 }}
+      {{- range $_,$port := index $s "ports" }}
+        {{- if (eq $port.name "mon-msgr2") }}
+          {{- $v2port = $port.port }}
+        {{- else if (eq $port.name "mon") }}
+          {{- $v1port = $port.port }}
+        {{- end }}
+      {{- end }}
+      {{- range $_,$address := index $s "addresses" }}
+        {{- $v2endpoint := printf "v2:%s:%d/0" $address.ip $v2port }}
+        {{- $v1endpoint := printf "v1:%s:%d/0" $address.ip $v1port }}
+        {{- if (and $v2port $v1port) }}
+          {{- printf "%s[%s,%s]" $sep $v2endpoint $v1endpoint }}
+          {{- $sep = "," }}
+        {{- else if $v2port }}
+          {{- printf "%s[%s]" $sep $v2endpoint }}
+          {{- $sep = "," }}
+        {{- else if $v1port }}
+          {{- printf "%s[%s]" $sep $v1endpoint }}
+          {{- $sep = "," }}
+        {{- end }}
+      {{- end }}
+    {{- end }}'
+}
+`}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
new file mode 100644
index 0000000..fec41f8
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape jobs via pod
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape pods that have a value of `true`
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: Scrape the pod on the indicated port instead of the
+# pod's declared ports (default is a port-free target if none are declared).
+
+{{- define "helm-toolkit.snippets.prometheus_pod_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
new file mode 100644
index 0000000..a827c4b
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
@@ -0,0 +1,35 @@
+{{/*
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+   http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape endpoints via
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape services that have a value of `true`
+# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
+# to set this to `https` & most likely set the `tls_config` of the scrape config.
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: If the metrics are exposed on a different port to the
+# service then set this appropriately.
+
+{{- define "helm-toolkit.snippets.prometheus_service_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.scheme }}
+prometheus.io/scheme: {{ $config.scheme | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_release_uuid.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
new file mode 100644
index 0000000..253920b
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Reneders an attonation key and value for a release
+values: |
+  release_uuid: null
+usage: |
+  {{ tuple . | include "helm-toolkit.snippets.release_uuid" }}
+return: |
+  "openstackhelm.openstack.org/release_uuid": ""
+*/}}
+
+{{- define "helm-toolkit.snippets.release_uuid" -}}
+{{- $envAll := index . 0 -}}
+"openstackhelm.openstack.org/release_uuid": {{ $envAll.Values.release_uuid | default "" | quote }}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
new file mode 100644
index 0000000..a3169ce
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_admin_env_vars" }}
+{{- $s3AdminSecret := .s3AdminSecret }}
+- name: S3_ADMIN_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_USERNAME
+- name: S3_ADMIN_ACCESS_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_ACCESS_KEY
+- name: S3_ADMIN_SECRET_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_SECRET_KEY
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
new file mode 100644
index 0000000..a611a5e
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_secret_creds" }}
+{{- range $client, $config := .Values.storage.s3.clients -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+type: Opaque
+data:
+{{- range $key, $value := $config.auth }}
+  {{ $key | upper }}: {{ $value | toString | b64enc}}
+{{- end }}
+
+{{ end }}
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
new file mode 100644
index 0000000..a3dd431
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_user_env_vars" }}
+{{- range $client, $user := .Values.storage.s3.clients }}
+{{- $s3secret := printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+- name: {{ printf "%s_S3_USERNAME" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: USERNAME
+- name: {{ printf "%s_S3_ACCESS_KEY" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: ACCESS_KEY
+- name: {{ printf "%s_S3_SECRET_KEY" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: SECRET_KEY
+{{- end }}
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_tls_volume.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
new file mode 100644
index 0000000..41fe3d9
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+  Renders a secret volume for tls.
+
+  Dictionary Parameters:
+    enabled: boolean check if you want to conditional disable this snippet (optional)
+    name: name of the volume (required)
+    secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional)
+
+values: |
+  manifests:
+    certificates: true
+
+usage: |
+  {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume" -}}
+
+return: |
+  - name: glance-tls-api
+    secret:
+      secretName: glance-tls-api
+      defaultMode: 292
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $secretName := index . "secretName" | default $name -}}
+{{- if and $enabled (ne $name "") }}
+- name: {{ $name }}
+  secret:
+    secretName: {{ $secretName }}
+    defaultMode: 292
+{{- end }}
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
new file mode 100644
index 0000000..9cfa819
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
@@ -0,0 +1,82 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+  Renders a volume mount for TLS key, cert and CA.
+
+  Dictionary Parameters:
+    enabled: boolean check if you want to conditional disable this snippet (optional)
+    name: name that of the volume and should match the volume name (required)
+    path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required)
+    certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}.
+          the default is the full set. (optional)
+
+values: |
+  manifests:
+    certificates: true
+
+usage: |
+  {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/tls.crt
+    subPath: tls.crt
+    readOnly: true
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/tls.key
+    subPath: tls.key
+    readOnly: true
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/ca.crt
+    subPath: ca.crt
+    readOnly: true
+
+abstract: |
+  This mounts a specific issuing CA only for service validation
+
+usage: |
+  {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+  - name: glance-tls-api
+    mountPath: /etc/ssl/certs/openstack-helm.crt
+    subPath: ca.crt
+    readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume_mount" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $path := index . "path" | default "" -}}
+{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }}
+{{- if $enabled }}
+{{- if and (eq $path "") (ne $name "") }}
+- name: {{ $name }}
+  mountPath: "/etc/ssl/certs/openstack-helm.crt"
+  subPath: ca.crt
+  readOnly: true
+{{- else }}
+{{- if ne $name "" }}
+{{- range $key, $value := $certs }}
+- name: {{ $name }}
+  mountPath: {{ printf "%s/%s" $path $value }}
+  subPath: {{ $value }}
+  readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
new file mode 100644
index 0000000..6e9d5a1
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
@@ -0,0 +1,87 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders out configuration sections into a format suitable for incorporation
+  into a config-map. Allowing various forms of input to be rendered out as
+  appropriate.
+values: |
+  conf:
+    inputs:
+      - foo
+      - bar
+    some:
+      config_to_render: |
+        #We can use all of gotpl here: eg macros, ranges etc.
+        {{ include "helm-toolkit.utils.joinListWithComma" .Values.conf.inputs }}
+      config_to_complete:
+        #here we can fill out params, but things need to be valid yaml as input
+        '{{ .Release.Name }}': '{{ printf "%s-%s" .Release.Namespace "namespace" }}'
+      static_config:
+        #this is just passed though as yaml to the configmap
+        foo: bar
+usage: |
+  {{- $envAll := . }}
+  ---
+  apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: application-etc
+  data:
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_render "key" "config_to_render.conf") | indent 2 }}
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_complete "key" "config_to_complete.yaml") | indent 2 }}
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.static_config "key" "static_config.yaml") | indent 2 }}
+return: |
+  ---
+  apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: application-etc
+  data:
+    config_to_render.conf: |
+      #We can use all of gotpl here: eg macros, ranges etc.
+      foo,bar
+
+    config_to_complete.yaml: |
+      'RELEASE-NAME': 'default-namespace'
+
+    static_config.yaml: |
+      foo: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.values_template_renderer" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $template := index . "template" -}}
+{{- $key := index . "key" -}}
+{{- $format := index . "format" | default "configMap" -}}
+{{- with $envAll -}}
+{{- $templateRendered := tpl ( $template | toYaml ) . }}
+{{- if eq $format "Secret" }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: {{ regexReplaceAllLiteral "\n  " ( $templateRendered | trimPrefix "|\n" | trimPrefix "  " ) "\n" | b64enc }}
+{{- else }}
+{{ $key }}: {{ $templateRendered | b64enc }}
+{{- end -}}
+{{- else }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: |
+{{ regexReplaceAllLiteral "\n  " ( $templateRendered | trimPrefix "|\n" | trimPrefix "  " ) "\n" | indent 2 }}
+{{- else }}
+{{ $key }}: |
+{{ $templateRendered | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl b/charts/horizon/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
new file mode 100644
index 0000000..6d617a1
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
@@ -0,0 +1,94 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Produces a certificate from a certificate authority. If the "encode" parameter
+  is true, base64 encode the values for inclusion in a Kubernetes secret.
+values: |
+  test:
+    hosts:
+      names:
+        - barbican.openstackhelm.example
+        - barbican.openstack.svc.cluster.local
+      ips:
+        - 127.0.0.1
+        - 192.168.0.1
+    life: 3
+    # Use ca.crt and ca.key to build a customized ca, if they are provided.
+    # Use hosts.names[0] and life to auto-generate a ca, if ca is not provided.
+    ca:
+      crt: |
+        <CA CRT>
+      key: |
+        <CA PRIVATE KEY>
+usage: |
+  {{ include "helm-toolkit.utils.tls_generate_certs" (dict "params" .Values.test) }}
+return: |
+  ca: |
+    <CA CRT>
+  crt: |
+    <CRT>
+  exp: 2018-09-01T10:56:07.895392915-00:00
+  key: |
+    <CRT PRIVATE KEY>
+*/}}
+
+{{- define "helm-toolkit.utils.tls_generate_certs" -}}
+{{- $params := index . "params" -}}
+{{- $encode := index . "encode" | default false -}}
+{{- $local := dict -}}
+
+{{- $_hosts := $params.hosts.names | default list }}
+{{- if kindIs "string" $params.hosts.names }}
+{{- $_ := set $local "certHosts" (list $params.hosts.names) }}
+{{- else }}
+{{- $_ := set $local "certHosts" $_hosts }}
+{{- end }}
+
+{{- $_ips := $params.hosts.ips | default list }}
+{{- if kindIs "string" $params.hosts.ips }}
+{{- $_ := set $local "certIps" (list $params.hosts.ips) }}
+{{- else }}
+{{- $_ := set $local "certIps" $_ips }}
+{{- end }}
+
+{{- if hasKey $params "ca" }}
+{{- if and (hasKey $params.ca "crt") (hasKey $params.ca "key") }}
+{{- $ca := buildCustomCert ($params.ca.crt | b64enc ) ($params.ca.key | b64enc ) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+{{- else }}
+{{- $ca := genCA (first $local.certHosts) (int $params.life) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+
+{{- $expDate := date_in_zone "2006-01-02T15:04:05Z07:00" ( date_modify (printf "+%sh" (mul $params.life 24 |toString)) now ) "UTC" }}
+{{- $rawCert := genSignedCert (first $local.certHosts) ($local.certIps) ($local.certHosts) (int $params.life) $local.ca }}
+{{- $certificate := dict -}}
+{{- if $encode -}}
+{{- $_ := b64enc $rawCert.Cert | set $certificate "crt" -}}
+{{- $_ := b64enc $rawCert.Key | set $certificate "key" -}}
+{{- $_ := b64enc $local.ca.Cert | set $certificate "ca" -}}
+{{- $_ := b64enc $local.ca.Key | set $certificate "caKey" -}}
+{{- $_ := b64enc $expDate | set $certificate "exp" -}}
+{{- else -}}
+{{- $_ := set $certificate "crt" $rawCert.Cert -}}
+{{- $_ := set $certificate "key" $rawCert.Key -}}
+{{- $_ := set $certificate "ca" $local.ca.Cert -}}
+{{- $_ := set $certificate "caKey" $local.ca.Key -}}
+{{- $_ := set $certificate "exp" $expDate -}}
+{{- end -}}
+{{- $certificate | toYaml }}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl b/charts/horizon/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
new file mode 100644
index 0000000..e26501f
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a comma separated list of namespace:service pairs.
+values: |
+  dependencies:
+    static:
+      api:
+        services:
+          - endpoint: internal
+            service: oslo_cache
+          - endpoint: internal
+            service: oslo_db
+  endpoints:
+    oslo_db:
+      namespace: foo
+      hosts:
+        default: mariadb
+    oslo_cache:
+      namespace: bar
+      hosts:
+        default: memcache
+usage: |
+  {{ tuple .Values.dependencies.static.api.services . | include "helm-toolkit.utils.comma_joined_service_list" }}
+return: |
+  bar:memcache,foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.utils.comma_joined_service_list" -}}
+{{- $deps := index . 0 -}}
+{{- $envAll := index . 1 -}}
+{{- range $k, $v := $deps -}}{{- if $k -}},{{- end -}}{{ tuple $v.service $v.endpoint $envAll | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}{{- end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/utils/_configmap_templater.tpl b/charts/horizon/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
new file mode 100644
index 0000000..7095c19
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
@@ -0,0 +1,30 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.configmap_templater" }}
+{{- $keyRoot := index . 0 -}}
+{{- $configTemplate := index . 1 -}}
+{{- $context := index . 2 -}}
+{{ if $keyRoot.override -}}
+{{ $keyRoot.override | indent 4 }}
+{{- else -}}
+{{- if $keyRoot.prefix -}}
+{{ $keyRoot.prefix | indent 4 }}
+{{- end }}
+{{ tuple $configTemplate $context | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if $keyRoot.append -}}
+{{ $keyRoot.append | indent 4 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl b/charts/horizon/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
new file mode 100644
index 0000000..40359f0
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
@@ -0,0 +1,269 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.daemonset_overrides" }}
+  {{- $daemonset := index . 0 }}
+  {{- $daemonset_yaml := index . 1 }}
+  {{- $configmap_include := index . 2 }}
+  {{- $configmap_name := index . 3 }}
+  {{- $context := index . 4 }}
+  {{- $_ := unset $context ".Files" }}
+  {{- $daemonset_root_name := printf (print $context.Chart.Name "_" $daemonset) }}
+  {{- $_ := set $context.Values "__daemonset_list" list }}
+  {{- $_ := set $context.Values "__default" dict }}
+  {{- if hasKey $context.Values.conf "overrides" }}
+    {{- range $key, $val := $context.Values.conf.overrides }}
+
+      {{- if eq $key $daemonset_root_name }}
+        {{- range $type, $type_data := . }}
+
+          {{- if eq $type "hosts" }}
+            {{- range $host_data := . }}
+              {{/* dictionary that will contain all info needed to generate this
+              iteration of the daemonset */}}
+              {{- $current_dict := dict }}
+
+              {{/* set daemonset name */}}
+              {{/* Note: long hostnames can cause the 63 char name limit to be
+              exceeded. Truncate the hostname if hostname > 20 char */}}
+              {{- if gt (len $host_data.name) 20 }}
+                {{- $_ := set $current_dict "name" (substr 0 20 $host_data.name) }}
+              {{- else }}
+                {{- $_ := set $current_dict "name" $host_data.name }}
+              {{- end }}
+
+              {{/* apply overrides */}}
+              {{- $override_conf_copy := $host_data.conf }}
+              {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+              {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+              {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+              {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+              {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+              {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+              {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+              {{- $_ := set $current_dict "nodeData" $root_conf_copy4 }}
+
+              {{/* Schedule to this host explicitly. */}}
+              {{- $nodeSelector_dict := dict }}
+
+              {{- $_ := set $nodeSelector_dict "key" "kubernetes.io/hostname" }}
+              {{- $_ := set $nodeSelector_dict "operator" "In" }}
+
+              {{- $values_list := list $host_data.name }}
+              {{- $_ := set $nodeSelector_dict "values" $values_list }}
+
+              {{- $list_aggregate := list $nodeSelector_dict }}
+              {{- $_ := set $current_dict "matchExpressions" $list_aggregate }}
+
+              {{/* store completed daemonset entry/info into global list */}}
+              {{- $list_aggregate := append $context.Values.__daemonset_list $current_dict }}
+              {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+            {{- end }}
+          {{- end }}
+
+          {{- if eq $type "labels" }}
+            {{- $_ := set $context.Values "__label_list" . }}
+            {{- range $label_data := . }}
+              {{/* dictionary that will contain all info needed to generate this
+              iteration of the daemonset. */}}
+              {{- $_ := set $context.Values "__current_label" dict }}
+
+              {{/* set daemonset name */}}
+              {{- $_ := set $context.Values.__current_label "name" $label_data.label.key }}
+
+              {{/* apply overrides */}}
+              {{- $override_conf_copy := $label_data.conf }}
+              {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+              {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+              {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+              {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+              {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+              {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+              {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+              {{- $_ := set $context.Values.__current_label "nodeData" $root_conf_copy4 }}
+
+              {{/* Schedule to the provided label value(s) */}}
+              {{- $label_dict := omit $label_data.label "NULL" }}
+              {{- $_ := set $label_dict "operator" "In" }}
+              {{- $list_aggregate := list $label_dict }}
+              {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+
+              {{/* Do not schedule to other specified labels, with higher
+              precedence as the list position increases. Last defined label
+              is highest priority. */}}
+              {{- $other_labels := without $context.Values.__label_list $label_data }}
+              {{- range $label_data2 := $other_labels }}
+                {{- $label_dict := omit $label_data2.label "NULL" }}
+
+                {{- $_ := set $label_dict "operator" "NotIn" }}
+
+                {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+                {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+              {{- end }}
+              {{- $_ := set $context.Values "__label_list" $other_labels }}
+
+              {{/* Do not schedule to any other specified hosts */}}
+              {{- range $type, $type_data := $val }}
+                {{- if eq $type "hosts" }}
+                  {{- range $host_data := . }}
+                    {{- $label_dict := dict }}
+
+                    {{- $_ := set $label_dict "key" "kubernetes.io/hostname" }}
+                    {{- $_ := set $label_dict "operator" "NotIn" }}
+
+                    {{- $values_list := list $host_data.name }}
+                    {{- $_ := set $label_dict "values" $values_list }}
+
+                    {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+                    {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+                  {{- end }}
+                {{- end }}
+              {{- end }}
+
+              {{/* store completed daemonset entry/info into global list */}}
+              {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__current_label }}
+              {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+              {{- $_ := unset $context.Values "__current_label" }}
+
+            {{- end }}
+          {{- end }}
+        {{- end }}
+
+        {{/* scheduler exceptions for the default daemonset */}}
+        {{- $_ := set $context.Values.__default "matchExpressions" list }}
+
+        {{- range $type, $type_data := . }}
+          {{/* Do not schedule to other specified labels */}}
+          {{- if eq $type "labels" }}
+            {{- range $label_data := . }}
+              {{- $default_dict := omit $label_data.label "NULL" }}
+
+              {{- $_ := set $default_dict "operator" "NotIn" }}
+
+              {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+              {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+            {{- end }}
+          {{- end }}
+          {{/* Do not schedule to other specified hosts */}}
+          {{- if eq $type "hosts" }}
+            {{- range $host_data := . }}
+              {{- $default_dict := dict }}
+
+              {{- $_ := set $default_dict "key" "kubernetes.io/hostname" }}
+              {{- $_ := set $default_dict "operator" "NotIn" }}
+
+              {{- $values_list := list $host_data.name }}
+              {{- $_ := set $default_dict "values" $values_list }}
+
+              {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+              {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+            {{- end }}
+          {{- end }}
+        {{- end }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+
+  {{/* generate the default daemonset */}}
+
+  {{/* set name */}}
+  {{- $_ := set $context.Values.__default "name" "default" }}
+
+  {{/* no overrides apply, so copy as-is */}}
+  {{- $root_conf_copy1 := omit $context.Values.conf "overrides" }}
+  {{- $root_conf_copy2 := dict "conf" $root_conf_copy1 }}
+  {{- $context_values := omit $context.Values "conf" }}
+  {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+  {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+  {{- $_ := set $context.Values.__default "nodeData" $root_conf_copy4 }}
+
+  {{/* add to global list */}}
+  {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__default }}
+  {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+  {{- range $current_dict := $context.Values.__daemonset_list }}
+
+    {{- $context_novalues := omit $context "Values" }}
+    {{- $merged_dict := mergeOverwrite $context_novalues $current_dict.nodeData }}
+    {{- $_ := set $current_dict "nodeData" $merged_dict }}
+    {{/* Deep copy original daemonset_yaml */}}
+    {{- $_ := set $context.Values "__daemonset_yaml" ($daemonset_yaml | toYaml | fromYaml) }}
+
+    {{/* name needs to be a DNS-1123 compliant name. Ensure lower case */}}
+    {{- $name_format1 := printf (print $daemonset_root_name "-" $current_dict.name) | lower }}
+    {{/* labels may contain underscores which would be invalid here, so we replace them with dashes
+    there may be other valid label names which would make for an invalid DNS-1123 name
+    but these will be easier to handle in future with sprig regex* functions
+    (not availabile in helm 2.5.1) */}}
+    {{- $name_format2 := $name_format1 | replace "_" "-" }}
+    {{/* To account for the case where the same label is defined multiple times in overrides
+    (but with different label values), we add a sha of the scheduling data to ensure
+    name uniqueness */}}
+    {{- $_ := set $current_dict "dns_1123_name" dict }}
+    {{- if hasKey $current_dict "matchExpressions" }}
+      {{- $_ := set $current_dict "dns_1123_name" (printf (print $name_format2 "-" ($current_dict.matchExpressions | quote | sha256sum | trunc 8))) }}
+    {{- else }}
+      {{- $_ := set $current_dict "dns_1123_name" $name_format2 }}
+    {{- end }}
+
+    {{/* set daemonset metadata name */}}
+    {{- if not $context.Values.__daemonset_yaml.metadata }}{{- $_ := set $context.Values.__daemonset_yaml "metadata" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }}
+    {{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }}
+
+    {{/* cross-reference configmap name to container volume definitions */}}
+    {{- $_ := set $context.Values "__volume_list" list }}
+    {{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }}
+      {{- $_ := set $context.Values "__volume" $current_volume }}
+      {{- if hasKey $context.Values.__volume "secret" }}
+        {{- if eq $context.Values.__volume.secret.secretName $configmap_name }}
+          {{- $_ := set $context.Values.__volume.secret "secretName" $current_dict.dns_1123_name }}
+        {{- end }}
+      {{- end }}
+      {{- $updated_list := append $context.Values.__volume_list $context.Values.__volume }}
+      {{- $_ := set $context.Values "__volume_list" $updated_list }}
+    {{- end }}
+    {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "volumes" $context.Values.__volume_list }}
+
+
+    {{/* populate scheduling restrictions */}}
+    {{- if hasKey $current_dict "matchExpressions" }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "spec" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "affinity" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity "nodeAffinity" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity "requiredDuringSchedulingIgnoredDuringExecution" dict }}{{- end }}
+      {{- $match_exprs := dict }}
+      {{- $_ := set $match_exprs "matchExpressions" $current_dict.matchExpressions }}
+      {{- $appended_match_expr := list $match_exprs }}
+      {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution "nodeSelectorTerms" $appended_match_expr }}
+    {{- end }}
+
+    {{/* input value hash for current set of values overrides */}}
+    {{- if not $context.Values.__daemonset_yaml.spec }}{{- $_ := set $context.Values.__daemonset_yaml "spec" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template }}{{- $_ := set $context.Values.__daemonset_yaml.spec "template" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template.metadata }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "metadata" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template.metadata.annotations }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata "annotations" dict }}{{- end }}
+    {{- $cmap := list $current_dict.dns_1123_name $current_dict.nodeData | include $configmap_include }}
+    {{- $values_hash := $cmap | quote | sha256sum }}
+    {{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata.annotations "configmap-etc-hash" $values_hash }}
+
+    {{/* generate configmap */}}
+---
+{{ $cmap }}
+    {{/* generate daemonset yaml */}}
+---
+{{ $context.Values.__daemonset_yaml | toYaml }}
+  {{- end }}
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl b/charts/horizon/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
new file mode 100644
index 0000000..b99c00d
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.dependency_resolver" }}
+{{- $envAll := index . "envAll" -}}
+{{- $dependencyMixinParam := index . "dependencyMixinParam" -}}
+{{- $dependencyKey := index . "dependencyKey" -}}
+{{- if $dependencyMixinParam -}}
+{{- $_ := set $envAll.Values "pod_dependency" dict -}}
+{{- if kindIs "string" $dependencyMixinParam }}
+{{- if ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam ) }}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency ( index $envAll.Values.dependencies.static $dependencyKey ) ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam $dependencyKey ) ) -}}
+{{- else }}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- end }}
+{{- else if kindIs "slice" $dependencyMixinParam }}
+{{- $_ := set $envAll.Values "__deps" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- range $k, $v := $dependencyMixinParam -}}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency $envAll.Values.__deps ( index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey ) ) -}}
+{{- $_ := set $envAll.Values "__deps" $envAll.Values.pod_dependency -}}
+{{- end }}
+{{- end }}
+{{- else -}}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) -}}
+{{- end -}}
+{{ $envAll.Values.pod_dependency | toYaml }}
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/utils/_hash.tpl b/charts/horizon/charts/helm-toolkit/templates/utils/_hash.tpl
new file mode 100644
index 0000000..d871b62
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/utils/_hash.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.hash" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{- include $wtf $context | sha256sum | quote -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/utils/_host_list.tpl b/charts/horizon/charts/helm-toolkit/templates/utils/_host_list.tpl
new file mode 100644
index 0000000..0c32136
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/utils/_host_list.tpl
@@ -0,0 +1,44 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a list of unique hosts for an endpoint, in yaml.
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: mariadb
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.utils.host_list" }}
+return: |
+  hosts:
+  - mariadb
+  - mariadb.default
+*/}}
+
+{{- define "helm-toolkit.utils.host_list" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $host_fqdn := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $host_namespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $host_short := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{/* It is important that the FQDN host is 1st in this list, to ensure other function can use the 1st element for cert gen CN etc */}}
+{{- $host_list := list $host_fqdn $host_namespaced $host_short | uniq }}
+{{- dict "hosts" $host_list | toYaml }}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/utils/_image_sync_list.tpl b/charts/horizon/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
new file mode 100644
index 0000000..51923b6
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.image_sync_list" -}}
+{{- $imageExcludeList := .Values.images.local_registry.exclude -}}
+{{- $imageDict := .Values.images.tags -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := $imageDict -}}
+{{- if not $local.first -}},{{- end -}}
+{{- if (not (has $k $imageExcludeList )) -}}
+{{- index $imageDict $k -}}
+{{- $_ := set $local "first" false -}}
+{{- end -}}{{- end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl b/charts/horizon/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
new file mode 100644
index 0000000..5eb5785
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a comma separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithComma" .Values.test }}
+return: |
+  foo,bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithComma" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl b/charts/horizon/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
new file mode 100644
index 0000000..3bc6819
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a comma seperated string with single quotes
+  around each value.
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.test }}
+return: |
+  'foo','bar'
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}'{{- $v -}}'{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl b/charts/horizon/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
new file mode 100644
index 0000000..40ebb15
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
@@ -0,0 +1,32 @@
+{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of prefixed values into a space separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ tuple "prefix" .Values.test | include "helm-toolkit.utils.joinListWithPrefix" }}
+return: |
+  prefixfoo prefixbar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithPrefix" -}}
+{{- $prefix := index . 0 -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := index . 1 -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $prefix -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl b/charts/horizon/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
new file mode 100644
index 0000000..5912280
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a space separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithSpace" .Values.test }}
+return: |
+  foo bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithSpace" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/utils/_merge.tpl b/charts/horizon/charts/helm-toolkit/templates/utils/_merge.tpl
new file mode 100644
index 0000000..ea80546
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/utils/_merge.tpl
@@ -0,0 +1,135 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Takes a tuple of values and merges into the first (target) one each subsequent
+(source) one in order. If all values to merge are maps, then the tuple can be
+passed as is and the target will be the result, otherwise pass a map with a
+"values" key containing the tuple of values to merge, and the merge result will
+be assigned to the "result" key of the passed map.
+
+When merging maps, for each key in the source, if the target does not define
+that key, the source value is assigned. If both define the key, then the key
+values are merged using this algorithm (recursively) and the result is assigned
+to the target key. Slices are merged by appending them and removing any
+duplicates, and when passing a map to this function and including a
+"merge_same_named" key set to true, then map items from the slices with the same
+value for the "name" key will be merged with each other. Any other values are
+merged by simply keeping the source, and throwing away the target.
+*/}}
+
+{{- define "helm-toolkit.utils.merge" -}}
+  {{- $local := dict -}}
+  {{- $_ := set $local "merge_same_named" false -}}
+  {{- if kindIs "map" $ -}}
+    {{- $_ := set $local "values" $.values -}}
+    {{- if hasKey $ "merge_same_named" -}}
+      {{- $_ := set $local "merge_same_named" $.merge_same_named -}}
+    {{- end -}}
+  {{- else -}}
+    {{- $_ := set $local "values" $ -}}
+  {{- end -}}
+
+  {{- $target := first $local.values -}}
+  {{- range $item := rest $local.values -}}
+    {{- $call := dict "target" $target "source" . "merge_same_named" $local.merge_same_named -}}
+    {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+    {{- $_ := set $local "result" $call.result -}}
+  {{- end -}}
+
+  {{- if kindIs "map" $ -}}
+    {{- $_ := set $ "result" $local.result -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge" -}}
+  {{- $local := dict -}}
+
+  {{- $_ := set $ "result" $.source -}}
+
+  {{/*
+  TODO: Should we `fail` when trying to merge a collection (map or slice) with
+  either a different kind of collection or a scalar?
+  */}}
+
+  {{- if and (kindIs "map" $.target) (kindIs "map" $.source) -}}
+    {{- range $key, $sourceValue := $.source -}}
+      {{- if not (hasKey $.target $key) -}}
+        {{- $_ := set $local "newTargetValue" $sourceValue -}}
+        {{- if kindIs "map" $sourceValue -}}
+          {{- $copy := dict -}}
+          {{- $call := dict "target" $copy "source" $sourceValue -}}
+          {{- $_ := include "helm-toolkit.utils._merge.shallow" $call -}}
+          {{- $_ := set $local "newTargetValue" $copy -}}
+        {{- end -}}
+      {{- else -}}
+        {{- $targetValue := index $.target $key -}}
+        {{- $call := dict "target" $targetValue "source" $sourceValue "merge_same_named" $.merge_same_named -}}
+        {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+        {{- $_ := set $local "newTargetValue" $call.result -}}
+      {{- end -}}
+      {{- $_ := set $.target $key $local.newTargetValue -}}
+    {{- end -}}
+    {{- $_ := set $ "result" $.target -}}
+  {{- else if and (kindIs "slice" $.target) (kindIs "slice" $.source) -}}
+    {{- $call := dict "target" $.target "source" $.source -}}
+    {{- $_ := include "helm-toolkit.utils._merge.append_slice" $call -}}
+    {{- if $.merge_same_named -}}
+      {{- $_ := set $local "result" list -}}
+      {{- $_ := set $local "named_items" dict -}}
+      {{- range $item := $call.result -}}
+      {{- $_ := set $local "has_name_key" false -}}
+        {{- if kindIs "map" $item -}}
+          {{- if hasKey $item "name" -}}
+            {{- $_ := set $local "has_name_key" true -}}
+          {{- end -}}
+        {{- end -}}
+
+        {{- if $local.has_name_key -}}
+          {{- if hasKey $local.named_items $item.name -}}
+            {{- $named_item := index $local.named_items $item.name -}}
+            {{- $call := dict "target" $named_item "source" $item "merge_same_named" $.merge_same_named -}}
+            {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+          {{- else -}}
+            {{- $copy := dict -}}
+            {{- $copy_call := dict "target" $copy "source" $item -}}
+            {{- $_ := include "helm-toolkit.utils._merge.shallow" $copy_call -}}
+            {{- $_ := set $local.named_items $item.name $copy -}}
+            {{- $_ := set $local "result" (append $local.result $copy) -}}
+          {{- end -}}
+        {{- else -}}
+          {{- $_ := set $local "result" (append $local.result $item) -}}
+        {{- end -}}
+      {{- end -}}
+    {{- else -}}
+      {{- $_ := set $local "result" $call.result -}}
+    {{- end -}}
+    {{- $_ := set $ "result" (uniq $local.result) -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.shallow" -}}
+  {{- range $key, $value := $.source -}}
+    {{- $_ := set $.target $key $value -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.append_slice" -}}
+  {{- $local := dict -}}
+  {{- $_ := set $local "result" $.target -}}
+  {{- range $value := $.source -}}
+    {{- $_ := set $local "result" (append $local.result $value) -}}
+  {{- end -}}
+  {{- $_ := set $ "result" $local.result -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/utils/_template.tpl b/charts/horizon/charts/helm-toolkit/templates/utils/_template.tpl
new file mode 100644
index 0000000..da56aa0
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/utils/_template.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.template" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{ include $wtf $context }}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/utils/_to_ini.tpl b/charts/horizon/charts/helm-toolkit/templates/utils/_to_ini.tpl
new file mode 100644
index 0000000..a159364
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/utils/_to_ini.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns INI formatted output from yaml input
+values: |
+  conf:
+    paste:
+      filter:debug:
+        use: egg:oslo.middleware#debug
+      filter:request_id:
+        use: egg:oslo.middleware#request_id
+      filter:build_auth_context:
+        use: egg:keystone#build_auth_context
+usage: |
+  {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste }}
+return: |
+  [filter:build_auth_context]
+  use = egg:keystone#build_auth_context
+  [filter:debug]
+  use = egg:oslo.middleware#debug
+  [filter:request_id]
+  use = egg:oslo.middleware#request_id
+*/}}
+
+{{- define "helm-toolkit.utils.to_ini" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{else -}}
+{{ $key }} = {{ $value }}
+{{end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl b/charts/horizon/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
new file mode 100644
index 0000000..885a86c
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns yaml formatted to be used in k8s templates as container
+  env vars injected via secrets. This requires a secret-<chartname> template to
+  be defined in the chart that can be used to house the desired secret
+  variables. For reference, see the fluentd chart.
+values: |
+  test:
+    secrets:
+      foo: bar
+
+usage: |
+  {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+  - name: foo
+    valueFrom:
+      secretKeyRef:
+        name: "my-release-name-env-secret"
+        key: foo
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_secret_vars" -}}
+{{- $context := index . 0 -}}
+{{- $secrets := index . 1 -}}
+{{ range $key, $config := $secrets -}}
+- name: {{ $key }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ printf "%s-%s" $context.Release.Name "env-secret" | quote }}
+      key: {{ $key }}
+{{ end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl b/charts/horizon/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
new file mode 100644
index 0000000..829dca6
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
@@ -0,0 +1,39 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns key value pair formatted to be used in k8s templates as container
+  env vars.
+values: |
+  test:
+    foo: bar
+usage: |
+  {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+  - name: foo
+    value: "bar"
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_vars" -}}
+{{range $key, $value := . -}}
+{{- if kindIs "slice" $value -}}
+- name: {{ $key }}
+  value: {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{else -}}
+- name: {{ $key }}
+  value: {{ $value | quote }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/utils/_to_kv_list.tpl b/charts/horizon/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
new file mode 100644
index 0000000..91bdeb6
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
@@ -0,0 +1,42 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns key value pair in INI format (key = value)
+values: |
+  conf:
+    libvirt:
+      log_level: 3
+usage: |
+  {{ include "helm-toolkit.utils.to_kv_list" .Values.conf.libvirt }}
+return: |
+  log_level = 3
+*/}}
+
+{{- define "helm-toolkit.utils.to_kv_list" -}}
+{{- range $key, $value :=  . -}}
+{{- if kindIs "slice" $value }}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{- else if kindIs "string" $value }}
+{{- if regexMatch "^[0-9]+$" $value }}
+{{ $key }} = {{ $value }}
+{{- else }}
+{{ $key }} = {{ $value | quote }}
+{{- end }}
+{{- else }}
+{{ $key }} = {{ $value }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl b/charts/horizon/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
new file mode 100644
index 0000000..622a862
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns OSLO.conf formatted output from yaml input
+values: |
+  conf:
+    keystone:
+      DEFAULT: # Keys at this level are used for section headings
+        max_token_size: 255
+      oslo_messaging_notifications:
+        driver: # An example of a multistring option's syntax
+          type: multistring
+          values:
+            - messagingv2
+            - log
+      oslo_messaging_notifications_stein:
+        driver: # An example of a csv option's syntax
+          type: csv
+          values:
+            - messagingv2
+            - log
+      security_compliance:
+        password_expires_ignore_user_ids:
+        # Values in a list will be converted to a comma separated key
+          - "123"
+          - "456"
+usage: |
+  {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.keystone }}
+return: |
+  [DEFAULT]
+  max_token_size = 255
+  [oslo_messaging_notifications]
+  driver = messagingv2
+  driver = log
+  [oslo_messaging_notifications_stein]
+  driver = messagingv2,log
+  [security_compliance]
+  password_expires_ignore_user_ids = 123,456
+*/}}
+
+{{- define "helm-toolkit.utils.to_oslo_conf" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{ range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{ else if kindIs "map" $value -}}
+{{- if eq $value.type "multistring" }}
+{{- range $k, $multistringValue := $value.values -}}
+{{ $key }} = {{ $multistringValue }}
+{{ end -}}
+{{ else if eq $value.type "csv" -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value.values }}
+{{ end -}}
+{{- else -}}
+{{ $key }} = {{ $value }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/values.yaml b/charts/horizon/charts/helm-toolkit/values.yaml
new file mode 100644
index 0000000..681a92b
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/values.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for utils.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
diff --git a/charts/horizon/requirements.lock b/charts/horizon/requirements.lock
new file mode 100644
index 0000000..7dabb14
--- /dev/null
+++ b/charts/horizon/requirements.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: helm-toolkit
+  repository: file://../../openstack-helm-infra/helm-toolkit
+  version: 0.2.44
+digest: sha256:d3a834e34152bf30319ac30e116adc128b474ca63bbbe0fb323a7a2365a56455
+generated: "2022-08-10T23:42:39.798166264Z"
diff --git a/charts/horizon/requirements.yaml b/charts/horizon/requirements.yaml
new file mode 100644
index 0000000..4124d01
--- /dev/null
+++ b/charts/horizon/requirements.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+  - name: helm-toolkit
+    repository: file://../../openstack-helm-infra/helm-toolkit
+    version: ">= 0.1.0"
diff --git a/charts/horizon/templates/bin/_db-sync.sh.tpl b/charts/horizon/templates/bin/_db-sync.sh.tpl
new file mode 100644
index 0000000..7ef6a84
--- /dev/null
+++ b/charts/horizon/templates/bin/_db-sync.sh.tpl
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+SITE_PACKAGES_ROOT=$(python -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")
+rm -f ${SITE_PACKAGES_ROOT}/openstack_dashboard/local/local_settings.py
+ln -s /etc/openstack-dashboard/local_settings ${SITE_PACKAGES_ROOT}/openstack_dashboard/local/local_settings.py
+
+exec /tmp/manage.py migrate --noinput
diff --git a/charts/horizon/templates/bin/_django.wsgi.tpl b/charts/horizon/templates/bin/_django.wsgi.tpl
new file mode 100644
index 0000000..578ab50
--- /dev/null
+++ b/charts/horizon/templates/bin/_django.wsgi.tpl
@@ -0,0 +1,39 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+NOTE (Portdirect): This file is required to support Horizon regardless of the
+image used, and to provide PyMySQL support.
+*/}}
+
+import logging
+import os
+import sys
+
+import pymysql
+
+pymysql.version_info = (1, 3, 13, "final", 0)
+pymysql.install_as_MySQLdb()
+
+from django.core.wsgi import get_wsgi_application
+from django.conf import settings
+
+# Add this file path to sys.path in order to import settings
+sys.path.insert(0, os.path.join(os.path.dirname(os.path.realpath(__file__)), '../..'))
+os.environ['DJANGO_SETTINGS_MODULE'] = 'openstack_dashboard.settings'
+sys.stdout = sys.stderr
+
+DEBUG = False
+
+application = get_wsgi_application()
diff --git a/charts/horizon/templates/bin/_horizon.sh.tpl b/charts/horizon/templates/bin/_horizon.sh.tpl
new file mode 100644
index 0000000..1fedecd
--- /dev/null
+++ b/charts/horizon/templates/bin/_horizon.sh.tpl
@@ -0,0 +1,99 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+  SITE_PACKAGES_ROOT=$(python -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")
+  rm -f ${SITE_PACKAGES_ROOT}/openstack_dashboard/local/local_settings.py
+  ln -s /etc/openstack-dashboard/local_settings ${SITE_PACKAGES_ROOT}/openstack_dashboard/local/local_settings.py
+  ln -s  ${SITE_PACKAGES_ROOT}/openstack_dashboard/conf/default_policies  /etc/openstack-dashboard/default_policies
+  {{- range $key, $value := .Values.conf.horizon.local_settings_d }}
+  ln -s /etc/openstack-dashboard/local_settings.d/{{ $key }}.py ${SITE_PACKAGES_ROOT}/openstack_dashboard/local/local_settings.d/{{ $key }}.py
+  {{- end }}
+  # wsgi/horizon-http needs open files here, including secret_key_store
+  chown -R horizon ${SITE_PACKAGES_ROOT}/openstack_dashboard/local/
+
+  {{- if .Values.conf.software.apache2.a2enmod }}
+    {{- range .Values.conf.software.apache2.a2enmod }}
+  a2enmod {{ . }}
+    {{- end }}
+  {{- end }}
+
+  {{- if .Values.conf.software.apache2.a2dismod }}
+    {{- range .Values.conf.software.apache2.a2dismod }}
+  a2dismod {{ . }}
+    {{- end }}
+  {{- end }}
+
+  if [ -f /etc/apache2/envvars ]; then
+     # Loading Apache2 ENV variables
+     source /etc/apache2/envvars
+     # The directory below has to be created due to the fact that
+     # libapache2-mod-wsgi-py3 doesn't create it in contrary by libapache2-mod-wsgi
+     if [ ! -d ${APACHE_RUN_DIR} ]; then
+        mkdir -p ${APACHE_RUN_DIR}
+     fi
+  fi
+  rm -rf /var/run/apache2/*
+  APACHE_DIR="apache2"
+
+  # Add extra panels if available
+  {{- range .Values.conf.horizon.extra_panels }}
+  PANEL_DIR="${SITE_PACKAGES_ROOT}/{{ . }}/enabled"
+  if [ -d ${PANEL_DIR} ];then
+    for panel in `ls -1 ${PANEL_DIR}/_[1-9]*.py`
+    do
+      ln -s ${panel} ${SITE_PACKAGES_ROOT}/openstack_dashboard/local/enabled/$(basename ${panel})
+    done
+  fi
+  unset PANEL_DIR
+  {{- end }}
+
+  # If the image has support for it, compile the translations
+  if type -p gettext >/dev/null 2>/dev/null; then
+    cd ${SITE_PACKAGES_ROOT}/openstack_dashboard; /tmp/manage.py compilemessages
+    # if there are extra panels and the image has support for it, compile the translations
+    {{- range .Values.conf.horizon.extra_panels }}
+    PANEL_DIR="${SITE_PACKAGES_ROOT}/{{ . }}"
+    if [ -d ${PANEL_DIR} ]; then
+      cd ${PANEL_DIR}; /tmp/manage.py compilemessages
+    fi
+    {{- end }}
+    unset PANEL_DIR
+  fi
+
+  # Copy custom logo images
+  {{- if .Values.manifests.configmap_logo }}
+  cp /tmp/favicon.ico ${SITE_PACKAGES_ROOT}/openstack_dashboard/static/dashboard/img/favicon.ico
+  cp /tmp/logo.svg ${SITE_PACKAGES_ROOT}/openstack_dashboard/static/dashboard/img/logo.svg
+  cp /tmp/logo-splash.svg ${SITE_PACKAGES_ROOT}/openstack_dashboard/static/dashboard/img/logo-splash.svg
+  {{- end }}
+
+  # Compress Horizon's assets.
+  /tmp/manage.py collectstatic --noinput
+  /tmp/manage.py compress --force
+  rm -rf /tmp/_tmp_.secret_key_store.lock /tmp/.secret_key_store
+  chmod +x ${SITE_PACKAGES_ROOT}/django/core/wsgi.py
+  exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
+}
+
+function stop () {
+  {{ .Values.conf.software.apache2.binary }} -k graceful-stop
+}
+
+$COMMAND
diff --git a/charts/horizon/templates/bin/_manage.py.tpl b/charts/horizon/templates/bin/_manage.py.tpl
new file mode 100644
index 0000000..a49cffe
--- /dev/null
+++ b/charts/horizon/templates/bin/_manage.py.tpl
@@ -0,0 +1,34 @@
+#!/usr/bin/env python
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+NOTE (Portdirect): This file is required to support Horizon regardless of the
+image used, and to provide PyMySQL support.
+*/}}
+
+import os
+import sys
+
+import pymysql
+pymysql.version_info = (1, 3, 13, "final", 0)
+pymysql.install_as_MySQLdb()
+
+from django.core.management import execute_from_command_line
+
+if __name__ == "__main__":
+    os.environ.setdefault("DJANGO_SETTINGS_MODULE",
+                          "openstack_dashboard.settings")
+    execute_from_command_line(sys.argv)
diff --git a/charts/horizon/templates/bin/_selenium-test.py.tpl b/charts/horizon/templates/bin/_selenium-test.py.tpl
new file mode 100644
index 0000000..14cae8a
--- /dev/null
+++ b/charts/horizon/templates/bin/_selenium-test.py.tpl
@@ -0,0 +1,90 @@
+#!/usr/bin/env python3
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+import os
+import sys
+import logging
+
+from selenium import webdriver
+from selenium.webdriver.common.by import By
+from selenium.webdriver.support.ui import WebDriverWait
+from selenium.webdriver.support import expected_conditions as EC
+from selenium.webdriver.chrome.options import Options
+from selenium.common.exceptions import TimeoutException
+from selenium.common.exceptions import NoSuchElementException
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('Horizon Selenium Tests')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter(
+    '%(asctime)s - %(name)s - %(levelname)s - %(message)s'
+)
+
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+def get_variable(env_var):
+    if env_var in os.environ:
+        logger.info('Found "{}"'.format(env_var))
+        return os.environ[env_var]
+    else:
+        logger.critical('Variable "{}" is not defined!'.format(env_var))
+        sys.exit(1)
+
+
+keystone_user = get_variable('OS_USERNAME')
+keystone_password = get_variable('OS_PASSWORD')
+horizon_uri = get_variable('HORIZON_URI')
+user_domain_name = get_variable('OS_USER_DOMAIN_NAME')
+
+# Add options to make chrome browser headless
+options = Options()
+options.add_argument('--headless')
+options.add_argument('--no-sandbox')
+chrome_driver = '/etc/selenium/chromedriver'
+browser = webdriver.Chrome(chrome_driver, chrome_options=options)
+
+try:
+    logger.info('Attempting to connect to Horizon')
+    browser.get(horizon_uri)
+    el = WebDriverWait(browser, 15).until(
+        EC.title_contains('OpenStack Dashboard')
+    )
+    logger.info('Connected to Horizon')
+except TimeoutException:
+    logger.critical('Timed out waiting for Horizon')
+    browser.quit()
+    sys.exit(1)
+
+try:
+    logger.info('Attempting to log into Horizon')
+    browser.find_element_by_name('domain').send_keys(user_domain_name)
+    browser.find_element_by_name('username').send_keys(keystone_user)
+    browser.find_element_by_name('password').send_keys(keystone_password)
+    browser.find_element_by_id('loginBtn').click()
+    WebDriverWait(browser, 15).until(
+        EC.presence_of_element_located((By.ID, 'navbar-collapse'))
+    )
+    logger.info("Successfully logged into Horizon")
+except (TimeoutException, NoSuchElementException):
+    logger.error('Failed to login to Horizon')
+    browser.quit()
+    sys.exit(1)
+
+browser.quit()
diff --git a/charts/horizon/templates/certificates.yaml b/charts/horizon/templates/certificates.yaml
new file mode 100644
index 0000000..8dbb884
--- /dev/null
+++ b/charts/horizon/templates/certificates.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.certificates -}}
+{{ dict "envAll" . "service" "dashboard" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
+{{- end -}}
diff --git a/charts/horizon/templates/configmap-bin.yaml b/charts/horizon/templates/configmap-bin.yaml
new file mode 100644
index 0000000..5107499
--- /dev/null
+++ b/charts/horizon/templates/configmap-bin.yaml
@@ -0,0 +1,41 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: horizon-bin
+data:
+{{- if .Values.images.local_registry.active }}
+  image-repo-sync.sh: |
+{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
+{{- end }}
+  db-init.py: |
+{{- include "helm-toolkit.scripts.db_init" . | indent 4 }}
+  db-sync.sh: |
+{{ tuple "bin/_db-sync.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  db-drop.py: |
+{{- include "helm-toolkit.scripts.db_drop" . | indent 4 }}
+  horizon.sh: |
+{{ tuple "bin/_horizon.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  manage.py: |
+{{ tuple "bin/_manage.py.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  django.wsgi: |
+{{ tuple "bin/_django.wsgi.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  selenium-test.py: |
+{{ tuple "bin/_selenium-test.py.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
diff --git a/charts/horizon/templates/configmap-etc.yaml b/charts/horizon/templates/configmap-etc.yaml
new file mode 100644
index 0000000..d02cf2b
--- /dev/null
+++ b/charts/horizon/templates/configmap-etc.yaml
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_etc }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: horizon-etc
+type: Opaque
+data:
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.horizon.apache "key" "horizon.conf" "format" "Secret" ) | indent 2 }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.horizon.local_settings.template "key" "local_settings" "format" "Secret" ) | indent 2 }}
+{{- if .Values.conf.horizon.security }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.horizon.security "key" "security.conf" "format" "Secret" ) | indent 2 }}
+{{- end }}
+{{- range $key, $value := .Values.conf.horizon.policy }}
+  {{ printf "%s_policy.json" $key }}: {{ $value | toPrettyJson | b64enc }}
+{{- end }}
+{{- range $key, $value := .Values.conf.horizon.policy }}
+  {{ printf "%s_policy.yaml" $key }}: {{ toYaml $value | b64enc }}
+{{- end }}
+{{- range $key, $value := .Values.conf.horizon.local_settings_d }}
+  {{ printf "%s.py" $key }}: {{ $value | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/horizon/templates/configmap-logo.yaml b/charts/horizon/templates/configmap-logo.yaml
new file mode 100644
index 0000000..4f67f01
--- /dev/null
+++ b/charts/horizon/templates/configmap-logo.yaml
@@ -0,0 +1,26 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_logo }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: horizon-logo
+binaryData:
+  favicon.ico: {{ .Values.conf.horizon.branding.favicon }}
+data:
+  logo-splash.svg: {{ .Values.conf.horizon.branding.logo_splash | nindent 4 }}
+  logo.svg: {{ .Values.conf.horizon.branding.logo | nindent 4 }}
+{{- end }}
diff --git a/charts/horizon/templates/deployment.yaml b/charts/horizon/templates/deployment.yaml
new file mode 100644
index 0000000..e3978c5
--- /dev/null
+++ b/charts/horizon/templates/deployment.yaml
@@ -0,0 +1,186 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment }}
+{{- $envAll := . }}
+
+{{- $mounts_horizon := .Values.pod.mounts.horizon.horizon }}
+{{- $mounts_horizon_init := .Values.pod.mounts.horizon.init_container }}
+
+{{- $serviceAccountName := "horizon" }}
+{{ tuple $envAll "dashboard" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: horizon
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "horizon" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.server }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "horizon" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "horizon" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "horizon" "containerNames" (list "horizon" "init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "horizon" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      affinity:
+{{ tuple $envAll "horizon" "server" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+      nodeSelector:
+        {{ .Values.labels.dashboard.node_selector_key }}: {{ .Values.labels.dashboard.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.horizon.enabled }}
+{{ tuple $envAll "horizon" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+      terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.horizon.timeout | default "30" }}
+      initContainers:
+{{ tuple $envAll "dashboard" $mounts_horizon_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: horizon
+{{ tuple $envAll "horizon" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "horizon" "container" "horizon" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/horizon.sh
+            - start
+          env:
+          - name: MY_POD_IP
+            valueFrom:
+              fieldRef:
+                fieldPath: status.podIP
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - /tmp/horizon.sh
+                  - stop
+          ports:
+            - name: web
+              containerPort: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+          readinessProbe:
+            httpGet:
+              scheme: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
+              path: /
+              port: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+            initialDelaySeconds: 15
+            periodSeconds: 10
+          livenessProbe:
+            httpGet:
+              scheme: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
+              path: /
+              port: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+            initialDelaySeconds: 180
+            periodSeconds: 60
+            timeoutSeconds: 5
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: static-horizon
+              mountPath: /var/www/html/
+            - name: horizon-bin
+              mountPath: /tmp/horizon.sh
+              subPath: horizon.sh
+              readOnly: true
+            - name: horizon-bin
+              mountPath: /tmp/manage.py
+              subPath: manage.py
+              readOnly: true
+            - name: horizon-etc
+              mountPath: {{ .Values.conf.software.apache2.site_dir }}/000-default.conf
+              subPath: horizon.conf
+              readOnly: true
+            {{- if .Values.conf.horizon.security }}
+            - name: horizon-etc
+              mountPath: {{ .Values.conf.software.apache2.conf_dir }}/security.conf
+              subPath: security.conf
+              readOnly: true
+            {{- end }}
+            - name: horizon-bin
+              mountPath: /var/www/cgi-bin/horizon/django.wsgi
+              subPath: django.wsgi
+              readOnly: true
+            - name: horizon-etc
+              mountPath: /etc/openstack-dashboard/local_settings
+              subPath: local_settings
+              readOnly: true
+            {{- range $key, $value := $envAll.Values.conf.horizon.policy }}
+            {{- $policyYamlFile := printf "/etc/openstack-dashboard/%s_policy.yaml" $key }}
+            - name: horizon-etc
+              mountPath: {{ $policyYamlFile }}
+              subPath: {{ base $policyYamlFile }}
+              readOnly: true
+            {{- end }}
+            {{- range $key, $value := $envAll.Values.conf.horizon.policy }}
+            {{- $policyJsonFile := printf "/etc/openstack-dashboard/%s_policy.json" $key }}
+            - name: horizon-etc
+              mountPath: {{ $policyJsonFile }}
+              subPath: {{ base $policyJsonFile }}
+              readOnly: true
+            {{- end }}
+            {{- range $key, $value := $envAll.Values.conf.horizon.local_settings_d }}
+            {{- $localSettingsFile := printf "/etc/openstack-dashboard/local_settings.d/%s.py" $key }}
+            - name: horizon-etc
+              mountPath: {{ $localSettingsFile }}
+              subPath: {{ base $localSettingsFile }}
+              readOnly: true
+            {{- end }}
+            {{- if .Values.manifests.configmap_logo }}
+            - name: horizon-logo
+              mountPath: /tmp/logo.svg
+              subPath: logo.svg
+            - name: horizon-logo
+              mountPath: /tmp/logo-splash.svg
+              subPath: logo-splash.svg
+            - name: horizon-logo
+              mountPath: /tmp/favicon.ico
+              subPath: favicon.ico
+            {{- end }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.dashboard.dashboard.internal "path" "/etc/openstack-dashboard/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_horizon.volumeMounts }}{{ toYaml $mounts_horizon.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: wsgi-horizon
+          emptyDir: {}
+        - name: static-horizon
+          emptyDir: {}
+        - name: horizon-bin
+          configMap:
+            name: horizon-bin
+            defaultMode: 0555
+        - name: horizon-etc
+          secret:
+            secretName: horizon-etc
+            defaultMode: 0444
+        {{- if .Values.manifests.configmap_logo }}
+        - name: horizon-logo
+          configMap:
+            name: horizon-logo
+        {{- end }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.dashboard.dashboard.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_horizon.volumes }}{{ toYaml $mounts_horizon.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/horizon/templates/ingress-api.yaml b/charts/horizon/templates/ingress-api.yaml
new file mode 100644
index 0000000..252ac52
--- /dev/null
+++ b/charts/horizon/templates/ingress-api.yaml
@@ -0,0 +1,23 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.ingress_api .Values.network.dashboard.ingress.public }}
+{{- $envAll := . }}
+{{- $ingressOpts := dict "envAll" $envAll "backendService" "dashboard" "backendServiceType" "dashboard" "backendPort" "web" -}}
+{{- $secretName := $envAll.Values.secrets.tls.dashboard.dashboard.internal -}}
+{{- if and .Values.manifests.certificates $secretName -}}
+{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.dashboard.host_fqdn_override.default.tls.issuerRef.name -}}
+{{- end -}}
+{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+{{- end }}
diff --git a/charts/horizon/templates/job-db-drop.yaml b/charts/horizon/templates/job-db-drop.yaml
new file mode 100644
index 0000000..6f761d7
--- /dev/null
+++ b/charts/horizon/templates/job-db-drop.yaml
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_db_drop }}
+{{- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}}
+{{- $dbDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.pod.tolerations.horizon.enabled -}}
+{{- $_ := set $dbDropJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
+{{- end }}
diff --git a/charts/horizon/templates/job-db-init.yaml b/charts/horizon/templates/job-db-init.yaml
new file mode 100644
index 0000000..67169b5
--- /dev/null
+++ b/charts/horizon/templates/job-db-init.yaml
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_init" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-5"
+{{- end }}
+
+{{- if .Values.manifests.job_db_init }}
+{{- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}}
+{{- $dbInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $dbInitJob "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.horizon.enabled -}}
+{{- $_ := set $dbInitJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
+{{- end }}
diff --git a/charts/horizon/templates/job-db-sync.yaml b/charts/horizon/templates/job-db-sync.yaml
new file mode 100644
index 0000000..c2229cd
--- /dev/null
+++ b/charts/horizon/templates/job-db-sync.yaml
@@ -0,0 +1,87 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_db_sync }}
+{{- $envAll := . }}
+
+{{- $mounts_horizon_db_sync := .Values.pod.mounts.horizon_db_sync.horizon_db_sync }}
+{{- $mounts_horizon_db_sync_init := .Values.pod.mounts.horizon_db_sync.init_container }}
+
+{{- $serviceAccountName := "horizon-db-sync" }}
+{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: horizon-db-sync
+  labels:
+{{ tuple $envAll "horizon" "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  annotations:
+{{- if .Values.helm3_hook }}
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-weight: "-4"
+{{- end }}
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "horizon" "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ dict "envAll" $envAll "podName" "horizon-db-sync" "containerNames" (list "horizon-db-sync" "init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "db_sync" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      restartPolicy: OnFailure
+      nodeSelector:
+        {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.horizon.enabled }}
+{{ tuple $envAll "horizon" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+      initContainers:
+{{ tuple $envAll "db_sync" $mounts_horizon_db_sync_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: horizon-db-sync
+{{ tuple $envAll "horizon_db_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "db_sync" "container" "horizon_db_sync" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/db-sync.sh
+          volumeMounts:
+          - name: horizon-etc
+            mountPath: /etc/openstack-dashboard/local_settings
+            subPath: local_settings
+            readOnly: true
+          - name: horizon-bin
+            mountPath: /tmp/db-sync.sh
+            subPath: db-sync.sh
+            readOnly: true
+          - name: horizon-bin
+            mountPath: /tmp/manage.py
+            subPath: manage.py
+            readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 10 }}
+{{ if $mounts_horizon_db_sync.volumeMounts }}{{ toYaml $mounts_horizon_db_sync.volumeMounts | indent 10 }}{{ end }}
+      volumes:
+      - name: horizon-etc
+        secret:
+          secretName: horizon-etc
+          defaultMode: 0444
+      - name: horizon-bin
+        configMap:
+          name: horizon-bin
+          defaultMode: 0555
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 6 }}
+{{ if $mounts_horizon_db_sync.volumes }}{{ toYaml $mounts_horizon_db_sync.volumes | indent 6 }}{{ end }}
+{{- end }}
diff --git a/charts/horizon/templates/job-image-repo-sync.yaml b/charts/horizon/templates/job-image-repo-sync.yaml
new file mode 100644
index 0000000..e98bbb2
--- /dev/null
+++ b/charts/horizon/templates/job-image-repo-sync.yaml
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
+{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "horizon" -}}
+{{- if .Values.pod.tolerations.horizon.enabled -}}
+{{- $_ := set $imageRepoSyncJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
+{{- end }}
diff --git a/charts/horizon/templates/network_policy.yaml b/charts/horizon/templates/network_policy.yaml
new file mode 100644
index 0000000..edba466
--- /dev/null
+++ b/charts/horizon/templates/network_policy.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "horizon" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/charts/horizon/templates/pdb.yaml b/charts/horizon/templates/pdb.yaml
new file mode 100644
index 0000000..7967985
--- /dev/null
+++ b/charts/horizon/templates/pdb.yaml
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pdb }}
+{{- $envAll := . }}
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: horizon
+spec:
+  minAvailable: {{ .Values.pod.lifecycle.disruption_budget.horizon.min_available }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "horizon" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{- end }}
diff --git a/charts/horizon/templates/pod-helm-tests.yaml b/charts/horizon/templates/pod-helm-tests.yaml
new file mode 100644
index 0000000..dbcb9a3
--- /dev/null
+++ b/charts/horizon/templates/pod-helm-tests.yaml
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pod_helm_test }}
+{{- $envAll := . }}
+
+{{- $mounts_tests := .Values.pod.mounts.horizon_tests.horizon_tests }}
+{{- $mounts_tests_init := .Values.pod.mounts.horizon_tests.init_container }}
+
+{{- $serviceAccountName := print $envAll.Release.Name "-test" }}
+{{ tuple $envAll "tests" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: {{ print $envAll.Release.Name "-test" }}
+  labels:
+{{ tuple $envAll "horizon" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  annotations:
+    "helm.sh/hook": test-success
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{ dict "envAll" $envAll "podName" "horizon-test" "containerNames" (list "init" "horizon-test") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
+spec:
+{{ dict "envAll" $envAll "application" "test" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
+  restartPolicy: Never
+  serviceAccountName: {{ $serviceAccountName }}
+{{ if $envAll.Values.pod.tolerations.horizon.enabled }}
+{{ tuple $envAll "horizon" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+  nodeSelector:
+    {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
+  initContainers:
+{{ tuple $envAll "tests" $mounts_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
+  containers:
+    - name: horizon-test
+{{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+{{ dict "envAll" $envAll "application" "test" "container" "horizon_test" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
+      command:
+        - /tmp/selenium-test.py
+      env:
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
+{{- end }}
+        - name: HORIZON_URI
+          value: {{ tuple "dashboard" "public" "web" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+      volumeMounts:
+        - name: pod-tmp
+          mountPath: /tmp
+        - name: horizon-bin
+          mountPath: /tmp/selenium-test.py
+          subPath: selenium-test.py
+          readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" .Values.secrets.tls.dashboard.dashboard.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
+{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
+  volumes:
+    - name: pod-tmp
+      emptyDir: {}
+    - name: horizon-bin
+      configMap:
+        name: horizon-bin
+        defaultMode: 0555
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" .Values.secrets.tls.dashboard.dashboard.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
+{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
+{{- end }}
diff --git a/charts/horizon/templates/secret-db.yaml b/charts/horizon/templates/secret-db.yaml
new file mode 100644
index 0000000..cfc7dac
--- /dev/null
+++ b/charts/horizon/templates/secret-db.yaml
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_db }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "horizon" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+{{- $connection := tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+{{- if $envAll.Values.manifests.certificates }}
+  DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
+{{- else }}
+  DB_CONNECTION: {{  $connection | b64enc -}}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/horizon/templates/secret-ingress-tls.yaml b/charts/horizon/templates/secret-ingress-tls.yaml
new file mode 100644
index 0000000..fb37f7f
--- /dev/null
+++ b/charts/horizon/templates/secret-ingress-tls.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "dashboard" "backendServiceType" "dashboard" ) }}
+{{- end }}
diff --git a/charts/horizon/templates/secret-keystone.yaml b/charts/horizon/templates/secret-keystone.yaml
new file mode 100644
index 0000000..7286f3f
--- /dev/null
+++ b/charts/horizon/templates/secret-keystone.yaml
@@ -0,0 +1,26 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_keystone }}
+{{- $envAll := . }}
+{{- $secretName := index $envAll.Values.secrets.identity.admin }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple "admin" "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
diff --git a/charts/horizon/templates/service-ingress.yaml b/charts/horizon/templates/service-ingress.yaml
new file mode 100644
index 0000000..6adac84
--- /dev/null
+++ b/charts/horizon/templates/service-ingress.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_ingress .Values.network.dashboard.ingress.public }}
+{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "dashboard" -}}
+{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
+{{- end }}
diff --git a/charts/horizon/templates/service.yaml b/charts/horizon/templates/service.yaml
new file mode 100644
index 0000000..579e73f
--- /dev/null
+++ b/charts/horizon/templates/service.yaml
@@ -0,0 +1,44 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tuple "dashboard" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+  ports:
+    {{ if .Values.network.node_port.enabled }}
+    - name: web
+      protocol: TCP
+      nodePort: {{ .Values.network.node_port.port }}
+      port: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+      targetPort: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+    {{ else }}
+    - name: web
+      protocol: TCP
+      port: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+      targetPort: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+    {{ end }}
+  selector:
+{{ tuple $envAll "horizon" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  {{ if .Values.network.node_port.enabled }}
+  type: NodePort
+  {{ if .Values.network.external_policy_local }}
+  externalTrafficPolicy: Local
+  {{ end }}
+  {{ end }}
+{{- end }}
diff --git a/charts/horizon/values.yaml b/charts/horizon/values.yaml
new file mode 100644
index 0000000..4ea901b
--- /dev/null
+++ b/charts/horizon/values.yaml
@@ -0,0 +1,1381 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for horizon.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+---
+images:
+  tags:
+    db_init: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+    horizon_db_sync: docker.io/openstackhelm/horizon:stein-ubuntu_bionic
+    db_drop: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+    horizon: docker.io/openstackhelm/horizon:stein-ubuntu_bionic
+    test: docker.io/openstackhelm/osh-selenium:latest-ubuntu_bionic
+    dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    image_repo_sync: docker.io/docker:17.07.0
+  pull_policy: "IfNotPresent"
+  local_registry:
+    active: false
+    exclude:
+      - dep_check
+      - image_repo_sync
+
+release_group: null
+
+labels:
+  dashboard:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  job:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  test:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+
+network:
+  dashboard:
+    ingress:
+      public: true
+      classes:
+        namespace: "nginx"
+        cluster: "nginx-cluster"
+      annotations:
+        nginx.ingress.kubernetes.io/rewrite-target: /
+  external_policy_local: false
+  node_port:
+    enabled: false
+    port: 31000
+
+conf:
+  software:
+    apache2:
+      binary: apache2
+      start_parameters: -DFOREGROUND
+      site_dir: /etc/apache2/sites-available
+      conf_dir: /etc/apache2/conf-available
+      mods_dir: /etc/apache2/mods-available
+      a2enmod:
+        - headers
+        - rewrite
+      a2dismod:
+        - status
+  horizon:
+    branding:
+      logo:
+      logo_splash:
+      favicon:
+    apache: |
+      <IfVersion < 2.4>
+      Listen 0.0.0.0:{{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+      </IfVersion>
+      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+      LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
+
+      SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+      CustomLog /dev/stdout combined env=!forwarded
+      CustomLog /dev/stdout proxy env=forwarded
+
+      <VirtualHost *:{{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}>
+          WSGIScriptReloading On
+          WSGIDaemonProcess horizon-http processes=5 threads=1 user=horizon group=horizon display-name=%{GROUP} python-path=/var/lib/kolla/venv/lib/python2.7/site-packages
+          WSGIProcessGroup horizon-http
+          WSGIScriptAlias / /var/www/cgi-bin/horizon/django.wsgi
+          WSGIPassAuthorization On
+          RewriteEngine on
+          RewriteCond %{REQUEST_METHOD} !^(POST|PUT|GET|DELETE|PATCH)
+          RewriteRule .* - [F]
+
+          <Location "/">
+              Require all granted
+          </Location>
+
+          Alias /static /var/www/html/horizon
+          <Location "/static">
+              SetHandler static
+          </Location>
+
+          <IfVersion >= 2.4>
+            ErrorLogFormat "%{cu}t %M"
+          </IfVersion>
+          ErrorLog /dev/stdout
+          TransferLog /dev/stdout
+
+          SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+          CustomLog /dev/stdout combined env=!forwarded
+          CustomLog /dev/stdout proxy env=forwarded
+      </Virtualhost>
+    security: |
+      #
+      # Disable access to the entire file system except for the directories that
+      # are explicitly allowed later.
+      #
+      # This currently breaks the configurations that come with some web application
+      # Debian packages.
+      #
+      #<Directory />
+      #   AllowOverride None
+      #   Require all denied
+      #</Directory>
+
+      # Changing the following options will not really affect the security of the
+      # server, but might make attacks slightly more difficult in some cases.
+
+      #
+      # ServerTokens
+      # This directive configures what you return as the Server HTTP response
+      # Header. The default is 'Full' which sends information about the OS-Type
+      # and compiled in modules.
+      # Set to one of:  Full | OS | Minimal | Minor | Major | Prod
+      # where Full conveys the most information, and Prod the least.
+      ServerTokens Prod
+
+      #
+      # Optionally add a line containing the server version and virtual host
+      # name to server-generated pages (internal error documents, FTP directory
+      # listings, mod_status and mod_info output etc., but not CGI generated
+      # documents or custom error documents).
+      # Set to "EMail" to also include a mailto: link to the ServerAdmin.
+      # Set to one of:  On | Off | EMail
+      ServerSignature Off
+
+      #
+      # Allow TRACE method
+      #
+      # Set to "extended" to also reflect the request body (only for testing and
+      # diagnostic purposes).
+      #
+      # Set to one of:  On | Off | extended
+      TraceEnable Off
+
+      #
+      # Forbid access to version control directories
+      #
+      # If you use version control systems in your document root, you should
+      # probably deny access to their directories. For example, for subversion:
+      #
+      #<DirectoryMatch "/\.svn">
+      #   Require all denied
+      #</DirectoryMatch>
+
+      #Security-Settings
+      # Setting this header will prevent MSIE from interpreting files as something
+      # else than declared by the content type in the HTTP headers.
+      # Requires mod_headers to be enabled.
+      #
+      Header set X-Content-Type-Options: "nosniff"
+      Header set X-Permitted-Cross-Domain-Policies: "none"
+      # Setting this header will prevent other sites from embedding pages from this
+      # site as frames. This defends against clickjacking attacks.
+      # Requires mod_headers to be enabled.
+      #
+    local_settings_d: {}
+      ## For example, _50_monasca_ui_settings.py
+      # _50_monasca_ui_settings: |
+      #   from django.conf import settings
+      #   # Grafana button titles/file names (global across all projects):
+      #   GRAFANA_LINKS = []
+      #   DASHBOARDS = getattr(settings, 'GRAFANA_LINKS', GRAFANA_LINKS)
+
+    local_settings:
+      config:
+        # Use "True" and "False" as Titlecase strings with quotes, boolean
+        # values will not work
+        horizon_secret_key: 9aee62c0-5253-4a86-b189-e0fb71fa503c
+        debug: "False"
+        use_ssl: "False"
+        endpoint_type: "internalURL"
+        keystone_multidomain_support: "True"
+        keystone_default_domain: Default
+        disable_password_reveal: "True"
+        show_openrc_file: "True"
+        csrf_cookie_secure: "False"
+        csrf_cookie_httponly: "False"
+        enforce_password_check: "True"
+        # Set enable_pwd_validator to true to enforce password validator settings.
+        enable_pwd_validator: false
+        pwd_validator_regex: '(?=.*[a-zA-Z])(?=.*\d).{8,}|(?=.*\d)(?=.*\W).{8,}|(?=.*\W)(?=.*[a-zA-Z]).{8,}'
+        pwd_validator_help_text: '_("Your password must be at least eight (8) characters in length and must include characters from at least two (2) of these groupings: alpha, numeric, and special characters.")'
+        session_cookie_secure: "False"
+        session_cookie_httponly: "False"
+        secure_proxy_ssl_header: false
+        password_autocomplete: "False"
+        disallow_iframe_embed: "False"
+        allowed_hosts:
+          - '*'
+        horizon_images_upload_mode: 'legacy'
+        openstack_cinder_features:
+          enable_backup: "True"
+        openstack_neutron_network:
+          enable_router: "True"
+          enable_quotas: "True"
+          enable_ipv6: "True"
+          enable_distributed_router: "False"
+          enable_ha_router: "False"
+          enable_lb: "True"
+          enable_firewall: "True"
+          enable_vpn: "True"
+          enable_fip_topology_check: "True"
+        openstack_enable_password_retrieve: "False"
+        auth:
+          sso:
+            enabled: False
+            initial_choice: "credentials"
+          idp_mapping:
+            - name: "acme_oidc"
+              label: "Acme Corporation - OpenID Connect"
+              idp: "myidp1"
+              protocol: "oidc"
+            - name: "acme_saml2"
+              label: "Acme Corporation - SAML2"
+              idp: "myidp2"
+              protocol: "saml2"
+        log_level: "DEBUG"
+        # Pass any settings to the end of local_settings.py
+        raw: {}
+        openstack_api_versions:
+          container_infra: "1.19"
+      template: |
+        import os
+
+        from django.utils.translation import ugettext_lazy as _
+
+        from openstack_dashboard import exceptions
+
+        DEBUG = {{ .Values.conf.horizon.local_settings.config.debug }}
+        TEMPLATE_DEBUG = DEBUG
+
+        COMPRESS_OFFLINE = True
+        COMPRESS_CSS_HASHING_METHOD = "hash"
+
+        # WEBROOT is the location relative to Webserver root
+        # should end with a slash.
+        WEBROOT = '/'
+        # LOGIN_URL = WEBROOT + 'auth/login/'
+        # LOGOUT_URL = WEBROOT + 'auth/logout/'
+        #
+        # LOGIN_REDIRECT_URL can be used as an alternative for
+        # HORIZON_CONFIG.user_home, if user_home is not set.
+        # Do not set it to '/home/', as this will cause circular redirect loop
+        # LOGIN_REDIRECT_URL = WEBROOT
+
+        # Required for Django 1.5.
+        # If horizon is running in production (DEBUG is False), set this
+        # with the list of host/domain names that the application can serve.
+        # For more information see:
+        # https://docs.djangoproject.com/en/dev/ref/settings/#allowed-hosts
+        ALLOWED_HOSTS = [{{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.conf.horizon.local_settings.config.allowed_hosts }},'%s' % (os.environ.get("MY_POD_IP"))]
+
+        # Set SSL proxy settings:
+        # For Django 1.4+ pass this header from the proxy after terminating the SSL,
+        # and don't forget to strip it from the client's request.
+        # For more information see:
+        # https://docs.djangoproject.com/en/1.4/ref/settings/#secure-proxy-ssl-header
+        #SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https')
+        # https://docs.djangoproject.com/en/1.5/ref/settings/#secure-proxy-ssl-header
+        {{- if .Values.conf.horizon.local_settings.config.secure_proxy_ssl_header }}
+        SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+        {{- end }}
+
+        # If Horizon is being served through SSL, then uncomment the following two
+        # settings to better secure the cookies from security exploits
+        USE_SSL = {{ .Values.conf.horizon.local_settings.config.use_ssl }}
+        CSRF_COOKIE_SECURE = {{ .Values.conf.horizon.local_settings.config.csrf_cookie_secure }}
+        CSRF_COOKIE_HTTPONLY = {{ .Values.conf.horizon.local_settings.config.csrf_cookie_httponly }}
+        SESSION_COOKIE_SECURE = {{ .Values.conf.horizon.local_settings.config.session_cookie_secure }}
+
+        SESSION_COOKIE_HTTPONLY = {{ .Values.conf.horizon.local_settings.config.session_cookie_httponly }}
+
+        # Overrides for OpenStack API versions. Use this setting to force the
+        # OpenStack dashboard to use a specific API version for a given service API.
+        # Versions specified here should be integers or floats, not strings.
+        # NOTE: The version should be formatted as it appears in the URL for the
+        # service API. For example, The identity service APIs have inconsistent
+        # use of the decimal point, so valid options would be 2.0 or 3.
+        #OPENSTACK_API_VERSIONS = {
+        #    "data-processing": 1.1,
+        #    "identity": 3,
+        #    "volume": 2,
+        #}
+
+        OPENSTACK_API_VERSIONS = {
+            "identity": 3,
+            "container-infra": {{ .Values.conf.horizon.local_settings.config.openstack_api_versions.container_infra }}
+        }
+
+        # Set this to True if running on multi-domain model. When this is enabled, it
+        # will require user to enter the Domain name in addition to username for login.
+        OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = {{ .Values.conf.horizon.local_settings.config.keystone_multidomain_support }}
+
+        # Overrides the default domain used when running on single-domain model
+        # with Keystone V3. All entities will be created in the default domain.
+        OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = '{{ .Values.conf.horizon.local_settings.config.keystone_default_domain }}'
+
+        # Set Console type:
+        # valid options are "AUTO"(default), "VNC", "SPICE", "RDP", "SERIAL" or None
+        # Set to None explicitly if you want to deactivate the console.
+        #CONSOLE_TYPE = "AUTO"
+
+        # Default OpenStack Dashboard configuration.
+        HORIZON_CONFIG = {
+            'user_home': 'openstack_dashboard.views.get_user_home',
+            'ajax_queue_limit': 10,
+            'auto_fade_alerts': {
+                'delay': 3000,
+                'fade_duration': 1500,
+                'types': ['alert-success', 'alert-info']
+            },
+            'help_url': "http://docs.openstack.org",
+            'exceptions': {'recoverable': exceptions.RECOVERABLE,
+                           'not_found': exceptions.NOT_FOUND,
+                           'unauthorized': exceptions.UNAUTHORIZED},
+            'modal_backdrop': 'static',
+            'angular_modules': [],
+            'js_files': [],
+            'js_spec_files': [],
+        }
+
+        {{- if .Values.conf.horizon.local_settings.config.enable_pwd_validator }}
+        # Specify a regular expression to validate user passwords.
+        HORIZON_CONFIG["password_validator"] = {
+            "regex": '{{ .Values.conf.horizon.local_settings.config.pwd_validator_regex }}',
+            "help_text": {{ .Values.conf.horizon.local_settings.config.pwd_validator_help_text }},
+        }
+        {{- end }}
+
+        # Disable simplified floating IP address management for deployments with
+        # multiple floating IP pools or complex network requirements.
+        #HORIZON_CONFIG["simple_ip_management"] = False
+
+        # Turn off browser autocompletion for forms including the login form and
+        # the database creation workflow if so desired.
+        HORIZON_CONFIG["password_autocomplete"] = '{{ .Values.conf.horizon.local_settings.config.password_autocomplete }}'
+
+        # Setting this to True will disable the reveal button for password fields,
+        # including on the login form.
+        HORIZON_CONFIG["disable_password_reveal"] = {{ .Values.conf.horizon.local_settings.config.disable_password_reveal }}
+
+        LOCAL_PATH = '/tmp'
+
+        # Set custom secret key:
+        # You can either set it to a specific value or you can let horizon generate a
+        # default secret key that is unique on this machine, e.i. regardless of the
+        # amount of Python WSGI workers (if used behind Apache+mod_wsgi): However,
+        # there may be situations where you would want to set this explicitly, e.g.
+        # when multiple dashboard instances are distributed on different machines
+        # (usually behind a load-balancer). Either you have to make sure that a session
+        # gets all requests routed to the same dashboard instance or you set the same
+        # SECRET_KEY for all of them.
+        SECRET_KEY='{{ .Values.conf.horizon.local_settings.config.horizon_secret_key }}'
+
+        CACHES = {
+            'default': {
+                'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
+                'LOCATION': '{{ tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}',
+            }
+        }
+        DATABASES = {
+            'default': {
+                # Database configuration here
+                'ENGINE': 'django.db.backends.mysql',
+                'NAME': '{{ .Values.endpoints.oslo_db.path | base }}',
+                'USER': '{{ .Values.endpoints.oslo_db.auth.horizon.username }}',
+                'PASSWORD': '{{ .Values.endpoints.oslo_db.auth.horizon.password }}',
+                'HOST': '{{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}',
+                'default-character-set': 'utf8',
+                {{- if .Values.manifests.certificates }}
+                'OPTIONS':{
+                    'ssl': {
+                        'ca': '/etc/mysql/certs/ca.crt',
+                        'cert': '/etc/mysql/certs/tls.crt',
+                        'key': '/etc/mysql/certs/tls.key'
+                    }
+                },
+                {{- end }}
+                'PORT': '{{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}'
+            }
+        }
+        SESSION_ENGINE = 'django.contrib.sessions.backends.cached_db'
+
+        # Send email to the console by default
+        EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
+        # Or send them to /dev/null
+        #EMAIL_BACKEND = 'django.core.mail.backends.dummy.EmailBackend'
+
+        # Configure these for your outgoing email host
+        #EMAIL_HOST = 'smtp.my-company.com'
+        #EMAIL_PORT = 25\\
+        #EMAIL_HOST_USER = 'djangomail'
+        #EMAIL_HOST_PASSWORD = 'top-secret!'
+
+        # For multiple regions uncomment this configuration, and add (endpoint, title).
+        #AVAILABLE_REGIONS = [
+        #    ('http://cluster1.example.com:5000/v2.0', 'cluster1'),
+        #    ('http://cluster2.example.com:5000/v2.0', 'cluster2'),
+        #]
+
+        OPENSTACK_KEYSTONE_URL = "{{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}"
+        OPENSTACK_KEYSTONE_DEFAULT_ROLE = "member"
+
+        # This setting specifies the name of the header with remote IP address. If not present,
+        # then REMOTE_ADDR header is used. The commom value for this setting is HTTP_X_REAL_IP
+        # or HTTP_X_FORWARDED_FORx
+        SECURE_PROXY_ADDR_HEADER = 'HTTP_X_FORWARDED_FOR'
+
+        {{- if .Values.conf.horizon.local_settings.config.auth.sso.enabled }}
+        # Enables keystone web single-sign-on if set to True.
+        WEBSSO_ENABLED = True
+
+        # Determines which authentication choice to show as default.
+        WEBSSO_INITIAL_CHOICE = "{{ .Values.conf.horizon.local_settings.config.auth.sso.initial_choice }}"
+
+        # The list of authentication mechanisms
+        # which include keystone federation protocols.
+        # Current supported protocol IDs are 'saml2' and 'oidc'
+        # which represent SAML 2.0, OpenID Connect respectively.
+        # Do not remove the mandatory credentials mechanism.
+        WEBSSO_CHOICES = (
+            ("credentials", _("Keystone Credentials")),
+          {{- range $i, $sso := .Values.conf.horizon.local_settings.config.auth.idp_mapping }}
+            ({{ $sso.name | quote }}, {{ $sso.label | quote }}),
+          {{- end }}
+        )
+
+        WEBSSO_IDP_MAPPING = {
+          {{- range $i, $sso := .Values.conf.horizon.local_settings.config.auth.idp_mapping }}
+            {{ $sso.name | quote}}: ({{ $sso.idp | quote }}, {{ $sso.protocol | quote }}),
+          {{- end }}
+        }
+
+        {{- end }}
+
+        # Disable SSL certificate checks (useful for self-signed certificates):
+        #OPENSTACK_SSL_NO_VERIFY = True
+
+        {{- if .Values.manifests.certificates }}
+        # The CA certificate to use to verify SSL connections
+        OPENSTACK_SSL_CACERT = '/etc/openstack-dashboard/certs/ca.crt'
+        {{- end }}
+
+        # The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the
+        # capabilities of the auth backend for Keystone.
+        # If Keystone has been configured to use LDAP as the auth backend then set
+        # can_edit_user to False and name to 'ldap'.
+        #
+        # TODO(tres): Remove these once Keystone has an API to identify auth backend.
+        OPENSTACK_KEYSTONE_BACKEND = {
+            'name': 'native',
+            'can_edit_user': True,
+            'can_edit_group': True,
+            'can_edit_project': True,
+            'can_edit_domain': True,
+            'can_edit_role': True,
+        }
+
+        # Setting this to True, will add a new "Retrieve Password" action on instance,
+        # allowing Admin session password retrieval/decryption.
+        OPENSTACK_ENABLE_PASSWORD_RETRIEVE = {{ .Values.conf.horizon.local_settings.config.openstack_enable_password_retrieve }}
+        # Controls whether the keystone openrc file is accessible from the user menu and the api access panel.
+        SHOW_OPENRC_FILE = {{ .Values.conf.horizon.local_settings.config.show_openrc_file }}
+        # The Launch Instance user experience has been significantly enhanced.
+        # You can choose whether to enable the new launch instance experience,
+        # the legacy experience, or both. The legacy experience will be removed
+        # in a future release, but is available as a temporary backup setting to ensure
+        # compatibility with existing deployments. Further development will not be
+        # done on the legacy experience. Please report any problems with the new
+        # experience via the StoryBoard tracking system.
+        #
+        # Toggle LAUNCH_INSTANCE_LEGACY_ENABLED and LAUNCH_INSTANCE_NG_ENABLED to
+        # determine the experience to enable.  Set them both to true to enable
+        # both.
+        #LAUNCH_INSTANCE_LEGACY_ENABLED = True
+        #LAUNCH_INSTANCE_NG_ENABLED = False
+
+        # The Xen Hypervisor has the ability to set the mount point for volumes
+        # attached to instances (other Hypervisors currently do not). Setting
+        # can_set_mount_point to True will add the option to set the mount point
+        # from the UI.
+        OPENSTACK_HYPERVISOR_FEATURES = {
+            'can_set_mount_point': False,
+            'can_set_password': False,
+        }
+
+        # The OPENSTACK_CINDER_FEATURES settings can be used to enable optional
+        # services provided by cinder that is not exposed by its extension API.
+        OPENSTACK_CINDER_FEATURES = {
+            'enable_backup': {{ .Values.conf.horizon.local_settings.config.openstack_cinder_features.enable_backup }},
+        }
+
+        # The OPENSTACK_NEUTRON_NETWORK settings can be used to enable optional
+        # services provided by neutron. Options currently available are load
+        # balancer service, security groups, quotas, VPN service.
+        OPENSTACK_NEUTRON_NETWORK = {
+            'enable_router': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_router }},
+            'enable_quotas': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_quotas }},
+            'enable_ipv6': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_ipv6 }},
+            'enable_distributed_router': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_distributed_router }},
+            'enable_ha_router': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_ha_router }},
+            'enable_lb': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_lb }},
+            'enable_firewall': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_firewall }},
+            'enable_vpn': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_vpn }},
+            'enable_fip_topology_check': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_fip_topology_check }},
+
+            # The profile_support option is used to detect if an external router can be
+            # configured via the dashboard. When using specific plugins the
+            # profile_support can be turned on if needed.
+            'profile_support': None,
+            #'profile_support': 'cisco',
+
+            # Set which provider network types are supported. Only the network types
+            # in this list will be available to choose from when creating a network.
+            # Network types include local, flat, vlan, gre, and vxlan.
+            'supported_provider_types': ['*'],
+
+            # Set which VNIC types are supported for port binding. Only the VNIC
+            # types in this list will be available to choose from when creating a
+            # port.
+            # VNIC types include 'normal', 'macvtap' and 'direct'.
+            'supported_vnic_types': ['*']
+        }
+
+        # The OPENSTACK_IMAGE_BACKEND settings can be used to customize features
+        # in the OpenStack Dashboard related to the Image service, such as the list
+        # of supported image formats.
+        #OPENSTACK_IMAGE_BACKEND = {
+        #    'image_formats': [
+        #        ('', _('Select format')),
+        #        ('aki', _('AKI - Amazon Kernel Image')),
+        #        ('ami', _('AMI - Amazon Machine Image')),
+        #        ('ari', _('ARI - Amazon Ramdisk Image')),
+        #        ('docker', _('Docker')),
+        #        ('iso', _('ISO - Optical Disk Image')),
+        #        ('ova', _('OVA - Open Virtual Appliance')),
+        #        ('qcow2', _('QCOW2 - QEMU Emulator')),
+        #        ('raw', _('Raw')),
+        #        ('vdi', _('VDI - Virtual Disk Image')),
+        #        ('vhd', ('VHD - Virtual Hard Disk')),
+        #        ('vmdk', _('VMDK - Virtual Machine Disk')),
+        #    ]
+        #}
+
+        # The IMAGE_CUSTOM_PROPERTY_TITLES settings is used to customize the titles for
+        # image custom property attributes that appear on image detail pages.
+        IMAGE_CUSTOM_PROPERTY_TITLES = {
+            "architecture": _("Architecture"),
+            "kernel_id": _("Kernel ID"),
+            "ramdisk_id": _("Ramdisk ID"),
+            "image_state": _("Euca2ools state"),
+            "project_id": _("Project ID"),
+            "image_type": _("Image Type"),
+        }
+
+        # The IMAGE_RESERVED_CUSTOM_PROPERTIES setting is used to specify which image
+        # custom properties should not be displayed in the Image Custom Properties
+        # table.
+        IMAGE_RESERVED_CUSTOM_PROPERTIES = []
+
+        # Set to 'legacy' or 'direct' to allow users to upload images to glance via
+        # Horizon server. When enabled, a file form field will appear on the create
+        # image form. If set to 'off', there will be no file form field on the create
+        # image form. See documentation for deployment considerations.
+        HORIZON_IMAGES_UPLOAD_MODE = '{{ .Values.conf.horizon.local_settings.config.horizon_images_upload_mode }}'
+
+        # OPENSTACK_ENDPOINT_TYPE specifies the endpoint type to use for the endpoints
+        # in the Keystone service catalog. Use this setting when Horizon is running
+        # external to the OpenStack environment. The default is 'publicURL'.
+        OPENSTACK_ENDPOINT_TYPE = "{{ .Values.conf.horizon.local_settings.config.endpoint_type }}"
+
+        # SECONDARY_ENDPOINT_TYPE specifies the fallback endpoint type to use in the
+        # case that OPENSTACK_ENDPOINT_TYPE is not present in the endpoints
+        # in the Keystone service catalog. Use this setting when Horizon is running
+        # external to the OpenStack environment. The default is None.  This
+        # value should differ from OPENSTACK_ENDPOINT_TYPE if used.
+        SECONDARY_ENDPOINT_TYPE = "publicURL"
+
+        # The number of objects (Swift containers/objects or images) to display
+        # on a single page before providing a paging element (a "more" link)
+        # to paginate results.
+        API_RESULT_LIMIT = 1000
+        API_RESULT_PAGE_SIZE = 20
+
+        # The size of chunk in bytes for downloading objects from Swift
+        SWIFT_FILE_TRANSFER_CHUNK_SIZE = 512 * 1024
+
+        # Specify a maximum number of items to display in a dropdown.
+        DROPDOWN_MAX_ITEMS = 30
+
+        # The timezone of the server. This should correspond with the timezone
+        # of your entire OpenStack installation, and hopefully be in UTC.
+        TIME_ZONE = "UTC"
+
+        # When launching an instance, the menu of available flavors is
+        # sorted by RAM usage, ascending. If you would like a different sort order,
+        # you can provide another flavor attribute as sorting key. Alternatively, you
+        # can provide a custom callback method to use for sorting. You can also provide
+        # a flag for reverse sort. For more info, see
+        # http://docs.python.org/2/library/functions.html#sorted
+        #CREATE_INSTANCE_FLAVOR_SORT = {
+        #    'key': 'name',
+        #     # or
+        #    'key': my_awesome_callback_method,
+        #    'reverse': False,
+        #}
+
+        # Set this to True to display an 'Admin Password' field on the Change Password
+        # form to verify that it is indeed the admin logged-in who wants to change
+        # the password.
+        ENFORCE_PASSWORD_CHECK = {{ .Values.conf.horizon.local_settings.config.enforce_password_check }}
+
+        # Modules that provide /auth routes that can be used to handle different types
+        # of user authentication. Add auth plugins that require extra route handling to
+        # this list.
+        #AUTHENTICATION_URLS = [
+        #    'openstack_auth.urls',
+        #]
+
+        # The Horizon Policy Enforcement engine uses these values to load per service
+        # policy rule files. The content of these files should match the files the
+        # OpenStack services are using to determine role based access control in the
+        # target installation.
+
+        # Path to directory containing policy.yaml files
+        POLICY_FILES_PATH = '/etc/openstack-dashboard'
+        # Map of local copy of service policy files
+        #POLICY_FILES = {
+        #    'identity': 'keystone_policy.yaml',
+        #    'compute': 'nova_policy.yaml',
+        #    'volume': 'cinder_policy.yaml',
+        #    'image': 'glance_policy.yaml',
+        #    'orchestration': 'heat_policy.yaml',
+        #    'network': 'neutron_policy.yaml',
+        #    'telemetry': 'ceilometer_policy.yaml',
+        #}
+
+        # Trove user and database extension support. By default support for
+        # creating users and databases on database instances is turned on.
+        # To disable these extensions set the permission here to something
+        # unusable such as ["!"].
+        # TROVE_ADD_USER_PERMS = []
+        # TROVE_ADD_DATABASE_PERMS = []
+
+        # Change this patch to the appropriate static directory containing
+        # two files: _variables.scss and _styles.scss
+        #CUSTOM_THEME_PATH = 'static/themes/default'
+
+        LOGGING = {
+            'version': 1,
+            # When set to True this will disable all logging except
+            # for loggers specified in this configuration dictionary. Note that
+            # if nothing is specified here and disable_existing_loggers is True,
+            # django.db.backends will still log unless it is disabled explicitly.
+            'disable_existing_loggers': False,
+            'handlers': {
+                'null': {
+                    'level': 'DEBUG',
+                    'class': 'logging.NullHandler',
+                },
+                'console': {
+                    # Set the level to "DEBUG" for verbose output logging.
+                    'level': 'INFO',
+                    'class': 'logging.StreamHandler',
+                },
+            },
+            'loggers': {
+                # Logging from django.db.backends is VERY verbose, send to null
+                # by default.
+                'django.db.backends': {
+                    'handlers': ['null'],
+                    'propagate': False,
+                },
+                'requests': {
+                    'handlers': ['null'],
+                    'propagate': False,
+                },
+                'horizon': {
+                    'handlers': ['console'],
+                    'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
+                    'propagate': False,
+                },
+                'openstack_dashboard': {
+                    'handlers': ['console'],
+                    'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
+                    'propagate': False,
+                },
+                'novaclient': {
+                    'handlers': ['console'],
+                    'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
+                    'propagate': False,
+                },
+                'cinderclient': {
+                    'handlers': ['console'],
+                    'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
+                    'propagate': False,
+                },
+                'glanceclient': {
+                    'handlers': ['console'],
+                    'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
+                    'propagate': False,
+                },
+                'glanceclient': {
+                    'handlers': ['console'],
+                    'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
+                    'propagate': False,
+                },
+                'neutronclient': {
+                    'handlers': ['console'],
+                    'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
+                    'propagate': False,
+                },
+                'heatclient': {
+                    'handlers': ['console'],
+                    'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
+                    'propagate': False,
+                },
+                'ceilometerclient': {
+                    'handlers': ['console'],
+                    'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
+                    'propagate': False,
+                },
+                'troveclient': {
+                    'handlers': ['console'],
+                    'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
+                    'propagate': False,
+                },
+                'swiftclient': {
+                    'handlers': ['console'],
+                    'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
+                    'propagate': False,
+                },
+                'openstack_auth': {
+                    'handlers': ['console'],
+                    'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
+                    'propagate': False,
+                },
+                'nose.plugins.manager': {
+                    'handlers': ['console'],
+                    'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
+                    'propagate': False,
+                },
+                'django': {
+                    'handlers': ['console'],
+                    'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
+                    'propagate': False,
+                },
+                'iso8601': {
+                    'handlers': ['null'],
+                    'propagate': False,
+                },
+                'scss': {
+                    'handlers': ['null'],
+                    'propagate': False,
+                },
+            }
+        }
+
+        # 'direction' should not be specified for all_tcp/udp/icmp.
+        # It is specified in the form.
+        SECURITY_GROUP_RULES = {
+            'all_tcp': {
+                'name': _('All TCP'),
+                'ip_protocol': 'tcp',
+                'from_port': '1',
+                'to_port': '65535',
+            },
+            'all_udp': {
+                'name': _('All UDP'),
+                'ip_protocol': 'udp',
+                'from_port': '1',
+                'to_port': '65535',
+            },
+            'all_icmp': {
+                'name': _('All ICMP'),
+                'ip_protocol': 'icmp',
+                'from_port': '-1',
+                'to_port': '-1',
+            },
+            'ssh': {
+                'name': 'SSH',
+                'ip_protocol': 'tcp',
+                'from_port': '22',
+                'to_port': '22',
+            },
+            'smtp': {
+                'name': 'SMTP',
+                'ip_protocol': 'tcp',
+                'from_port': '25',
+                'to_port': '25',
+            },
+            'dns': {
+                'name': 'DNS',
+                'ip_protocol': 'tcp',
+                'from_port': '53',
+                'to_port': '53',
+            },
+            'http': {
+                'name': 'HTTP',
+                'ip_protocol': 'tcp',
+                'from_port': '80',
+                'to_port': '80',
+            },
+            'pop3': {
+                'name': 'POP3',
+                'ip_protocol': 'tcp',
+                'from_port': '110',
+                'to_port': '110',
+            },
+            'imap': {
+                'name': 'IMAP',
+                'ip_protocol': 'tcp',
+                'from_port': '143',
+                'to_port': '143',
+            },
+            'ldap': {
+                'name': 'LDAP',
+                'ip_protocol': 'tcp',
+                'from_port': '389',
+                'to_port': '389',
+            },
+            'https': {
+                'name': 'HTTPS',
+                'ip_protocol': 'tcp',
+                'from_port': '443',
+                'to_port': '443',
+            },
+            'smtps': {
+                'name': 'SMTPS',
+                'ip_protocol': 'tcp',
+                'from_port': '465',
+                'to_port': '465',
+            },
+            'imaps': {
+                'name': 'IMAPS',
+                'ip_protocol': 'tcp',
+                'from_port': '993',
+                'to_port': '993',
+            },
+            'pop3s': {
+                'name': 'POP3S',
+                'ip_protocol': 'tcp',
+                'from_port': '995',
+                'to_port': '995',
+            },
+            'ms_sql': {
+                'name': 'MS SQL',
+                'ip_protocol': 'tcp',
+                'from_port': '1433',
+                'to_port': '1433',
+            },
+            'mysql': {
+                'name': 'MYSQL',
+                'ip_protocol': 'tcp',
+                'from_port': '3306',
+                'to_port': '3306',
+            },
+            'rdp': {
+                'name': 'RDP',
+                'ip_protocol': 'tcp',
+                'from_port': '3389',
+                'to_port': '3389',
+            },
+        }
+
+        # Deprecation Notice:
+        #
+        # The setting FLAVOR_EXTRA_KEYS has been deprecated.
+        # Please load extra spec metadata into the Glance Metadata Definition Catalog.
+        #
+        # The sample quota definitions can be found in:
+        # <glance_source>/etc/metadefs/compute-quota.json
+        #
+        # The metadata definition catalog supports CLI and API:
+        #  $glance --os-image-api-version 2 help md-namespace-import
+        #  $glance-manage db_load_metadefs <directory_with_definition_files>
+        #
+        # See Metadata Definitions on: https://docs.openstack.org/glance/latest/
+
+        # Indicate to the Sahara data processing service whether or not
+        # automatic floating IP allocation is in effect.  If it is not
+        # in effect, the user will be prompted to choose a floating IP
+        # pool for use in their cluster.  False by default.  You would want
+        # to set this to True if you were running Nova Networking with
+        # auto_assign_floating_ip = True.
+        #SAHARA_AUTO_IP_ALLOCATION_ENABLED = False
+
+        # The hash algorithm to use for authentication tokens. This must
+        # match the hash algorithm that the identity server and the
+        # auth_token middleware are using. Allowed values are the
+        # algorithms supported by Python's hashlib library.
+        #OPENSTACK_TOKEN_HASH_ALGORITHM = 'md5'
+
+        # AngularJS requires some settings to be made available to
+        # the client side. Some settings are required by in-tree / built-in horizon
+        # features. These settings must be added to REST_API_REQUIRED_SETTINGS in the
+        # form of ['SETTING_1','SETTING_2'], etc.
+        #
+        # You may remove settings from this list for security purposes, but do so at
+        # the risk of breaking a built-in horizon feature. These settings are required
+        # for horizon to function properly. Only remove them if you know what you
+        # are doing. These settings may in the future be moved to be defined within
+        # the enabled panel configuration.
+        # You should not add settings to this list for out of tree extensions.
+        # See: https://wiki.openstack.org/wiki/Horizon/RESTAPI
+        REST_API_REQUIRED_SETTINGS = ['OPENSTACK_HYPERVISOR_FEATURES',
+                                      'LAUNCH_INSTANCE_DEFAULTS',
+                                      'OPENSTACK_IMAGE_FORMATS']
+
+        # Additional settings can be made available to the client side for
+        # extensibility by specifying them in REST_API_ADDITIONAL_SETTINGS
+        # !! Please use extreme caution as the settings are transferred via HTTP/S
+        # and are not encrypted on the browser. This is an experimental API and
+        # may be deprecated in the future without notice.
+        #REST_API_ADDITIONAL_SETTINGS = []
+
+        # DISALLOW_IFRAME_EMBED can be used to prevent Horizon from being embedded
+        # within an iframe. Legacy browsers are still vulnerable to a Cross-Frame
+        # Scripting (XFS) vulnerability, so this option allows extra security hardening
+        # where iframes are not used in deployment. Default setting is True.
+        # For more information see:
+        # http://tinyurl.com/anticlickjack
+        DISALLOW_IFRAME_EMBED = {{ .Values.conf.horizon.local_settings.config.disallow_iframe_embed }}
+
+        STATIC_ROOT = '/var/www/html/horizon'
+
+        {{- range $option, $value := .Values.conf.horizon.local_settings.config.raw }}
+        {{ $option }} = {{ toJson $value }}
+        {{- end }}
+    policy:
+      ceilometer:
+        context_is_admin: 'role:admin'
+        context_is_owner: 'user_id:%(target.user_id)s'
+        context_is_project: 'project_id:%(target.project_id)s'
+        segregation: 'rule:context_is_admin'
+      heat:
+        'actions:action': 'rule:deny_stack_user'
+        'build_info:build_info': 'rule:deny_stack_user'
+        'cloudformation:CancelUpdateStack': 'rule:deny_stack_user'
+        'cloudformation:CreateStack': 'rule:deny_stack_user'
+        'cloudformation:DeleteStack': 'rule:deny_stack_user'
+        'cloudformation:DescribeStackEvents': 'rule:deny_stack_user'
+        'cloudformation:DescribeStackResource': ''
+        'cloudformation:DescribeStackResources': 'rule:deny_stack_user'
+        'cloudformation:DescribeStacks': 'rule:deny_stack_user'
+        'cloudformation:EstimateTemplateCost': 'rule:deny_stack_user'
+        'cloudformation:GetTemplate': 'rule:deny_stack_user'
+        'cloudformation:ListStackResources': 'rule:deny_stack_user'
+        'cloudformation:ListStacks': 'rule:deny_stack_user'
+        'cloudformation:UpdateStack': 'rule:deny_stack_user'
+        'cloudformation:ValidateTemplate': 'rule:deny_stack_user'
+        'cloudwatch:DeleteAlarms': 'rule:deny_stack_user'
+        'cloudwatch:DescribeAlarmHistory': 'rule:deny_stack_user'
+        'cloudwatch:DescribeAlarms': 'rule:deny_stack_user'
+        'cloudwatch:DescribeAlarmsForMetric': 'rule:deny_stack_user'
+        'cloudwatch:DisableAlarmActions': 'rule:deny_stack_user'
+        'cloudwatch:EnableAlarmActions': 'rule:deny_stack_user'
+        'cloudwatch:GetMetricStatistics': 'rule:deny_stack_user'
+        'cloudwatch:ListMetrics': 'rule:deny_stack_user'
+        'cloudwatch:PutMetricAlarm': 'rule:deny_stack_user'
+        'cloudwatch:PutMetricData': ''
+        'cloudwatch:SetAlarmState': 'rule:deny_stack_user'
+        context_is_admin: 'role:admin'
+        deny_everybody: '!'
+        deny_stack_user: 'not role:heat_stack_user'
+        'events:index': 'rule:deny_stack_user'
+        'events:show': 'rule:deny_stack_user'
+        'resource:index': 'rule:deny_stack_user'
+        'resource:mark_unhealthy': 'rule:deny_stack_user'
+        'resource:metadata': ''
+        'resource:show': 'rule:deny_stack_user'
+        'resource:signal': ''
+        'resource_types:OS::Cinder::EncryptedVolumeType': 'rule:context_is_admin'
+        'resource_types:OS::Cinder::VolumeType': 'rule:context_is_admin'
+        'resource_types:OS::Manila::ShareType': 'rule:context_is_admin'
+        'resource_types:OS::Neutron::QoSBandwidthLimitRule': 'rule:context_is_admin'
+        'resource_types:OS::Neutron::QoSPolicy': 'rule:context_is_admin'
+        'resource_types:OS::Nova::Flavor': 'rule:context_is_admin'
+        'resource_types:OS::Nova::HostAggregate': 'rule:context_is_admin'
+        'service:index': 'rule:context_is_admin'
+        'software_configs:create': 'rule:deny_stack_user'
+        'software_configs:delete': 'rule:deny_stack_user'
+        'software_configs:global_index': 'rule:deny_everybody'
+        'software_configs:index': 'rule:deny_stack_user'
+        'software_configs:show': 'rule:deny_stack_user'
+        'software_deployments:create': 'rule:deny_stack_user'
+        'software_deployments:delete': 'rule:deny_stack_user'
+        'software_deployments:index': 'rule:deny_stack_user'
+        'software_deployments:metadata': ''
+        'software_deployments:show': 'rule:deny_stack_user'
+        'software_deployments:update': 'rule:deny_stack_user'
+        'stacks:abandon': 'rule:deny_stack_user'
+        'stacks:create': 'rule:deny_stack_user'
+        'stacks:delete': 'rule:deny_stack_user'
+        'stacks:delete_snapshot': 'rule:deny_stack_user'
+        'stacks:detail': 'rule:deny_stack_user'
+        'stacks:environment': 'rule:deny_stack_user'
+        'stacks:export': 'rule:deny_stack_user'
+        'stacks:generate_template': 'rule:deny_stack_user'
+        'stacks:global_index': 'rule:deny_everybody'
+        'stacks:index': 'rule:deny_stack_user'
+        'stacks:list_outputs': 'rule:deny_stack_user'
+        'stacks:list_resource_types': 'rule:deny_stack_user'
+        'stacks:list_snapshots': 'rule:deny_stack_user'
+        'stacks:list_template_functions': 'rule:deny_stack_user'
+        'stacks:list_template_versions': 'rule:deny_stack_user'
+        'stacks:lookup': ''
+        'stacks:preview': 'rule:deny_stack_user'
+        'stacks:preview_update': 'rule:deny_stack_user'
+        'stacks:preview_update_patch': 'rule:deny_stack_user'
+        'stacks:resource_schema': 'rule:deny_stack_user'
+        'stacks:restore_snapshot': 'rule:deny_stack_user'
+        'stacks:show': 'rule:deny_stack_user'
+        'stacks:show_output': 'rule:deny_stack_user'
+        'stacks:show_snapshot': 'rule:deny_stack_user'
+        'stacks:snapshot': 'rule:deny_stack_user'
+        'stacks:template': 'rule:deny_stack_user'
+        'stacks:update': 'rule:deny_stack_user'
+        'stacks:update_patch': 'rule:deny_stack_user'
+        'stacks:validate_template': 'rule:deny_stack_user'
+    # list of panels to enable for horizon
+    # this requires that the panels are already installed in the horizon image, if they are not
+    # nothing will be added
+    # the name of the panel should be the name of the dir where the panel is installed
+    # for example heat_dashboard, cloudkittydashboard or neutron_taas_dashboard
+    extra_panels:
+      - heat_dashboard
+      - neutron_taas_dashboard
+
+dependencies:
+  dynamic:
+    common:
+      local_image_registry:
+        jobs:
+          - horizon-image-repo-sync
+        services:
+          - endpoint: node
+            service: local_image_registry
+  static:
+    dashboard:
+      jobs:
+        - horizon-db-sync
+      services:
+        - endpoint: internal
+          service: oslo_cache
+        - endpoint: internal
+          service: oslo_db
+        - endpoint: internal
+          service: identity
+    db_drop:
+      services:
+        - endpoint: internal
+          service: oslo_db
+    db_init:
+      services:
+        - endpoint: internal
+          service: oslo_db
+    db_sync:
+      jobs:
+        - horizon-db-init
+      services:
+        - endpoint: internal
+          service: oslo_db
+    image_repo_sync:
+      services:
+        - endpoint: internal
+          service: local_image_registry
+    tests:
+      services:
+        - endpoint: internal
+          service: dashboard
+
+pod:
+  security_context:
+    horizon:
+      pod:
+        runAsUser: 42424
+      container:
+        horizon:
+          readOnlyRootFilesystem: false
+          allowPrivilegeEscalation: false
+          runAsUser: 0
+    db_sync:
+      pod:
+        runAsUser: 42424
+      container:
+        horizon_db_sync:
+          readOnlyRootFilesystem: false
+          allowPrivilegeEscalation: false
+          runAsUser: 0
+    test:
+      pod:
+        runAsUser: 42424
+      container:
+        horizon_test:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+  affinity:
+    anti:
+      type:
+        default: preferredDuringSchedulingIgnoredDuringExecution
+      topologyKey:
+        default: kubernetes.io/hostname
+      weight:
+        default: 10
+  tolerations:
+    horizon:
+      enabled: false
+      tolerations:
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: NoSchedule
+  mounts:
+    horizon_db_init:
+      init_container: null
+      horizon_db_init:
+        volumeMounts:
+        volumes:
+    horizon_db_sync:
+      init_container: null
+      horizon_db_sync:
+        volumeMounts:
+        volumes:
+    horizon:
+      init_container: null
+      horizon:
+        volumeMounts:
+        volumes:
+    horizon_tests:
+      init_container: null
+      horizon_tests:
+        volumeMounts:
+        volumes:
+  replicas:
+    server: 1
+  lifecycle:
+    upgrades:
+      deployments:
+        revision_history: 3
+        pod_replacement_strategy: RollingUpdate
+        rolling_update:
+          max_unavailable: 1
+          max_surge: 3
+    disruption_budget:
+      horizon:
+        min_available: 0
+    termination_grace_period:
+      horizon:
+        timeout: 30
+  resources:
+    enabled: false
+    server:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+    jobs:
+      db_init:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      db_sync:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      db_drop:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      image_repo_sync:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      tests:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+
+# Names of secrets used by bootstrap and environmental checks
+secrets:
+  identity:
+    admin: horizon-keystone-admin
+  oslo_db:
+    admin: horizon-db-admin
+    horizon: horizon-db-user
+  tls:
+    dashboard:
+      dashboard:
+        public: horizon-tls-public
+        internal: horizon-tls-web
+
+# typically overridden by environmental
+# values, but should include all endpoints
+# required by this chart
+endpoints:
+  cluster_domain_suffix: cluster.local
+  local_image_registry:
+    name: docker-registry
+    namespace: docker-registry
+    hosts:
+      default: localhost
+      internal: docker-registry
+      node: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        node: 5000
+  identity:
+    name: keystone
+    auth:
+      admin:
+        region_name: RegionOne
+        username: admin
+        password: password
+        project_name: admin
+        user_domain_name: default
+        project_domain_name: default
+    hosts:
+      default: keystone
+      internal: keystone-api
+    host_fqdn_override:
+      default: null
+    path:
+      default: /v3
+    scheme:
+      default: http
+    port:
+      api:
+        default: 80
+        internal: 5000
+  oslo_cache:
+    hosts:
+      default: memcached
+    host_fqdn_override:
+      default: null
+    port:
+      memcache:
+        default: 11211
+  dashboard:
+    name: horizon
+    hosts:
+      default: horizon-int
+      public: horizon
+    host_fqdn_override:
+      default: null
+      # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
+      # endpoints using the following format:
+      # public:
+      #   host: null
+      #   tls:
+      #     crt: null
+      #     key: null
+    path:
+      default: null
+    scheme:
+      default: http
+    port:
+      web:
+        default: 80
+  oslo_db:
+    auth:
+      admin:
+        username: root
+        password: password
+        secret:
+          tls:
+            internal: mariadb-tls-direct
+      horizon:
+        username: horizon
+        password: password
+    hosts:
+      default: mariadb
+    host_fqdn_override:
+      default: null
+    path: /horizon
+    scheme: mysql+pymysql
+    port:
+      mysql:
+        default: 3306
+  # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
+  # They are using to enable the Egress K8s network policy.
+  kube_dns:
+    namespace: kube-system
+    name: kubernetes-dns
+    hosts:
+      default: kube-dns
+    host_fqdn_override:
+      default: null
+    path:
+      default: null
+    scheme: http
+    port:
+      dns:
+        default: 53
+        protocol: UDP
+  ingress:
+    namespace: null
+    name: ingress
+    hosts:
+      default: ingress
+    port:
+      ingress:
+        default: 80
+
+network_policy:
+  horizon:
+    ingress:
+      - {}
+    egress:
+      - {}
+
+# NOTE(helm_hook): helm_hook might break for helm2 binary.
+# set helm3_hook: false when using the helm2 binary.
+helm3_hook: true
+
+manifests:
+  certificates: false
+  configmap_bin: true
+  configmap_etc: true
+  configmap_logo: false
+  deployment: true
+  ingress_api: true
+  job_db_init: true
+  job_db_sync: true
+  job_db_drop: false
+  job_image_repo_sync: true
+  pdb: true
+  pod_helm_test: true
+  network_policy: false
+  secret_db: true
+  secret_ingress_tls: true
+  secret_keystone: true
+  service_ingress: true
+  service: true
+...
diff --git a/charts/keystone/.helmignore b/charts/keystone/.helmignore
new file mode 100644
index 0000000..b54c347
--- /dev/null
+++ b/charts/keystone/.helmignore
@@ -0,0 +1 @@
+values_overrides
diff --git a/charts/keystone/Chart.yaml b/charts/keystone/Chart.yaml
new file mode 100644
index 0000000..8d5fadc
--- /dev/null
+++ b/charts/keystone/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Keystone
+home: https://docs.openstack.org/keystone/latest/
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/Keystone/OpenStack_Project_Keystone_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: keystone
+sources:
+- https://opendev.org/openstack/keystone
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.19
diff --git a/charts/keystone/charts/helm-toolkit/Chart.yaml b/charts/keystone/charts/helm-toolkit/Chart.yaml
new file mode 100644
index 0000000..ffa1cdc
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Helm-Toolkit
+home: https://docs.openstack.org/openstack-helm
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: helm-toolkit
+sources:
+- https://opendev.org/openstack/openstack-helm-infra
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.36
diff --git a/charts/keystone/charts/helm-toolkit/requirements.yaml b/charts/keystone/charts/helm-toolkit/requirements.yaml
new file mode 100644
index 0000000..27fb08a
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/requirements.yaml
@@ -0,0 +1,15 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies: []
+...
diff --git a/charts/keystone/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl b/charts/keystone/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..12b84de
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
@@ -0,0 +1,58 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves database, or basic auth, style endpoints
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      auth:
+        admin:
+          username: root
+          password: password
+        service_username:
+          username: username
+          password: password
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+      path: /dbname
+      scheme: mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "service_username" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+return: |
+  mysql+pymysql://serviceuser:password@mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s:%s@%s:%s%s" $endpointScheme $endpointUser $endpointPass $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl b/charts/keystone/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..b7cf287
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
@@ -0,0 +1,121 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves endpoint string suitible for use with oslo.messaging transport url
+  See: https://docs.openstack.org/oslo.messaging/latest/reference/transport.html#oslo_messaging.TransportURL
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset:
+            replicas: 2
+            name: rabbitmq-rabbitmq
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: null
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq-rabbitmq-0.rabbitmq.default.svc.cluster.local:5672,cinder:password@rabbitmq-rabbitmq-1.rabbitmq.default.svc.cluster.local:5672/cinder
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset: null
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: null
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq.default.svc.cluster.local:5672/cinder
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset:
+            replicas: 2
+            name: rabbitmq-rabbitmq
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: rabbitmq.openstackhelm.org
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq.openstackhelm.org:5672/cinder
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" -}}
+{{-   $type := index . 0 -}}
+{{-   $endpoint := index . 1 -}}
+{{-   $userclass := index . 2 -}}
+{{-   $port := index . 3 -}}
+{{-   $context := index . 4 -}}
+{{-   $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{-   $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{-   $ssMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "statefulset" | default false}}
+{{-   $hostFqdnOverride := index $context.Values.endpoints ( $type | replace "-" "_" ) "host_fqdn_override" }}
+{{-   $endpointUser := index $userMap "username" }}
+{{-   $endpointPass := index $userMap "password" }}
+{{-   $endpointHostSuffix := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{-   $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{-   $local := dict "endpointCredsAndHosts" list -}}
+{{-   if not (or (index $hostFqdnOverride $endpoint | default ( index $hostFqdnOverride "default" ) ) ( not $ssMap ) ) }}
+{{-     $endpointHostPrefix := $ssMap.name }}
+{{-     range $podInt := until ( atoi (print $ssMap.replicas ) ) }}
+{{-       $endpointCredAndHost := printf "%s:%s@%s-%d.%s:%s" $endpointUser $endpointPass $endpointHostPrefix $podInt $endpointHostSuffix $endpointPort }}
+{{-       $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{-     end }}
+{{-   else }}
+{{-     $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{-     $endpointCredAndHost := printf "%s:%s@%s:%s" $endpointUser $endpointPass $endpointHost $endpointPort }}
+{{-     $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{-   end }}
+{{-   $endpointCredsAndHosts := include "helm-toolkit.utils.joinListWithComma" $local.endpointCredsAndHosts }}
+{{-   $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{-   printf "%s://%s%s" $endpointScheme $endpointCredsAndHosts $endpointPath }}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl b/charts/keystone/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
new file mode 100644
index 0000000..fb8bbe7
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves either the fully qualified hostname, of if defined in the host field
+  IPv4 for an endpoint.
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default:
+             host: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: 127.0.0.1
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      127.0.0.1
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default:
+             host: 127.0.0.1
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      127.0.0.1
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_host_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl b/charts/keystone/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
new file mode 100644
index 0000000..447efe7
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
@@ -0,0 +1,41 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the port for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+return: |
+  3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_port_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- $endpointPortMAP := index $endpointMap.port $port }}
+{{- $endpointPort := index $endpointPortMAP $endpoint | default ( index $endpointPortMAP "default" ) }}
+{{- printf "%1.f" $endpointPort -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl b/charts/keystone/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
new file mode 100644
index 0000000..3a268c0
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
@@ -0,0 +1,36 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Gets the token for an endpoint
+values: |
+  endpoints:
+    keystone:
+      auth:
+        admin:
+          token: zh78JzXgw6YUKy2e
+usage: |
+  {{ tuple "keystone" "admin" . | include "helm-toolkit.endpoints.endpoint_token_lookup" }}
+return: |
+  zh78JzXgw6YUKy2e
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_token_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $userName := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" }}
+{{- printf "%s" $serviceToken -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl b/charts/keystone/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..6877b7b
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
@@ -0,0 +1,59 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves 'hostname:port' for an endpoint
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+          port:
+            mysql:
+              default: 3306
+    usage: |
+      {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local:3306
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: 127.0.0.1
+          host_fqdn_override:
+            default: null
+          port:
+            mysql:
+              default: 3306
+    usage: |
+      {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+    return: |
+      127.0.0.1:3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- printf "%s:%s" $endpointHostname $endpointPort -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl b/charts/keystone/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
new file mode 100644
index 0000000..26374e3
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the fully qualified hostname for an endpoint
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: mariadb.openstackhelm.openstack.org
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.openstackhelm.openstack.org
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default:
+              host: mariadb.openstackhelm.openstack.org
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.openstackhelm.openstack.org
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointHostNamespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.svc.%s" $endpointHostNamespaced $context.Values.endpoints.cluster_domain_suffix }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $endpointMap.host_fqdn_override "default" | default "" ) }}
+{{- if kindIs "map" $context.Values.__FQDNendpointHostDefault }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $context.Values.__FQDNendpointHostDefault "host" ) }}
+{{- end }}
+{{- if kindIs "map" (index $endpointMap.host_fqdn_override $endpoint) }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint "host" | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl b/charts/keystone/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
new file mode 100644
index 0000000..9d60393
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
@@ -0,0 +1,40 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the namespace scoped hostname for an endpoint
+values: |
+  endpoints:
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+return: |
+  mariadb.default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.%s" $endpointHost $namespace }}
+{{- printf "%s" $endpointClusterHostname -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl b/charts/keystone/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
new file mode 100644
index 0000000..cc4d4de
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the namespace scoped hostname for an endpoint
+values: |
+  endpoints:
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" }}
+return: |
+  default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- printf "%s" $namespace -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl b/charts/keystone/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
new file mode 100644
index 0000000..f23c624
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the short hostname for an endpoint
+examples:
+  - values: |
+      endpoints:
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+    return: |
+      mariadb
+  - values: |
+      endpoints:
+        oslo_db:
+          hosts:
+            default:
+              host: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+    return: |
+      mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- printf "%s" $type -}}
+{{- else }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl b/charts/keystone/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
new file mode 100644
index 0000000..e31c0eb
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the service name for an service type
+values: |
+  endpoints:
+    identity:
+      name: keystone
+usage: |
+  {{ tuple identity . | include "keystone_endpoint_name_lookup" }}
+return: |
+  "keystone"
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_name_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointName := index $endpointMap "name" }}
+{{- $endpointName | quote -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl b/charts/keystone/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
new file mode 100644
index 0000000..b2ec648
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+  Resolves the path for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      path:
+       default: /dbname
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+return: |
+  /dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_path_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.path }}
+{{- printf "%s" $endpointMap.path | default "/" -}}
+{{- else -}}
+{{- $endpointPath := index $endpointMap.path $endpoint | default $endpointMap.path.default | default "/" }}
+{{- printf "%s" $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl b/charts/keystone/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
new file mode 100644
index 0000000..b35cb0b
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+  Resolves the scheme for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      scheme:
+        default:
+          mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+return: |
+  mysql+pymysql
+*/}}
+
+# This function returns the scheme for a service, it takes an tuple
+# input in the form: service-type, endpoint-class, port-name. eg:
+# { tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_scheme_lookup" }
+# will return the scheme setting for this particular endpoint.  In other words, for most endpoints
+# it will return either 'http' or 'https'
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.scheme }}
+{{- printf "%s" $endpointMap.scheme | default "http" -}}
+{{- else -}}
+{{- $endpointScheme := index $endpointMap.scheme $endpoint | default $endpointMap.scheme.default | default "http" }}
+{{- printf "%s" $endpointScheme -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl b/charts/keystone/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..8d0819c
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
@@ -0,0 +1,52 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  This function helps resolve uri style endpoints. It will omit the port for
+  http when 80 is used, and 443 in the case of https.
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+      path: /dbname
+      scheme: mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+return: |
+  mysql+pymysql://mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- if or ( and ( eq $endpointScheme "http" ) ( eq $endpointPort "80" ) ) ( and ( eq $endpointScheme "https" ) ( eq $endpointPort "443" ) ) -}}
+{{- printf "%s://%s%s" $endpointScheme $endpointHost $endpointPath -}}
+{{- else -}}
+{{- printf "%s://%s:%s%s" $endpointScheme $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl b/charts/keystone/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
new file mode 100644
index 0000000..cf2ef38
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  This function returns endpoint "<namespace>:<name>" pair from an endpoint
+  definition. This is used in kubernetes-entrypoint to support dependencies
+  between different services in different namespaces.
+  returns: the endpoint namespace and the service name, delimited by a colon
+
+  Normally, the service name is constructed dynamically from the hostname
+  however when an ip address is used as the hostname, we default to
+  namespace:endpointCategoryName in order to construct a valid service name
+  however this can be overridden to a custom service name by defining
+  .service.name within the endpoint definition
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      namespace: foo
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple oslo_db internal . | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}
+return: |
+  foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- with $endpointMap -}}
+{{- $endpointName := index .hosts $endpoint | default .hosts.default }}
+{{- $endpointNamespace := .namespace | default $context.Release.Namespace }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointName }}
+{{- if .service.name }}
+{{- printf "%s:%s" $endpointNamespace .service.name -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $typeYamlSafe -}}
+{{- end -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $endpointName -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl b/charts/keystone/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
new file mode 100644
index 0000000..18453ee
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for kubernete ceph storageclass
+examples:
+  - values: |
+      manifests:
+        storageclass: true
+      storageclass:
+        rbd:
+          provision_storage_class: true
+          provisioner: "ceph.com/rbd"
+          metadata:
+            default_storage_class: true
+            name: general
+          parameters:
+            #We will grab the monitors value based on helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup
+            pool: rbd
+            admin_id: admin
+            ceph_configmap_name: "ceph-etc"
+            admin_secret_name: "pvc-ceph-conf-combined-storageclass"
+            admin_secret_namespace: ceph
+            user_id: admin
+            user_secret_name: "pvc-ceph-client-key"
+            image_format: "2"
+            image_features: layering
+        cephfs:
+          provision_storage_class: true
+          provisioner: "ceph.com/cephfs"
+          metadata:
+            name: cephfs
+          parameters:
+            admin_id: admin
+            admin_secret_name: "pvc-ceph-cephfs-client-key"
+            admin_secret_namespace: ceph
+    usage: |
+      {{- range $storageclass, $val := .Values.storageclass }}
+      {{ dict "storageclass_data" $val "envAll" $ | include "helm-toolkit.manifests.ceph-storageclass" }}
+      {{- end }}
+    return: |
+      ---
+      apiVersion: storage.k8s.io/v1
+      kind: StorageClass
+      metadata:
+        annotations:
+          storageclass.kubernetes.io/is-default-class: "true"
+        name: general
+      provisioner: ceph.com/rbd
+      parameters:
+        monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+        adminId: admin
+        adminSecretName: pvc-ceph-conf-combined-storageclass
+        adminSecretNamespace: ceph
+        pool: rbd
+        userId: admin
+        userSecretName: pvc-ceph-client-key
+        image_format: "2"
+        image_features: layering
+      ---
+      apiVersion: storage.k8s.io/v1
+      kind: StorageClass
+      metadata:
+        name: cephfs
+      provisioner: ceph.com/cephfs
+      parameters:
+        monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+        adminId: admin
+        adminSecretName: pvc-ceph-cephfs-client-key
+        adminSecretNamespace: ceph
+*/}}
+
+{{- define "helm-toolkit.manifests.ceph-storageclass" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $monHost := $envAll.Values.conf.ceph.global.mon_host -}}
+{{- if empty $monHost -}}
+{{- $monHost = tuple "ceph_mon" "internal" "mon" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- end -}}
+{{- $storageclassData := index . "storageclass_data" -}}
+---
+{{- if $storageclassData.provision_storage_class }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+{{- if $storageclassData.metadata.default_storage_class }}
+  annotations:
+    storageclass.kubernetes.io/is-default-class: "true"
+{{- end }}
+  name: {{ $storageclassData.metadata.name }}
+provisioner: {{ $storageclassData.provisioner }}
+parameters:
+  monitors: {{ $monHost }}
+{{- range $attr, $value := $storageclassData.parameters }}
+  {{ $attr }}: {{ $value | quote }}
+{{- end }}
+allowVolumeExpansion: true
+
+{{- end }}
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/manifests/_certificates.tpl b/charts/keystone/charts/helm-toolkit/templates/manifests/_certificates.tpl
new file mode 100644
index 0000000..8be771e
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/manifests/_certificates.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a certificate using jetstack
+examples:
+  - values: |
+      endpoints:
+        dashboard:
+          host_fqdn_override:
+            default:
+              host: null
+              tls:
+                secretName: keystone-tls-api
+                issuerRef:
+                  name: ca-issuer
+                  duration: 2160h
+                  organization:
+                    - ACME
+                  commonName: keystone-api.openstack.svc.cluster.local
+                  privateKey:
+                    size: 2048
+                  usages:
+                    - server auth
+                    - client auth
+                  dnsNames:
+                    - cluster.local
+                  issuerRef:
+                    name: ca-issuer
+    usage: |
+      {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
+      {{ $opts | include "helm-toolkit.manifests.certificates" }}
+    return: |
+      ---
+      apiVersion: cert-manager.io/v1
+      kind: Certificate
+      metadata:
+        name: keystone-tls-api
+        namespace: NAMESPACE
+      spec:
+        commonName: keystone-api.openstack.svc.cluster.local
+        dnsNames:
+        - cluster.local
+        duration: 2160h
+        issuerRef:
+          name: ca-issuer
+        privateKey:
+          size: 2048
+        organization:
+        - ACME
+        secretName: keystone-tls-api
+        usages:
+        - server auth
+        - client auth
+*/}}
+
+{{- define "helm-toolkit.manifests.certificates" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $service := index . "service" -}}
+{{- $type := index . "type" | default "" -}}
+{{- $slice := index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" -}}
+{{/* Put in some sensible default value if one is not provided by values.yaml */}}
+{{/* If a dnsNames list is not in the values.yaml, it can be overridden by a passed-in parameter.
+  This allows user to use other HTK method to determine the URI and pass that into this method.*/}}
+{{- if not (hasKey $slice "dnsNames") -}}
+{{- $hostName := tuple $service $type $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
+{{- $_ := $dnsNames | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "dnsNames" -}}
+{{- end -}}
+{{/* Default privateKey size to 4096. This can be overridden. */}}
+{{- if not (hasKey $slice "privateKey") -}}
+{{- $_ := dict "size" ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "privateKey" -}}
+{{- else if empty (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey" "size") -}}
+{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey") "size" -}}
+{{- end -}}
+{{/* Default duration to 3 months. Note the min is 720h. This can be overridden. */}}
+{{- if not (hasKey $slice "duration") -}}
+{{- $_ := printf "%s" "2190h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "duration" -}}
+{{- end -}}
+{{/* Default renewBefore to 15 days. This can be overridden. */}}
+{{- if not (hasKey $slice "renewBefore") -}}
+{{- $_ := printf "%s" "360h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "renewBefore" -}}
+{{- end -}}
+{{/* Default the usage to server auth and client auth. This can be overridden. */}}
+{{- if not (hasKey $slice "usages") -}}
+{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}}
+{{- end -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }}
+  namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{ $slice | toYaml | indent 2 }}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/keystone/charts/helm-toolkit/templates/manifests/_ingress.tpl
new file mode 100644
index 0000000..c1693aa
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -0,0 +1,727 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a services ingress rules.
+examples:
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public: barbican
+          host_fqdn_override:
+            default: null
+            public:
+              host: barbican.openstackhelm.example
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican-namespace-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican.openstackhelm.example
+        rules:
+          - host: barbican.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican-cluster-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx-cluster"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican.openstackhelm.example
+        rules:
+          - host: barbican.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  - values: |
+      cert_issuer_type: issuer
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/secure-backends: "true"
+              nginx.ingress.kubernetes.io/backend-protocol: "https"
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+              internal: barbican-tls-api
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+          certs:
+            barbican_tls_api:
+              secretName: barbican-tls-api
+              issuerRef:
+                name: ca-issuer
+                kind: Issuer
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          cert-manager.io/issuer: ca-issuer
+          certmanager.k8s.io/issuer: ca-issuer
+          nginx.ingress.kubernetes.io/backend-protocol: https
+          nginx.ingress.kubernetes.io/secure-backends: "true"
+      spec:
+        tls:
+          - secretName: barbican-tls-public-certmanager
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/secure-backends: "true"
+              nginx.ingress.kubernetes.io/backend-protocol: "https"
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+              internal: barbican-tls-api
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+          certs:
+            barbican_tls_api:
+              secretName: barbican-tls-api
+              issuerRef:
+                name: ca-issuer
+                kind: ClusterIssuer
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer") -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          cert-manager.io/cluster-issuer: ca-issuer
+          certmanager.k8s.io/cluster-issuer: ca-issuer
+          nginx.ingress.kubernetes.io/backend-protocol: https
+          nginx.ingress.kubernetes.io/secure-backends: "true"
+      spec:
+        tls:
+          - secretName: barbican-tls-public-certmanager
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  # Sample usage for multiple DNS names associated with the same public
+  # endpoint and certificate
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        grafana:
+          name: grafana
+          hosts:
+            default: grafana-dashboard
+            public: grafana
+          host_fqdn_override:
+            public:
+              host: grafana.openstackhelm.example
+              tls:
+                dnsNames:
+                  - grafana-alt.openstackhelm.example
+                crt: "BASE64 ENCODED CERT"
+                key: "BASE64 ENCODED KEY"
+      network:
+        grafana:
+          ingress:
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          grafana:
+            grafana:
+              public: grafana-tls-public
+    usage: |
+      {{- $ingressOpts := dict "envAll" . "backendService" "grafana" "backendServiceType" "grafana" "backendPort" "dashboard" -}}
+      {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        rules:
+          - host: grafana
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana-namespace-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: grafana-tls-public
+            hosts:
+              - grafana.openstackhelm.example
+              - grafana-alt.openstackhelm.example
+        rules:
+          - host: grafana.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana-alt.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana-cluster-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx-cluster"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: grafana-tls-public
+            hosts:
+              - grafana.openstackhelm.example
+              - grafana-alt.openstackhelm.example
+        rules:
+          - host: grafana.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana-alt.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+
+*/}}
+
+{{- define "helm-toolkit.manifests.ingress._host_rules" -}}
+{{- $vHost := index . "vHost" -}}
+{{- $backendName := index . "backendName" -}}
+{{- $backendPort := index . "backendPort" -}}
+- host: {{ $vHost }}
+  http:
+    paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: {{ $backendName }}
+            port:
+{{- if or (kindIs "int" $backendPort) (regexMatch "^[0-9]{1,5}$" $backendPort) }}
+              number: {{ $backendPort | int }}
+{{- else }}
+              name: {{ $backendPort | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "helm-toolkit.manifests.ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendService := index . "backendService" | default "api" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+{{- $backendPort := index . "backendPort" -}}
+{{- $endpoint := index . "endpoint" | default "public" -}}
+{{- $certIssuer := index . "certIssuer" | default "" -}}
+{{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostNameFull := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $certIssuerType := "cluster-issuer" -}}
+{{- if $envAll.Values.cert_issuer_type }}
+{{- $certIssuerType = $envAll.Values.cert_issuer_type }}
+{{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $ingressName }}
+  annotations:
+    kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" "namespace" | quote }}
+{{- if $certIssuer }}
+    cert-manager.io/{{ $certIssuerType }}: {{ $certIssuer }}
+    certmanager.k8s.io/{{ $certIssuerType }}: {{ $certIssuer }}
+{{- $slice := index $envAll.Values.endpoints $backendServiceType "host_fqdn_override" "default" "tls" -}}
+{{- if (hasKey $slice "duration") }}
+    cert-manager.io/duration: {{ index $slice "duration" }}
+{{- end }}
+{{- end }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "hosts" }}
+{{- if $certIssuer }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ printf "%s-ing" $secretName }}
+      hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+        - {{ $vHost }}
+{{- end }}
+{{- else }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ $secretName }}
+      hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+        - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+  rules:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+{{- $hostRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
+{{- range $key2, $ingressController := tuple "namespace" "cluster" }}
+{{- $vHosts := list $hostNameFull }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ printf "%s-%s-%s" $ingressName $ingressController "fqdn" }}
+  annotations:
+    kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" $ingressController | quote }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
+{{- $vHosts = append $vHosts $v }}
+{{- end }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ $secretName }}
+      hosts:
+{{- range $vHost := $vHosts }}
+        - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+  rules:
+{{- range $vHost := $vHosts }}
+{{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/charts/keystone/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
new file mode 100644
index 0000000..5d98c8b
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
@@ -0,0 +1,141 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $bootstrapJob := dict "envAll" . "serviceName" "senlin" -}
+# { $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }
+
+{{- define "helm-toolkit.manifests.job_bootstrap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}}
+{{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $keystoneUser := index . "keystoneUser" | default $serviceName -}}
+{{- $openrc := index . "openrc" | default "true" -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "bootstrap" }}
+{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "bootstrap" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+      containers:
+        - name: bootstrap
+          image: {{ $envAll.Values.images.tags.bootstrap }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if eq $openrc "true" }}
+          env:
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+{{- end }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/bootstrap.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: bootstrap-sh
+              mountPath: /tmp/bootstrap.sh
+              subPath: bootstrap.sh
+              readOnly: true
+            - name: etc-service
+              mountPath: {{ dir $configFile | quote }}
+            - name: bootstrap-conf
+              mountPath: {{ $configFile | quote }}
+              subPath: {{ base $configFile | quote }}
+              readOnly: true
+            - name: bootstrap-conf
+              mountPath: {{ $logConfigFile | quote }}
+              subPath: {{ base $logConfigFile | quote }}
+              readOnly: true
+{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: bootstrap-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etc-service
+          emptyDir: {}
+        - name: bootstrap-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/charts/keystone/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
new file mode 100644
index 0000000..62ed119
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
@@ -0,0 +1,170 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToDropJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_drop_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToDrop := index . "dbToDrop" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToDrop := default (list $dbToDrop) (index . "dbsToDrop") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
+{{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-drop" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": hook-succeeded
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_drop" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_drop" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{ $dbToDropType := default "oslo" $dbToDrop.inputType }}
+        - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-drop" $key1 | quote }}
+          image: {{ $envAll.Values.images.tags.db_drop }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_drop | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: ROOT_DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToDrop.adminSecret | quote }}
+                  key: DB_CONNECTION
+{{- if eq $dbToDropType "oslo" }}
+            - name: OPENSTACK_CONFIG_FILE
+              value: {{ $dbToDrop.configFile | quote }}
+            - name: OPENSTACK_CONFIG_DB_SECTION
+              value: {{ $dbToDrop.configDbSection | quote }}
+            - name: OPENSTACK_CONFIG_DB_KEY
+              value: {{ $dbToDrop.configDbKey | quote }}
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+            - name: MARIADB_X509
+              value: "REQUIRE X509"
+{{- end }}
+{{- if eq $dbToDropType "secret" }}
+            - name: DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToDrop.userSecret | quote }}
+                  key: DB_CONNECTION
+{{- end }}
+          command:
+            - /tmp/db-drop.py
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-drop-sh
+              mountPath: /tmp/db-drop.py
+              subPath: db-drop.py
+              readOnly: true
+
+{{- if eq $dbToDropType "oslo" }}
+            - name: etc-service
+              mountPath: {{ dir $dbToDrop.configFile | quote }}
+            - name: db-drop-conf
+              mountPath: {{ $dbToDrop.configFile | quote }}
+              subPath: {{ base $dbToDrop.configFile | quote }}
+              readOnly: true
+            - name: db-drop-conf
+              mountPath: {{ $dbToDrop.logConfigFile | quote }}
+              subPath: {{ base $dbToDrop.logConfigFile | quote }}
+              readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-drop-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{- $dbToDropType := default "oslo" $dbToDrop.inputType }}
+{{- if and (eq $dbToDropType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-drop-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/charts/keystone/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
new file mode 100644
index 0000000..745e8da
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
@@ -0,0 +1,169 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToInitJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_init_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToInit := index . "dbToInit" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToInit := default (list $dbToInit) (index . "dbsToInit") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
+{{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-init" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{ $dbToInitType := default "oslo" $dbToInit.inputType }}
+        - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-init" $key1 | quote }}
+          image: {{ $envAll.Values.images.tags.db_init }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: ROOT_DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToInit.adminSecret | quote }}
+                  key: DB_CONNECTION
+{{- if eq $dbToInitType "oslo" }}
+            - name: OPENSTACK_CONFIG_FILE
+              value: {{ $dbToInit.configFile | quote }}
+            - name: OPENSTACK_CONFIG_DB_SECTION
+              value: {{ $dbToInit.configDbSection | quote }}
+            - name: OPENSTACK_CONFIG_DB_KEY
+              value: {{ $dbToInit.configDbKey | quote }}
+{{- end }}
+{{- if eq $dbToInitType "secret" }}
+            - name: DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToInit.userSecret | quote }}
+                  key: DB_CONNECTION
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+            - name: MARIADB_X509
+              value: "REQUIRE X509"
+{{- end }}
+          command:
+            - /tmp/db-init.py
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-init-sh
+              mountPath: /tmp/db-init.py
+              subPath: db-init.py
+              readOnly: true
+{{- if eq $dbToInitType "oslo" }}
+            - name: etc-service
+              mountPath: {{ dir $dbToInit.configFile | quote }}
+            - name: db-init-conf
+              mountPath: {{ $dbToInit.configFile | quote }}
+              subPath: {{ base $dbToInit.configFile | quote }}
+              readOnly: true
+            - name: db-init-conf
+              mountPath: {{ $dbToInit.logConfigFile | quote }}
+              subPath: {{ base $dbToInit.logConfigFile | quote }}
+              readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-init-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{- $dbToInitType := default "oslo" $dbToInit.inputType }}
+{{- if and (eq $dbToInitType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-init-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl b/charts/keystone/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
new file mode 100644
index 0000000..24d2496
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
@@ -0,0 +1,137 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db migration and management.
+# It can be used in charts dict created similar to the following:
+# {- $dbSyncJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }
+
+{{- define "helm-toolkit.manifests.job_db_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $podEnvVars := index . "podEnvVars" | default false -}}
+{{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "image" ( index $envAll.Values.images.tags ( printf "%s_db_sync" $serviceName )) ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
+{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+          image: {{ $dbToSync.image | quote }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if $podEnvVars }}
+          env:
+{{ $podEnvVars | toYaml | indent 12 }}
+{{- end }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/db-sync.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-sync-sh
+              mountPath: /tmp/db-sync.sh
+              subPath: db-sync.sh
+              readOnly: true
+            - name: etc-service
+              mountPath: {{ dir $dbToSync.configFile | quote }}
+            - name: db-sync-conf
+              mountPath: {{ $dbToSync.configFile | quote }}
+              subPath: {{ base $dbToSync.configFile | quote }}
+              readOnly: true
+            - name: db-sync-conf
+              mountPath: {{ $dbToSync.logConfigFile | quote }}
+              subPath: {{ base $dbToSync.logConfigFile | quote }}
+              readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-sync-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-sync-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/charts/keystone/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
new file mode 100644
index 0000000..3a7df7f
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
@@ -0,0 +1,130 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksEndpointJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksEndpointJob | include "helm-toolkit.manifests.job_ks_endpoints" }
+
+{{- define "helm-toolkit.manifests.job_ks_endpoints" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_endpoints" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_endpoints.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-endpoints" }}
+{{ tuple $envAll "ks_endpoints" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "ks-endpoints" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_endpoints" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_endpoints" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+        - name: {{ printf "%s-%s-%s" $osServiceType "ks-endpoints" $osServiceEndPoint | quote }}
+          image: {{ $envAll.Values.images.tags.ks_endpoints }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-endpoints.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-endpoints-sh
+              mountPath: /tmp/ks-endpoints.sh
+              subPath: ks-endpoints.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: OS_SVC_ENDPOINT
+              value: {{ $osServiceEndPoint | quote }}
+            - name: OS_SERVICE_NAME
+              value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+            - name: OS_SERVICE_TYPE
+              value: {{ $osServiceType | quote }}
+            - name: OS_SERVICE_ENDPOINT
+              value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-endpoints-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl b/charts/keystone/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
new file mode 100644
index 0000000..a109e3c
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
@@ -0,0 +1,124 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksServiceJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }
+
+{{- define "helm-toolkit.manifests.job_ks_service" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_service" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_service.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-service" }}
+{{ tuple $envAll "ks_service" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "ks-service" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_service" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_service" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+        - name: {{ printf "%s-%s" $osServiceType "ks-service-registration" | quote }}
+          image: {{ $envAll.Values.images.tags.ks_service }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-service.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-service-sh
+              mountPath: /tmp/ks-service.sh
+              subPath: ks-service.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: OS_SERVICE_NAME
+              value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+            - name: OS_SERVICE_TYPE
+              value: {{ $osServiceType | quote }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-service-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/charts/keystone/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
new file mode 100644
index 0000000..905eb71
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone user management.
+# It can be used in charts dict created similar to the following:
+# {- $ksUserJob := dict "envAll" . "serviceName" "senlin" }
+# { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }
+
+{{/*
+  # To enable PodSecuritycontext (PodSecurityContext/v1) define the below in values.yaml:
+  # example:
+  #  values: |
+  #    pod:
+  #      security_context:
+  #        ks_user:
+  #          pod:
+  #            runAsUser: 65534
+  # To enable Container SecurityContext(SecurityContext/v1) for ks-user container define the values:
+  # example:
+  #   values: |
+  #     pod:
+  #       security_context:
+  #         ks_user:
+  #           container:
+  #             ks-user:
+  #               runAsUser: 65534
+  #               readOnlyRootFilesystem: true
+  #               allowPrivilegeEscalation: false
+*/}}
+
+{{- define "helm-toolkit.manifests.job_ks_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_user" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_user.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "ks-user" }}
+{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceUserPretty "ks-user" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+{{ dict "envAll" $envAll "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: ks-user
+          image: {{ $envAll.Values.images.tags.ks_user }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ks_user" "container" "ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-user.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-user-sh
+              mountPath: /tmp/ks-user.sh
+              subPath: ks-user.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: SERVICE_OS_SERVICE_NAME
+              value: {{ $serviceName | quote }}
+{{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: SERVICE_OS_ROLES
+            {{- $serviceOsRoles := index $envAll.Values.endpoints.identity.auth $serviceUser "role" }}
+            {{- if kindIs "slice" $serviceOsRoles }}
+              value: {{ include "helm-toolkit.utils.joinListWithComma" $serviceOsRoles | quote }}
+            {{- else }}
+              value: {{ $serviceOsRoles | quote }}
+            {{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-user-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/charts/keystone/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
new file mode 100644
index 0000000..6982064
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
@@ -0,0 +1,129 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.manifests.job_rabbit_init" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
+{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceUserPretty "rabbit-init" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "rabbit_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "rabbit_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: rabbit-init
+          image: {{ $envAll.Values.images.tags.rabbit_init | quote }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.rabbit_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/rabbit-init.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: rabbit-init-sh
+              mountPath: /tmp/rabbit-init.sh
+              subPath: rabbit-init.sh
+              readOnly: true
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+          env:
+          - name: RABBITMQ_ADMIN_CONNECTION
+            valueFrom:
+              secretKeyRef:
+                name: {{ $envAll.Values.secrets.oslo_messaging.admin }}
+                key: RABBITMQ_CONNECTION
+          - name: RABBITMQ_USER_CONNECTION
+            valueFrom:
+              secretKeyRef:
+                name: {{ index $envAll.Values.secrets.oslo_messaging $serviceName }}
+                key: RABBITMQ_CONNECTION
+{{- if $envAll.Values.conf.rabbitmq }}
+          - name: RABBITMQ_AUXILIARY_CONFIGURATION
+            value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates (ne $tlsSecret "") }}
+          - name: RABBITMQ_X509
+            value: "REQUIRE X509"
+          - name: USER_CERT_PATH
+            value: {{ $tlsPath | quote }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: rabbit-init-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl b/charts/keystone/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
new file mode 100644
index 0000000..29cb993
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
@@ -0,0 +1,147 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for linking an s3 bucket to an s3 user.
+# It can be used in charts dict created similar to the following:
+# {- $s3BucketJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3BucketJob | include "helm-toolkit.manifests.job_s3_bucket" }
+
+{{- define "helm-toolkit.manifests.job_s3_bucket" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+{{- $s3Bucket := index . "s3Bucket" | default $serviceName }}
+{{- $tlsCertificateSecret := index . "tlsCertificateSecret" -}}
+{{- $tlsCertificatePath := index . "tlsCertificatePath" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-bucket" }}
+{{ tuple $envAll "s3_bucket" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "s3-bucket" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "s3_bucket" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "s3_bucket" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: s3-bucket
+          image: {{ $envAll.Values.images.tags.s3_bucket }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_bucket | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/create-s3-bucket.sh
+          env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: s3-bucket-sh
+              mountPath: /tmp/create-s3-bucket.sh
+              subPath: create-s3-bucket.sh
+              readOnly: true
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: ceph.conf
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+            - name: {{ $tlsCertificateSecret }}
+              mountPath: {{ $tlsCertificatePath }}
+              subPath: ca.crt
+              readOnly: true
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: s3-bucket-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etcceph
+          emptyDir: {}
+        - name: ceph-etc
+          configMap:
+            name: {{ $configMapCeph | quote }}
+            defaultMode: 0444
+        {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+        - name: ceph-keyring
+          secret:
+            secretName: pvc-ceph-client-key
+        {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+        - name: {{ $tlsCertificateSecret }}
+          secret:
+            secretName: {{ $tlsCertificateSecret }}
+            defaultMode: 292
+{{- end }}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl b/charts/keystone/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
new file mode 100644
index 0000000..50d9af5
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
@@ -0,0 +1,159 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for s3 user management.
+# It can be used in charts dict created similar to the following:
+# {- $s3UserJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3UserJob | include "helm-toolkit.manifests.job_s3_user" }
+
+{{- define "helm-toolkit.manifests.job_s3_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-user" }}
+{{ tuple $envAll "s3_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "s3-user" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook-delete-policy": before-hook-creation
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "s3_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "s3_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: ceph-keyring-placement
+          image: {{ $envAll.Values.images.tags.ceph_key_placement }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+          command:
+            - /tmp/ceph-admin-keyring.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-keyring-sh
+              mountPath: /tmp/ceph-admin-keyring.sh
+              subPath: ceph-admin-keyring.sh
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+      containers:
+        - name: s3-user
+          image: {{ $envAll.Values.images.tags.s3_user }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/create-s3-user.sh
+          env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+            - name: RGW_HOST
+              value: {{ tuple "ceph_object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: create-s3-user-sh
+              mountPath: /tmp/create-s3-user.sh
+              subPath: create-s3-user.sh
+              readOnly: true
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: ceph.conf
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: create-s3-user-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: ceph-keyring-sh
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+        - name: etcceph
+          emptyDir: {}
+        - name: ceph-etc
+          configMap:
+            name: {{ $configMapCeph | quote }}
+            defaultMode: 0444
+        {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+        - name: ceph-keyring
+          secret:
+            secretName: pvc-ceph-client-key
+        {{ end }}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl b/charts/keystone/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
new file mode 100644
index 0000000..0906df4
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
@@ -0,0 +1,119 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for the image repo sync jobs.
+# It can be used in charts dict created similar to the following:
+# {- $imageRepoSyncJob := dict "envAll" . "serviceName" "prometheus" -}
+# { $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }
+
+{{- define "helm-toolkit.manifests.job_image_repo_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "image-repo-sync" }}
+{{ tuple $envAll "image_repo_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "image-repo-sync" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook-delete-policy": before-hook-creation
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "image_repo_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+      containers:
+        - name: image-repo-sync
+{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: LOCAL_REPO
+              value: "{{ tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+            - name: IMAGE_SYNC_LIST
+              value: "{{ include "helm-toolkit.utils.image_sync_list" $envAll }}"
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/image-repo-sync.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: bootstrap-sh
+              mountPath: /tmp/image-repo-sync.sh
+              subPath: image-repo-sync.sh
+              readOnly: true
+            - name: docker-socket
+              mountPath: /var/run/docker.sock
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: bootstrap-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: docker-socket
+          hostPath:
+            path: /var/run/docker.sock
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/manifests/_network_policy.tpl b/charts/keystone/charts/helm-toolkit/templates/manifests/_network_policy.tpl
new file mode 100644
index 0000000..405197a
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/manifests/_network_policy.tpl
@@ -0,0 +1,238 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a network policy manifest for services.
+values: |
+  endpoints:
+    kube_dns:
+      namespace: kube-system
+      name: kubernetes-dns
+      hosts:
+        default: kube-dns
+      host_fqdn_override:
+        default: null
+      path:
+        default: null
+      scheme: http
+      port:
+        dns_tcp:
+          default: 53
+        dns:
+          default: 53
+          protocol: UDP
+  network_policy:
+    myLabel:
+      podSelector:
+        matchLabels:
+          component: api
+      ingress:
+      - from:
+        - podSelector:
+            matchLabels:
+              application: keystone
+        ports:
+        - protocol: TCP
+          port: 80
+      egress:
+      - to:
+        - namespaceSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+usage: |
+  {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+  {{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}
+return: |
+  ---
+  apiVersion: networking.k8s.io/v1
+  kind: NetworkPolicy
+  metadata:
+    name: RELEASE-NAME
+    namespace: NAMESPACE
+  spec:
+    policyTypes:
+      - Ingress
+      - Egress
+    podSelector:
+      matchLabels:
+        application: myLabel
+        component: api
+    ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            application: keystone
+      ports:
+      - protocol: TCP
+        port: 80
+    egress:
+      - to:
+        - podSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+  ---
+  apiVersion: networking.k8s.io/v1
+  kind: NetworkPolicy
+  metadata:
+    name: RELEASE-NAME
+    namespace: NAMESPACE
+  spec:
+    policyTypes:
+      - Ingress
+      - Egress
+    podSelector:
+      matchLabels:
+        application: myApp
+        component: myComp
+    ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            application: keystone
+      ports:
+      - protocol: TCP
+        port: 80
+    egress:
+      - to:
+        - podSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+*/}}
+
+{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $name := index . "name" -}}
+{{- $labels := index . "labels" | default nil -}}
+{{- $label := index . "key" | default (index . "label") -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ $label | replace "_" "-" }}-netpol
+  namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+  policyTypes:
+{{- $is_egress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_egress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
+    - Egress
+{{ end -}}
+{{- $is_ingress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_ingress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
+    - Ingress
+{{ end -}}
+{{- end }}
+  podSelector:
+    matchLabels:
+{{- if empty $labels }}
+      {{ $name }}: {{ $label }}
+{{- else }}
+{{ range $k, $v := $labels }}
+      {{ $k }}: {{ $v }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
+{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
+{{ index $envAll.Values.network_policy $label "podSelector" "matchLabels" | toYaml | indent 6 }}
+{{ end }}
+{{ end }}
+{{ end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+  egress:
+{{- range $key, $value := $envAll.Values.endpoints }}
+{{- if kindIs "map" $value }}
+{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }}
+    - to:
+{{- if index $value "namespace" }}
+      - namespaceSelector:
+          matchLabels:
+            name: {{ index $value "namespace" }}
+{{- else if index $value "hosts" }}
+{{- $defaultValue := index $value "hosts" "internal" }}
+{{- if hasKey (index $value "hosts") "internal" }}
+{{- $a := split "-" $defaultValue }}
+      - podSelector:
+          matchLabels:
+            application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- else }}
+{{- $defaultValue := index $value "hosts" "default" }}
+{{- $a := split "-" $defaultValue }}
+      - podSelector:
+          matchLabels:
+            application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- end }}
+{{- end }}
+{{- if index $value "port" }}
+      ports:
+{{- range $k, $v := index $value "port" }}
+{{- if $k }}
+{{- range $pk, $pv := $v }}
+{{- if and $pv (ne $pk "protocol") }}
+      - port: {{ $pv }}
+        protocol: {{ $v.protocol | default "TCP" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if index $envAll.Values.network_policy $label "egress" }}
+{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if index $envAll.Values.network_policy $label "ingress" }}
+  ingress:
+{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl b/charts/keystone/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
new file mode 100644
index 0000000..24a7045
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a services public tls secret
+examples:
+  - values: |
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        key_manager:
+          host_fqdn_override:
+            public:
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: barbican-tls-public
+    type: kubernetes.io/tls
+    data:
+      tls.key: Rk9PLUtFWQo=
+      tls.crt: Rk9PLUNSVAoKRk9PLUNBX0NSVAo=
+
+  - values: |
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        key_manager:
+          host_fqdn_override:
+            public:
+              tls:
+                crt: |
+                  FOO-CRT
+                  FOO-INTERMEDIATE_CRT
+                  FOO-CA_CRT
+                key: |
+                  FOO-KEY
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: barbican-tls-public
+    type: kubernetes.io/tls
+    data:
+      tls.key: Rk9PLUtFWQo=
+      tls.crt: Rk9PLUNSVApGT08tSU5URVJNRURJQVRFX0NSVApGT08tQ0FfQ1JUCg==
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_ingress_tls" }}
+{{- $envAll := index . "envAll" }}
+{{- $endpoint := index . "endpoint" | default "public" }}
+{{- $backendServiceType := index . "backendServiceType" }}
+{{- $backendService := index . "backendService" | default "api" }}
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and $endpointHost.tls.key $endpointHost.tls.crt }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ index $envAll.Values.secrets.tls ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+type: kubernetes.io/tls
+data:
+  tls.key: {{ $endpointHost.tls.key | b64enc }}
+{{- if $endpointHost.tls.ca }}
+  tls.crt: {{ list $endpointHost.tls.crt $endpointHost.tls.ca | join "\n" | b64enc }}
+{{- else }}
+  tls.crt: {{ $endpointHost.tls.crt | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/manifests/_service-ingress.tpl b/charts/keystone/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
new file mode 100644
index 0000000..d2e7c0e
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
@@ -0,0 +1,43 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for a services ingress rules.
+# It can be used in charts dict created similar to the following:
+# {- $serviceIngressOpts := dict "envAll" . "backendServiceType" "key-manager" -}
+# { $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }
+
+{{- define "helm-toolkit.manifests.service_ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+  ports:
+    - name: http
+      port: 80
+    - name: https
+      port: 443
+  selector:
+    app: ingress-api
+{{- if index $envAll.Values.endpoints $backendServiceType }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" "ingress" }}
+  clusterIP: {{ (index $envAll.Values.endpoints $backendServiceType "ip" "ingress") }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl b/charts/keystone/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
new file mode 100644
index 0000000..bf1465b
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_bucket" }}
+#!/bin/bash
+set -e
+CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST"
+if [ "$RGW_PROTO" = "http" ]; then
+  CONNECTION_ARGS+=" --no-ssl"
+else
+  CONNECTION_ARGS+=" --no-check-certificate"
+fi
+ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
+USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY"
+function check_rgw_s3_bucket () {
+  s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS ls s3://$S3_BUCKET
+}
+function create_rgw_s3_bucket () {
+  s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS mb s3://$S3_BUCKET
+}
+function modify_bucket_acl () {
+  s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME
+}
+check_rgw_s3_bucket || ( create_rgw_s3_bucket && modify_bucket_acl )
+{{- end }}
\ No newline at end of file
diff --git a/charts/keystone/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl b/charts/keystone/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
new file mode 100644
index 0000000..08796d2
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
@@ -0,0 +1,65 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_user" }}
+#!/bin/bash
+set -e
+function create_s3_user () {
+  echo "Creating s3 user and key pair"
+  radosgw-admin user create \
+    --uid=${S3_USERNAME} \
+    --display-name=${S3_USERNAME} \
+    --key-type=s3 \
+    --access-key ${S3_ACCESS_KEY} \
+    --secret-key ${S3_SECRET_KEY}
+}
+function update_s3_user () {
+  # Retrieve old access keys, if they exist
+  old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \
+    | jq -r '.keys[].access_key' || true)
+
+  if [[ ! -z ${old_access_keys} ]]; then
+    for access_key in $old_access_keys; do
+      # If current access key is the same as the key supplied, do nothing.
+      if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then
+        echo "Current user and key pair exists."
+        continue
+      else
+        # If keys differ, remove previous key
+        radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key
+      fi
+    done
+  fi
+
+  # Perform one more additional check to account for scenarios where multiple
+  # key pairs existed previously, but one existing key was the supplied key
+  current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \
+    | jq -r '.keys[].access_key' || true)
+
+  # If the supplied key does not exist, modify the user
+  if [[ -z ${current_access_key} ]]; then
+    # Modify user with new access and secret keys
+    echo "Updating existing user's key pair"
+    radosgw-admin user modify \
+      --uid=${S3_USERNAME}\
+      --access-key ${S3_ACCESS_KEY} \
+      --secret-key ${S3_SECRET_KEY}
+  fi
+}
+user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true)
+if [[ -z ${user_exists} ]]; then
+  create_s3_user
+else
+  update_s3_user
+fi
+{{- end }}
\ No newline at end of file
diff --git a/charts/keystone/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl b/charts/keystone/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
new file mode 100644
index 0000000..03884fa
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_drop" }}
+#!/usr/bin/env python
+
+# Drops db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+    import ConfigParser
+    PARSER_OPTS = {}
+except ImportError:
+    import configparser as ConfigParser
+    PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Drop')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+    db_connection = os.environ['ROOT_DB_CONNECTION']
+    logger.info('Got DB root connection')
+else:
+    logger.critical('environment variable ROOT_DB_CONNECTION not set')
+    sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+    ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+                        'key': '/etc/mysql/certs/tls.key',
+                        'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+    os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+    if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+        os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+        sys.exit(1)
+    if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+        os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+        sys.exit(1)
+    try:
+        config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+        logger.info("Using {0} as db config source".format(os_conf))
+        config.read(os_conf)
+        logger.info("Trying to load db config from {0}:{1}".format(
+            os_conf_section, os_conf_key))
+        user_db_conn = config.get(os_conf_section, os_conf_key)
+        logger.info("Got config from {0}".format(os_conf))
+    except:
+        logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+        raise
+elif "DB_CONNECTION" in os.environ:
+    user_db_conn = os.environ['DB_CONNECTION']
+    logger.info('Got config from DB_CONNECTION env var')
+else:
+    logger.critical('Could not get db config, either from config file or env var')
+    sys.exit(1)
+
+# Root DB engine
+try:
+    root_engine_full = create_engine(db_connection)
+    root_user = root_engine_full.url.username
+    root_password = root_engine_full.url.password
+    drivername = root_engine_full.url.drivername
+    host = root_engine_full.url.host
+    port = root_engine_full.url.port
+    root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+    root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+    connection = root_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+        host, port, root_user))
+except:
+    logger.critical('Could not connect to database as root user')
+    raise
+
+# User DB engine
+try:
+    user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+    # Get our user data out of the user_engine
+    database = user_engine.url.database
+    user = user_engine.url.username
+    password = user_engine.url.password
+    logger.info('Got user db config')
+except:
+    logger.critical('Could not get user database config')
+    raise
+
+# Delete DB
+try:
+    root_engine.execute("DROP DATABASE IF EXISTS {0}".format(database))
+    logger.info("Deleted database {0}".format(database))
+except:
+    logger.critical("Could not drop database {0}".format(database))
+    raise
+
+# Delete DB User
+try:
+    root_engine.execute("DROP USER IF EXISTS {0}".format(user))
+    logger.info("Deleted user {0}".format(user))
+except:
+    logger.critical("Could not delete user {0}".format(user))
+    raise
+
+logger.info('Finished DB Management')
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/scripts/_db-init.py.tpl b/charts/keystone/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
new file mode 100644
index 0000000..4294d40
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_init" }}
+#!/usr/bin/env python
+
+# Creates db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+    import ConfigParser
+    PARSER_OPTS = {}
+except ImportError:
+    import configparser as ConfigParser
+    PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Init')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+    db_connection = os.environ['ROOT_DB_CONNECTION']
+    logger.info('Got DB root connection')
+else:
+    logger.critical('environment variable ROOT_DB_CONNECTION not set')
+    sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+    ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+                'key': '/etc/mysql/certs/tls.key',
+                'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+    os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+    if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+        os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+        sys.exit(1)
+    if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+        os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+        sys.exit(1)
+    try:
+        config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+        logger.info("Using {0} as db config source".format(os_conf))
+        config.read(os_conf)
+        logger.info("Trying to load db config from {0}:{1}".format(
+            os_conf_section, os_conf_key))
+        user_db_conn = config.get(os_conf_section, os_conf_key)
+        logger.info("Got config from {0}".format(os_conf))
+    except:
+        logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+        raise
+elif "DB_CONNECTION" in os.environ:
+    user_db_conn = os.environ['DB_CONNECTION']
+    logger.info('Got config from DB_CONNECTION env var')
+else:
+    logger.critical('Could not get db config, either from config file or env var')
+    sys.exit(1)
+
+# Root DB engine
+try:
+    root_engine_full = create_engine(db_connection)
+    root_user = root_engine_full.url.username
+    root_password = root_engine_full.url.password
+    drivername = root_engine_full.url.drivername
+    host = root_engine_full.url.host
+    port = root_engine_full.url.port
+    root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+    root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+    connection = root_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+        host, port, root_user))
+except:
+    logger.critical('Could not connect to database as root user')
+    raise
+
+# User DB engine
+try:
+    user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+    # Get our user data out of the user_engine
+    database = user_engine.url.database
+    user = user_engine.url.username
+    password = user_engine.url.password
+    logger.info('Got user db config')
+except:
+    logger.critical('Could not get user database config')
+    raise
+
+# Create DB
+try:
+    root_engine.execute("CREATE DATABASE IF NOT EXISTS {0}".format(database))
+    logger.info("Created database {0}".format(database))
+except:
+    logger.critical("Could not create database {0}".format(database))
+    raise
+
+# Create DB User
+try:
+    root_engine.execute(
+        "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\' {3}".format(
+            database, user, password, mysql_x509))
+    logger.info("Created user {0} for {1}".format(user, database))
+except:
+    logger.critical("Could not create user {0} for {1}".format(user, database))
+    raise
+
+# Test connection
+try:
+    connection = user_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1}/{2} as {3}".format(
+        host, port, database, user))
+except:
+    logger.critical('Could not connect to database as user')
+    raise
+
+logger.info('Finished DB Management')
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl b/charts/keystone/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
new file mode 100644
index 0000000..4d7dfaa
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
@@ -0,0 +1,69 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "helm-toolkit.scripts.pg_db_init" }}
+#!/bin/bash
+set -ex
+
+if [[ ! -v DB_HOST ]]; then
+    echo "environment variable DB_HOST not set"
+    exit 1
+elif [[ ! -v DB_ADMIN_USER ]]; then
+    echo "environment variable DB_ADMIN_USER not set"
+    exit 1
+elif [[ ! -v PGPASSWORD ]]; then
+    echo "environment variable PGPASSWORD not set"
+    exit 1
+elif [[ ! -v DB_PORT ]]; then
+    echo "environment variable DB_PORT not set"
+    exit 1
+elif [[ ! -v USER_DB_USER ]]; then
+    echo "environment variable USER_DB_USER not set"
+    exit 1
+elif [[ ! -v USER_DB_PASS ]]; then
+    echo "environment variable USER_DB_PASS not set"
+    exit 1
+elif [[ ! -v USER_DB_NAME ]]; then
+    echo "environment variable USER_DB_NAME not set"
+    exit 1
+else
+    echo "Got DB connection info"
+fi
+
+pgsql_superuser_cmd () {
+  DB_COMMAND="$1"
+  if [[ ! -z $2 ]]; then
+      EXPORT PGDATABASE=$2
+  fi
+  /usr/bin/psql \
+  -h ${DB_HOST} \
+  -p ${DB_PORT} \
+  -U ${DB_ADMIN_USER} \
+  --command="${DB_COMMAND}"
+}
+
+#create db
+pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q "(1 row)" || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME"
+
+#create db user
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | grep -q "(1 row)" || \
+    pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';"
+
+#Set password everytime. This is required for cases when we would want password rotation to take effect and set the updated password for a user.
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} with password '$USER_DB_PASS'"
+
+#give permissions to user
+pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;"
+
+#revoke all privileges from PUBLIC role
+pgsql_superuser_cmd "REVOKE ALL ON DATABASE $USER_DB_NAME FROM PUBLIC;"
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl b/charts/keystone/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
new file mode 100644
index 0000000..e41abe3
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
@@ -0,0 +1,24 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.image_repo_sync" }}
+#!/bin/sh
+set -ex
+
+IFS=','; for IMAGE in ${IMAGE_SYNC_LIST}; do
+  docker pull ${IMAGE}
+  docker tag ${IMAGE} ${LOCAL_REPO}/${IMAGE}
+  docker push ${LOCAL_REPO}/${IMAGE}
+done
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl b/charts/keystone/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
new file mode 100644
index 0000000..8755cd5
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
@@ -0,0 +1,72 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_domain_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Manage domain
+SERVICE_OS_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Service Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+    "${SERVICE_OS_DOMAIN_NAME}")
+
+# Display domain
+openstack domain show "${SERVICE_OS_DOMAIN_ID}"
+
+# Manage user
+SERVICE_OS_USERID=$(openstack user create --or-show --enable -f value -c id \
+    --domain="${SERVICE_OS_DOMAIN_ID}" \
+    --description "Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+    --password="${SERVICE_OS_PASSWORD}" \
+    "${SERVICE_OS_USERNAME}")
+
+# Manage user password (we do this to ensure the password is updated if required)
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${SERVICE_OS_USERID}"
+
+# Display user
+openstack user show "${SERVICE_OS_USERID}"
+
+# Manage role
+SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \
+    "${SERVICE_OS_ROLE}" || openstack role create -f value -c id \
+    "${SERVICE_OS_ROLE}" )
+
+# Manage user role assignment
+openstack role add \
+          --domain="${SERVICE_OS_DOMAIN_ID}" \
+          --user="${SERVICE_OS_USERID}" \
+          --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+          "${SERVICE_OS_ROLE_ID}"
+
+# Display user role assignment
+openstack role assignment list \
+          --role="${SERVICE_OS_ROLE_ID}" \
+          --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+          --user="${SERVICE_OS_USERID}"
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl b/charts/keystone/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
new file mode 100644
index 0000000..e400bcd
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
@@ -0,0 +1,79 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_endpoints" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Get Service ID
+OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+                  grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+                    sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+# Get Endpoint ID if it exists
+OS_ENDPOINT_ID=$( openstack endpoint list  -f csv --quote none | \
+                  grep "^[a-z0-9]*,${OS_REGION_NAME},${OS_SERVICE_NAME},${OS_SERVICE_TYPE},True,${OS_SVC_ENDPOINT}," | \
+                  awk -F ',' '{ print $1 }' )
+
+# Making sure only a single endpoint exists for a service within a region
+if [ "$(echo $OS_ENDPOINT_ID | wc -w)" -gt "1" ]; then
+  echo "More than one endpoint found, cleaning up"
+  for ENDPOINT_ID in $OS_ENDPOINT_ID; do
+    openstack endpoint delete ${ENDPOINT_ID}
+  done
+  unset OS_ENDPOINT_ID
+fi
+
+# Determine if Endpoint needs updated
+if [[ ${OS_ENDPOINT_ID} ]]; then
+  OS_ENDPOINT_URL_CURRENT=$(openstack endpoint show ${OS_ENDPOINT_ID} -f value -c url)
+  if [ "${OS_ENDPOINT_URL_CURRENT}" == "${OS_SERVICE_ENDPOINT}" ]; then
+    echo "Endpoints Match: no action required"
+    OS_ENDPOINT_UPDATE="False"
+  else
+    echo "Endpoints Dont Match: removing existing entries"
+    openstack endpoint delete ${OS_ENDPOINT_ID}
+    OS_ENDPOINT_UPDATE="True"
+  fi
+else
+  OS_ENDPOINT_UPDATE="True"
+fi
+
+# Update Endpoint if required
+if [[ "${OS_ENDPOINT_UPDATE}" == "True" ]]; then
+  OS_ENDPOINT_ID=$( openstack endpoint create -f value -c id \
+    --region="${OS_REGION_NAME}" \
+    "${OS_SERVICE_ID}" \
+    ${OS_SVC_ENDPOINT} \
+    "${OS_SERVICE_ENDPOINT}" )
+fi
+
+# Display the Endpoint
+openstack endpoint show ${OS_ENDPOINT_ID}
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl b/charts/keystone/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
new file mode 100644
index 0000000..8356b36
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_service" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Service boilerplate description
+OS_SERVICE_DESC="${OS_REGION_NAME}: ${OS_SERVICE_NAME} (${OS_SERVICE_TYPE}) service"
+
+# Get Service ID if it exists
+unset OS_SERVICE_ID
+
+# FIXME - There seems to be an issue once in a while where the
+# openstack service list fails and encounters an error message such as:
+#   Unable to establish connection to
+#   https://keystone-api.openstack.svc.cluster.local:5000/v3/auth/tokens:
+#   ('Connection aborted.', OSError("(104, 'ECONNRESET')",))
+# During an upgrade scenario, this would cause the OS_SERVICE_ID to be blank
+# and it would attempt to create a new service when it was not needed.
+# This duplciate service would sometimes be used by other services such as
+# Horizon and would give an 'Invalid Service Catalog' error.
+# This loop allows for a 'retry' of the openstack service list in an
+# attempt to get the service list as expected if it does ecounter an error.
+# This loop and recheck can be reverted once the underlying issue is addressed.
+
+# If OS_SERVICE_ID is blank then wait a few seconds to give it
+# additional time and try again
+for i in $(seq 3)
+do
+  OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+                   grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+                   sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+  # If the service was found, go ahead and exit successfully.
+  if [[ -n "${OS_SERVICE_ID}" ]]; then
+    exit 0
+  fi
+
+  sleep 2
+done
+
+# If we've reached this point and a Service ID was not found,
+# then create the service
+OS_SERVICE_ID=$(openstack service create -f value -c id \
+                --name="${OS_SERVICE_NAME}" \
+                --description "${OS_SERVICE_DESC}" \
+                --enable \
+                "${OS_SERVICE_TYPE}")
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl b/charts/keystone/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
new file mode 100644
index 0000000..b45f798
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+shopt -s nocasematch
+
+if [[ "${SERVICE_OS_PROJECT_DOMAIN_NAME}" == "Default" ]]
+then
+  PROJECT_DOMAIN_ID="default"
+else
+  # Manage project domain
+  PROJECT_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
+    "${SERVICE_OS_PROJECT_DOMAIN_NAME}")
+fi
+
+if [[ "${SERVICE_OS_USER_DOMAIN_NAME}" == "Default" ]]
+then
+  USER_DOMAIN_ID="default"
+else
+  # Manage user domain
+  USER_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}" \
+    "${SERVICE_OS_USER_DOMAIN_NAME}")
+fi
+
+shopt -u nocasematch
+
+# Manage user project
+USER_PROJECT_DESC="Service Project for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+USER_PROJECT_ID=$(openstack project create --or-show --enable -f value -c id \
+    --domain="${PROJECT_DOMAIN_ID}" \
+    --description="${USER_PROJECT_DESC}" \
+    "${SERVICE_OS_PROJECT_NAME}");
+
+# Manage user
+USER_DESC="Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}/${SERVICE_OS_SERVICE_NAME}"
+USER_ID=$(openstack user create --or-show --enable -f value -c id \
+    --domain="${USER_DOMAIN_ID}" \
+    --project-domain="${PROJECT_DOMAIN_ID}" \
+    --project="${USER_PROJECT_ID}" \
+    --description="${USER_DESC}" \
+    "${SERVICE_OS_USERNAME}");
+
+# Manage user password (we do this in a seperate step to ensure the password is updated if required)
+set +x
+echo "Setting user password via: openstack user set --password=xxxxxxx ${USER_ID}"
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${USER_ID}"
+set -x
+
+function ks_assign_user_role () {
+  if [[ "$SERVICE_OS_ROLE" == "admin" ]]
+  then
+    USER_ROLE_ID="$SERVICE_OS_ROLE"
+  else
+    USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${SERVICE_OS_ROLE}");
+  fi
+
+  # Manage user role assignment
+  openstack role add \
+      --user="${USER_ID}" \
+      --user-domain="${USER_DOMAIN_ID}" \
+      --project-domain="${PROJECT_DOMAIN_ID}" \
+      --project="${USER_PROJECT_ID}" \
+      "${USER_ROLE_ID}"
+}
+
+# Manage user service role
+IFS=','
+for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
+  ks_assign_user_role
+done
+
+# Manage user member role
+: ${MEMBER_OS_ROLE:="member"}
+export USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
+    "${MEMBER_OS_ROLE}");
+ks_assign_user_role
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/keystone/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
new file mode 100644
index 0000000..87872d6
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -0,0 +1,106 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rabbit_init" }}
+#!/bin/bash
+set -e
+# Extract connection details
+RABBIT_HOSTNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $1}')
+RABBIT_PORT=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $2}')
+
+# Extract Admin User creadential
+RABBITMQ_ADMIN_USERNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $4}')
+RABBITMQ_ADMIN_PASSWORD=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $5}')
+
+# Extract User creadential
+RABBITMQ_USERNAME=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $4}')
+RABBITMQ_PASSWORD=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $5}')
+
+# Extract User vHost
+RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $3}')
+# Resolve vHost to / if no value is set
+RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
+
+function rabbitmqadmin_cli () {
+  if [ -n "$RABBITMQ_X509" ]
+  then
+    rabbitmqadmin \
+      --ssl \
+      --ssl-disable-hostname-verification \
+      --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
+      --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
+      --ssl-key-file="${USER_CERT_PATH}/tls.key" \
+      --host="${RABBIT_HOSTNAME}" \
+      --port="${RABBIT_PORT}" \
+      --username="${RABBITMQ_ADMIN_USERNAME}" \
+      --password="${RABBITMQ_ADMIN_PASSWORD}" \
+      ${@}
+  else
+    rabbitmqadmin \
+      --host="${RABBIT_HOSTNAME}" \
+      --port="${RABBIT_PORT}" \
+      --username="${RABBITMQ_ADMIN_USERNAME}" \
+      --password="${RABBITMQ_ADMIN_PASSWORD}" \
+      ${@}
+  fi
+}
+
+echo "Managing: User: ${RABBITMQ_USERNAME}"
+rabbitmqadmin_cli \
+  declare user \
+  name="${RABBITMQ_USERNAME}" \
+  password="${RABBITMQ_PASSWORD}" \
+  tags="user"
+
+if [ "${RABBITMQ_VHOST}" != "/" ]
+then
+  echo "Managing: vHost: ${RABBITMQ_VHOST}"
+  rabbitmqadmin_cli \
+    declare vhost \
+    name="${RABBITMQ_VHOST}"
+else
+  echo "Skipping root vHost declaration: vHost: ${RABBITMQ_VHOST}"
+fi
+
+echo "Managing: Permissions: ${RABBITMQ_USERNAME} on ${RABBITMQ_VHOST}"
+rabbitmqadmin_cli \
+  declare permission \
+  vhost="${RABBITMQ_VHOST}" \
+  user="${RABBITMQ_USERNAME}" \
+  configure=".*" \
+  write=".*" \
+  read=".*"
+
+if [ ! -z "$RABBITMQ_AUXILIARY_CONFIGURATION" ]
+then
+  echo "Applying additional configuration"
+  echo "${RABBITMQ_AUXILIARY_CONFIGURATION}" > /tmp/rmq_definitions.json
+  rabbitmqadmin_cli import /tmp/rmq_definitions.json
+fi
+
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/charts/keystone/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
new file mode 100644
index 0000000..c08d320
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
@@ -0,0 +1,88 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rally_test" -}}
+#!/bin/bash
+set -ex
+{{- $rallyTests := index . 0 }}
+
+: "${RALLY_ENV_NAME:="openstack-helm"}"
+: "${OS_INTERFACE:="public"}"
+: "${RALLY_CLEANUP:="true"}"
+
+if [ "x$RALLY_CLEANUP" == "xtrue" ]; then
+  function rally_cleanup {
+    openstack user delete \
+        --domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
+        "${SERVICE_OS_USERNAME}"
+{{ $rallyTests.clean_up | default "" | indent 4 }}
+  }
+  trap rally_cleanup EXIT
+fi
+
+function create_or_update_db () {
+  revisionResults=$(rally db revision)
+  if [ $revisionResults = "None"  ]
+  then
+    rally db create
+  else
+    rally db upgrade
+  fi
+}
+
+create_or_update_db
+
+cat > /tmp/rally-config.json << EOF
+{
+    "openstack": {
+        "auth_url": "${OS_AUTH_URL}",
+        "region_name": "${OS_REGION_NAME}",
+        "endpoint_type": "${OS_INTERFACE}",
+        "admin": {
+            "username": "${OS_USERNAME}",
+            "password": "${OS_PASSWORD}",
+            "user_domain_name": "${OS_USER_DOMAIN_NAME}",
+            "project_name": "${OS_PROJECT_NAME}",
+            "project_domain_name": "${OS_PROJECT_DOMAIN_NAME}"
+        },
+        "users": [
+            {
+                "username": "${SERVICE_OS_USERNAME}",
+                "password": "${SERVICE_OS_PASSWORD}",
+                "project_name": "${SERVICE_OS_PROJECT_NAME}",
+                "user_domain_name": "${SERVICE_OS_USER_DOMAIN_NAME}",
+                "project_domain_name": "${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+            }
+        ],
+        "https_insecure": false,
+        "https_cacert": "${OS_CACERT}"
+    }
+}
+EOF
+rally deployment create --file /tmp/rally-config.json --name "${RALLY_ENV_NAME}"
+rm -f /tmp/rally-config.json
+rally deployment use "${RALLY_ENV_NAME}"
+rally deployment check
+{{- if $rallyTests.run_tempest }}
+rally verify create-verifier --name "${RALLY_ENV_NAME}-tempest" --type tempest
+SERVICE_TYPE="$(rally deployment check | grep "${RALLY_ENV_NAME}" | awk -F \| '{print $3}' | tr -d ' ' | tr -d '\n')"
+rally verify start --pattern "tempest.api.${SERVICE_TYPE}*"
+rally verify delete-verifier --id "${RALLY_ENV_NAME}-tempest" --force
+{{- end }}
+rally task validate /etc/rally/rally_tests.yaml
+rally task start /etc/rally/rally_tests.yaml
+rally task sla-check
+rally env cleanup
+rally deployment destroy --deployment "${RALLY_ENV_NAME}"
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/keystone/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
new file mode 100644
index 0000000..db12915
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -0,0 +1,540 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.backup_main" }}
+#!/bin/bash
+
+# This file contains a database backup framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+#   source /tmp/backup_main.sh
+#
+# Then the script should call the main backup function (backup_databases):
+#   backup_databases [scope]
+#       [scope] is an optional parameter, defaulted to "all". If only one specific
+#               database is required to be backed up then this parameter will
+#               contain the name of the database; otherwise all are backed up.
+#
+#       The framework will require the following variables to be exported:
+#
+#         export DB_NAMESPACE          Namespace where the database(s) reside
+#         export DB_NAME               Name of the database system
+#         export LOCAL_DAYS_TO_KEEP    Number of days to keep the local backups
+#         export REMOTE_DAYS_TO_KEEP   Number of days to keep the remote backups
+#         export ARCHIVE_DIR           Local location where the backup tarballs should
+#                                      be stored. (full directory path)
+#         export BACK_UP_MODE          Determines the mode of backup taken.
+#         export REMOTE_BACKUP_ENABLED "true" if remote backup enabled; false
+#                                      otherwise
+#         export CONTAINER_NAME        Name of the container on the RGW to store
+#                                      the backup tarball.
+#         export STORAGE_POLICY        Name of the storage policy defined on the
+#                                      RGW which is intended to store backups.
+#         RGW access variables:
+#           export OS_REGION_NAME          Name of the region the RGW resides in
+#           export OS_AUTH_URL             Keystone URL associated with the RGW
+#           export OS_PROJECT_NAME         Name of the project associated with the
+#                                          keystone user
+#           export OS_USERNAME             Name of the keystone user
+#           export OS_PASSWORD             Password of the keystone user
+#           export OS_USER_DOMAIN_NAME     Keystone domain the project belongs to
+#           export OS_PROJECT_DOMAIN_NAME  Keystone domain the user belongs to
+#           export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+#           export REMOTE_BACKUP_RETRIES   Number of retries to send backup to remote
+#                                          in case of any temporary failures.
+#           export MIN_DELAY_SEND_REMOTE   Minimum seconds to delay before sending backup
+#                                          to remote to stagger backups being sent to RGW
+#           export MAX_DELAY_SEND_REMOTE   Maximum seconds to delay before sending backup
+#                                          to remote to stagger backups being sent to RGW.
+#                                          A random number between min and max delay is generated
+#                                          to set the delay.
+#
+# The database-specific functions that need to be implemented are:
+#   dump_databases_to_directory <directory> <err_logfile> [scope]
+#       where:
+#         <directory>   is the full directory path to dump the database files
+#                       into. This is a temporary directory for this backup only.
+#         <err_logfile> is the full directory path where error logs are to be
+#                       written by the application.
+#         [scope]       set to "all" if all databases are to be backed up; or
+#                       set to the name of a specific database to be backed up.
+#                       This optional parameter is defaulted to "all".
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to dump the database file(s) to the specified
+#       directory path. If this function completes successfully (returns 0), the
+#       framework will automatically tar/zip the files in that directory and
+#       name the tarball appropriately according to the proper conventions.
+#
+# The functions in this file will take care of:
+#   1) Calling "dump_databases_to_directory" and then compressing the files,
+#      naming the tarball properly, and then storing it locally at the specified
+#      local directory.
+#   2) Sending the tarball built to the remote gateway, to be stored in the
+#      container configured to store database backups.
+#   3) Removing local backup tarballs which are older than the number of days
+#      specified by the "LOCAL_DAYS_TO_KEEP" variable.
+#   4) Removing remote backup tarballs (from the remote gateway) which are older
+#      than the number of days specified by the "REMOTE_DAYS_TO_KEEP" variable.
+#
+
+# Note: not using set -e in this script because more elaborate error handling
+# is needed.
+
+log_backup_error_exit() {
+  MSG=$1
+  ERRCODE=${2:-0}
+  log ERROR "${DB_NAME}_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+  rm -f $ERR_LOG_FILE
+  rm -rf $TMP_DIR
+  exit $ERRCODE
+}
+
+log() {
+  #Log message to a file or stdout
+  #TODO: This can be convert into mail alert of alert send to a monitoring system
+  #Params: $1 log level
+  #Params: $2 service
+  #Params: $3 message
+  #Params: $4 Destination
+  LEVEL=$1
+  SERVICE=$2
+  MSG=$3
+  DEST=$4
+  DATE=$(date +"%m-%d-%y %H:%M:%S")
+  if [[ -z "$DEST" ]]; then
+    echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}"
+  else
+    echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}" >>$DEST
+  fi
+}
+
+# Generate a random number between MIN_DELAY_SEND_REMOTE and
+# MAX_DELAY_SEND_REMOTE
+random_number() {
+  diff=$((${MAX_DELAY_SEND_REMOTE} - ${MIN_DELAY_SEND_REMOTE} + 1))
+  echo $(($(( ${RANDOM} % ${diff} )) + ${MIN_DELAY_SEND_REMOTE} ))
+}
+
+#Get the day delta since the archive file backup
+seconds_difference() {
+  ARCHIVE_DATE=$( date --date="$1" +%s )
+  if [[ $? -ne 0 ]]; then
+    SECOND_DELTA=0
+  fi
+  CURRENT_DATE=$( date +%s )
+  SECOND_DELTA=$(($CURRENT_DATE-$ARCHIVE_DATE))
+  if [[ "$SECOND_DELTA" -lt 0 ]]; then
+    SECOND_DELTA=0
+  fi
+  echo $SECOND_DELTA
+}
+
+# Send the specified tarball file at the specified filepath to the
+# remote gateway.
+send_to_remote_server() {
+  FILEPATH=$1
+  FILE=$2
+
+  # Grab the list of containers on the remote site
+  RESULT=$(openstack container list 2>&1)
+
+  if [[ $? -eq 0 ]]; then
+    echo $RESULT | grep $CONTAINER_NAME
+    if [[ $? -ne 0 ]]; then
+      # Find the swift URL from the keystone endpoint list
+      SWIFT_URL=$(openstack catalog show object-store -c endpoints | grep public | awk '{print $4}')
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to get object-store enpoints from keystone catalog."
+        return 2
+      fi
+
+      # Get a token from keystone
+      TOKEN=$(openstack token issue -f value -c id)
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to get  keystone token."
+        return 2
+      fi
+
+      # Create the container
+      RES_FILE=$(mktemp -p /tmp)
+      curl -g -i -X PUT ${SWIFT_URL}/${CONTAINER_NAME} \
+           -H "X-Auth-Token: ${TOKEN}" \
+           -H "X-Storage-Policy: ${STORAGE_POLICY}" 2>&1 > $RES_FILE
+
+      if [[ $? -ne 0 || $(grep "HTTP" $RES_FILE | awk '{print $2}') -ge 400 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to create container ${CONTAINER_NAME}"
+        cat $RES_FILE
+        rm -f $RES_FILE
+        return 2
+      fi
+      rm -f $RES_FILE
+
+      swift stat $CONTAINER_NAME
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to retrieve container ${CONTAINER_NAME} details after creation."
+        return 2
+      fi
+    fi
+  else
+    echo $RESULT | grep -E "HTTP 401|HTTP 403"
+    if [[ $? -eq 0 ]]; then
+      log ERROR "${DB_NAME}_backup" "Access denied by keystone: ${RESULT}"
+      return 1
+    else
+      echo $RESULT | grep -E "ConnectionError|Failed to discover available identity versions|Service Unavailable|HTTP 50"
+      if [[ $? -eq 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Could not reach the RGW: ${RESULT}"
+        # In this case, keystone or the site/node may be temporarily down.
+        # Return slightly different error code so the calling code can retry
+        return 2
+      else
+        log ERROR "${DB_NAME}_backup" "Could not get container list: ${RESULT}"
+        return 1
+      fi
+    fi
+  fi
+
+  # Create an object to store the file
+  openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
+    return 2
+  fi
+  openstack object show $CONTAINER_NAME $FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
+    return 2
+  fi
+
+  log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
+  return 0
+}
+
+# This function attempts to store the built tarball to the remote gateway,
+# with built-in logic to handle error cases like:
+#   1) Network connectivity issues - retries for a specific amount of time
+#   2) Authorization errors - immediately logs an ERROR and returns
+store_backup_remotely() {
+  FILEPATH=$1
+  FILE=$2
+
+  count=1
+  while [[ ${count} -le ${REMOTE_BACKUP_RETRIES} ]]; do
+    # Store the new archive to the remote backup storage facility.
+    send_to_remote_server $FILEPATH $FILE
+    SEND_RESULT="$?"
+
+    # Check if successful
+    if [[ $SEND_RESULT -eq 0 ]]; then
+      log INFO "${DB_NAME}_backup" "Backup file ${FILE} successfully sent to RGW."
+      return 0
+    elif [[ $SEND_RESULT -eq 2 ]]; then
+      if [[ ${count} -ge ${REMOTE_BACKUP_RETRIES} ]]; then
+        log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW in " \
+        "${REMOTE_BACKUP_RETRIES} retries. Errors encountered. Exiting."
+        break
+      fi
+      # Temporary failure occurred. We need to retry
+      log WARN "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to RGW due to connection issue."
+      sleep_time=$(random_number)
+      log INFO "${DB_NAME}_backup" "Sleeping ${sleep_time} seconds waiting for RGW to become available..."
+      sleep ${sleep_time}
+      log INFO "${DB_NAME}_backup" "Retrying..."
+    else
+      log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW. Errors encountered. Exiting."
+      break
+    fi
+
+    # Increment the counter
+    count=$((count+1))
+  done
+
+  return 1
+}
+
+# This function takes a list of archives' names as an input
+# and creates a hash table where keys are number of seconds
+# between current date and archive date (see seconds_difference),
+# and values are space separated archives' names
+#
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 1265342678 | "tmp/mysql.backup.auto.2022-02-14T10:13:13Z.tar.gz"                                                     |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 2346254257 | "tmp/mysql.backup.auto.2022-02-11T10:13:13Z.tar.gz tmp/mysql.backup.manual.2022-02-11T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# <...>
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 6253434567 | "tmp/mysql.backup.manual.2022-02-01T10:13:13Z.tar.gz"                                                   |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# We will use the explained above data stracture to cover rare, but still
+# possible case, when we have several backups of the same date. E.g.
+# one manual, and one automatic.
+
+function get_archive_date(){
+# get_archive_date function returns correct archive date
+# for different formats of archives' names
+# the old one: <database name>.<namespace>.<table name | all>.<date-time>.tar.gz
+# the new one: <database name>.<namespace>.<table name | all>.<backup mode>.<date-time>.tar.gz
+local A_FILE="$1"
+local A_DATE=""
+if [[ -z ${BACK_UP_MODE} ]]; then
+  A_DATE=$( awk -F/ '{print $NF}' <<< ${ARCHIVE_FILE} | cut -d'.' -f 4 | tr -d "Z")
+else
+  A_DATE=$( awk -F/ '{print $NF}' <<< ${ARCHIVE_FILE} | cut -d'.' -f 5 | tr -d "Z")
+fi
+echo ${A_DATE}
+}
+
+declare -A fileTable
+create_hash_table() {
+unset fileTable
+fileList=$@
+  for ARCHIVE_FILE in ${fileList}; do
+    # Creating index, we will round given ARCHIVE_DATE to the midnight (00:00:00)
+    # to take in account a possibility, that we can have more than one scheduled
+    # backup per day.
+    ARCHIVE_DATE=$(get_archive_date ${ARCHIVE_FILE})
+    ARCHIVE_DATE=$(date --date=${ARCHIVE_DATE} +%D)
+    log INFO "${DB_NAME}_backup" "Archive date to build index: ${ARCHIVE_DATE}"
+    INDEX=$(seconds_difference ${ARCHIVE_DATE})
+    if [[ -z fileTable[${INDEX}] ]]; then
+      fileTable[${INDEX}]=${ARCHIVE_FILE}
+    else
+      fileTable[${INDEX}]="${fileTable[${INDEX}]} ${ARCHIVE_FILE}"
+    fi
+    echo "INDEX: ${INDEX} VALUE:  ${fileTable[${INDEX}]}"
+ done
+}
+
+function get_backup_prefix() {
+# Create list of all possible prefixes in a format:
+# <db_name>.<namespace> to cover a possible situation
+# when different backups of different databases and/or
+# namespaces share the same local or remote storage.
+  ALL_FILES=($@)
+  PREFIXES=()
+  for fname in ${ALL_FILES[@]}; do
+    prefix=$(basename ${fname} | cut -d'.' -f1,2 )
+    for ((i=0; i<${#PREFIXES[@]}; i++)) do
+      if [[ ${PREFIXES[${i}]} == ${prefix} ]]; then
+        prefix=""
+        break
+      fi
+    done
+    if [[ ! -z ${prefix} ]]; then
+        PREFIXES+=(${prefix})
+    fi
+  done
+}
+
+remove_old_local_archives() {
+  if [[ -d $ARCHIVE_DIR ]]; then
+    count=0
+    SECONDS_TO_KEEP=$((${LOCAL_DAYS_TO_KEEP}*86400))
+    log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days"
+    # We iterate over the hash table, checking the delta in seconds (hash keys),
+    # and minimum number of backups we must have in place. List of keys has to be sorted.
+    for INDEX in $(tr " " "\n" <<< ${!FILETABLE[@]} | sort -n -); do
+      ARCHIVE_FILE=${FILETABLE[${INDEX}]}
+      if [[ ${INDEX} -le ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
+        ((count++))
+        log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
+      else
+        log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
+          rm -rf $ARCHIVE_FILE
+          if [[ $? -ne 0 ]]; then
+            # Log error but don't exit so we can finish the script
+            # because at this point we haven't sent backup to RGW yet
+            log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
+          fi
+      fi
+    done
+  else
+    log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
+  fi
+}
+
+remove_old_local_archives() {
+  SECONDS_TO_KEEP=$(( $((${LOCAL_DAYS_TO_KEEP}))*86400))
+  log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+  if [[ -d $ARCHIVE_DIR ]]; then
+    count=0
+    # We iterate over the hash table, checking the delta in seconds (hash keys),
+    # and minimum number of backups we must have in place. List of keys has to be sorted.
+    for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+      ARCHIVE_FILE=${fileTable[${INDEX}]}
+      if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
+        ((count++))
+        log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
+      else
+        log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
+          rm -f ${ARCHIVE_FILE}
+          if [[ $? -ne 0 ]]; then
+            # Log error but don't exit so we can finish the script
+            # because at this point we haven't sent backup to RGW yet
+            log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
+          fi
+      fi
+    done
+  else
+    log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
+  fi
+}
+
+prepare_list_of_remote_backups() {
+  BACKUP_FILES=$(mktemp -p /tmp)
+  DB_BACKUP_FILES=$(mktemp -p /tmp)
+  openstack object list $CONTAINER_NAME > $BACKUP_FILES
+  if [[ $? -ne 0 ]]; then
+    log_backup_error_exit \
+      "Failed to cleanup remote backup. Could not obtain a list of current backup files in the RGW"
+  fi
+  # Filter out other types of backup files
+  cat $BACKUP_FILES | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $DB_BACKUP_FILES
+}
+
+# The logic implemented with this function is absolutely similar
+# to the function remove_old_local_archives (see above)
+remove_old_remote_archives() {
+  count=0
+  SECONDS_TO_KEEP=$((${REMOTE_DAYS_TO_KEEP}*86400))
+  log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+  for INDEX in $(tr " " "\n" <<< ${!FILETABLE[@]} | sort -n -); do
+    ARCHIVE_FILE=${FILETABLE[${INDEX}]}
+    if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then
+      ((count++))
+      log INFO "${DB_NAME}_backup" "Keeping remote backup(s) ${ARCHIVE_FILE}."
+    else
+      log INFO "${DB_NAME}_backup" "Deleting remote backup(s) ${ARCHIVE_FILE} from the RGW"
+      openstack object delete ${CONTAINER_NAME} ${ARCHIVE_FILE} ||  log WARN "${DB_NAME}_backup" \
+        "Failed to cleanup remote backup. Cannot delete container object ${ARCHIVE_FILE}"
+    fi
+  done
+
+  # Cleanup now that we're done.
+  for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
+  if [[ -f fd ]]; then
+    rm -f fd
+  else
+    log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+}
+
+# Main function to backup the databases. Calling functions need to supply:
+#  1) The directory where the final backup will be kept after it is compressed.
+#  2) A temporary directory to use for placing database files to be compressed.
+#     Note: this temp directory will be deleted after backup is done.
+#  3) Optional "scope" parameter indicating what database to back up. Defaults
+#     to "all".
+backup_databases() {
+  SCOPE=${1:-"all"}
+
+  # Create necessary directories if they do not exist.
+  mkdir -p $ARCHIVE_DIR || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create directory ${ARCHIVE_DIR}!"
+  export TMP_DIR=$(mktemp -d) || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create temp directory!"
+
+  # Create temporary log file
+  export ERR_LOG_FILE=$(mktemp -p /tmp) || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create log file!"
+
+  # It is expected that this function will dump the database files to the $TMP_DIR
+  dump_databases_to_directory $TMP_DIR $ERR_LOG_FILE $SCOPE
+
+  # If successful, there should be at least one file in the TMP_DIR
+  if [[ $? -ne 0 || $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+    cat $ERR_LOG_FILE
+    log_backup_error_exit "Backup of the ${DB_NAME} database failed and needs attention."
+  fi
+
+  log INFO "${DB_NAME}_backup" "Databases dumped successfully. Creating tarball..."
+
+  NOW=$(date +"%Y-%m-%dT%H:%M:%SZ")
+  if [[ -z "${BACK_UP_MODE}" ]]; then
+    TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${NOW}.tar.gz"
+  else
+    TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${BACK_UP_MODE}.${NOW}.tar.gz"
+  fi
+
+  cd $TMP_DIR || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot change to directory $TMP_DIR"
+
+  #Archive the current database files
+  tar zcvf $ARCHIVE_DIR/$TARBALL_FILE *
+  if [[ $? -ne 0 ]]; then
+    log_backup_error_exit \
+      "Backup ${DB_NAME} to local file system failed. Backup tarball could not be created."
+  fi
+
+  # Get the size of the file
+  ARCHIVE_SIZE=$(ls -l $ARCHIVE_DIR/$TARBALL_FILE | awk '{print $5}')
+
+  log INFO "${DB_NAME}_backup" "Tarball $TARBALL_FILE created successfully."
+
+  cd $ARCHIVE_DIR
+
+  # Remove the temporary directory and files as they are no longer needed.
+  rm -rf $TMP_DIR
+  rm -f $ERR_LOG_FILE
+
+  #Only delete the old archive after a successful archive
+  export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
+  if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
+    get_backup_prefix $(ls -1 ${ARCHIVE_DIR}/*.gz)
+    for ((i=0; i<${#PREFIXES[@]}; i++)); do
+      echo "Working with prefix: ${PREFIXES[i]}"
+      create_hash_table $(ls -1 ${ARCHIVE_DIR}/${PREFIXES[i]}*.gz)
+      remove_old_local_archives
+    done
+  fi
+
+  REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
+  if $REMOTE_BACKUP; then
+    # Remove Quotes from the constants which were added due to reading
+    # from secret.
+    export REMOTE_BACKUP_RETRIES=$(echo $REMOTE_BACKUP_RETRIES | sed 's/"//g')
+    export MIN_DELAY_SEND_REMOTE=$(echo $MIN_DELAY_SEND_REMOTE | sed 's/"//g')
+    export MAX_DELAY_SEND_REMOTE=$(echo $MAX_DELAY_SEND_REMOTE | sed 's/"//g')
+    export REMOTE_DAYS_TO_KEEP=$(echo $REMOTE_DAYS_TO_KEEP | sed 's/"//g')
+
+    store_backup_remotely $ARCHIVE_DIR $TARBALL_FILE
+    if [[ $? -ne 0 ]]; then
+      # This error should print first, then print the summary as the last
+      # thing that the user sees in the output.
+      log ERROR "${DB_NAME}_backup" "Backup ${TARBALL_FILE} could not be sent to remote RGW."
+      echo "=================================================================="
+      echo "Local backup successful, but could not send to remote RGW."
+      echo "Backup archive name: $TARBALL_FILE"
+      echo "Backup archive size: $ARCHIVE_SIZE"
+      echo "=================================================================="
+      # Because the local backup was successful, exit with 0 so the pod will not
+      # continue to restart and fill the disk with more backups. The ERRORs are
+      # logged and alerting system should catch those errors and flag the operator.
+      exit 0
+    fi
+
+    #Only delete the old archive after a successful archive
+    if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then
+      prepare_list_of_remote_backups
+      create_hash_table $(cat $DB_BACKUP_FILES)
+      remove_old_remote_archives
+    fi
+
+    echo "=================================================================="
+    echo "Local backup and backup to remote RGW successful!"
+    echo "Backup archive name: $TARBALL_FILE"
+    echo "Backup archive size: $ARCHIVE_SIZE"
+    echo "=================================================================="
+  else
+    # Remote backup is not enabled. This is ok; at least we have a local backup.
+    log INFO "${DB_NAME}_backup" "Skipping remote backup, as it is not enabled."
+
+    echo "=================================================================="
+    echo "Local backup successful!"
+    echo "Backup archive name: $TARBALL_FILE"
+    echo "Backup archive size: $ARCHIVE_SIZE"
+    echo "=================================================================="
+  fi
+}
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl b/charts/keystone/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
new file mode 100644
index 0000000..c2de3aa
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
@@ -0,0 +1,616 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.restore_main" }}
+#!/bin/bash
+
+# This file contains a database restore framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+#   source /tmp/restore_main.sh
+#
+# Then the script should call the main CLI function (cli_main):
+#   cli_main <arg_list>
+#       where:
+#         <arg_list>    is the list of arguments given by the user
+#
+#       The framework will require the following variables to be exported:
+#
+#         export DB_NAMESPACE        Namespace where the database(s) reside
+#         export DB_NAME             Name of the database system
+#         export ARCHIVE_DIR         Location where the backup tarballs should
+#                                    be stored. (full directory path which
+#                                    should already exist)
+#         export CONTAINER_NAME      Name of the container on the RGW where
+#                                    the backups are stored.
+#         RGW access variables:
+#           export OS_REGION_NAME          Name of the region the RGW resides in
+#           export OS_AUTH_URL             Keystone URL associated with the RGW
+#           export OS_PROJECT_NAME         Name of the project associated with the
+#                                          keystone user
+#           export OS_USERNAME             Name of the keystone user
+#           export OS_PASSWORD             Password of the keystone user
+#           export OS_USER_DOMAIN_NAME     Keystone domain the project belongs to
+#           export OS_PROJECT_DOMAIN_NAME  Keystone domain the user belongs to
+#           export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# The database-specific functions that need to be implemented are:
+#   get_databases
+#       where:
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <db_file>     is the full path of the file to write the database
+#                       names into, one database per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the database names from the
+#       uncompressed database files found in the given "tmp_dir", which is
+#       the staging directory for database restore. The database names
+#       should be written to the given "db_file", one database name per
+#       line.
+#
+#   get_tables
+#         <db_name>     is the name of the database to get the tables from
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <table_file>  is the full path of the file to write the table
+#                       names into, one table per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the table names from the given
+#       database, found in the uncompressed database files located in the
+#       given "tmp_dir", which is the staging directory for database restore.
+#       The table names should be written to the given "table_file", one
+#       table name per line.
+#
+#   get_rows
+#         <table_name>  is the name of the table to get the rows from
+#         <db_name>     is the name of the database the table resides in
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <rows_file>   is the full path of the file to write the table
+#                       row data into, one row (INSERT statement) per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the rows from the given table
+#       in the given database, found in the uncompressed database files
+#       located in the given "tmp_dir", which is the staging directory for
+#       database restore. The table rows should be written to the given
+#       "rows_file", one row (INSERT statement) per line.
+#
+#   get_schema
+#         <table_name>  is the name of the table to get the schema from
+#         <db_name>     is the name of the database the table resides in
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <schema_file> is the full path of the file to write the table
+#                       schema data into
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the schema from the given table
+#       in the given database, found in the uncompressed database files
+#       located in the given "tmp_dir", which is the staging directory for
+#       database restore. The table schema and related alterations and
+#       grant information should be written to the given "schema_file".
+#
+#   restore_single_db
+#       where:
+#         <db_name>     is the name of the database to be restored
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to restore the database given as "db_name"
+#       using the database files located in the "tmp_dir". The framework
+#       will delete the "tmp_dir" and the files in it after the restore is
+#       complete.
+#
+#   restore_all_dbs
+#       where:
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to restore all of the databases which
+#       are backed up in the database files located in the "tmp_dir". The
+#       framework will delete the "tmp_dir" and the files in it after the
+#       restore is complete.
+#
+# The functions in this file will take care of:
+#   1) The CLI parameter parsing for the arguments passed in by the user.
+#   2) The listing of either local or remote archive files at the request
+#      of the user.
+#   3) The retrieval/download of an archive file located either in the local
+#      file system or remotely stored on an RGW.
+#   4) Calling either "restore_single_db" or "restore_all_dbs" when the user
+#      chooses to restore a database or all databases.
+#   5) The framework will call "get_databases" when it needs a list of
+#      databases when the user requests a database list or when the user
+#      requests to restore a single database (to ensure it exists in the
+#      archive). Similarly, the framework will call "get_tables", "get_rows",
+#      or "get_schema" when it needs that data requested by the user.
+#
+
+usage() {
+  ret_val=$1
+  echo "Usage:"
+  echo "Restore command options"
+  echo "============================="
+  echo "help"
+  echo "list_archives [remote]"
+  echo "list_databases <archive_filename> [remote]"
+  echo "list_tables <archive_filename> <dbname> [remote]"
+  echo "list_rows <archive_filename> <dbname> <table_name> [remote]"
+  echo "list_schema <archive_filename> <dbname> <table_name> [remote]"
+  echo "restore <archive_filename> <db_specifier> [remote]"
+  echo "        where <db_specifier> = <dbname> | ALL"
+  echo "delete_archive <archive_filename> [remote]"
+  clean_and_exit $ret_val ""
+}
+
+#Exit cleanly with some message and return code
+clean_and_exit() {
+  RETCODE=$1
+  MSG=$2
+
+  # Clean/remove temporary directories/files
+  rm -rf $TMP_DIR
+  rm -f $RESULT_FILE
+
+  if [[ "x${MSG}" != "x" ]]; then
+    echo $MSG
+  fi
+  exit $RETCODE
+}
+
+determine_resulting_error_code() {
+  RESULT="$1"
+
+  echo ${RESULT} | grep "HTTP 404"
+  if [[ $? -eq 0 ]]; then
+    echo "Could not find the archive: ${RESULT}"
+    return 1
+  else
+    echo ${RESULT} | grep "HTTP 401"
+    if [[ $? -eq 0 ]]; then
+      echo "Could not access the archive: ${RESULT}"
+      return 1
+    else
+      echo ${RESULT} | grep "HTTP 503"
+      if [[ $? -eq 0 ]]; then
+        echo "RGW service is unavailable. ${RESULT}"
+        # In this case, the RGW may be temporarily down.
+        # Return slightly different error code so the calling code can retry
+        return 2
+      else
+        echo ${RESULT} | grep "ConnectionError"
+        if [[ $? -eq 0 ]]; then
+          echo "Could not reach the RGW: ${RESULT}"
+          # In this case, keystone or the site/node may be temporarily down.
+          # Return slightly different error code so the calling code can retry
+          return 2
+        else
+          echo "Archive ${ARCHIVE} could not be retrieved: ${RESULT}"
+          return 1
+        fi
+      fi
+    fi
+  fi
+  return 0
+}
+
+# Retrieve a list of archives from the RGW.
+retrieve_remote_listing() {
+  RESULT=$(openstack container show $CONTAINER_NAME 2>&1)
+  if [[ $? -eq 0 ]]; then
+    # Get the list, ensureing that we only pick up the right kind of backups from the
+    # requested namespace
+    openstack object list $CONTAINER_NAME | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $TMP_DIR/archive_list
+    if [[ $? -ne 0 ]]; then
+      echo "Container object listing could not be obtained."
+      return 1
+    else
+      echo "Archive listing successfully retrieved."
+    fi
+  else
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  fi
+  return 0
+}
+
+# Retrieve a single archive from the RGW.
+retrieve_remote_archive() {
+  ARCHIVE=$1
+
+  RESULT=$(openstack object save --file $TMP_DIR/$ARCHIVE $CONTAINER_NAME $ARCHIVE 2>&1)
+  if [[ $? -ne 0 ]]; then
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  else
+    echo "Archive $ARCHIVE successfully retrieved."
+  fi
+  return 0
+}
+
+# Delete an archive from the RGW.
+delete_remote_archive() {
+  ARCHIVE=$1
+
+  RESULT=$(openstack object delete ${CONTAINER_NAME} ${ARCHIVE} 2>&1)
+  if [[ $? -ne 0 ]]; then
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  else
+    echo "Archive ${ARCHIVE} successfully deleted."
+  fi
+  return 0
+}
+
+# Display all archives
+list_archives() {
+  REMOTE=$1
+
+  if [[ "x${REMOTE^^}" == "xREMOTE" ]]; then
+    retrieve_remote_listing
+    if [[ $? -eq 0 && -e $TMP_DIR/archive_list ]]; then
+      echo
+      echo "All Archives from RGW Data Store"
+      echo "=============================================="
+      cat $TMP_DIR/archive_list | sort
+      clean_and_exit 0 ""
+    else
+      clean_and_exit 1 "ERROR: Archives could not be retrieved from the RGW."
+    fi
+  elif [[ "x${REMOTE}" == "x" ]]; then
+    if [[ -d $ARCHIVE_DIR ]]; then
+      archives=$(find $ARCHIVE_DIR/ -iname "*.gz" -print | sort)
+      echo
+      echo "All Local Archives"
+      echo "=============================================="
+      for archive in $archives
+      do
+        echo $archive | cut -d '/' -f 8
+      done
+      clean_and_exit 0 ""
+    else
+      clean_and_exit 1 "ERROR: Local archive directory is not available."
+    fi
+  else
+    usage 1
+  fi
+}
+
+# Retrieve the archive from the desired location and decompress it into
+# the restore directory
+get_archive() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+
+  if [[ "x$REMOTE" == "xremote" ]]; then
+    echo "Retrieving archive ${ARCHIVE_FILE} from the remote RGW..."
+    retrieve_remote_archive $ARCHIVE_FILE
+    if [[ $? -ne 0 ]]; then
+      clean_and_exit 1 "ERROR: Could not retrieve remote archive: $ARCHIVE_FILE"
+    fi
+  elif [[ "x$REMOTE" == "x" ]]; then
+    if [[ -e $ARCHIVE_DIR/$ARCHIVE_FILE ]]; then
+      cp $ARCHIVE_DIR/$ARCHIVE_FILE $TMP_DIR/$ARCHIVE_FILE
+      if [[ $? -ne 0 ]]; then
+        clean_and_exit 1 "ERROR: Could not copy local archive to restore directory."
+      fi
+    else
+      clean_and_exit 1 "ERROR: Local archive file could not be found."
+    fi
+  else
+    usage 1
+  fi
+
+  echo "Decompressing archive $ARCHIVE_FILE..."
+  cd $TMP_DIR
+  tar zxvf - < $TMP_DIR/$ARCHIVE_FILE 1>/dev/null
+  if [[ $? -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Archive decompression failed."
+  fi
+}
+
+# Display all databases from an archive
+list_databases() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one database per line
+  get_databases $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve databases from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Databases in the $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Databases file missing. Could not list databases from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display all tables of a database from an archive
+list_tables() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  REMOTE=$3
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one table per line
+  get_tables $DATABASE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve tables for database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Tables in database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Tables file missing. Could not list tables of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display all rows of the given database table from an archive
+list_rows() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  TABLE=$3
+  REMOTE=$4
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one table per line
+  get_rows $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Rows in table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Rows file missing. Could not list rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display the schema information of the given database table from an archive
+list_schema() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  TABLE=$3
+  REMOTE=$4
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the schema information will be placed into
+  # the given schema file.
+  get_schema $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Schema for table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Schema file missing. Could not list schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Delete an archive
+delete_archive() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  if [[ "${WHERE}" == "remote" ]]; then
+    delete_remote_archive ${ARCHIVE_FILE}
+    if [[ $? -ne 0 ]]; then
+      clean_and_exit 1 "ERROR: Could not delete remote archive: ${ARCHIVE_FILE}"
+    fi
+  else # Local
+    if [[ -e ${ARCHIVE_DIR}/${ARCHIVE_FILE} ]]; then
+      rm -f ${ARCHIVE_DIR}/${ARCHIVE_FILE}
+      if [[ $? -ne 0 ]]; then
+        clean_and_exit 1 "ERROR: Could not delete local archive."
+      fi
+    else
+      clean_and_exit 1 "ERROR: Local archive file could not be found."
+    fi
+  fi
+
+  echo "Successfully deleted archive ${ARCHIVE_FILE} from ${WHERE} storage."
+}
+
+
+# Return 1 if the given database exists in the database file. 0 otherwise.
+database_exists() {
+  DB=$1
+
+  grep "${DB}" ${RESULT_FILE}
+  if [[ $? -eq 0 ]]; then
+    return 1
+  fi
+  return 0
+}
+
+# This is the main CLI interpreter function
+cli_main() {
+  ARGS=("$@")
+
+  # Create the ARCHIVE DIR if it's not already there.
+  mkdir -p $ARCHIVE_DIR
+
+  # Create temp directory for a staging area to decompress files into
+  export TMP_DIR=$(mktemp -d)
+
+  # Create a temp file for storing list of databases (if needed)
+  export RESULT_FILE=$(mktemp -p /tmp)
+
+  case "${ARGS[0]}" in
+    "help")
+      usage 0
+      ;;
+
+    "list_archives")
+      if [[ ${#ARGS[@]} -gt 2 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 1 ]]; then
+        list_archives
+      else
+        list_archives ${ARGS[1]}
+      fi
+      clean_and_exit 0
+      ;;
+
+    "list_databases")
+      if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 2 ]]; then
+        list_databases ${ARGS[1]}
+      else
+        list_databases ${ARGS[1]} ${ARGS[2]}
+      fi
+      ;;
+
+    "list_tables")
+      if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 3 ]]; then
+        list_tables ${ARGS[1]} ${ARGS[2]}
+      else
+        list_tables ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      fi
+      ;;
+
+    "list_rows")
+      if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      else
+        list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+      fi
+      ;;
+
+    "list_schema")
+      if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      else
+        list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+      fi
+      ;;
+
+    "restore")
+      REMOTE=""
+      if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        REMOTE=${ARGS[3]}
+      fi
+
+      ARCHIVE=${ARGS[1]}
+      DB_SPEC=${ARGS[2]}
+
+      #Get all the databases in that archive
+      get_archive $ARCHIVE $REMOTE
+
+      if [[ "$( echo $DB_SPEC | tr '[a-z]' '[A-Z]')" != "ALL" ]]; then
+        # Expectation is that the database listing will be put into
+        # the given file one database per line
+        get_databases $TMP_DIR $RESULT_FILE
+        if [[ "$?" -ne 0 ]]; then
+          clean_and_exit 1 "ERROR: Could not get the list of databases to restore."
+        fi
+
+        if [[ ! $DB_NAMESPACE == "kube-system" ]]; then
+          #check if the requested database is available in the archive
+          database_exists $DB_SPEC
+          if [[ $? -ne 1 ]]; then
+            clean_and_exit 1 "ERROR: Database ${DB_SPEC} does not exist."
+          fi
+        fi
+
+        echo "Restoring Database $DB_SPEC And Grants"
+        restore_single_db $DB_SPEC $TMP_DIR
+        if [[ "$?" -eq 0 ]]; then
+          echo "Single database restored successfully."
+        else
+          clean_and_exit 1 "ERROR: Single database restore failed."
+        fi
+        clean_and_exit 0 ""
+      else
+        echo "Restoring All The Databases. This could take a few minutes..."
+        restore_all_dbs $TMP_DIR
+        if [[ "$?" -eq 0 ]]; then
+          echo "All databases restored successfully."
+        else
+          clean_and_exit 1 "ERROR: Database restore failed."
+        fi
+        clean_and_exit 0 ""
+      fi
+      ;;
+    "delete_archive")
+      if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 2 ]]; then
+        delete_archive ${ARGS[1]}
+      else
+        delete_archive ${ARGS[1]} ${ARGS[2]}
+      fi
+      ;;
+    *)
+      usage 1
+      ;;
+  esac
+
+  clean_and_exit 0 ""
+}
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_image.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_image.tpl
new file mode 100644
index 0000000..029c93d
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_image.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves an image reference to a string, and its pull policy
+values: |
+  images:
+    tags:
+      test_image: docker.io/port/test:version-foo
+      image_foo: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    pull_policy: IfNotPresent
+    local_registry:
+      active: true
+      exclude:
+        - image_foo
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    local_image_registry:
+      name: docker-registry
+      namespace: docker-registry
+      hosts:
+        default: localhost
+        internal: docker-registry
+        node: localhost
+      host_fqdn_override:
+        default: null
+      port:
+        registry:
+          node: 5000
+usage: |
+  {{ tuple . "test_image" | include "helm-toolkit.snippets.image" }}
+return: |
+  image: "localhost:5000/docker.io/port/test:version-foo"
+  imagePullPolicy: IfNotPresent
+*/}}
+
+{{- define "helm-toolkit.snippets.image" -}}
+{{- $envAll := index . 0 -}}
+{{- $image := index . 1 -}}
+{{- $imageTag := index $envAll.Values.images.tags $image -}}
+{{- if and ($envAll.Values.images.local_registry.active) (not (has $image $envAll.Values.images.local_registry.exclude )) -}}
+{{- $registryPrefix := printf "%s:%s" (tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup") (tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup") -}}
+image: {{ printf "%s/%s" $registryPrefix $imageTag | quote }}
+{{- else -}}
+image: {{ $imageTag | quote }}
+{{- end }}
+imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
new file mode 100644
index 0000000..2f209fe
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a set of container enviorment variables, equivlant to an openrc for
+  use with keystone based command line clients.
+values: |
+  secrets:
+    identity:
+      admin: example-keystone-admin
+usage: |
+  {{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin ) }}
+return: |
+  - name: OS_IDENTITY_API_VERSION
+    value: "3"
+  - name: OS_AUTH_URL
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_AUTH_URL
+  - name: OS_REGION_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_REGION_NAME
+  - name: OS_INTERFACE
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_INTERFACE
+  - name: OS_ENDPOINT_TYPE
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_INTERFACE
+  - name: OS_PROJECT_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PROJECT_DOMAIN_NAME
+  - name: OS_PROJECT_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PROJECT_NAME
+  - name: OS_USER_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_USER_DOMAIN_NAME
+  - name: OS_USERNAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_USERNAME
+  - name: OS_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PASSWORD
+  - name: OS_CACERT
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_CACERT
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }}
+{{- $useCA := .useCA -}}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: OS_IDENTITY_API_VERSION
+  value: "3"
+- name: OS_AUTH_URL
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_AUTH_URL
+- name: OS_REGION_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_REGION_NAME
+- name: OS_INTERFACE
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_INTERFACE
+- name: OS_ENDPOINT_TYPE
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_INTERFACE
+- name: OS_PROJECT_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_DOMAIN_NAME
+- name: OS_PROJECT_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_NAME
+- name: OS_USER_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USER_DOMAIN_NAME
+- name: OS_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USERNAME
+- name: OS_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PASSWORD
+- name: OS_DEFAULT_DOMAIN
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_DEFAULT_DOMAIN
+{{- if $useCA }}
+- name: OS_CACERT
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_CACERT
+{{- end }}
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
new file mode 100644
index 0000000..f627657
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_secret_openrc" }}
+{{- $userClass := index . 0 -}}
+{{- $identityEndpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $userContext := index $context.Values.endpoints.identity.auth $userClass }}
+OS_AUTH_URL: {{ tuple "identity" $identityEndpoint "api" $context | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
+OS_REGION_NAME: {{ $userContext.region_name | b64enc }}
+OS_INTERFACE: {{ $userContext.interface | default "internal" | b64enc }}
+OS_PROJECT_DOMAIN_NAME: {{ $userContext.project_domain_name | b64enc }}
+OS_PROJECT_NAME: {{ $userContext.project_name | b64enc }}
+OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }}
+OS_USERNAME: {{ $userContext.username | b64enc }}
+OS_PASSWORD: {{ $userContext.password | b64enc }}
+OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }}
+{{- if $userContext.cacert }}
+OS_CACERT: {{ $userContext.cacert | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
new file mode 100644
index 0000000..648711b
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a set of container enviorment variables, for use with the keystone
+  user management jobs.
+values: |
+  secrets:
+    identity:
+      service_user: example-keystone-user
+usage: |
+  {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }}
+return: |
+  - name: SERVICE_OS_REGION_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_REGION_NAME
+  - name: SERVICE_OS_PROJECT_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PROJECT_DOMAIN_NAME
+  - name: SERVICE_OS_PROJECT_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PROJECT_NAME
+  - name: SERVICE_OS_USER_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_USER_DOMAIN_NAME
+  - name: SERVICE_OS_USERNAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_USERNAME
+  - name: SERVICE_OS_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PASSWORD
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_user_create_env_vars" }}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: SERVICE_OS_REGION_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_REGION_NAME
+- name: SERVICE_OS_PROJECT_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_DOMAIN_NAME
+- name: SERVICE_OS_PROJECT_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_NAME
+- name: SERVICE_OS_USER_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USER_DOMAIN_NAME
+- name: SERVICE_OS_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USERNAME
+- name: SERVICE_OS_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PASSWORD
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
new file mode 100644
index 0000000..8ca1028
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders a configmap used for loading custom AppArmor profiles.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+      apparmor_profiles: |-
+        my_apparmor-v1.profile: |-
+          #include <tunables/global>
+          profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+            <profile_data>
+          }
+usage: |
+  {{ dict "envAll" . "component" "myComponent" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }}
+return: |
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: releaseName-myComponent-apparmor
+  namespace: myNamespace
+data:
+  my_apparmor-v1.profile: |-
+    #include <tunables/global>
+    profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+      <profile_data>
+    }
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_configmap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- $mapName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if $envAll.Values.conf.apparmor_profiles }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ $mapName }}
+  namespace: {{ $envAll.Release.Namespace }}
+data:
+{{ $envAll.Values.conf.apparmor_profiles | toYaml | indent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
new file mode 100644
index 0000000..f231fe6
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders the init container used for apparmor loading.
+values: |
+  images:
+    tags:
+      apparmor_loader: my-repo.io/apparmor-loader:1.0.0
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+      apparmor-loader: unconfined
+usage: |
+  {{ dict "envAll" . | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" }}
+return: |
+  - name: apparmor-loader
+    image: my-repo.io/apparmor-loader:1.0.0
+    args:
+      - /profiles
+    securityContext:
+      privileged: true
+    volumeMounts:
+      - name: sys
+        mountPath: /sys
+        readOnly: true
+      - name: includes
+        mountPath: /etc/apparmor.d
+        readOnly: true
+      - name: profiles
+        mountPath: /profiles
+        readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" -}}
+{{- $envAll := index . "envAll" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+- name: apparmor-loader
+  image: {{ $envAll.Values.images.tags.apparmor_loader }}
+  args:
+    - /profiles
+  securityContext:
+    privileged: true
+  volumeMounts:
+    - name: sys
+      mountPath: /sys
+      readOnly: true
+    - name: includes
+      mountPath: /etc/apparmor.d
+      readOnly: true
+    - name: profiles
+      mountPath: /profiles
+      readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
new file mode 100644
index 0000000..baebaa3
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders the volumes used by the apparmor loader.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+inputs: |
+  envAll: "Environment or Context."
+  component: "Name of the component used for the name of configMap."
+  requireSys: "Boolean. True if it needs the hostpath /sys in volumes."
+usage: |
+  {{ dict "envAll" . "component" "keystone" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" }}
+return: |
+- name: sys
+  hostPath:
+    path: /sys
+- name: includes
+  hostPath:
+    path: /etc/apparmor.d
+- name: profiles
+  configMap:
+    name: RELEASENAME-keystone-apparmor
+    defaultMode: 0555
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_volumes" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $requireSys := index . "requireSys" | default false -}}
+{{- $configName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- if $requireSys }}
+- name: sys
+  hostPath:
+    path: /sys
+{{- end }}
+- name: includes
+  hostPath:
+    path: /etc/apparmor.d
+- name: profiles
+  configMap:
+    name: {{ $configName | quote }}
+    defaultMode: 0555
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
new file mode 100644
index 0000000..4741497
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders securityContext for a Kubernetes container.
+  For container level, see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#securitycontext-v1-core
+examples:
+  - values: |
+      pod:
+        security_context:
+          myApp:
+            container:
+              foo:
+                runAsUser: 34356
+                readOnlyRootFilesystem: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" "container" "foo" | include "helm-toolkit.snippets.kubernetes_container_security_context" }}
+    return: |
+      securityContext:
+        readOnlyRootFilesystem: true
+        runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_container_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $container := index . "container" -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{- if hasKey ( index $envAll.Values.pod.security_context $application "container" ) $container }}
+securityContext:
+{{ toYaml ( index $envAll.Values.pod.security_context $application "container" $container ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
new file mode 100644
index 0000000..bed712e
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
@@ -0,0 +1,209 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a container definition for use with the kubernetes-entrypoint image
+  from stackanetes.
+values: |
+  images:
+    tags:
+      dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    pull_policy: IfNotPresent
+    local_registry:
+      active: true
+      exclude:
+        - dep_check
+  dependencies:
+    dynamic:
+      common:
+        local_image_registry:
+          jobs:
+            - calico-image-repo-sync
+          services:
+            - endpoint: node
+              service: local_image_registry
+    static:
+      calico_node:
+        services:
+          - endpoint: internal
+            service: etcd
+        custom_resources:
+          - apiVersion: argoproj.io/v1alpha1
+            kind: Workflow
+            name: wf-example
+            fields:
+              - key: "status.phase"
+                value: "Succeeded"
+  endpoints:
+    local_image_registry:
+      namespace: docker-registry
+      hosts:
+        default: localhost
+        node: localhost
+    etcd:
+      hosts:
+        default: etcd
+  # NOTE (portdirect): if the stanza, or a portion of it, under `pod` is not
+  # specififed then the following will be used as defaults:
+  #  pod:
+  #    security_context:
+  #      kubernetes_entrypoint:
+  #        container:
+  #          kubernetes_entrypoint:
+  #            runAsUser: 65534
+  #            readOnlyRootFilesystem: true
+  #            allowPrivilegeEscalation: false
+  pod:
+    security_context:
+      kubernetes_entrypoint:
+        container:
+          kubernetes_entrypoint:
+            runAsUser: 0
+            readOnlyRootFilesystem: false
+usage: |
+  {{ tuple . "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" }}
+return: |
+  - name: init
+    image: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+    imagePullPolicy: IfNotPresent
+    securityContext:
+      allowPrivilegeEscalation: false
+      readOnlyRootFilesystem: false
+      runAsUser: 0
+
+    env:
+      - name: POD_NAME
+        valueFrom:
+          fieldRef:
+            apiVersion: v1
+            fieldPath: metadata.name
+      - name: NAMESPACE
+        valueFrom:
+          fieldRef:
+            apiVersion: v1
+            fieldPath: metadata.namespace
+      - name: INTERFACE_NAME
+        value: eth0
+      - name: PATH
+        value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+      - name: DEPENDENCY_SERVICE
+        value: "default:etcd,docker-registry:localhost"
+      - name: DEPENDENCY_JOBS
+        value: "calico-image-repo-sync"
+      - name: DEPENDENCY_DAEMONSET
+        value: ""
+      - name: DEPENDENCY_CONTAINER
+        value: ""
+      - name: DEPENDENCY_POD_JSON
+        value: ""
+      - name: DEPENDENCY_CUSTOM_RESOURCE
+        value: "[{\"apiVersion\":\"argoproj.io/v1alpha1\",\"kind\":\"Workflow\",\"namespace\":\"default\",\"name\":\"wf-example\",\"fields\":[{\"key\":\"status.phase\",\"value\":\"Succeeded\"}]}]"
+    command:
+      - kubernetes-entrypoint
+    volumeMounts:
+      []
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" -}}
+Values:
+  pod:
+    security_context:
+      kubernetes_entrypoint:
+        container:
+          kubernetes_entrypoint:
+            runAsUser: 65534
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $mounts := index . 2 -}}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+
+{{- if and ($envAll.Values.manifests.job_rabbit_init) (hasKey $envAll.Values.dependencies "dynamic") -}}
+{{- if $envAll.Values.dependencies.dynamic.job_rabbit_init -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component) ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component)) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+{{- range $deps.custom_resources }}
+{{- $_ := set . "namespace" $envAll.Release.Namespace -}}
+{{- end -}}
+{{- $default_security_context := include "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" . | fromYaml }}
+{{- $patchedEnvAll := mergeOverwrite $default_security_context $envAll }}
+- name: init
+{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
+{{- dict "envAll" $patchedEnvAll "application" "kubernetes_entrypoint" "container" "kubernetes_entrypoint" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 2 }}
+  env:
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          apiVersion: v1
+          fieldPath: metadata.name
+    - name: NAMESPACE
+      valueFrom:
+        fieldRef:
+          apiVersion: v1
+          fieldPath: metadata.namespace
+    - name: INTERFACE_NAME
+      value: eth0
+    - name: PATH
+      value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+    - name: DEPENDENCY_SERVICE
+      value: "{{ tuple $deps.services $envAll | include "helm-toolkit.utils.comma_joined_service_list" }}"
+{{- if $deps.jobs -}}
+  {{- if kindIs "string" (index $deps.jobs 0) }}
+    - name: DEPENDENCY_JOBS
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.jobs }}"
+  {{- else }}
+    - name: DEPENDENCY_JOBS_JSON
+      value: {{- toJson $deps.jobs | quote -}}
+  {{- end -}}
+{{- end }}
+    - name: DEPENDENCY_DAEMONSET
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.daemonset }}"
+    - name: DEPENDENCY_CONTAINER
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.container }}"
+    - name: DEPENDENCY_POD_JSON
+      value: {{ if $deps.pod }}{{ toJson $deps.pod | quote }}{{ else }}""{{ end }}
+    - name: DEPENDENCY_CUSTOM_RESOURCE
+      value: {{ if $deps.custom_resources }}{{ toJson $deps.custom_resources | quote }}{{ else }}""{{ end }}
+  command:
+    - kubernetes-entrypoint
+  volumeMounts:
+{{ toYaml $mounts | indent 4 }}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
new file mode 100644
index 0000000..34a7da3
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
@@ -0,0 +1,20 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_kubectl_params" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{ print "-l application=" $application " -l component=" $component }}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
new file mode 100644
index 0000000..92d3ea5
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders mandatory access control annotations for a list of containers
+  driven by values.yaml. As of now, it can only generate an apparmor
+  annotation, but in the future could generate others.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      myPodName:
+        myContainerName: localhost/myAppArmor
+        mySecondContainerName: localhost/secondProfile # optional
+        myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+  {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" }}
+return: |
+  container.apparmor.security.beta.kubernetes.io/myContainerName: localhost/myAppArmor
+  container.apparmor.security.beta.kubernetes.io/mySecondContainerName: localhost/secondProfile
+  container.apparmor.security.beta.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+  The number of container underneath is a variable arguments. It loops through
+  all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- $macType := $envAll.Values.pod.mandatory_access_control.type -}}
+{{- if $macType -}}
+{{- if eq $macType "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control $podName -}}
+{{- range $name := $containerNames -}}
+{{- $apparmorProfile := index $envAll.Values.pod.mandatory_access_control $podName $name -}}
+{{- if $apparmorProfile }}
+container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
new file mode 100644
index 0000000..48b53fa
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders a set of standardised labels
+values: |
+  release_group: null
+  pod:
+    labels:
+      default:
+        label1.example.com: value
+      bar:
+        label2.example.com: bar
+usage: |
+  {{ tuple . "foo" "bar" | include "helm-toolkit.snippets.kubernetes_metadata_labels" }}
+return: |
+  release_group: RELEASE-NAME
+  application: foo
+  component: bar
+  label1.example.com: value
+  label2.example.com: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+release_group: {{ $envAll.Values.release_group | default $envAll.Release.Name }}
+application: {{ $application }}
+component: {{ $component }}
+{{- if ($envAll.Values.pod).labels }}
+{{- if hasKey $envAll.Values.pod.labels $component }}
+{{ index $envAll.Values.pod "labels" $component | toYaml }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.labels "default" }}
+{{ $envAll.Values.pod.labels.default | toYaml }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
new file mode 100644
index 0000000..fabbcf8
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
@@ -0,0 +1,89 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes anti affinity rules, this function supports both hard
+  'requiredDuringSchedulingIgnoredDuringExecution' and soft
+  'preferredDuringSchedulingIgnoredDuringExecution' types.
+values: |
+  pod:
+    affinity:
+      anti:
+        topologyKey:
+          default: kubernetes.io/hostname
+        type:
+          default: requiredDuringSchedulingIgnoredDuringExecution
+        weight:
+          default: 10
+usage: |
+  {{ tuple . "appliction_x" "component_y" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" }}
+return: |
+  podAntiAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+    - labelSelector:
+        matchExpressions:
+          - key: release_group
+            operator: In
+            values:
+            - RELEASE-NAME
+          - key: application
+            operator: In
+            values:
+            - appliction_x
+          - key: component
+            operator: In
+            values:
+            - component_y
+          topologyKey: kubernetes.io/hostname
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $component := index . "component" -}}
+{{- $expressionRelease := dict "key" "release_group" "operator" "In"  "values" ( list ( $envAll.Values.release_group | default $envAll.Release.Name ) ) -}}
+{{- $expressionApplication := dict "key" "application" "operator" "In"  "values" ( list $application ) -}}
+{{- $expressionComponent := dict "key" "component" "operator" "In"  "values" ( list $component ) -}}
+{{- list $expressionRelease $expressionApplication $expressionComponent | toYaml }}
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{- $antiAffinityType := index $envAll.Values.pod.affinity.anti.type $component | default $envAll.Values.pod.affinity.anti.type.default }}
+{{- $antiAffinityKey := index $envAll.Values.pod.affinity.anti.topologyKey $component | default $envAll.Values.pod.affinity.anti.topologyKey.default }}
+podAntiAffinity:
+{{- $matchExpressions := include "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" ( dict "envAll" $envAll "application" $application "component" $component ) -}}
+{{- if eq $antiAffinityType "preferredDuringSchedulingIgnoredDuringExecution" }}
+  {{ $antiAffinityType }}:
+  - podAffinityTerm:
+      labelSelector:
+        matchExpressions:
+{{ $matchExpressions | indent 10 }}
+      topologyKey: {{ $antiAffinityKey }}
+{{- if  $envAll.Values.pod.affinity.anti.weight }}
+    weight: {{ index $envAll.Values.pod.affinity.anti.weight $component | default $envAll.Values.pod.affinity.anti.weight.default }}
+{{- else }}
+    weight: 10
+{{- end -}}
+{{- else if eq $antiAffinityType "requiredDuringSchedulingIgnoredDuringExecution" }}
+  {{ $antiAffinityType }}:
+  - labelSelector:
+      matchExpressions:
+{{ $matchExpressions | indent 8 }}
+    topologyKey: {{ $antiAffinityKey }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
new file mode 100644
index 0000000..74173dc
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders image pull secrets for a pod
+values: |
+  pod:
+    image_pull_secrets:
+      default:
+        - name: some-pull-secret
+      bar:
+        - name: another-pull-secret
+usage: |
+  {{ tuple . "bar" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" }}
+return: |
+  imagePullSecrets:
+    - name: some-pull-secret
+    - name: another-pull-secret
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_image_pull_secrets" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- if ($envAll.Values.pod).image_pull_secrets }}
+imagePullSecrets:
+{{- if hasKey $envAll.Values.pod.image_pull_secrets $application }}
+{{ index $envAll.Values.pod "image_pull_secrets" $application | toYaml | indent 2 }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.image_pull_secrets "default" }}
+{{ $envAll.Values.pod.image_pull_secrets.default | toYaml | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
new file mode 100644
index 0000000..90a7a65
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{{- $saName := index . 2 | replace "_" "-" }}
+{{- $saNamespace := index . 3 -}}
+{{- $releaseName := $envAll.Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $releaseName }}-{{ $saName }}
+  namespace: {{ $saNamespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $saName }}
+    namespace: {{ $saNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+  namespace: {{ $saNamespace }}
+rules:
+  - apiGroups:
+      - ""
+      - extensions
+      - batch
+      - apps
+    verbs:
+      - get
+      - list
+    resources:
+      {{- range $k, $v := $deps -}}
+      {{ if eq $v "daemonsets" }}
+      - daemonsets
+      {{- end -}}
+      {{ if eq $v "jobs" }}
+      - jobs
+      {{- end -}}
+      {{ if or (eq $v "pods") (eq $v "daemonsets") (eq $v "jobs") }}
+      - pods
+      {{- end -}}
+      {{ if eq $v "services" }}
+      - services
+      - endpoints
+      {{- end -}}
+      {{ if eq $v "secrets" }}
+      - secrets
+      {{- end -}}
+      {{- end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
new file mode 100644
index 0000000..4cc898d
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $saName := index . 2 -}}
+{{- $saNamespace := $envAll.Release.Namespace }}
+{{- $randomKey := randAlphaNum 32 }}
+{{- $allNamespace := dict $randomKey "" }}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $saName }}
+  namespace: {{ $saNamespace }}
+{{- range $k, $v := $deps -}}
+{{- if eq $k "services" }}
+{{- range $serv := $v }}
+{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
+{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
+{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
+{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- else if and (eq $k "jobs") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "daemonset") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "pod") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "pods," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "secret") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "secrets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- $_ := unset $allNamespace $randomKey }}
+{{- range $ns, $vv := $allNamespace }}
+{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
+{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
new file mode 100644
index 0000000..3a4fbaa
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
@@ -0,0 +1,67 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders securityContext for a Kubernetes pod.
+  For pod level, seurity context see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#podsecuritycontext-v1-core
+examples:
+  - values: |
+      pod:
+        # NOTE: The 'user' key is deprecated, and will be removed shortly.
+        user:
+          myApp:
+            uid: 34356
+        security_context:
+          myApp:
+            pod:
+              runAsNonRoot: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+    return: |
+      securityContext:
+        runAsUser: 34356
+        runAsNonRoot: true
+  - values: |
+      pod:
+        security_context:
+          myApp:
+            pod:
+              runAsUser: 34356
+              runAsNonRoot: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+    return: |
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+securityContext:
+{{- if hasKey $envAll.Values.pod "user" }}
+{{- if hasKey $envAll.Values.pod.user $application }}
+{{- if hasKey ( index $envAll.Values.pod.user $application ) "uid" }}
+  runAsUser: {{ index $envAll.Values.pod.user $application "uid" }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{ toYaml ( index $envAll.Values.pod.security_context $application "pod" ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
new file mode 100644
index 0000000..7470760
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes liveness and readiness probes for containers
+values: |
+  pod:
+    probes:
+      api:
+        default:
+          readiness:
+            enabled: true
+            params:
+              initialDelaySeconds: 30
+              timeoutSeconds: 30
+usage: |
+  {{- define "probeTemplate" }}
+  httpGet:
+    path: /status
+    port: 9090
+  {{- end }}
+  {{ dict "envAll" . "component" "api" "container" "default" "type" "readiness" "probeTemplate" (include "probeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" }}
+return: |
+  readinessProbe:
+    httpGet:
+      path: /status
+      port: 9090
+    initialDelaySeconds: 30
+    timeoutSeconds: 30
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_probe" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $container := index . "container" -}}
+{{- $type := index . "type" -}}
+{{- $probeTemplate := index . "probeTemplate" -}}
+{{- $probeOpts := index $envAll.Values.pod.probes $component $container $type -}}
+{{- if $probeOpts.enabled -}}
+{{- $probeOverides := index $probeOpts "params" | default dict -}}
+{{ dict ( printf "%sProbe" $type ) (mergeOverwrite $probeTemplate $probeOverides ) | toYaml }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
new file mode 100644
index 0000000..24d30cf
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
@@ -0,0 +1,53 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Note: This function is deprecated and will be removed in the future.
+
+abstract: |
+  Renders kubernetes resource limits for pods
+values: |
+  pod:
+    resources:
+      enabled: true
+      api:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+          hugepages-1Gi: "1Gi"
+
+usage: |
+  {{ include "helm-toolkit.snippets.kubernetes_resources" ( tuple . .Values.pod.resources.api ) }}
+return: |
+  resources:
+    limits:
+      cpu: "2000m"
+      memory: "1024Mi"
+      hugepages-1Gi: "1Gi"
+    requests:
+      cpu: "100m"
+      memory: "128Mi
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_resources" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- if $envAll.Values.pod.resources.enabled -}}
+resources:
+{{ toYaml $component | trim | indent 2 }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
new file mode 100644
index 0000000..555ffb0
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders seccomp annotations for a list of containers driven by values.yaml.
+values: |
+  pod:
+    seccomp:
+      myPodName:
+        myContainerName: localhost/mySeccomp
+        mySecondContainerName: localhost/secondProfile # optional
+        myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+  {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_seccomp_annotation" }}
+return: |
+  container.seccomp.security.alpha.kubernetes.io/myContainerName: localhost/mySeccomp
+  container.seccomp.security.alpha.kubernetes.io/mySecondContainerName: localhost/secondProfile
+  container.seccomp.security.alpha.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+  The number of container underneath is a variable arguments. It loops through
+  all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_seccomp_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey (index $envAll.Values.pod "seccomp") $podName -}}
+{{- range $name := $containerNames -}}
+{{- $seccompProfile := index $envAll.Values.pod.seccomp $podName $name -}}
+{{- if $seccompProfile }}
+container.seccomp.security.alpha.kubernetes.io/{{ $name }}: {{ $seccompProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
new file mode 100644
index 0000000..e4af6a6
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes tolerations for pods
+values: |
+  pod:
+    tolerations:
+      api:
+        enabled: true
+        tolerations:
+        - key: node-role.kubernetes.io/master
+          operator: Exists
+        - key: node-role.kubernetes.io/node
+          operator: Exists
+
+usage: |
+  {{ include "helm-toolkit.snippets.kubernetes_tolerations" ( tuple . .Values.pod.tolerations.api ) }}
+return: |
+  tolerations:
+  - key: node-role.kubernetes.io/master
+    operator: Exists
+  - key: node-role.kubernetes.io/node
+    operator: Exists
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_tolerations" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $pod := index $envAll.Values.pod.tolerations $component }}
+tolerations:
+{{ toYaml $pod.tolerations }}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
new file mode 100644
index 0000000..69cee47
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_daemonset" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $upgradeMap := index $envAll.Values.pod.lifecycle.upgrades.daemonsets $component -}}
+{{- $pod_replacement_strategy := $envAll.Values.pod.lifecycle.upgrades.daemonsets.pod_replacement_strategy -}}
+{{- with $upgradeMap -}}
+{{- if .enabled }}
+minReadySeconds: {{ .min_ready_seconds }}
+updateStrategy:
+  type: {{ $pod_replacement_strategy }}
+  {{- if $pod_replacement_strategy }}
+  {{- if eq $pod_replacement_strategy "RollingUpdate" }}
+  rollingUpdate:
+    maxUnavailable: {{ .max_unavailable }}
+  {{- end }}
+  {{- end }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
new file mode 100644
index 0000000..be28cdb
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_deployment" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.deployments -}}
+revisionHistoryLimit: {{ .revision_history }}
+strategy:
+  type: {{ .pod_replacement_strategy }}
+  {{- if eq .pod_replacement_strategy "RollingUpdate" }}
+  rollingUpdate:
+    maxUnavailable: {{ .rolling_update.max_unavailable }}
+    maxSurge: {{ .rolling_update.max_surge }}
+  {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
new file mode 100644
index 0000000..f897023
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders upgradeStrategy configuration for Kubernetes statefulsets.
+  See: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+  Types:
+    - RollingUpdate (default)
+    - OnDelete
+  Partitions:
+    - Stage updates to a statefulset by keeping pods at current version while
+      allowing mutations to statefulset's .spec.template
+values: |
+  pod:
+    lifecycle:
+      upgrades:
+        statefulsets:
+          pod_replacement_strategy: RollingUpdate
+          partition: 2
+usage: |
+  {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_statefulset" | indent 2 }}
+return: |
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      partition: 2
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_statefulset" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.statefulsets -}}
+updateStrategy:
+  type: {{ .pod_replacement_strategy }}
+  {{ if .partition -}}
+  rollingUpdate:
+    partition: {{ .partition }}
+  {{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
new file mode 100644
index 0000000..fc74c6f
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
@@ -0,0 +1,68 @@
+{{- define "helm-toolkit.snippets.mon_host_from_k8s_ep" -}}
+{{/*
+
+Inserts a bash function definition mon_host_from_k8s_ep() which can be used
+to construct a mon_hosts value from the given namespaced endpoint.
+
+Usage (e.g. in _script.sh.tpl):
+    #!/bin/bash
+
+    : "${NS:=ceph}"
+    : "${EP:=ceph-mon-discovery}"
+
+    {{ include "helm-toolkit.snippets.mon_host_from_k8s_ep" . }}
+
+    MON_HOST=$(mon_host_from_k8s_ep "$NS" "$EP")
+
+    if [ -z "$MON_HOST" ]; then
+        # deal with failure
+    else
+        sed -i -e "s/^mon_host = /mon_host = $MON_HOST/" /etc/ceph/ceph.conf
+    fi
+*/}}
+{{`
+# Construct a mon_hosts value from the given namespaced endpoint
+# IP x.x.x.x with port p named "mon-msgr2" will appear as [v2:x.x.x.x/p/0]
+# IP x.x.x.x with port q named "mon" will appear as [v1:x.x.x.x/q/0]
+# IP x.x.x.x with ports p and q will appear as [v2:x.x.x.x/p/0,v1:x.x.x.x/q/0]
+# The entries for all IPs will be joined with commas
+mon_host_from_k8s_ep() {
+  local ns=$1
+  local ep=$2
+
+  if [ -z "$ns" ] || [ -z "$ep" ]; then
+    return 1
+  fi
+
+  # We don't want shell expansion for the go-template expression
+  # shellcheck disable=SC2016
+  kubectl get endpoints -n "$ns" "$ep" -o go-template='
+    {{- $sep := "" }}
+    {{- range $_,$s := .subsets }}
+      {{- $v2port := 0 }}
+      {{- $v1port := 0 }}
+      {{- range $_,$port := index $s "ports" }}
+        {{- if (eq $port.name "mon-msgr2") }}
+          {{- $v2port = $port.port }}
+        {{- else if (eq $port.name "mon") }}
+          {{- $v1port = $port.port }}
+        {{- end }}
+      {{- end }}
+      {{- range $_,$address := index $s "addresses" }}
+        {{- $v2endpoint := printf "v2:%s:%d/0" $address.ip $v2port }}
+        {{- $v1endpoint := printf "v1:%s:%d/0" $address.ip $v1port }}
+        {{- if (and $v2port $v1port) }}
+          {{- printf "%s[%s,%s]" $sep $v2endpoint $v1endpoint }}
+          {{- $sep = "," }}
+        {{- else if $v2port }}
+          {{- printf "%s[%s]" $sep $v2endpoint }}
+          {{- $sep = "," }}
+        {{- else if $v1port }}
+          {{- printf "%s[%s]" $sep $v1endpoint }}
+          {{- $sep = "," }}
+        {{- end }}
+      {{- end }}
+    {{- end }}'
+}
+`}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
new file mode 100644
index 0000000..fec41f8
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape jobs via pod
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape pods that have a value of `true`
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: Scrape the pod on the indicated port instead of the
+# pod's declared ports (default is a port-free target if none are declared).
+
+{{- define "helm-toolkit.snippets.prometheus_pod_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
new file mode 100644
index 0000000..a827c4b
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
@@ -0,0 +1,35 @@
+{{/*
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+   http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape endpoints via
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape services that have a value of `true`
+# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
+# to set this to `https` & most likely set the `tls_config` of the scrape config.
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: If the metrics are exposed on a different port to the
+# service then set this appropriately.
+
+{{- define "helm-toolkit.snippets.prometheus_service_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.scheme }}
+prometheus.io/scheme: {{ $config.scheme | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_release_uuid.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
new file mode 100644
index 0000000..253920b
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Reneders an attonation key and value for a release
+values: |
+  release_uuid: null
+usage: |
+  {{ tuple . | include "helm-toolkit.snippets.release_uuid" }}
+return: |
+  "openstackhelm.openstack.org/release_uuid": ""
+*/}}
+
+{{- define "helm-toolkit.snippets.release_uuid" -}}
+{{- $envAll := index . 0 -}}
+"openstackhelm.openstack.org/release_uuid": {{ $envAll.Values.release_uuid | default "" | quote }}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
new file mode 100644
index 0000000..a3169ce
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_admin_env_vars" }}
+{{- $s3AdminSecret := .s3AdminSecret }}
+- name: S3_ADMIN_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_USERNAME
+- name: S3_ADMIN_ACCESS_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_ACCESS_KEY
+- name: S3_ADMIN_SECRET_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_SECRET_KEY
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
new file mode 100644
index 0000000..a611a5e
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_secret_creds" }}
+{{- range $client, $config := .Values.storage.s3.clients -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+type: Opaque
+data:
+{{- range $key, $value := $config.auth }}
+  {{ $key | upper }}: {{ $value | toString | b64enc}}
+{{- end }}
+
+{{ end }}
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
new file mode 100644
index 0000000..a3dd431
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_user_env_vars" }}
+{{- range $client, $user := .Values.storage.s3.clients }}
+{{- $s3secret := printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+- name: {{ printf "%s_S3_USERNAME" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: USERNAME
+- name: {{ printf "%s_S3_ACCESS_KEY" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: ACCESS_KEY
+- name: {{ printf "%s_S3_SECRET_KEY" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: SECRET_KEY
+{{- end }}
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_tls_volume.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
new file mode 100644
index 0000000..41fe3d9
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+  Renders a secret volume for tls.
+
+  Dictionary Parameters:
+    enabled: boolean check if you want to conditional disable this snippet (optional)
+    name: name of the volume (required)
+    secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional)
+
+values: |
+  manifests:
+    certificates: true
+
+usage: |
+  {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume" -}}
+
+return: |
+  - name: glance-tls-api
+    secret:
+      secretName: glance-tls-api
+      defaultMode: 292
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $secretName := index . "secretName" | default $name -}}
+{{- if and $enabled (ne $name "") }}
+- name: {{ $name }}
+  secret:
+    secretName: {{ $secretName }}
+    defaultMode: 292
+{{- end }}
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
new file mode 100644
index 0000000..9cfa819
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
@@ -0,0 +1,82 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+  Renders a volume mount for TLS key, cert and CA.
+
+  Dictionary Parameters:
+    enabled: boolean check if you want to conditional disable this snippet (optional)
+    name: name that of the volume and should match the volume name (required)
+    path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required)
+    certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}.
+          the default is the full set. (optional)
+
+values: |
+  manifests:
+    certificates: true
+
+usage: |
+  {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/tls.crt
+    subPath: tls.crt
+    readOnly: true
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/tls.key
+    subPath: tls.key
+    readOnly: true
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/ca.crt
+    subPath: ca.crt
+    readOnly: true
+
+abstract: |
+  This mounts a specific issuing CA only for service validation
+
+usage: |
+  {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+  - name: glance-tls-api
+    mountPath: /etc/ssl/certs/openstack-helm.crt
+    subPath: ca.crt
+    readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume_mount" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $path := index . "path" | default "" -}}
+{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }}
+{{- if $enabled }}
+{{- if and (eq $path "") (ne $name "") }}
+- name: {{ $name }}
+  mountPath: "/etc/ssl/certs/openstack-helm.crt"
+  subPath: ca.crt
+  readOnly: true
+{{- else }}
+{{- if ne $name "" }}
+{{- range $key, $value := $certs }}
+- name: {{ $name }}
+  mountPath: {{ printf "%s/%s" $path $value }}
+  subPath: {{ $value }}
+  readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
new file mode 100644
index 0000000..6e9d5a1
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
@@ -0,0 +1,87 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders out configuration sections into a format suitable for incorporation
+  into a config-map. Allowing various forms of input to be rendered out as
+  appropriate.
+values: |
+  conf:
+    inputs:
+      - foo
+      - bar
+    some:
+      config_to_render: |
+        #We can use all of gotpl here: eg macros, ranges etc.
+        {{ include "helm-toolkit.utils.joinListWithComma" .Values.conf.inputs }}
+      config_to_complete:
+        #here we can fill out params, but things need to be valid yaml as input
+        '{{ .Release.Name }}': '{{ printf "%s-%s" .Release.Namespace "namespace" }}'
+      static_config:
+        #this is just passed though as yaml to the configmap
+        foo: bar
+usage: |
+  {{- $envAll := . }}
+  ---
+  apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: application-etc
+  data:
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_render "key" "config_to_render.conf") | indent 2 }}
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_complete "key" "config_to_complete.yaml") | indent 2 }}
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.static_config "key" "static_config.yaml") | indent 2 }}
+return: |
+  ---
+  apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: application-etc
+  data:
+    config_to_render.conf: |
+      #We can use all of gotpl here: eg macros, ranges etc.
+      foo,bar
+
+    config_to_complete.yaml: |
+      'RELEASE-NAME': 'default-namespace'
+
+    static_config.yaml: |
+      foo: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.values_template_renderer" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $template := index . "template" -}}
+{{- $key := index . "key" -}}
+{{- $format := index . "format" | default "configMap" -}}
+{{- with $envAll -}}
+{{- $templateRendered := tpl ( $template | toYaml ) . }}
+{{- if eq $format "Secret" }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: {{ regexReplaceAllLiteral "\n  " ( $templateRendered | trimPrefix "|\n" | trimPrefix "  " ) "\n" | b64enc }}
+{{- else }}
+{{ $key }}: {{ $templateRendered | b64enc }}
+{{- end -}}
+{{- else }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: |
+{{ regexReplaceAllLiteral "\n  " ( $templateRendered | trimPrefix "|\n" | trimPrefix "  " ) "\n" | indent 2 }}
+{{- else }}
+{{ $key }}: |
+{{ $templateRendered | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl b/charts/keystone/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
new file mode 100644
index 0000000..6d617a1
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
@@ -0,0 +1,94 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Produces a certificate from a certificate authority. If the "encode" parameter
+  is true, base64 encode the values for inclusion in a Kubernetes secret.
+values: |
+  test:
+    hosts:
+      names:
+        - barbican.openstackhelm.example
+        - barbican.openstack.svc.cluster.local
+      ips:
+        - 127.0.0.1
+        - 192.168.0.1
+    life: 3
+    # Use ca.crt and ca.key to build a customized ca, if they are provided.
+    # Use hosts.names[0] and life to auto-generate a ca, if ca is not provided.
+    ca:
+      crt: |
+        <CA CRT>
+      key: |
+        <CA PRIVATE KEY>
+usage: |
+  {{ include "helm-toolkit.utils.tls_generate_certs" (dict "params" .Values.test) }}
+return: |
+  ca: |
+    <CA CRT>
+  crt: |
+    <CRT>
+  exp: 2018-09-01T10:56:07.895392915-00:00
+  key: |
+    <CRT PRIVATE KEY>
+*/}}
+
+{{- define "helm-toolkit.utils.tls_generate_certs" -}}
+{{- $params := index . "params" -}}
+{{- $encode := index . "encode" | default false -}}
+{{- $local := dict -}}
+
+{{- $_hosts := $params.hosts.names | default list }}
+{{- if kindIs "string" $params.hosts.names }}
+{{- $_ := set $local "certHosts" (list $params.hosts.names) }}
+{{- else }}
+{{- $_ := set $local "certHosts" $_hosts }}
+{{- end }}
+
+{{- $_ips := $params.hosts.ips | default list }}
+{{- if kindIs "string" $params.hosts.ips }}
+{{- $_ := set $local "certIps" (list $params.hosts.ips) }}
+{{- else }}
+{{- $_ := set $local "certIps" $_ips }}
+{{- end }}
+
+{{- if hasKey $params "ca" }}
+{{- if and (hasKey $params.ca "crt") (hasKey $params.ca "key") }}
+{{- $ca := buildCustomCert ($params.ca.crt | b64enc ) ($params.ca.key | b64enc ) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+{{- else }}
+{{- $ca := genCA (first $local.certHosts) (int $params.life) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+
+{{- $expDate := date_in_zone "2006-01-02T15:04:05Z07:00" ( date_modify (printf "+%sh" (mul $params.life 24 |toString)) now ) "UTC" }}
+{{- $rawCert := genSignedCert (first $local.certHosts) ($local.certIps) ($local.certHosts) (int $params.life) $local.ca }}
+{{- $certificate := dict -}}
+{{- if $encode -}}
+{{- $_ := b64enc $rawCert.Cert | set $certificate "crt" -}}
+{{- $_ := b64enc $rawCert.Key | set $certificate "key" -}}
+{{- $_ := b64enc $local.ca.Cert | set $certificate "ca" -}}
+{{- $_ := b64enc $local.ca.Key | set $certificate "caKey" -}}
+{{- $_ := b64enc $expDate | set $certificate "exp" -}}
+{{- else -}}
+{{- $_ := set $certificate "crt" $rawCert.Cert -}}
+{{- $_ := set $certificate "key" $rawCert.Key -}}
+{{- $_ := set $certificate "ca" $local.ca.Cert -}}
+{{- $_ := set $certificate "caKey" $local.ca.Key -}}
+{{- $_ := set $certificate "exp" $expDate -}}
+{{- end -}}
+{{- $certificate | toYaml }}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl b/charts/keystone/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
new file mode 100644
index 0000000..e26501f
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a comma separated list of namespace:service pairs.
+values: |
+  dependencies:
+    static:
+      api:
+        services:
+          - endpoint: internal
+            service: oslo_cache
+          - endpoint: internal
+            service: oslo_db
+  endpoints:
+    oslo_db:
+      namespace: foo
+      hosts:
+        default: mariadb
+    oslo_cache:
+      namespace: bar
+      hosts:
+        default: memcache
+usage: |
+  {{ tuple .Values.dependencies.static.api.services . | include "helm-toolkit.utils.comma_joined_service_list" }}
+return: |
+  bar:memcache,foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.utils.comma_joined_service_list" -}}
+{{- $deps := index . 0 -}}
+{{- $envAll := index . 1 -}}
+{{- range $k, $v := $deps -}}{{- if $k -}},{{- end -}}{{ tuple $v.service $v.endpoint $envAll | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}{{- end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/utils/_configmap_templater.tpl b/charts/keystone/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
new file mode 100644
index 0000000..7095c19
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
@@ -0,0 +1,30 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.configmap_templater" }}
+{{- $keyRoot := index . 0 -}}
+{{- $configTemplate := index . 1 -}}
+{{- $context := index . 2 -}}
+{{ if $keyRoot.override -}}
+{{ $keyRoot.override | indent 4 }}
+{{- else -}}
+{{- if $keyRoot.prefix -}}
+{{ $keyRoot.prefix | indent 4 }}
+{{- end }}
+{{ tuple $configTemplate $context | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if $keyRoot.append -}}
+{{ $keyRoot.append | indent 4 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl b/charts/keystone/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
new file mode 100644
index 0000000..40359f0
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
@@ -0,0 +1,269 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.daemonset_overrides" }}
+  {{- $daemonset := index . 0 }}
+  {{- $daemonset_yaml := index . 1 }}
+  {{- $configmap_include := index . 2 }}
+  {{- $configmap_name := index . 3 }}
+  {{- $context := index . 4 }}
+  {{- $_ := unset $context ".Files" }}
+  {{- $daemonset_root_name := printf (print $context.Chart.Name "_" $daemonset) }}
+  {{- $_ := set $context.Values "__daemonset_list" list }}
+  {{- $_ := set $context.Values "__default" dict }}
+  {{- if hasKey $context.Values.conf "overrides" }}
+    {{- range $key, $val := $context.Values.conf.overrides }}
+
+      {{- if eq $key $daemonset_root_name }}
+        {{- range $type, $type_data := . }}
+
+          {{- if eq $type "hosts" }}
+            {{- range $host_data := . }}
+              {{/* dictionary that will contain all info needed to generate this
+              iteration of the daemonset */}}
+              {{- $current_dict := dict }}
+
+              {{/* set daemonset name */}}
+              {{/* Note: long hostnames can cause the 63 char name limit to be
+              exceeded. Truncate the hostname if hostname > 20 char */}}
+              {{- if gt (len $host_data.name) 20 }}
+                {{- $_ := set $current_dict "name" (substr 0 20 $host_data.name) }}
+              {{- else }}
+                {{- $_ := set $current_dict "name" $host_data.name }}
+              {{- end }}
+
+              {{/* apply overrides */}}
+              {{- $override_conf_copy := $host_data.conf }}
+              {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+              {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+              {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+              {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+              {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+              {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+              {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+              {{- $_ := set $current_dict "nodeData" $root_conf_copy4 }}
+
+              {{/* Schedule to this host explicitly. */}}
+              {{- $nodeSelector_dict := dict }}
+
+              {{- $_ := set $nodeSelector_dict "key" "kubernetes.io/hostname" }}
+              {{- $_ := set $nodeSelector_dict "operator" "In" }}
+
+              {{- $values_list := list $host_data.name }}
+              {{- $_ := set $nodeSelector_dict "values" $values_list }}
+
+              {{- $list_aggregate := list $nodeSelector_dict }}
+              {{- $_ := set $current_dict "matchExpressions" $list_aggregate }}
+
+              {{/* store completed daemonset entry/info into global list */}}
+              {{- $list_aggregate := append $context.Values.__daemonset_list $current_dict }}
+              {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+            {{- end }}
+          {{- end }}
+
+          {{- if eq $type "labels" }}
+            {{- $_ := set $context.Values "__label_list" . }}
+            {{- range $label_data := . }}
+              {{/* dictionary that will contain all info needed to generate this
+              iteration of the daemonset. */}}
+              {{- $_ := set $context.Values "__current_label" dict }}
+
+              {{/* set daemonset name */}}
+              {{- $_ := set $context.Values.__current_label "name" $label_data.label.key }}
+
+              {{/* apply overrides */}}
+              {{- $override_conf_copy := $label_data.conf }}
+              {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+              {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+              {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+              {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+              {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+              {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+              {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+              {{- $_ := set $context.Values.__current_label "nodeData" $root_conf_copy4 }}
+
+              {{/* Schedule to the provided label value(s) */}}
+              {{- $label_dict := omit $label_data.label "NULL" }}
+              {{- $_ := set $label_dict "operator" "In" }}
+              {{- $list_aggregate := list $label_dict }}
+              {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+
+              {{/* Do not schedule to other specified labels, with higher
+              precedence as the list position increases. Last defined label
+              is highest priority. */}}
+              {{- $other_labels := without $context.Values.__label_list $label_data }}
+              {{- range $label_data2 := $other_labels }}
+                {{- $label_dict := omit $label_data2.label "NULL" }}
+
+                {{- $_ := set $label_dict "operator" "NotIn" }}
+
+                {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+                {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+              {{- end }}
+              {{- $_ := set $context.Values "__label_list" $other_labels }}
+
+              {{/* Do not schedule to any other specified hosts */}}
+              {{- range $type, $type_data := $val }}
+                {{- if eq $type "hosts" }}
+                  {{- range $host_data := . }}
+                    {{- $label_dict := dict }}
+
+                    {{- $_ := set $label_dict "key" "kubernetes.io/hostname" }}
+                    {{- $_ := set $label_dict "operator" "NotIn" }}
+
+                    {{- $values_list := list $host_data.name }}
+                    {{- $_ := set $label_dict "values" $values_list }}
+
+                    {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+                    {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+                  {{- end }}
+                {{- end }}
+              {{- end }}
+
+              {{/* store completed daemonset entry/info into global list */}}
+              {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__current_label }}
+              {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+              {{- $_ := unset $context.Values "__current_label" }}
+
+            {{- end }}
+          {{- end }}
+        {{- end }}
+
+        {{/* scheduler exceptions for the default daemonset */}}
+        {{- $_ := set $context.Values.__default "matchExpressions" list }}
+
+        {{- range $type, $type_data := . }}
+          {{/* Do not schedule to other specified labels */}}
+          {{- if eq $type "labels" }}
+            {{- range $label_data := . }}
+              {{- $default_dict := omit $label_data.label "NULL" }}
+
+              {{- $_ := set $default_dict "operator" "NotIn" }}
+
+              {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+              {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+            {{- end }}
+          {{- end }}
+          {{/* Do not schedule to other specified hosts */}}
+          {{- if eq $type "hosts" }}
+            {{- range $host_data := . }}
+              {{- $default_dict := dict }}
+
+              {{- $_ := set $default_dict "key" "kubernetes.io/hostname" }}
+              {{- $_ := set $default_dict "operator" "NotIn" }}
+
+              {{- $values_list := list $host_data.name }}
+              {{- $_ := set $default_dict "values" $values_list }}
+
+              {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+              {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+            {{- end }}
+          {{- end }}
+        {{- end }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+
+  {{/* generate the default daemonset */}}
+
+  {{/* set name */}}
+  {{- $_ := set $context.Values.__default "name" "default" }}
+
+  {{/* no overrides apply, so copy as-is */}}
+  {{- $root_conf_copy1 := omit $context.Values.conf "overrides" }}
+  {{- $root_conf_copy2 := dict "conf" $root_conf_copy1 }}
+  {{- $context_values := omit $context.Values "conf" }}
+  {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+  {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+  {{- $_ := set $context.Values.__default "nodeData" $root_conf_copy4 }}
+
+  {{/* add to global list */}}
+  {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__default }}
+  {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+  {{- range $current_dict := $context.Values.__daemonset_list }}
+
+    {{- $context_novalues := omit $context "Values" }}
+    {{- $merged_dict := mergeOverwrite $context_novalues $current_dict.nodeData }}
+    {{- $_ := set $current_dict "nodeData" $merged_dict }}
+    {{/* Deep copy original daemonset_yaml */}}
+    {{- $_ := set $context.Values "__daemonset_yaml" ($daemonset_yaml | toYaml | fromYaml) }}
+
+    {{/* name needs to be a DNS-1123 compliant name. Ensure lower case */}}
+    {{- $name_format1 := printf (print $daemonset_root_name "-" $current_dict.name) | lower }}
+    {{/* labels may contain underscores which would be invalid here, so we replace them with dashes
+    there may be other valid label names which would make for an invalid DNS-1123 name
+    but these will be easier to handle in future with sprig regex* functions
+    (not availabile in helm 2.5.1) */}}
+    {{- $name_format2 := $name_format1 | replace "_" "-" }}
+    {{/* To account for the case where the same label is defined multiple times in overrides
+    (but with different label values), we add a sha of the scheduling data to ensure
+    name uniqueness */}}
+    {{- $_ := set $current_dict "dns_1123_name" dict }}
+    {{- if hasKey $current_dict "matchExpressions" }}
+      {{- $_ := set $current_dict "dns_1123_name" (printf (print $name_format2 "-" ($current_dict.matchExpressions | quote | sha256sum | trunc 8))) }}
+    {{- else }}
+      {{- $_ := set $current_dict "dns_1123_name" $name_format2 }}
+    {{- end }}
+
+    {{/* set daemonset metadata name */}}
+    {{- if not $context.Values.__daemonset_yaml.metadata }}{{- $_ := set $context.Values.__daemonset_yaml "metadata" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }}
+    {{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }}
+
+    {{/* cross-reference configmap name to container volume definitions */}}
+    {{- $_ := set $context.Values "__volume_list" list }}
+    {{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }}
+      {{- $_ := set $context.Values "__volume" $current_volume }}
+      {{- if hasKey $context.Values.__volume "secret" }}
+        {{- if eq $context.Values.__volume.secret.secretName $configmap_name }}
+          {{- $_ := set $context.Values.__volume.secret "secretName" $current_dict.dns_1123_name }}
+        {{- end }}
+      {{- end }}
+      {{- $updated_list := append $context.Values.__volume_list $context.Values.__volume }}
+      {{- $_ := set $context.Values "__volume_list" $updated_list }}
+    {{- end }}
+    {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "volumes" $context.Values.__volume_list }}
+
+
+    {{/* populate scheduling restrictions */}}
+    {{- if hasKey $current_dict "matchExpressions" }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "spec" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "affinity" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity "nodeAffinity" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity "requiredDuringSchedulingIgnoredDuringExecution" dict }}{{- end }}
+      {{- $match_exprs := dict }}
+      {{- $_ := set $match_exprs "matchExpressions" $current_dict.matchExpressions }}
+      {{- $appended_match_expr := list $match_exprs }}
+      {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution "nodeSelectorTerms" $appended_match_expr }}
+    {{- end }}
+
+    {{/* input value hash for current set of values overrides */}}
+    {{- if not $context.Values.__daemonset_yaml.spec }}{{- $_ := set $context.Values.__daemonset_yaml "spec" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template }}{{- $_ := set $context.Values.__daemonset_yaml.spec "template" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template.metadata }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "metadata" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template.metadata.annotations }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata "annotations" dict }}{{- end }}
+    {{- $cmap := list $current_dict.dns_1123_name $current_dict.nodeData | include $configmap_include }}
+    {{- $values_hash := $cmap | quote | sha256sum }}
+    {{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata.annotations "configmap-etc-hash" $values_hash }}
+
+    {{/* generate configmap */}}
+---
+{{ $cmap }}
+    {{/* generate daemonset yaml */}}
+---
+{{ $context.Values.__daemonset_yaml | toYaml }}
+  {{- end }}
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl b/charts/keystone/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
new file mode 100644
index 0000000..b99c00d
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.dependency_resolver" }}
+{{- $envAll := index . "envAll" -}}
+{{- $dependencyMixinParam := index . "dependencyMixinParam" -}}
+{{- $dependencyKey := index . "dependencyKey" -}}
+{{- if $dependencyMixinParam -}}
+{{- $_ := set $envAll.Values "pod_dependency" dict -}}
+{{- if kindIs "string" $dependencyMixinParam }}
+{{- if ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam ) }}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency ( index $envAll.Values.dependencies.static $dependencyKey ) ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam $dependencyKey ) ) -}}
+{{- else }}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- end }}
+{{- else if kindIs "slice" $dependencyMixinParam }}
+{{- $_ := set $envAll.Values "__deps" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- range $k, $v := $dependencyMixinParam -}}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency $envAll.Values.__deps ( index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey ) ) -}}
+{{- $_ := set $envAll.Values "__deps" $envAll.Values.pod_dependency -}}
+{{- end }}
+{{- end }}
+{{- else -}}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) -}}
+{{- end -}}
+{{ $envAll.Values.pod_dependency | toYaml }}
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/utils/_hash.tpl b/charts/keystone/charts/helm-toolkit/templates/utils/_hash.tpl
new file mode 100644
index 0000000..d871b62
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/utils/_hash.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.hash" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{- include $wtf $context | sha256sum | quote -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/utils/_host_list.tpl b/charts/keystone/charts/helm-toolkit/templates/utils/_host_list.tpl
new file mode 100644
index 0000000..0c32136
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/utils/_host_list.tpl
@@ -0,0 +1,44 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a list of unique hosts for an endpoint, in yaml.
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: mariadb
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.utils.host_list" }}
+return: |
+  hosts:
+  - mariadb
+  - mariadb.default
+*/}}
+
+{{- define "helm-toolkit.utils.host_list" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $host_fqdn := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $host_namespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $host_short := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{/* It is important that the FQDN host is 1st in this list, to ensure other function can use the 1st element for cert gen CN etc */}}
+{{- $host_list := list $host_fqdn $host_namespaced $host_short | uniq }}
+{{- dict "hosts" $host_list | toYaml }}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/utils/_image_sync_list.tpl b/charts/keystone/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
new file mode 100644
index 0000000..51923b6
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.image_sync_list" -}}
+{{- $imageExcludeList := .Values.images.local_registry.exclude -}}
+{{- $imageDict := .Values.images.tags -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := $imageDict -}}
+{{- if not $local.first -}},{{- end -}}
+{{- if (not (has $k $imageExcludeList )) -}}
+{{- index $imageDict $k -}}
+{{- $_ := set $local "first" false -}}
+{{- end -}}{{- end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl b/charts/keystone/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
new file mode 100644
index 0000000..5eb5785
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a comma separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithComma" .Values.test }}
+return: |
+  foo,bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithComma" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl b/charts/keystone/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
new file mode 100644
index 0000000..3bc6819
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a comma seperated string with single quotes
+  around each value.
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.test }}
+return: |
+  'foo','bar'
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}'{{- $v -}}'{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl b/charts/keystone/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
new file mode 100644
index 0000000..40ebb15
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
@@ -0,0 +1,32 @@
+{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of prefixed values into a space separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ tuple "prefix" .Values.test | include "helm-toolkit.utils.joinListWithPrefix" }}
+return: |
+  prefixfoo prefixbar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithPrefix" -}}
+{{- $prefix := index . 0 -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := index . 1 -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $prefix -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl b/charts/keystone/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
new file mode 100644
index 0000000..5912280
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a space separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithSpace" .Values.test }}
+return: |
+  foo bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithSpace" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/utils/_merge.tpl b/charts/keystone/charts/helm-toolkit/templates/utils/_merge.tpl
new file mode 100644
index 0000000..ea80546
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/utils/_merge.tpl
@@ -0,0 +1,135 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Takes a tuple of values and merges into the first (target) one each subsequent
+(source) one in order. If all values to merge are maps, then the tuple can be
+passed as is and the target will be the result, otherwise pass a map with a
+"values" key containing the tuple of values to merge, and the merge result will
+be assigned to the "result" key of the passed map.
+
+When merging maps, for each key in the source, if the target does not define
+that key, the source value is assigned. If both define the key, then the key
+values are merged using this algorithm (recursively) and the result is assigned
+to the target key. Slices are merged by appending them and removing any
+duplicates, and when passing a map to this function and including a
+"merge_same_named" key set to true, then map items from the slices with the same
+value for the "name" key will be merged with each other. Any other values are
+merged by simply keeping the source, and throwing away the target.
+*/}}
+
+{{- define "helm-toolkit.utils.merge" -}}
+  {{- $local := dict -}}
+  {{- $_ := set $local "merge_same_named" false -}}
+  {{- if kindIs "map" $ -}}
+    {{- $_ := set $local "values" $.values -}}
+    {{- if hasKey $ "merge_same_named" -}}
+      {{- $_ := set $local "merge_same_named" $.merge_same_named -}}
+    {{- end -}}
+  {{- else -}}
+    {{- $_ := set $local "values" $ -}}
+  {{- end -}}
+
+  {{- $target := first $local.values -}}
+  {{- range $item := rest $local.values -}}
+    {{- $call := dict "target" $target "source" . "merge_same_named" $local.merge_same_named -}}
+    {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+    {{- $_ := set $local "result" $call.result -}}
+  {{- end -}}
+
+  {{- if kindIs "map" $ -}}
+    {{- $_ := set $ "result" $local.result -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge" -}}
+  {{- $local := dict -}}
+
+  {{- $_ := set $ "result" $.source -}}
+
+  {{/*
+  TODO: Should we `fail` when trying to merge a collection (map or slice) with
+  either a different kind of collection or a scalar?
+  */}}
+
+  {{- if and (kindIs "map" $.target) (kindIs "map" $.source) -}}
+    {{- range $key, $sourceValue := $.source -}}
+      {{- if not (hasKey $.target $key) -}}
+        {{- $_ := set $local "newTargetValue" $sourceValue -}}
+        {{- if kindIs "map" $sourceValue -}}
+          {{- $copy := dict -}}
+          {{- $call := dict "target" $copy "source" $sourceValue -}}
+          {{- $_ := include "helm-toolkit.utils._merge.shallow" $call -}}
+          {{- $_ := set $local "newTargetValue" $copy -}}
+        {{- end -}}
+      {{- else -}}
+        {{- $targetValue := index $.target $key -}}
+        {{- $call := dict "target" $targetValue "source" $sourceValue "merge_same_named" $.merge_same_named -}}
+        {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+        {{- $_ := set $local "newTargetValue" $call.result -}}
+      {{- end -}}
+      {{- $_ := set $.target $key $local.newTargetValue -}}
+    {{- end -}}
+    {{- $_ := set $ "result" $.target -}}
+  {{- else if and (kindIs "slice" $.target) (kindIs "slice" $.source) -}}
+    {{- $call := dict "target" $.target "source" $.source -}}
+    {{- $_ := include "helm-toolkit.utils._merge.append_slice" $call -}}
+    {{- if $.merge_same_named -}}
+      {{- $_ := set $local "result" list -}}
+      {{- $_ := set $local "named_items" dict -}}
+      {{- range $item := $call.result -}}
+      {{- $_ := set $local "has_name_key" false -}}
+        {{- if kindIs "map" $item -}}
+          {{- if hasKey $item "name" -}}
+            {{- $_ := set $local "has_name_key" true -}}
+          {{- end -}}
+        {{- end -}}
+
+        {{- if $local.has_name_key -}}
+          {{- if hasKey $local.named_items $item.name -}}
+            {{- $named_item := index $local.named_items $item.name -}}
+            {{- $call := dict "target" $named_item "source" $item "merge_same_named" $.merge_same_named -}}
+            {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+          {{- else -}}
+            {{- $copy := dict -}}
+            {{- $copy_call := dict "target" $copy "source" $item -}}
+            {{- $_ := include "helm-toolkit.utils._merge.shallow" $copy_call -}}
+            {{- $_ := set $local.named_items $item.name $copy -}}
+            {{- $_ := set $local "result" (append $local.result $copy) -}}
+          {{- end -}}
+        {{- else -}}
+          {{- $_ := set $local "result" (append $local.result $item) -}}
+        {{- end -}}
+      {{- end -}}
+    {{- else -}}
+      {{- $_ := set $local "result" $call.result -}}
+    {{- end -}}
+    {{- $_ := set $ "result" (uniq $local.result) -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.shallow" -}}
+  {{- range $key, $value := $.source -}}
+    {{- $_ := set $.target $key $value -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.append_slice" -}}
+  {{- $local := dict -}}
+  {{- $_ := set $local "result" $.target -}}
+  {{- range $value := $.source -}}
+    {{- $_ := set $local "result" (append $local.result $value) -}}
+  {{- end -}}
+  {{- $_ := set $ "result" $local.result -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/utils/_template.tpl b/charts/keystone/charts/helm-toolkit/templates/utils/_template.tpl
new file mode 100644
index 0000000..da56aa0
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/utils/_template.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.template" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{ include $wtf $context }}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/utils/_to_ini.tpl b/charts/keystone/charts/helm-toolkit/templates/utils/_to_ini.tpl
new file mode 100644
index 0000000..a159364
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/utils/_to_ini.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns INI formatted output from yaml input
+values: |
+  conf:
+    paste:
+      filter:debug:
+        use: egg:oslo.middleware#debug
+      filter:request_id:
+        use: egg:oslo.middleware#request_id
+      filter:build_auth_context:
+        use: egg:keystone#build_auth_context
+usage: |
+  {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste }}
+return: |
+  [filter:build_auth_context]
+  use = egg:keystone#build_auth_context
+  [filter:debug]
+  use = egg:oslo.middleware#debug
+  [filter:request_id]
+  use = egg:oslo.middleware#request_id
+*/}}
+
+{{- define "helm-toolkit.utils.to_ini" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{else -}}
+{{ $key }} = {{ $value }}
+{{end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl b/charts/keystone/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
new file mode 100644
index 0000000..885a86c
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns yaml formatted to be used in k8s templates as container
+  env vars injected via secrets. This requires a secret-<chartname> template to
+  be defined in the chart that can be used to house the desired secret
+  variables. For reference, see the fluentd chart.
+values: |
+  test:
+    secrets:
+      foo: bar
+
+usage: |
+  {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+  - name: foo
+    valueFrom:
+      secretKeyRef:
+        name: "my-release-name-env-secret"
+        key: foo
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_secret_vars" -}}
+{{- $context := index . 0 -}}
+{{- $secrets := index . 1 -}}
+{{ range $key, $config := $secrets -}}
+- name: {{ $key }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ printf "%s-%s" $context.Release.Name "env-secret" | quote }}
+      key: {{ $key }}
+{{ end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl b/charts/keystone/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
new file mode 100644
index 0000000..829dca6
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
@@ -0,0 +1,39 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns key value pair formatted to be used in k8s templates as container
+  env vars.
+values: |
+  test:
+    foo: bar
+usage: |
+  {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+  - name: foo
+    value: "bar"
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_vars" -}}
+{{range $key, $value := . -}}
+{{- if kindIs "slice" $value -}}
+- name: {{ $key }}
+  value: {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{else -}}
+- name: {{ $key }}
+  value: {{ $value | quote }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/utils/_to_kv_list.tpl b/charts/keystone/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
new file mode 100644
index 0000000..91bdeb6
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
@@ -0,0 +1,42 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns key value pair in INI format (key = value)
+values: |
+  conf:
+    libvirt:
+      log_level: 3
+usage: |
+  {{ include "helm-toolkit.utils.to_kv_list" .Values.conf.libvirt }}
+return: |
+  log_level = 3
+*/}}
+
+{{- define "helm-toolkit.utils.to_kv_list" -}}
+{{- range $key, $value :=  . -}}
+{{- if kindIs "slice" $value }}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{- else if kindIs "string" $value }}
+{{- if regexMatch "^[0-9]+$" $value }}
+{{ $key }} = {{ $value }}
+{{- else }}
+{{ $key }} = {{ $value | quote }}
+{{- end }}
+{{- else }}
+{{ $key }} = {{ $value }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl b/charts/keystone/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
new file mode 100644
index 0000000..622a862
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns OSLO.conf formatted output from yaml input
+values: |
+  conf:
+    keystone:
+      DEFAULT: # Keys at this level are used for section headings
+        max_token_size: 255
+      oslo_messaging_notifications:
+        driver: # An example of a multistring option's syntax
+          type: multistring
+          values:
+            - messagingv2
+            - log
+      oslo_messaging_notifications_stein:
+        driver: # An example of a csv option's syntax
+          type: csv
+          values:
+            - messagingv2
+            - log
+      security_compliance:
+        password_expires_ignore_user_ids:
+        # Values in a list will be converted to a comma separated key
+          - "123"
+          - "456"
+usage: |
+  {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.keystone }}
+return: |
+  [DEFAULT]
+  max_token_size = 255
+  [oslo_messaging_notifications]
+  driver = messagingv2
+  driver = log
+  [oslo_messaging_notifications_stein]
+  driver = messagingv2,log
+  [security_compliance]
+  password_expires_ignore_user_ids = 123,456
+*/}}
+
+{{- define "helm-toolkit.utils.to_oslo_conf" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{ range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{ else if kindIs "map" $value -}}
+{{- if eq $value.type "multistring" }}
+{{- range $k, $multistringValue := $value.values -}}
+{{ $key }} = {{ $multistringValue }}
+{{ end -}}
+{{ else if eq $value.type "csv" -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value.values }}
+{{ end -}}
+{{- else -}}
+{{ $key }} = {{ $value }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/values.yaml b/charts/keystone/charts/helm-toolkit/values.yaml
new file mode 100644
index 0000000..681a92b
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/values.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for utils.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
diff --git a/charts/keystone/requirements.lock b/charts/keystone/requirements.lock
new file mode 100644
index 0000000..6d50cc5
--- /dev/null
+++ b/charts/keystone/requirements.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: helm-toolkit
+  repository: file://../../openstack-helm-infra/helm-toolkit
+  version: 0.2.36
+digest: sha256:7815f273587bf686278d58f0c6e9c86c37f220ef3f3c1e83edc478613082fef4
+generated: "2022-03-24T05:04:09.692437746Z"
diff --git a/charts/keystone/requirements.yaml b/charts/keystone/requirements.yaml
new file mode 100644
index 0000000..4124d01
--- /dev/null
+++ b/charts/keystone/requirements.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+  - name: helm-toolkit
+    repository: file://../../openstack-helm-infra/helm-toolkit
+    version: ">= 0.1.0"
diff --git a/charts/keystone/templates/bin/_bootstrap.sh.tpl b/charts/keystone/templates/bin/_bootstrap.sh.tpl
new file mode 100644
index 0000000..c325824
--- /dev/null
+++ b/charts/keystone/templates/bin/_bootstrap.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+{{ .Values.bootstrap.script | default "echo 'Not Enabled'" }}
diff --git a/charts/keystone/templates/bin/_cred-clean.py.tpl b/charts/keystone/templates/bin/_cred-clean.py.tpl
new file mode 100644
index 0000000..e01c3fc
--- /dev/null
+++ b/charts/keystone/templates/bin/_cred-clean.py.tpl
@@ -0,0 +1,137 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+   http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+#!/usr/bin/python
+
+# Drops db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+    import ConfigParser
+    PARSER_OPTS = {}
+except ImportError:
+    import configparser as ConfigParser
+    PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Drop')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter(
+    '%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+    db_connection = os.environ['ROOT_DB_CONNECTION']
+    logger.info('Got DB root connection')
+else:
+    logger.critical('environment variable ROOT_DB_CONNECTION not set')
+    sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+    ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+                        'key': '/etc/mysql/certs/tls.key',
+                        'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+    os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+    if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+        os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+    else:
+        logger.critical(
+            'environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+        sys.exit(1)
+    if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+        os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+        sys.exit(1)
+    try:
+        config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+        logger.info("Using {0} as db config source".format(os_conf))
+        config.read(os_conf)
+        logger.info("Trying to load db config from {0}:{1}".format(
+            os_conf_section, os_conf_key))
+        user_db_conn = config.get(os_conf_section, os_conf_key)
+        logger.info("Got config from {0}".format(os_conf))
+    except:
+        logger.critical(
+            "Tried to load config from {0} but failed.".format(os_conf))
+        raise
+elif "DB_CONNECTION" in os.environ:
+    user_db_conn = os.environ['DB_CONNECTION']
+    logger.info('Got config from DB_CONNECTION env var')
+else:
+    logger.critical(
+        'Could not get db config, either from config file or env var')
+    sys.exit(1)
+
+# Root DB engine
+try:
+    root_engine_full = create_engine(db_connection)
+    root_user = root_engine_full.url.username
+    root_password = root_engine_full.url.password
+    drivername = root_engine_full.url.drivername
+    host = root_engine_full.url.host
+    port = root_engine_full.url.port
+    root_engine_url = ''.join([drivername, '://', root_user, ':',
+                               root_password, '@', host, ':', str(port)])
+    root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+    connection = root_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+        host, port, root_user))
+except:
+    logger.critical('Could not connect to database as root user')
+    raise
+
+# User DB engine
+try:
+    user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+    # Get our user data out of the user_engine
+    database = user_engine.url.database
+    user = user_engine.url.username
+    password = user_engine.url.password
+    logger.info('Got user db config')
+except:
+    logger.critical('Could not get user database config')
+    raise
+
+# Delete all entries from credential table
+
+try:
+    cmd = "DELETE FROM credential"
+    user_engine.execute(cmd)
+    logger.info('Deleted all entries in credential table')
+except:
+    logger.critical('Failed to clean up credential table in keystone db')
+    raise
+
+logger.info('Finished DB Management')
diff --git a/charts/keystone/templates/bin/_db-sync.sh.tpl b/charts/keystone/templates/bin/_db-sync.sh.tpl
new file mode 100644
index 0000000..3c26488
--- /dev/null
+++ b/charts/keystone/templates/bin/_db-sync.sh.tpl
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+keystone-manage --config-file=/etc/keystone/keystone.conf db_sync
+keystone-manage --config-file=/etc/keystone/keystone.conf bootstrap \
+    --bootstrap-username ${OS_USERNAME} \
+    --bootstrap-password ${OS_PASSWORD} \
+    --bootstrap-project-name ${OS_PROJECT_NAME} \
+    --bootstrap-admin-url ${OS_BOOTSTRAP_ADMIN_URL} \
+    --bootstrap-public-url ${OS_BOOTSTRAP_PUBLIC_URL} \
+    --bootstrap-internal-url ${OS_BOOTSTRAP_INTERNAL_URL} \
+    --bootstrap-region-id ${OS_REGION_NAME}
+
+exec python /tmp/endpoint-update.py
diff --git a/charts/keystone/templates/bin/_domain-manage-init.sh.tpl b/charts/keystone/templates/bin/_domain-manage-init.sh.tpl
new file mode 100644
index 0000000..8ede300
--- /dev/null
+++ b/charts/keystone/templates/bin/_domain-manage-init.sh.tpl
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+{{- range $k, $v := .Values.conf.ks_domains }}
+openstack --debug domain create --or-show {{ $k }}
+{{- end }}
diff --git a/charts/keystone/templates/bin/_domain-manage.py.tpl b/charts/keystone/templates/bin/_domain-manage.py.tpl
new file mode 100644
index 0000000..7e19e2e
--- /dev/null
+++ b/charts/keystone/templates/bin/_domain-manage.py.tpl
@@ -0,0 +1,59 @@
+#!/usr/bin/python
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+import json
+import os
+import requests
+import sys
+
+def main(args):
+    base_url, token, domainId, filename = args[1], args[2], args[3], args[5]
+    url = "%s/domains/%s/config" % (base_url, domainId)
+    print("Connecting to url: %r" % url)
+
+    headers = {
+        'Content-Type': "application/json",
+        'X-Auth-Token': token,
+        'Cache-Control': "no-cache"
+    }
+
+    verify = os.getenv('OS_CACERT', True)
+
+    response = requests.request("GET", url, headers=headers, verify=verify)
+
+    if response.status_code == 404:
+        print("domain config not found - put")
+        action = "PUT"
+    else:
+        print("domain config found - patch")
+        action = "PATCH"
+
+    with open(filename, "rb") as f:
+        data = {"config": json.load(f)}
+
+    response = requests.request(action, url,
+                                data=json.dumps(data),
+                                headers=headers, verify=verify)
+
+    print("Response code on action [%s]: %s" % (action, response.status_code))
+    # Put and Patch can return 200 or 201. If it is not a 2XX code, error out.
+    if (response.status_code // 100) != 2:
+        sys.exit(1)
+
+
+if __name__ == "__main__":
+    if len(sys.argv) != 6:
+        sys.exit(1)
+    main(sys.argv)
diff --git a/charts/keystone/templates/bin/_domain-manage.sh.tpl b/charts/keystone/templates/bin/_domain-manage.sh.tpl
new file mode 100644
index 0000000..a697f11
--- /dev/null
+++ b/charts/keystone/templates/bin/_domain-manage.sh.tpl
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -e
+endpt={{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+path={{ .Values.conf.keystone.identity.domain_config_dir | default "/etc/keystone/domains" }}
+
+{{- range $k, $v := .Values.conf.ks_domains }}
+
+filename=${path}/keystone.{{ $k }}.json
+python /tmp/domain-manage.py \
+    $endpt \
+    $(openstack token issue -f value -c id) \
+    $(openstack domain show {{ $k }} -f value -c id) \
+    {{ $k }} $filename
+
+{{- end }}
diff --git a/charts/keystone/templates/bin/_endpoint-update.py.tpl b/charts/keystone/templates/bin/_endpoint-update.py.tpl
new file mode 100644
index 0000000..bb4d7b9
--- /dev/null
+++ b/charts/keystone/templates/bin/_endpoint-update.py.tpl
@@ -0,0 +1,113 @@
+#!/usr/bin/env python
+import os
+import logging
+import sys
+
+from sqlalchemy import create_engine
+
+try:
+    import ConfigParser
+    PARSER_OPTS = {}
+except ImportError:
+    import configparser as ConfigParser
+    PARSER_OPTS = {"strict": False}
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm Keystone Endpoint management')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter(
+    '%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+    os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+    if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+        os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+    else:
+        logger.critical(
+            'environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+        sys.exit(1)
+    if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+        os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+        sys.exit(1)
+    try:
+        config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+        logger.info("Using {0} as db config source".format(os_conf))
+        config.read(os_conf)
+        logger.info("Trying to load db config from {0}:{1}".format(
+            os_conf_section, os_conf_key))
+        user_db_conn = config.get(os_conf_section, os_conf_key)
+        logger.info("Got config from {0}".format(os_conf))
+    except:
+        logger.critical(
+            "Tried to load config from {0} but failed.".format(os_conf))
+        raise
+elif "DB_CONNECTION" in os.environ:
+    user_db_conn = os.environ['DB_CONNECTION']
+    logger.info('Got config from DB_CONNECTION env var')
+else:
+    logger.critical(
+        'Could not get db config, either from config file or env var')
+    sys.exit(1)
+
+# User DB engine
+try:
+    user_engine = create_engine(user_db_conn)
+except:
+    logger.critical('Could not get user database config')
+    raise
+
+# Set Internal Endpoint
+try:
+    endpoint_url = os.environ['OS_BOOTSTRAP_INTERNAL_URL']
+    cmd = ("update endpoint set url = %s where interface ='internal' and "
+           "service_id = (select id from service where "
+           "service.type = 'identity')")
+    user_engine.execute(cmd, (endpoint_url,))
+except:
+    logger.critical("Could not update internal endpoint")
+    raise
+
+# Set Admin Endpoint
+try:
+    endpoint_url = os.environ['OS_BOOTSTRAP_ADMIN_URL']
+    cmd = ("update endpoint set url = %s where interface ='admin' "
+           "and service_id = (select id from service where "
+           "service.type = 'identity')")
+    user_engine.execute(cmd, (endpoint_url,))
+except:
+    logger.critical("Could not update admin endpoint")
+    raise
+
+# Set Public Endpoint
+try:
+    endpoint_url = os.environ['OS_BOOTSTRAP_PUBLIC_URL']
+    cmd = ("update endpoint set url = %s where interface ='public' "
+           "and service_id = (select id from service where "
+           "service.type = 'identity')")
+    user_engine.execute(cmd, (endpoint_url,))
+except:
+    logger.critical("Could not update public endpoint")
+    raise
+
+# Print endpoints
+try:
+    endpoints = user_engine.execute(
+        ("select interface, url from endpoint where service_id = "
+         "(select id from service where service.type = 'identity')")
+    ).fetchall()
+    for row in endpoints:
+        logger.info("endpoint ({0}): {1}".format(row[0], row[1]))
+except:
+    logger.critical("Could not update endpoint")
+    raise
+
+logger.info('Finished Endpoint Management')
diff --git a/charts/keystone/templates/bin/_fernet-manage.py.tpl b/charts/keystone/templates/bin/_fernet-manage.py.tpl
new file mode 100644
index 0000000..804d769
--- /dev/null
+++ b/charts/keystone/templates/bin/_fernet-manage.py.tpl
@@ -0,0 +1,186 @@
+#!/usr/bin/env python
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+import argparse
+import base64
+import errno
+import grp
+import logging
+import os
+import pwd
+import re
+import six
+import subprocess  #nosec
+import sys
+import time
+
+import requests
+
+FERNET_DIR = os.environ['KEYSTONE_KEYS_REPOSITORY']
+KEYSTONE_USER = os.environ['KEYSTONE_USER']
+KEYSTONE_GROUP = os.environ['KEYSTONE_GROUP']
+NAMESPACE = os.environ['KUBERNETES_NAMESPACE']
+
+# k8s connection data
+KUBE_HOST = None
+KUBE_CERT = '/var/run/secrets/kubernetes.io/serviceaccount/ca.crt'
+KUBE_TOKEN = None
+
+LOG_DATEFMT = "%Y-%m-%d %H:%M:%S"
+LOG_FORMAT = "%(asctime)s.%(msecs)03d - %(levelname)s - %(message)s"
+logging.basicConfig(format=LOG_FORMAT, datefmt=LOG_DATEFMT)
+LOG = logging.getLogger(__name__)
+LOG.setLevel(logging.INFO)
+
+
+def read_kube_config():
+    global KUBE_HOST, KUBE_TOKEN
+    KUBE_HOST = "https://%s:%s" % ('kubernetes.default',
+                                   os.environ['KUBERNETES_SERVICE_PORT'])
+    with open('/var/run/secrets/kubernetes.io/serviceaccount/token', 'r') as f:
+        KUBE_TOKEN = f.read()
+
+
+def get_secret_definition(name):
+    url = '%s/api/v1/namespaces/%s/secrets/%s' % (KUBE_HOST, NAMESPACE, name)
+    resp = requests.get(url,
+                        headers={'Authorization': 'Bearer %s' % KUBE_TOKEN},
+                        verify=KUBE_CERT)
+    if resp.status_code != 200:
+        LOG.error('Cannot get secret %s.', name)
+        LOG.error(resp.text)
+        return None
+    return resp.json()
+
+
+def update_secret(name, secret):
+    url = '%s/api/v1/namespaces/%s/secrets/%s' % (KUBE_HOST, NAMESPACE, name)
+    resp = requests.put(url,
+                        json=secret,
+                        headers={'Authorization': 'Bearer %s' % KUBE_TOKEN},
+                        verify=KUBE_CERT)
+    if resp.status_code != 200:
+        LOG.error('Cannot update secret %s.', name)
+        LOG.error(resp.text)
+        return False
+    return True
+
+
+def read_from_files():
+    keys = [name for name in os.listdir(FERNET_DIR) if os.path.isfile(FERNET_DIR + name)
+            and re.match("^\d+$", name)]
+    data = {}
+    for key in keys:
+        with open(FERNET_DIR + key, 'r') as f:
+            data[key] = f.read()
+    if len(list(keys)):
+        LOG.debug("Keys read from files: %s", keys)
+    else:
+        LOG.warn("No keys were read from files.")
+    return data
+
+
+def get_keys_data():
+    keys = read_from_files()
+    return dict([(key, base64.b64encode(value.encode()).decode())
+                for (key, value) in six.iteritems(keys)])
+
+
+def write_to_files(data):
+    if not os.path.exists(os.path.dirname(FERNET_DIR)):
+        try:
+            os.makedirs(os.path.dirname(FERNET_DIR))
+        except OSError as exc: # Guard against race condition
+            if exc.errno != errno.EEXIST:
+                raise
+        uid = pwd.getpwnam(KEYSTONE_USER).pw_uid
+        gid = grp.getgrnam(KEYSTONE_GROUP).gr_gid
+        os.chown(FERNET_DIR, uid, gid)
+
+    for (key, value) in six.iteritems(data):
+        with open(FERNET_DIR + key, 'w') as f:
+            decoded_value = base64.b64decode(value).decode()
+            f.write(decoded_value)
+            LOG.debug("Key %s: %s", key, decoded_value)
+    LOG.info("%s keys were written", len(data))
+
+
+def execute_command(cmd):
+    LOG.info("Executing 'keystone-manage %s --keystone-user=%s "
+             "--keystone-group=%s' command.",
+             cmd, KEYSTONE_USER, KEYSTONE_GROUP)
+    subprocess.call(['keystone-manage', cmd,  #nosec
+                     '--keystone-user=%s' % KEYSTONE_USER,
+                     '--keystone-group=%s' % KEYSTONE_GROUP])
+
+def main():
+    parser = argparse.ArgumentParser()
+    parser.add_argument('command', choices=['fernet_setup', 'fernet_rotate',
+                                            'credential_setup',
+                                            'credential_rotate'])
+    args = parser.parse_args()
+
+    is_credential = args.command.startswith('credential')
+
+    SECRET_NAME = ('keystone-credential-keys' if is_credential else
+                   'keystone-fernet-keys')
+
+    read_kube_config()
+    secret = get_secret_definition(SECRET_NAME)
+    if not secret:
+        LOG.error("Secret '%s' does not exist.", SECRET_NAME)
+        sys.exit(1)
+
+    if args.command in ('fernet_rotate', 'credential_rotate'):
+        LOG.info("Copying existing %s keys from secret '%s' to %s.",
+                 'credential' if is_credential else 'fernet', SECRET_NAME,
+                 FERNET_DIR)
+        write_to_files(secret['data'])
+
+    if args.command in ('credential_setup', 'fernet_setup'):
+        if secret.get('data', False):
+            LOG.info('Keys already exist, skipping setup...')
+            sys.exit(0)
+
+    execute_command(args.command)
+
+    LOG.info("Updating data for '%s' secret.", SECRET_NAME)
+    updated_keys = get_keys_data()
+    secret['data'] = updated_keys
+    if not update_secret(SECRET_NAME, secret):
+        sys.exit(1)
+    LOG.info("%s fernet keys have been placed to secret '%s'",
+             len(updated_keys), SECRET_NAME)
+    LOG.debug("Placed keys: %s", updated_keys)
+    LOG.info("%s keys %s has been completed",
+             "Credential" if is_credential else 'Fernet',
+             "rotation" if args.command.endswith('_rotate') else "generation")
+
+    if args.command == 'credential_rotate':
+        # `credential_rotate` needs doing `credential_migrate` as well once all
+        # of the nodes have the new keys. So we'll sleep configurable amount of
+        # time to make sure k8s reloads the secrets in all pods and then
+        # execute `credential_migrate`.
+
+        migrate_wait = int(os.getenv('KEYSTONE_CREDENTIAL_MIGRATE_WAIT', "60"))
+        LOG.info("Waiting %d seconds to execute `credential_migrate`.",
+                 migrate_wait)
+        time.sleep(migrate_wait)
+
+        execute_command('credential_migrate')
+
+if __name__ == "__main__":
+    main()
diff --git a/charts/keystone/templates/bin/_keystone-api.sh.tpl b/charts/keystone/templates/bin/_keystone-api.sh.tpl
new file mode 100644
index 0000000..d735067
--- /dev/null
+++ b/charts/keystone/templates/bin/_keystone-api.sh.tpl
@@ -0,0 +1,61 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+COMMAND="${@:-start}"
+
+function start () {
+
+  for KEYSTONE_WSGI_SCRIPT in keystone-wsgi-public; do
+    cp -a $(type -p ${KEYSTONE_WSGI_SCRIPT}) /var/www/cgi-bin/keystone/
+  done
+
+  {{- if .Values.conf.software.apache2.a2enmod }}
+    {{- range .Values.conf.software.apache2.a2enmod }}
+  a2enmod {{ . }}
+    {{- end }}
+  {{- end }}
+
+  {{- if .Values.conf.software.apache2.a2dismod }}
+    {{- range .Values.conf.software.apache2.a2dismod }}
+  a2dismod {{ . }}
+    {{- end }}
+  {{- end }}
+
+  if [ -f /etc/apache2/envvars ]; then
+     # Loading Apache2 ENV variables
+     source /etc/apache2/envvars
+  fi
+
+  if [ -f /var/run/apache2/apache2.pid ]; then
+     # Remove the stale pid for debian/ubuntu images
+     rm -f /var/run/apache2/apache2.pid
+  fi
+
+  # Start Apache2
+  exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
+}
+
+function stop () {
+  if [ -f /etc/apache2/envvars ]; then
+     # Loading Apache2 ENV variables
+     source /etc/apache2/envvars
+  fi
+  {{ .Values.conf.software.apache2.binary }} -k graceful-stop
+}
+
+$COMMAND
diff --git a/charts/keystone/templates/certificates.yaml b/charts/keystone/templates/certificates.yaml
new file mode 100644
index 0000000..f8a73c4
--- /dev/null
+++ b/charts/keystone/templates/certificates.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal -}}
+{{ dict "envAll" . "service" "identity" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
+{{- end -}}
diff --git a/charts/keystone/templates/configmap-bin.yaml b/charts/keystone/templates/configmap-bin.yaml
new file mode 100644
index 0000000..45512d3
--- /dev/null
+++ b/charts/keystone/templates/configmap-bin.yaml
@@ -0,0 +1,58 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+{{- $rallyTests := .Values.conf.rally_tests }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: keystone-bin
+data:
+{{- if .Values.images.local_registry.active }}
+  image-repo-sync.sh: |
+{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
+{{- end }}
+{{- if .Values.bootstrap.enabled }}
+  bootstrap.sh: |
+{{ tuple "bin/_bootstrap.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+  rally-test.sh: |
+{{ tuple $rallyTests | include "helm-toolkit.scripts.rally_test" | indent 4 }}
+  ks-user.sh: |
+{{- include "helm-toolkit.scripts.keystone_user" . | indent 4 }}
+  cred-clean.py: |
+{{ tuple "bin/_cred-clean.py.tpl" . | include "helm-toolkit.utils.template" |indent 4}}
+  db-init.py: |
+{{- include "helm-toolkit.scripts.db_init" . | indent 4 }}
+  db-sync.sh: |
+{{ tuple "bin/_db-sync.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  db-drop.py: |
+{{- include "helm-toolkit.scripts.db_drop" . | indent 4 }}
+  keystone-api.sh: |
+{{ tuple "bin/_keystone-api.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  endpoint-update.py: |
+{{ tuple "bin/_endpoint-update.py.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  fernet-manage.py: |
+{{ tuple "bin/_fernet-manage.py.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  domain-manage-init.sh: |
+{{ tuple "bin/_domain-manage-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  domain-manage.sh: |
+{{ tuple "bin/_domain-manage.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  domain-manage.py: |
+{{ tuple "bin/_domain-manage.py.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  rabbit-init.sh: |
+{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }}
+{{- end }}
diff --git a/charts/keystone/templates/configmap-etc.yaml b/charts/keystone/templates/configmap-etc.yaml
new file mode 100644
index 0000000..4b7f046
--- /dev/null
+++ b/charts/keystone/templates/configmap-etc.yaml
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_etc }}
+{{- $envAll := . }}
+
+{{- if empty .Values.conf.keystone.database.connection -}}
+{{- $connection := tuple "oslo_db" "internal" "keystone" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- if and .Values.manifests.certificates .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.keystone.database "connection" -}}
+{{- else -}}
+{{- $_ := set .Values.conf.keystone.database "connection" $connection -}}
+{{- end -}}
+{{- end -}}
+
+{{- if empty .Values.conf.keystone.DEFAULT.transport_url -}}
+{{- $_ := tuple "oslo_messaging" "internal" "keystone" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" | set .Values.conf.keystone.DEFAULT "transport_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.keystone.cache.memcache_servers -}}
+{{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.keystone.cache "memcache_servers" -}}
+{{- end -}}
+
+{{- if and (empty .Values.conf.logging.handler_fluent) (has "fluent" .Values.conf.logging.handlers.keys) -}}
+{{- $fluentd_host := tuple "fluentd" "internal" $envAll | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $fluentd_port := tuple "fluentd" "internal" "service" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .Release.Name $fluentd_host $fluentd_port }}
+{{- $handler_fluent := dict "class" "fluent.handler.FluentHandler" "formatter" "fluent" "args" $fluent_args -}}
+{{- $_ := set .Values.conf.logging "handler_fluent" $handler_fluent -}}
+{{- end -}}
+
+{{- if and (empty .Values.conf.logging.formatter_fluent) (has "fluent" .Values.conf.logging.formatters.keys) -}}
+{{- $formatter_fluent := dict "class" "oslo_log.formatters.FluentFormatter" -}}
+{{- $_ := set .Values.conf.logging "formatter_fluent" $formatter_fluent -}}
+{{- end -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keystone-etc
+type: Opaque
+data:
+  rally_tests.yaml: {{ toYaml .Values.conf.rally_tests.tests | b64enc }}
+  keystone.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.keystone | b64enc }}
+  logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.logging | b64enc }}
+  policy.yaml: {{ toYaml .Values.conf.policy | b64enc }}
+  access_rules.json: {{ toJson .Values.conf.access_rules | b64enc }}
+  ports.conf: ''
+{{- range $k, $v := .Values.conf.ks_domains }}
+  keystone.{{ $k }}.json: {{ toJson $v | b64enc }}
+{{- end }}
+{{- if .Values.conf.security }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.security "key" "security.conf" "format" "Secret" ) | indent 2 }}
+{{- end}}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.mpm_event "key" "mpm_event.conf" "format" "Secret" ) | indent 2 }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_keystone "key" "wsgi-keystone.conf" "format" "Secret" ) | indent 2 }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.sso_callback_template "key" "sso_callback_template.html" "format" "Secret" ) | indent 2 }}
+{{- end }}
diff --git a/charts/keystone/templates/cron-job-credential-rotate.yaml b/charts/keystone/templates/cron-job-credential-rotate.yaml
new file mode 100644
index 0000000..fd26b23
--- /dev/null
+++ b/charts/keystone/templates/cron-job-credential-rotate.yaml
@@ -0,0 +1,132 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.cron_credential_rotate }}
+{{- $envAll := . }}
+
+{{- $mounts_keystone_credential_rotate := .Values.pod.mounts.keystone_credential_rotate.keystone_credential_rotate }}
+{{- $mounts_keystone_credential_rotate_init := .Values.pod.mounts.keystone_credential_rotate.init_container }}
+
+{{- $serviceAccountName := "keystone-credential-rotate" }}
+{{ tuple $envAll "credential_rotate" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $serviceAccountName }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - create
+      - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $serviceAccountName }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $serviceAccountName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $serviceAccountName }}
+    namespace: {{ $envAll.Release.Namespace }}
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: keystone-credential-rotate
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+  schedule: {{ .Values.jobs.credential_rotate.cron | quote }}
+  successfulJobsHistoryLimit: {{ .Values.jobs.credential_rotate.history.success }}
+  failedJobsHistoryLimit: {{ .Values.jobs.credential_rotate.history.failed }}
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    metadata:
+      labels:
+{{ tuple $envAll "keystone" "credential-rotate" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+    spec:
+      template:
+        metadata:
+          labels:
+{{ tuple $envAll "keystone" "credential-rotate" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 12 }}
+        spec:
+          serviceAccountName: {{ $serviceAccountName }}
+          initContainers:
+{{ tuple $envAll "credential_rotate" $mounts_keystone_credential_rotate_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 12 }}
+          restartPolicy: OnFailure
+          nodeSelector:
+            {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+          containers:
+            - name: keystone-credential-rotate
+{{ tuple $envAll "keystone_credential_rotate" | include "helm-toolkit.snippets.image" | indent 14 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.credential_rotate | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
+              env:
+                - name: KEYSTONE_USER
+                  value: {{ .Values.jobs.credential_rotate.user | quote }}
+                - name: KEYSTONE_GROUP
+                  value: {{ .Values.jobs.credential_rotate.group | quote }}
+                - name: KUBERNETES_NAMESPACE
+                  value: {{ .Release.Namespace | quote }}
+                - name: KEYSTONE_KEYS_REPOSITORY
+                  value: {{ .Values.conf.keystone.credential.key_repository | quote }}
+                - name: KEYSTONE_CREDENTIAL_MIGRATE_WAIT
+                  value: {{ .Values.jobs.credential_rotate.migrate_wait | quote }}
+              command:
+                - python
+                - /tmp/fernet-manage.py
+                - credential_rotate
+              volumeMounts:
+                - name: pod-tmp
+                  mountPath: /tmp
+                - name: etckeystone
+                  mountPath: /etc/keystone
+                - name: keystone-etc
+                  mountPath: /etc/keystone/keystone.conf
+                  subPath: keystone.conf
+                  readOnly: true
+                {{- if .Values.conf.keystone.DEFAULT.log_config_append }}
+                - name: keystone-etc
+                  mountPath: {{ .Values.conf.keystone.DEFAULT.log_config_append }}
+                  subPath: {{ base .Values.conf.keystone.DEFAULT.log_config_append }}
+                  readOnly: true
+                {{- end }}
+                - name: keystone-bin
+                  mountPath: /tmp/fernet-manage.py
+                  subPath: fernet-manage.py
+                  readOnly: true
+{{ if $mounts_keystone_credential_rotate.volumeMounts }}{{ toYaml $mounts_keystone_credential_rotate.volumeMounts | indent 16 }}{{ end }}
+          volumes:
+            - name: pod-tmp
+              emptyDir: {}
+            - name: etckeystone
+              emptyDir: {}
+            - name: keystone-etc
+              secret:
+                secretName: keystone-etc
+                defaultMode: 0444
+            - name: keystone-bin
+              configMap:
+                name: keystone-bin
+                defaultMode: 0555
+{{ if $mounts_keystone_credential_rotate.volumes }}{{ toYaml $mounts_keystone_credential_rotate.volumes | indent 12 }}{{ end }}
+{{- end }}
diff --git a/charts/keystone/templates/cron-job-fernet-rotate.yaml b/charts/keystone/templates/cron-job-fernet-rotate.yaml
new file mode 100644
index 0000000..8f4f4f9
--- /dev/null
+++ b/charts/keystone/templates/cron-job-fernet-rotate.yaml
@@ -0,0 +1,134 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.cron_fernet_rotate }}
+{{- if eq .Values.conf.keystone.token.provider "fernet" }}
+{{- $envAll := . }}
+
+{{- $mounts_keystone_fernet_rotate := .Values.pod.mounts.keystone_fernet_rotate.keystone_fernet_rotate }}
+{{- $mounts_keystone_fernet_rotate_init := .Values.pod.mounts.keystone_fernet_rotate.init_container }}
+
+{{- $serviceAccountName := "keystone-fernet-rotate" }}
+{{ tuple $envAll "fernet_rotate" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $serviceAccountName }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - create
+      - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $serviceAccountName }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $serviceAccountName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $serviceAccountName }}
+    namespace: {{ $envAll.Release.Namespace }}
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: keystone-fernet-rotate
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+  schedule: {{ .Values.jobs.fernet_rotate.cron | quote }}
+  successfulJobsHistoryLimit: {{ .Values.jobs.fernet_rotate.history.success }}
+  failedJobsHistoryLimit: {{ .Values.jobs.fernet_rotate.history.failed }}
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    metadata:
+      labels:
+{{ tuple $envAll "keystone" "fernet-rotate" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+    spec:
+      template:
+        metadata:
+          labels:
+{{ tuple $envAll "keystone" "fernet-rotate" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 12 }}
+        spec:
+          serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "fernet_rotate" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 10 }}
+          initContainers:
+{{ tuple $envAll "fernet_rotate" $mounts_keystone_fernet_rotate_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 12 }}
+          restartPolicy: OnFailure
+          nodeSelector:
+            {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+          containers:
+            - name: keystone-fernet-rotate
+{{ tuple $envAll "keystone_fernet_rotate" | include "helm-toolkit.snippets.image" | indent 14 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.fernet_rotate | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
+{{ dict "envAll" $envAll "application" "fernet_rotate" "container" "keystone_fernet_rotate" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 14}}
+              env:
+                - name: KEYSTONE_USER
+                  value: {{ .Values.jobs.fernet_rotate.user | quote }}
+                - name: KEYSTONE_GROUP
+                  value: {{ .Values.jobs.fernet_rotate.group | quote }}
+                - name: KUBERNETES_NAMESPACE
+                  value: {{ .Release.Namespace | quote }}
+                - name: KEYSTONE_KEYS_REPOSITORY
+                  value: {{ .Values.conf.keystone.fernet_tokens.key_repository | quote }}
+              command:
+                - python
+                - /tmp/fernet-manage.py
+                - fernet_rotate
+              volumeMounts:
+                - name: pod-tmp
+                  mountPath: /tmp
+                - name: etckeystone
+                  mountPath: /etc/keystone
+                - name: keystone-etc
+                  mountPath: /etc/keystone/keystone.conf
+                  subPath: keystone.conf
+                  readOnly: true
+                {{- if .Values.conf.keystone.DEFAULT.log_config_append }}
+                - name: keystone-etc
+                  mountPath: {{ .Values.conf.keystone.DEFAULT.log_config_append }}
+                  subPath: {{ base .Values.conf.keystone.DEFAULT.log_config_append }}
+                  readOnly: true
+                {{- end }}
+                - name: keystone-bin
+                  mountPath: /tmp/fernet-manage.py
+                  subPath: fernet-manage.py
+                  readOnly: true
+{{ if $mounts_keystone_fernet_rotate.volumeMounts }}{{ toYaml $mounts_keystone_fernet_rotate.volumeMounts | indent 16 }}{{ end }}
+          volumes:
+            - name: pod-tmp
+              emptyDir: {}
+            - name: etckeystone
+              emptyDir: {}
+            - name: keystone-etc
+              secret:
+                secretName: keystone-etc
+                defaultMode: 0444
+            - name: keystone-bin
+              configMap:
+                name: keystone-bin
+                defaultMode: 0555
+{{ if $mounts_keystone_fernet_rotate.volumes }}{{ toYaml $mounts_keystone_fernet_rotate.volumes | indent 12 }}{{ end }}
+{{- end }}
+{{- end }}
diff --git a/charts/keystone/templates/deployment-api.yaml b/charts/keystone/templates/deployment-api.yaml
new file mode 100644
index 0000000..f415493
--- /dev/null
+++ b/charts/keystone/templates/deployment-api.yaml
@@ -0,0 +1,202 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "apiProbeTemplate" }}
+httpGet:
+  scheme: {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
+  path: /v3/
+  port: {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- end }}
+
+{{- if .Values.manifests.deployment_api }}
+{{- $envAll := . }}
+
+{{- $mounts_keystone_api := .Values.pod.mounts.keystone_api.keystone_api }}
+{{- $mounts_keystone_api_init := .Values.pod.mounts.keystone_api.init_container }}
+
+{{- $serviceAccountName := "keystone-api" }}
+{{ tuple $envAll "api" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: keystone-api
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "keystone" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.api }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "keystone" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "keystone" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "keystone-api" "containerNames" (list "keystone-api") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+{{ dict "envAll" $envAll "application" "keystone" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      serviceAccountName: {{ $serviceAccountName }}
+      affinity:
+{{ tuple $envAll "keystone" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+      nodeSelector:
+        {{ .Values.labels.api.node_selector_key }}: {{ .Values.labels.api.node_selector_value }}
+      terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.api.timeout | default "30" }}
+      initContainers:
+{{ tuple $envAll "api" $mounts_keystone_api_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: keystone-api
+{{ tuple $envAll "keystone_api" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "keystone" "container" "keystone_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/keystone-api.sh
+            - start
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - /tmp/keystone-api.sh
+                  - stop
+          ports:
+            - name: ks-pub
+              containerPort: {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{ dict "envAll" $envAll "component" "api" "container" "api" "type" "readiness" "probeTemplate" (include "apiProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | trim | indent 10 }}
+{{ dict "envAll" $envAll "component" "api" "container" "api" "type" "liveness" "probeTemplate" (include "apiProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | trim | indent 10 }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: etckeystone
+              mountPath: /etc/keystone
+            - name: logs-apache
+              mountPath: /var/log/apache2
+            - name: run-apache
+              mountPath: /var/run/apache2
+            - name: wsgi-keystone
+              mountPath: /var/www/cgi-bin/keystone
+            - name: keystone-etc
+              mountPath: /etc/keystone/keystone.conf
+              subPath: keystone.conf
+              readOnly: true
+            - name: keystone-etc
+              mountPath: /etc/apache2/ports.conf
+              subPath: ports.conf
+              readOnly: true
+            {{- if .Values.conf.keystone.DEFAULT.log_config_append }}
+            - name: keystone-etc
+              mountPath: {{ .Values.conf.keystone.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.keystone.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+            - name: keystone-etc
+              mountPath: /etc/keystone/policy.yaml
+              subPath: policy.yaml
+              readOnly: true
+            - name: keystone-etc
+              mountPath: /etc/keystone/access_rules.json
+              subPath: access_rules.json
+              readOnly: true
+            - name: keystone-etc
+              mountPath: /etc/keystone/sso_callback_template.html
+              subPath: sso_callback_template.html
+              readOnly: true
+            - name: keystone-etc
+              mountPath: {{ .Values.conf.software.apache2.conf_dir }}/wsgi-keystone.conf
+              subPath: wsgi-keystone.conf
+              readOnly: true
+            - name: keystone-etc
+              mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
+              subPath: mpm_event.conf
+              readOnly: true
+{{- if .Values.conf.security }}
+            - name: keystone-etc
+              mountPath: {{ .Values.conf.software.apache2.conf_dir }}/security.conf
+              subPath: security.conf
+              readOnly: true
+{{- end }}
+            - name: keystone-bin
+              mountPath: /tmp/keystone-api.sh
+              subPath: keystone-api.sh
+              readOnly: true
+{{- if .Values.endpoints.ldap.auth.client.tls.ca }}
+            - name: keystone-ldap-tls
+              mountPath: /etc/keystone/ldap/tls.ca
+              subPath: tls.ca
+              readOnly: true
+{{- end }}
+{{- if eq .Values.conf.keystone.token.provider "fernet" }}
+            - name: keystone-fernet-keys
+              mountPath: {{ .Values.conf.keystone.fernet_tokens.key_repository }}
+{{- end }}
+            - name: keystone-credential-keys
+              mountPath: {{ .Values.conf.keystone.credential.key_repository }}
+{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates .Values.secrets.tls.identity.api.internal }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal "path" "/etc/keystone/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end  }}
+{{- if and $envAll.Values.manifests.certificates  $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{ if $mounts_keystone_api.volumeMounts }}{{ toYaml $mounts_keystone_api.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: etckeystone
+          emptyDir: {}
+        - name: wsgi-keystone
+          emptyDir: {}
+        - name: logs-apache
+          emptyDir: {}
+        - name: run-apache
+          emptyDir: {}
+        - name: keystone-etc
+          secret:
+            secretName: keystone-etc
+            defaultMode: 0444
+        - name: keystone-bin
+          configMap:
+            name: keystone-bin
+            defaultMode: 0555
+{{- if .Values.endpoints.ldap.auth.client.tls.ca }}
+        - name: keystone-ldap-tls
+          secret:
+            secretName: keystone-ldap-tls
+{{- end }}
+{{- if eq .Values.conf.keystone.token.provider "fernet" }}
+        - name: keystone-fernet-keys
+          secret:
+            secretName: keystone-fernet-keys
+{{- end }}
+        - name: keystone-credential-keys
+          secret:
+            secretName: keystone-credential-keys
+{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates .Values.secrets.tls.identity.api.internal }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates  $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{ if $mounts_keystone_api.volumes }}{{ toYaml $mounts_keystone_api.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/keystone/templates/ingress-api.yaml b/charts/keystone/templates/ingress-api.yaml
new file mode 100644
index 0000000..7bdcee6
--- /dev/null
+++ b/charts/keystone/templates/ingress-api.yaml
@@ -0,0 +1,23 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
+{{- $envAll := . }}
+{{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "identity" "backendPort" "ks-pub" -}}
+{{- $secretName := $envAll.Values.secrets.tls.identity.api.internal -}}
+{{- if and .Values.manifests.certificates $secretName -}}
+{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.identity.host_fqdn_override.default.tls.issuerRef.name -}}
+{{- end -}}
+{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+{{- end }}
diff --git a/charts/keystone/templates/job-bootstrap.yaml b/charts/keystone/templates/job-bootstrap.yaml
new file mode 100644
index 0000000..e908927
--- /dev/null
+++ b/charts/keystone/templates/job-bootstrap.yaml
@@ -0,0 +1,26 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.bootstrap" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "5"
+{{- end }}
+
+{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
+{{- $bootstrapJob := dict "envAll" . "serviceName" "keystone" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.keystone.DEFAULT.log_config_append "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) -}}
+{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal -}}
+{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.identity.api.internal -}}
+{{- end -}}
+{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
+{{- end }}
diff --git a/charts/keystone/templates/job-credential-cleanup.yaml b/charts/keystone/templates/job-credential-cleanup.yaml
new file mode 100644
index 0000000..854c5b6
--- /dev/null
+++ b/charts/keystone/templates/job-credential-cleanup.yaml
@@ -0,0 +1,123 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_credential_cleanup }}
+{{- $envAll := index . -}}
+
+{{- $serviceName := "keystone" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $configMapBin := "keystone-bin" -}}
+{{- $configMapEtc := "keystone-etc" -}}
+{{- $dbToClean := index . "dbToClean" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+
+{{ tuple $envAll "credential_cleanup" $serviceName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: "keystone-credential-cleanup"
+  labels:
+{{ tuple $envAll "keystone" "credential-cleanup" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": hook-succeeded, hook-failed
+spec:
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "credential-cleanup" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "keystone-credential-cleanup" "containerNames" (list "keystone-credential-cleanup") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceName }}
+      restartPolicy: Never
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+      initContainers:
+{{ tuple $envAll "credential_cleanup" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{ $dbToCleanType := default "oslo" $dbToClean.inputType }}
+        - name: {{ printf "%s-%s" $serviceName "credential-cleanup" | quote }}
+          image: {{ $envAll.Values.images.tags.keystone_credential_cleanup }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_drop | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: ROOT_DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToClean.adminSecret | quote }}
+                  key: DB_CONNECTION
+{{- if eq $dbToCleanType "oslo" }}
+            - name: OPENSTACK_CONFIG_FILE
+              value: {{ $dbToClean.configFile | quote }}
+            - name: OPENSTACK_CONFIG_DB_SECTION
+              value: {{ $dbToClean.configDbSection | quote }}
+            - name: OPENSTACK_CONFIG_DB_KEY
+              value: {{ $dbToClean.configDbKey | quote }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal }}
+            - name: MARIADB_X509
+              value: "REQUIRE X509"
+{{- end }}
+          command:
+            - python
+            - /tmp/cred-clean.py
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: cred-clean-sh
+              mountPath: /tmp/cred-clean.py
+              subPath: cred-clean.py
+              readOnly: true
+{{- if eq $dbToCleanType "oslo" }}
+            - name: etc-service
+              mountPath: {{ dir $dbToClean.configFile | quote }}
+            - name: cred-clean-conf
+              mountPath: {{ $dbToClean.configFile | quote }}
+              subPath: {{ base $dbToClean.configFile | quote }}
+              readOnly: true
+            - name: cred-clean-conf
+              mountPath: {{ $dbToClean.logConfigFile | quote }}
+              subPath: {{ base $dbToClean.logConfigFile | quote }}
+              readOnly: true
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: cred-clean-sh
+          configMap:
+            name: "keystone-bin"
+            defaultMode: 0555
+{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- $dbToCleanType := default "oslo" $dbToClean.inputType }}
+{{- if and (eq $dbToCleanType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+        - name: etc-service
+          emptyDir: {}
+        - name: cred-clean-conf
+          secret:
+            secretName: "keystone-etc"
+            defaultMode: 0444
+{{- end -}}
+{{- end -}}
diff --git a/charts/keystone/templates/job-credential-setup.yaml b/charts/keystone/templates/job-credential-setup.yaml
new file mode 100644
index 0000000..1d30eb1
--- /dev/null
+++ b/charts/keystone/templates/job-credential-setup.yaml
@@ -0,0 +1,139 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_credential_setup }}
+{{- $envAll := . }}
+
+{{- $mounts_keystone_credential_setup := .Values.pod.mounts.keystone_credential_setup.keystone_credential_setup }}
+{{- $mounts_keystone_credential_setup_init := .Values.pod.mounts.keystone_credential_setup.init_container }}
+
+{{- $serviceAccountName := "keystone-credential-setup" }}
+{{ tuple $envAll "credential_setup" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $serviceAccountName }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - create
+      - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $serviceAccountName }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $serviceAccountName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $serviceAccountName }}
+    namespace: {{ $envAll.Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: keystone-credential-setup
+  labels:
+{{ tuple $envAll "keystone" "credential-setup" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  annotations:
+{{- if .Values.helm3_hook }}
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": before-hook-creation
+{{- end }}
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "keystone" "credential-setup" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "keystone-credential-setup" "containerNames" (list "keystone-credential-setup") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "credential_setup" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      initContainers:
+{{ tuple $envAll "credential_setup" $mounts_keystone_credential_setup_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      restartPolicy: OnFailure
+      nodeSelector:
+        {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+      containers:
+        - name: keystone-credential-setup
+{{ tuple $envAll "keystone_credential_setup" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.credential_setup | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "credential_setup" "container" "keystone_credential_setup" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          env:
+            - name: KEYSTONE_USER
+              value: {{ .Values.jobs.credential_setup.user | quote }}
+            - name: KEYSTONE_GROUP
+              value: {{ .Values.jobs.credential_setup.group | quote }}
+            - name: KUBERNETES_NAMESPACE
+              value: {{ .Release.Namespace | quote }}
+            - name: KEYSTONE_KEYS_REPOSITORY
+              value: {{ .Values.conf.keystone.credential.key_repository | quote }}
+          command:
+            - python
+            - /tmp/fernet-manage.py
+            - credential_setup
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: etckeystone
+              mountPath: /etc/keystone
+            - name: credential-keys
+              mountPath: {{ .Values.conf.keystone.credential.key_repository | quote }}
+            - name: keystone-etc
+              mountPath: /etc/keystone/keystone.conf
+              subPath: keystone.conf
+              readOnly: true
+            {{- if .Values.conf.keystone.DEFAULT.log_config_append }}
+            - name: keystone-etc
+              mountPath: {{ .Values.conf.keystone.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.keystone.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+            - name: keystone-bin
+              mountPath: /tmp/fernet-manage.py
+              subPath: fernet-manage.py
+              readOnly: true
+{{ if $mounts_keystone_credential_setup.volumeMounts }}{{ toYaml $mounts_keystone_credential_setup.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: etckeystone
+          emptyDir: {}
+        - name: credential-keys
+          emptyDir: {}
+        - name: keystone-etc
+          secret:
+            secretName: keystone-etc
+            defaultMode: 0444
+        - name: keystone-bin
+          configMap:
+            name: keystone-bin
+            defaultMode: 0555
+{{ if $mounts_keystone_credential_setup.volumes }}{{ toYaml $mounts_keystone_credential_setup.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/keystone/templates/job-db-drop.yaml b/charts/keystone/templates/job-db-drop.yaml
new file mode 100644
index 0000000..512b8eb
--- /dev/null
+++ b/charts/keystone/templates/job-db-drop.yaml
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_db_drop }}
+{{- $dbDropJob := dict "envAll" . "serviceName" "keystone" -}}
+{{- if and .Values.manifests.certificates .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
+{{- end }}
diff --git a/charts/keystone/templates/job-db-init.yaml b/charts/keystone/templates/job-db-init.yaml
new file mode 100644
index 0000000..53e9573
--- /dev/null
+++ b/charts/keystone/templates/job-db-init.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_init" }}
+{{- if .Values.helm3_hook -}}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-5"
+{{- end -}}
+{{- end }}
+
+{{- if .Values.manifests.job_db_init }}
+{{- $dbInitJob := dict "envAll" . "serviceName" "keystone" "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml) -}}
+{{- if and .Values.manifests.certificates .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
+{{- end }}
diff --git a/charts/keystone/templates/job-db-sync.yaml b/charts/keystone/templates/job-db-sync.yaml
new file mode 100644
index 0000000..c3e7315
--- /dev/null
+++ b/charts/keystone/templates/job-db-sync.yaml
@@ -0,0 +1,83 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_sync" }}
+{{- if .Values.helm3_hook -}}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end -}}
+{{- end }}
+
+{{- define "keystone.templates._job_db_sync.env_vars" -}}
+{{- $envAll := index . 0 -}}
+env:
+  - name: OS_BOOTSTRAP_ADMIN_URL
+    value: {{ tuple "identity" "admin" "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+  - name: OS_BOOTSTRAP_INTERNAL_URL
+    value: {{ tuple "identity" "internal" "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+  - name: OS_BOOTSTRAP_PUBLIC_URL
+    value: {{ tuple "identity" "public" "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+  - name: OPENSTACK_CONFIG_FILE
+    value: "/etc/keystone/keystone.conf"
+  - name: OPENSTACK_CONFIG_DB_SECTION
+    value: "database"
+  - name: OPENSTACK_CONFIG_DB_KEY
+    value: "connection"
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 2}}
+{{- end }}
+{{- end }}
+
+{{- define "keystone.templates._job_db_sync.pod_vol_mounts" -}}
+{{- $envAll := index . 0 -}}
+volumeMounts:
+  - name: db-sync-sh
+    mountPath: /tmp/endpoint-update.py
+    subPath: endpoint-update.py
+    readOnly: true
+  - name: keystone-fernet-keys
+    mountPath: {{ $envAll.Values.conf.keystone.fernet_tokens.key_repository }}
+    readOnly: true
+{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 2 }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 2 }}
+{{- end }}
+{{- end }}
+
+{{- define "keystone.templates._job_db_sync.pod_vols" -}}
+{{- $envAll := index . 0 -}}
+volumes:
+  - name: keystone-fernet-keys
+    secret:
+      secretName: keystone-fernet-keys
+{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 2 }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 2 }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.job_db_sync }}
+{{- $local := dict "podVolMounts" false "podVols" false -}}
+{{- if eq .Values.conf.keystone.token.provider "fernet" }}
+{{- $_ := set $local "podVolMounts" ( index ( tuple . | include "keystone.templates._job_db_sync.pod_vol_mounts" | toString | fromYaml ) "volumeMounts" ) }}
+{{- $_ := set $local "podVols" ( index ( tuple . | include "keystone.templates._job_db_sync.pod_vols" | toString | fromYaml ) "volumes" ) }}
+{{- end }}
+{{- $podEnvVars := tuple . | include "keystone.templates._job_db_sync.env_vars" | toString | fromYaml }}
+{{- $dbSyncJob := dict "envAll" . "serviceName" "keystone" "podVolMounts" $local.podVolMounts "podVols" $local.podVols "podEnvVars" $podEnvVars.env "jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml) -}}
+{{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
+{{- end }}
diff --git a/charts/keystone/templates/job-domain-manage.yaml b/charts/keystone/templates/job-domain-manage.yaml
new file mode 100644
index 0000000..5a1c8e2
--- /dev/null
+++ b/charts/keystone/templates/job-domain-manage.yaml
@@ -0,0 +1,150 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_domain_manage }}
+{{- $envAll := . }}
+
+{{- $mounts_keystone_domain_manage := .Values.pod.mounts.keystone_domain_manage.keystone_domain_manage }}
+{{- $mounts_keystone_domain_manage_init := .Values.pod.mounts.keystone_domain_manage.init_container }}
+
+{{- $serviceAccountName := "keystone-domain-manage" }}
+{{ tuple $envAll "domain_manage" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: keystone-domain-manage
+  labels:
+{{ tuple $envAll "keystone" "domain-manage" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "keystone" "domain-manage" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "keystone-domain-manage" "containerNames" (list "keystone-domain-manage" "keystone-domain-manage-init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "domain_manage" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      restartPolicy: OnFailure
+      nodeSelector:
+        {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+      initContainers:
+{{ tuple $envAll "domain_manage" $mounts_keystone_domain_manage_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+        - name: keystone-domain-manage-init
+{{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.domain_manage | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "domain_manage" "container" "keystone_domain_manage_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          env:
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal) }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+          command:
+            - /tmp/domain-manage-init.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: keystone-bin
+              mountPath: /tmp/domain-manage-init.sh
+              subPath: domain-manage-init.sh
+              readOnly: true
+{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+      containers:
+        - name: keystone-domain-manage
+{{ tuple $envAll "keystone_domain_manage" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.domain_manage | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "domain_manage" "container" "keystone_domain_manage" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          env:
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal) }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+          command:
+            - /tmp/domain-manage.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: etckeystonedomains
+              mountPath: {{ .Values.conf.keystone.identity.domain_config_dir | default "/etc/keystone/domains" }}
+            - name: etckeystone
+              mountPath: /etc/keystone
+            - name: keystone-bin
+              mountPath: /tmp/domain-manage.sh
+              subPath: domain-manage.sh
+              readOnly: true
+            - name: keystone-bin
+              mountPath: /tmp/domain-manage.py
+              subPath: domain-manage.py
+              readOnly: true
+            - name: keystone-etc
+              mountPath: /etc/keystone/keystone.conf
+              subPath: keystone.conf
+              readOnly: true
+            {{- if .Values.conf.keystone.DEFAULT.log_config_append }}
+            - name: keystone-etc
+              mountPath: {{ .Values.conf.keystone.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.keystone.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+{{- range $k, $v := .Values.conf.ks_domains }}
+            - name: keystone-etc
+              mountPath: {{ $envAll.Values.conf.keystone.identity.domain_config_dir | default "/etc/keystone/domains" }}/keystone.{{ $k }}.json
+              subPath: keystone.{{ $k }}.json
+              readOnly: true
+{{- end }}
+{{- if eq .Values.conf.keystone.token.provider "fernet" }}
+            - name: keystone-fernet-keys
+              mountPath: {{ .Values.conf.keystone.fernet_tokens.key_repository }}
+{{- end }}
+            - name: keystone-credential-keys
+              mountPath: {{ .Values.conf.keystone.credential.key_repository }}
+{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{ if $mounts_keystone_domain_manage.volumeMounts }}{{ toYaml $mounts_keystone_domain_manage.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: etckeystone
+          emptyDir: {}
+        - name: etckeystonedomains
+          emptyDir: {}
+        - name: keystone-etc
+          secret:
+            secretName: keystone-etc
+            defaultMode: 0444
+        - name: keystone-bin
+          configMap:
+            name: keystone-bin
+            defaultMode: 0555
+{{- if eq .Values.conf.keystone.token.provider "fernet" }}
+        - name: keystone-fernet-keys
+          secret:
+            secretName: keystone-fernet-keys
+{{- end }}
+        - name: keystone-credential-keys
+          secret:
+            secretName: keystone-credential-keys
+{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{ if $mounts_keystone_domain_manage.volumes }}{{ toYaml $mounts_keystone_domain_manage.volumes | indent 9 }}{{ end }}
+{{- end }}
diff --git a/charts/keystone/templates/job-fernet-setup.yaml b/charts/keystone/templates/job-fernet-setup.yaml
new file mode 100644
index 0000000..786772d
--- /dev/null
+++ b/charts/keystone/templates/job-fernet-setup.yaml
@@ -0,0 +1,140 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_fernet_setup }}
+{{- if eq .Values.conf.keystone.token.provider "fernet" }}
+{{- $envAll := . }}
+
+{{- $mounts_keystone_fernet_setup := .Values.pod.mounts.keystone_fernet_setup.keystone_fernet_setup }}
+{{- $mounts_keystone_fernet_setup_init := .Values.pod.mounts.keystone_fernet_setup.init_container }}
+
+{{- $serviceAccountName := "keystone-fernet-setup" }}
+{{ tuple $envAll "fernet_setup" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $serviceAccountName }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - create
+      - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $serviceAccountName }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $serviceAccountName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $serviceAccountName }}
+    namespace: {{ $envAll.Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: keystone-fernet-setup
+  labels:
+{{ tuple $envAll "keystone" "fernet-setup" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if .Values.helm3_hook }}
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": before-hook-creation
+{{- end }}
+spec:
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "keystone" "fernet-setup" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "keystone-fernet-setup" "containerNames" (list "keystone-fernet-setup") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "fernet_setup" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      initContainers:
+{{ tuple $envAll "fernet_setup" $mounts_keystone_fernet_setup_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      restartPolicy: OnFailure
+      nodeSelector:
+        {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+      containers:
+        - name: keystone-fernet-setup
+{{ tuple $envAll "keystone_fernet_setup" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.fernet_setup | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "fernet_setup" "container" "keystone_fernet_setup" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          env:
+            - name: KEYSTONE_USER
+              value: {{ .Values.jobs.fernet_setup.user | quote }}
+            - name: KEYSTONE_GROUP
+              value: {{ .Values.jobs.fernet_setup.group | quote }}
+            - name: KUBERNETES_NAMESPACE
+              value: {{ .Release.Namespace | quote }}
+            - name: KEYSTONE_KEYS_REPOSITORY
+              value: {{ .Values.conf.keystone.fernet_tokens.key_repository | quote }}
+          command:
+            - python
+            - /tmp/fernet-manage.py
+            - fernet_setup
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: etckeystone
+              mountPath: /etc/keystone
+            - name: fernet-keys
+              mountPath: {{ .Values.conf.keystone.fernet_tokens.key_repository | quote }}
+            - name: keystone-etc
+              mountPath: /etc/keystone/keystone.conf
+              subPath: keystone.conf
+              readOnly: true
+            {{- if .Values.conf.keystone.DEFAULT.log_config_append }}
+            - name: keystone-etc
+              mountPath: {{ .Values.conf.keystone.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.keystone.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+            - name: keystone-bin
+              mountPath: /tmp/fernet-manage.py
+              subPath: fernet-manage.py
+              readOnly: true
+{{ if $mounts_keystone_fernet_setup.volumeMounts }}{{ toYaml $mounts_keystone_fernet_setup.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: etckeystone
+          emptyDir: {}
+        - name: fernet-keys
+          emptyDir: {}
+        - name: keystone-etc
+          secret:
+            secretName: keystone-etc
+            defaultMode: 0444
+        - name: keystone-bin
+          configMap:
+            name: keystone-bin
+            defaultMode: 0555
+{{ if $mounts_keystone_fernet_setup.volumes }}{{ toYaml $mounts_keystone_fernet_setup.volumes | indent 8 }}{{ end }}
+{{- end }}
+{{- end }}
diff --git a/charts/keystone/templates/job-image-repo-sync.yaml b/charts/keystone/templates/job-image-repo-sync.yaml
new file mode 100644
index 0000000..fd301c3
--- /dev/null
+++ b/charts/keystone/templates/job-image-repo-sync.yaml
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "metadata.annotations.job.repo_sync" }}
+helm.sh/hook: post-install,post-upgrade
+{{- end }}
+
+{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
+{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "keystone" "jobAnnotations" (include "metadata.annotations.job.repo_sync" . | fromYaml) -}}
+{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
+{{- end }}
diff --git a/charts/keystone/templates/job-rabbit-init.yaml b/charts/keystone/templates/job-rabbit-init.yaml
new file mode 100644
index 0000000..2bb258e
--- /dev/null
+++ b/charts/keystone/templates/job-rabbit-init.yaml
@@ -0,0 +1,26 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.rabbit_init" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end }}
+
+{{- if .Values.manifests.job_rabbit_init }}
+{{- $rmqUserJob := dict "envAll" . "serviceName" "keystone" "jobAnnotations" (include "metadata.annotations.job.rabbit_init" . | fromYaml) -}}
+{{- if and .Values.manifests.certificates .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal -}}
+{{- $_ := set $rmqUserJob "tlsSecret" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }}
+{{- end }}
diff --git a/charts/keystone/templates/network_policy.yaml b/charts/keystone/templates/network_policy.yaml
new file mode 100644
index 0000000..91946e8
--- /dev/null
+++ b/charts/keystone/templates/network_policy.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "keystone" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/charts/keystone/templates/pdb.yaml b/charts/keystone/templates/pdb.yaml
new file mode 100644
index 0000000..975a098
--- /dev/null
+++ b/charts/keystone/templates/pdb.yaml
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pdb_api }}
+{{- $envAll := . }}
+---
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+  name: keystone-api
+spec:
+  minAvailable: {{ .Values.pod.lifecycle.disruption_budget.api.min_available }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "keystone" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{- end }}
diff --git a/charts/keystone/templates/pod-rally-test.yaml b/charts/keystone/templates/pod-rally-test.yaml
new file mode 100644
index 0000000..c3730cc
--- /dev/null
+++ b/charts/keystone/templates/pod-rally-test.yaml
@@ -0,0 +1,123 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pod_rally_test }}
+{{- $envAll := . }}
+
+{{- $mounts_tests := .Values.pod.mounts.keystone_tests.keystone_tests }}
+{{- $mounts_tests_init := .Values.pod.mounts.keystone_tests.init_container }}
+
+{{- $serviceAccountName := print $envAll.Release.Name "-test" }}
+{{ tuple $envAll "tests" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: {{ print $envAll.Release.Name "-test" }}
+  labels:
+{{ tuple $envAll "keystone" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  annotations:
+    "helm.sh/hook": test-success
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{ dict "envAll" $envAll "podName" "keystone-test" "containerNames" (list "init" "keystone-test" "keystone-test-ks-user") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
+spec:
+  restartPolicy: Never
+{{ dict "envAll" $envAll "application" "test" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
+  nodeSelector:
+    {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
+  serviceAccountName: {{ $serviceAccountName }}
+  initContainers:
+{{ tuple $envAll "tests" $mounts_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
+    - name: keystone-test-ks-user
+{{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.image" | indent 6 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+{{ dict "envAll" $envAll "application" "test" "container" "keystone_test_ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
+      command:
+        - /tmp/ks-user.sh
+      volumeMounts:
+        - name: pod-tmp
+          mountPath: /tmp
+        - name: keystone-bin
+          mountPath: /tmp/ks-user.sh
+          subPath: ks-user.sh
+          readOnly: true
+{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume_mount"  | indent 8 }}
+{{- end }}
+      env:
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal) }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
+{{- end }}
+        - name: SERVICE_OS_SERVICE_NAME
+          value: "test"
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 8 }}
+{{- end }}
+        - name: SERVICE_OS_ROLE
+          value: {{ .Values.endpoints.identity.auth.test.role | quote }}
+  containers:
+    - name: keystone-test
+{{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+{{ dict "envAll" $envAll "application" "test" "container" "keystone_test" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6}}
+      env:
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal) }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
+{{- end }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 8 }}
+{{- end }}
+        - name: RALLY_ENV_NAME
+          value: {{.Release.Name}}
+      command:
+        - /tmp/rally-test.sh
+      volumeMounts:
+        - name: pod-tmp
+          mountPath: /tmp
+        - name: keystone-etc
+          mountPath: /etc/rally/rally_tests.yaml
+          subPath: rally_tests.yaml
+          readOnly: true
+        - name: keystone-bin
+          mountPath: /tmp/rally-test.sh
+          subPath: rally-test.sh
+          readOnly: true
+        - name: rally-db
+          mountPath: /var/lib/rally
+        - name: rally-work
+          mountPath: /home/rally/.rally
+{{- if and  .Values.manifests.certificates .Values.secrets.tls.identity.api.internal }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume_mount"  | indent 8 }}
+{{- end }}
+{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
+  volumes:
+    - name: pod-tmp
+      emptyDir: {}
+    - name: keystone-etc
+      secret:
+        secretName: keystone-etc
+        defaultMode: 0444
+    - name: keystone-bin
+      configMap:
+        name: keystone-bin
+        defaultMode: 0555
+    - name: rally-db
+      emptyDir: {}
+    - name: rally-work
+      emptyDir: {}
+{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
+{{- end }}
+{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
+{{- end }}
diff --git a/charts/keystone/templates/secret-credential-keys.yaml b/charts/keystone/templates/secret-credential-keys.yaml
new file mode 100644
index 0000000..8a2c5eb
--- /dev/null
+++ b/charts/keystone/templates/secret-credential-keys.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_credential_keys }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keystone-credential-keys
+{{- if .Values.helm3_hook }}
+  annotations:
+    "helm.sh/hook": pre-install
+{{- end }}
+type: Opaque
+data:
+{{- end }}
diff --git a/charts/keystone/templates/secret-db.yaml b/charts/keystone/templates/secret-db.yaml
new file mode 100644
index 0000000..55ff593
--- /dev/null
+++ b/charts/keystone/templates/secret-db.yaml
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_db }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "keystone" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+{{- $connection := tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+{{- if $envAll.Values.manifests.certificates }}
+  DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
+{{- else }}
+  DB_CONNECTION: {{  $connection | b64enc -}}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/keystone/templates/secret-fernet-keys.yaml b/charts/keystone/templates/secret-fernet-keys.yaml
new file mode 100644
index 0000000..8af0973
--- /dev/null
+++ b/charts/keystone/templates/secret-fernet-keys.yaml
@@ -0,0 +1,30 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_fernet_keys }}
+{{- $envAll := . }}
+{{- if eq .Values.conf.keystone.token.provider "fernet" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keystone-fernet-keys
+{{- if .Values.helm3_hook }}
+  annotations:
+    "helm.sh/hook": pre-install
+{{- end }}
+type: Opaque
+data:
+{{- end }}
+{{- end }}
diff --git a/charts/keystone/templates/secret-ingress-tls.yaml b/charts/keystone/templates/secret-ingress-tls.yaml
new file mode 100644
index 0000000..e261b3c
--- /dev/null
+++ b/charts/keystone/templates/secret-ingress-tls.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "identity" ) }}
+{{- end }}
diff --git a/charts/keystone/templates/secret-keystone.yaml b/charts/keystone/templates/secret-keystone.yaml
new file mode 100644
index 0000000..5aa87ab
--- /dev/null
+++ b/charts/keystone/templates/secret-keystone.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_keystone }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "test" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
+{{- end }}
diff --git a/charts/keystone/templates/secret-ldap-tls.yaml b/charts/keystone/templates/secret-ldap-tls.yaml
new file mode 100644
index 0000000..05ed724
--- /dev/null
+++ b/charts/keystone/templates/secret-ldap-tls.yaml
@@ -0,0 +1,24 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.endpoints.ldap.auth.client.tls.ca }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.secrets.ldap.tls }}
+type: Opaque
+data:
+  tls.ca: {{ .Values.endpoints.ldap.auth.client.tls.ca | default "" | b64enc }}
+{{- end }}
diff --git a/charts/keystone/templates/secret-rabbitmq.yaml b/charts/keystone/templates/secret-rabbitmq.yaml
new file mode 100644
index 0000000..fb7c704
--- /dev/null
+++ b/charts/keystone/templates/secret-rabbitmq.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_rabbitmq }}
+{{- $envAll := . }}
+{{- $rabbitmqProtocol := "http" }}
+{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal }}
+{{- $rabbitmqProtocol = "https" }}
+{{- end }}
+{{- range $key1, $userClass := tuple "admin" "keystone" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+  RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass $rabbitmqProtocol $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/keystone/templates/service-api.yaml b/charts/keystone/templates/service-api.yaml
new file mode 100644
index 0000000..5fb0112
--- /dev/null
+++ b/charts/keystone/templates/service-api.yaml
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service_api }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tuple "identity" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+  ports:
+  {{- $portInt := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+    - name: ks-pub
+      port: {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+      {{ if .Values.network.api.node_port.enabled }}
+      nodePort: {{ .Values.network.api.node_port.port }}
+      {{ end }}
+  selector:
+{{ tuple $envAll "keystone" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  {{ if or (.Values.network.api.node_port.enabled) (.Values.network.admin.node_port.enabled) }}
+  type: NodePort
+  {{ if .Values.network.api.external_policy_local }}
+  externalTrafficPolicy: Local
+  {{ end }}
+  {{ end }}
+{{- end }}
diff --git a/charts/keystone/templates/service-ingress-api.yaml b/charts/keystone/templates/service-ingress-api.yaml
new file mode 100644
index 0000000..18c8fb2
--- /dev/null
+++ b/charts/keystone/templates/service-ingress-api.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_ingress_api .Values.network.api.ingress.public }}
+{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "identity" -}}
+{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
+{{- end }}
diff --git a/charts/keystone/values.yaml b/charts/keystone/values.yaml
new file mode 100644
index 0000000..301ff6f
--- /dev/null
+++ b/charts/keystone/values.yaml
@@ -0,0 +1,1096 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for keystone.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+---
+labels:
+  api:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  job:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  test:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+
+release_group: null
+
+# NOTE(gagehugo): the pre-install hook breaks upgrade for helm2
+# Set to false to upgrade using helm2
+helm3_hook: true
+
+images:
+  tags:
+    bootstrap: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    test: docker.io/xrally/xrally-openstack:2.0.0
+    db_init: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    keystone_db_sync: docker.io/openstackhelm/keystone:wallaby-ubuntu_focal
+    db_drop: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    ks_user: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    rabbit_init: docker.io/rabbitmq:3.7-management
+    keystone_fernet_setup: docker.io/openstackhelm/keystone:wallaby-ubuntu_focal
+    keystone_fernet_rotate: docker.io/openstackhelm/keystone:wallaby-ubuntu_focal
+    keystone_credential_setup: docker.io/openstackhelm/keystone:wallaby-ubuntu_focal
+    keystone_credential_rotate: docker.io/openstackhelm/keystone:wallaby-ubuntu_focal
+    keystone_credential_cleanup: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    keystone_api: docker.io/openstackhelm/keystone:wallaby-ubuntu_focal
+    keystone_domain_manage: docker.io/openstackhelm/keystone:wallaby-ubuntu_focal
+    dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    image_repo_sync: docker.io/docker:17.07.0
+  pull_policy: "IfNotPresent"
+  local_registry:
+    active: false
+    exclude:
+      - dep_check
+      - image_repo_sync
+
+bootstrap:
+  enabled: true
+  ks_user: admin
+  script: |
+    # admin needs the admin role for the default domain
+    openstack role add \
+          --user="${OS_USERNAME}" \
+          --domain="${OS_DEFAULT_DOMAIN}" \
+          "admin"
+
+
+network:
+  api:
+    ingress:
+      public: true
+      classes:
+        namespace: "nginx"
+        cluster: "nginx-cluster"
+      annotations:
+        nginx.ingress.kubernetes.io/rewrite-target: /
+    external_policy_local: false
+    node_port:
+      enabled: false
+      port: 30500
+  admin:
+    node_port:
+      enabled: false
+      port: 30357
+
+dependencies:
+  dynamic:
+    common:
+      local_image_registry:
+        jobs:
+          - keystone-image-repo-sync
+        services:
+          - endpoint: node
+            service: local_image_registry
+    rabbit_init:
+      services:
+        - service: oslo_messaging
+          endpoint: internal
+  static:
+    api:
+      jobs:
+        - keystone-db-sync
+        - keystone-credential-setup
+        - keystone-fernet-setup
+      services:
+        - endpoint: internal
+          service: oslo_cache
+        - endpoint: internal
+          service: oslo_db
+    bootstrap:
+      jobs:
+        - keystone-domain-manage
+      services:
+        - endpoint: internal
+          service: identity
+    credential_rotate:
+      jobs:
+        - keystone-credential-setup
+    credential_setup: null
+    credential_cleanup:
+      services:
+        - endpoint: internal
+          service: oslo_db
+    db_drop:
+      services:
+        - endpoint: internal
+          service: oslo_db
+    db_init:
+      services:
+        - endpoint: internal
+          service: oslo_db
+    db_sync:
+      jobs:
+        - keystone-db-init
+        - keystone-credential-setup
+        - keystone-fernet-setup
+      services:
+        - endpoint: internal
+          service: oslo_db
+    domain_manage:
+      services:
+        - endpoint: internal
+          service: identity
+    fernet_rotate:
+      jobs:
+        - keystone-fernet-setup
+    fernet_setup: null
+    tests:
+      services:
+        - endpoint: internal
+          service: identity
+    image_repo_sync:
+      services:
+        - endpoint: internal
+          service: local_image_registry
+
+pod:
+  security_context:
+    keystone:
+      pod:
+        runAsUser: 42424
+      container:
+        keystone_api:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+    credential_setup:
+      pod:
+        runAsUser: 42424
+      container:
+        keystone_credential_setup:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+    fernet_setup:
+      pod:
+        runAsUser: 42424
+      container:
+        keystone_fernet_setup:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+    fernet_rotate:
+      pod:
+        runAsUser: 42424
+      container:
+        keystone_fernet_rotate:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+    domain_manage:
+      pod:
+        runAsUser: 42424
+      container:
+        keystone_domain_manage_init:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+        keystone_domain_manage:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+    test:
+      pod:
+        runAsUser: 42424
+      container:
+        keystone_test_ks_user:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+        keystone_test:
+          runAsUser: 65500
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+  affinity:
+    anti:
+      type:
+        default: preferredDuringSchedulingIgnoredDuringExecution
+      topologyKey:
+        default: kubernetes.io/hostname
+      weight:
+        default: 10
+  mounts:
+    keystone_db_init:
+      init_container: null
+      keystone_db_init:
+        volumeMounts:
+        volumes:
+    keystone_db_sync:
+      init_container: null
+      keystone_db_sync:
+        volumeMounts:
+        volumes:
+    keystone_api:
+      init_container: null
+      keystone_api:
+        volumeMounts:
+        volumes:
+    keystone_tests:
+      init_container: null
+      keystone_tests:
+        volumeMounts:
+        volumes:
+    keystone_bootstrap:
+      init_container: null
+      keystone_bootstrap:
+        volumeMounts:
+        volumes:
+    keystone_fernet_setup:
+      init_container: null
+      keystone_fernet_setup:
+        volumeMounts:
+        volumes:
+    keystone_fernet_rotate:
+      init_container: null
+      keystone_fernet_rotate:
+        volumeMounts:
+        volumes:
+    keystone_credential_setup:
+      init_container: null
+      keystone_credential_setup:
+        volumeMounts:
+        volumes:
+    keystone_credential_rotate:
+      init_container: null
+      keystone_credential_rotate:
+        volumeMounts:
+        volumes:
+    keystone_credential_cleanup:
+      init_container: null
+      keystone_credential_cleanup:
+        volumeMounts:
+        volumes:
+    keystone_domain_manage:
+      init_container: null
+      keystone_domain_manage:
+        volumeMounts:
+        volumes:
+  replicas:
+    api: 1
+  lifecycle:
+    upgrades:
+      deployments:
+        revision_history: 3
+        pod_replacement_strategy: RollingUpdate
+        rolling_update:
+          max_unavailable: 1
+          max_surge: 3
+    disruption_budget:
+      api:
+        min_available: 0
+    termination_grace_period:
+      api:
+        timeout: 30
+  resources:
+    enabled: false
+    api:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+    jobs:
+      bootstrap:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      domain_manage:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      db_init:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      db_sync:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      db_drop:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      rabbit_init:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      tests:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      fernet_setup:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      fernet_rotate:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      credential_setup:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      credential_rotate:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      credential_cleanup:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      image_repo_sync:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+  probes:
+    api:
+      api:
+        readiness:
+          enabled: true
+          params:
+            initialDelaySeconds: 15
+            periodSeconds: 60
+            timeoutSeconds: 15
+        liveness:
+          enabled: true
+          params:
+            initialDelaySeconds: 50
+            periodSeconds: 60
+            timeoutSeconds: 15
+jobs:
+  fernet_setup:
+    user: keystone
+    group: keystone
+  fernet_rotate:
+    # NOTE(rk760n): key rotation frequency, token expiration, active keys should statisfy the formula
+    # max_active_keys = (token_expiration / rotation_frequency) + 2
+    # as expiration is 12h, and max_active_keys set to 3 by default, rotation_frequency need to be adjusted
+    # 12 hours
+    cron: "0 */12 * * *"
+    user: keystone
+    group: keystone
+    history:
+      success: 3
+      failed: 1
+  credential_setup:
+    user: keystone
+    group: keystone
+  credential_rotate:
+    # monthly
+    cron: "0 0 1 * *"
+    migrate_wait: 120
+    user: keystone
+    group: keystone
+    history:
+      success: 3
+      failed: 1
+
+network_policy:
+  keystone:
+    ingress:
+      - {}
+    egress:
+      - {}
+
+conf:
+  security: |
+    #
+    # Disable access to the entire file system except for the directories that
+    # are explicitly allowed later.
+    #
+    # This currently breaks the configurations that come with some web application
+    # Debian packages.
+    #
+    #<Directory />
+    #   AllowOverride None
+    #   Require all denied
+    #</Directory>
+
+    # Changing the following options will not really affect the security of the
+    # server, but might make attacks slightly more difficult in some cases.
+
+    #
+    # ServerTokens
+    # This directive configures what you return as the Server HTTP response
+    # Header. The default is 'Full' which sends information about the OS-Type
+    # and compiled in modules.
+    # Set to one of:  Full | OS | Minimal | Minor | Major | Prod
+    # where Full conveys the most information, and Prod the least.
+    ServerTokens Prod
+
+    #
+    # Optionally add a line containing the server version and virtual host
+    # name to server-generated pages (internal error documents, FTP directory
+    # listings, mod_status and mod_info output etc., but not CGI generated
+    # documents or custom error documents).
+    # Set to "EMail" to also include a mailto: link to the ServerAdmin.
+    # Set to one of:  On | Off | EMail
+    ServerSignature Off
+
+    #
+    # Allow TRACE method
+    #
+    # Set to "extended" to also reflect the request body (only for testing and
+    # diagnostic purposes).
+    #
+    # Set to one of:  On | Off | extended
+    TraceEnable Off
+
+    #
+    # Forbid access to version control directories
+    #
+    # If you use version control systems in your document root, you should
+    # probably deny access to their directories. For example, for subversion:
+    #
+    #<DirectoryMatch "/\.svn">
+    #   Require all denied
+    #</DirectoryMatch>
+
+    #
+    # Setting this header will prevent MSIE from interpreting files as something
+    # else than declared by the content type in the HTTP headers.
+    # Requires mod_headers to be enabled.
+    #
+    #Header set X-Content-Type-Options: "nosniff"
+
+    #
+    # Setting this header will prevent other sites from embedding pages from this
+    # site as frames. This defends against clickjacking attacks.
+    # Requires mod_headers to be enabled.
+    #
+    #Header set X-Frame-Options: "sameorigin"
+  software:
+    apache2:
+      binary: apache2
+      start_parameters: -DFOREGROUND
+      site_dir: /etc/apache2/sites-enable
+      conf_dir: /etc/apache2/conf-enabled
+      mods_dir: /etc/apache2/mods-available
+      a2enmod: null
+      a2dismod: null
+  keystone:
+    DEFAULT:
+      log_config_append: /etc/keystone/logging.conf
+      max_token_size: 255
+      # NOTE(rk760n): if you need auth notifications to be sent, uncomment it
+      # notification_opt_out: ""
+    token:
+      provider: fernet
+      # 12 hours
+      expiration: 43200
+    identity:
+      domain_specific_drivers_enabled: True
+      domain_config_dir: /etc/keystone/domains
+    fernet_tokens:
+      key_repository: /etc/keystone/fernet-keys/
+    credential:
+      key_repository: /etc/keystone/credential-keys/
+    database:
+      max_retries: -1
+    cache:
+      enabled: true
+      backend: dogpile.cache.memcached
+    oslo_messaging_notifications:
+      driver: messagingv2
+    oslo_messaging_rabbit:
+      rabbit_ha_queues: true
+    oslo_middleware:
+      enable_proxy_headers_parsing: true
+    oslo_policy:
+      policy_file: /etc/keystone/policy.yaml
+    security_compliance:
+      # NOTE(vdrok): The following two options have effect only for SQL backend
+      lockout_failure_attempts: 5
+      lockout_duration: 1800
+  # NOTE(lamt) We can leverage multiple domains with different
+  # configurations as outlined in
+  # https://docs.openstack.org/keystone/pike/admin/identity-domain-specific-config.html.
+  # A sample of the value override can be found in sample file:
+  # tools/overrides/example/keystone_domain_config.yaml
+  # ks_domains:
+  policy: {}
+  access_rules: {}
+  rabbitmq:
+    # NOTE(rk760n): adding rmq policy to mirror messages from notification queues and set expiration time for the ones
+    policies:
+      - vhost: "keystone"
+        name: "ha_ttl_keystone"
+        definition:
+          # mirror messges to other nodes in rmq cluster
+          ha-mode: "all"
+          ha-sync-mode: "automatic"
+          # 70s
+          message-ttl: 70000
+        priority: 0
+        apply-to: all
+        pattern: '^(?!(amq\.|reply_)).*'
+  rally_tests:
+    run_tempest: false
+    tests:
+      KeystoneBasic.add_and_remove_user_role:
+        - runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      KeystoneBasic.authenticate_user_and_validate_token:
+        - args: {}
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      KeystoneBasic.create_add_and_list_user_roles:
+        - runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      KeystoneBasic.create_and_delete_ec2credential:
+        - runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      KeystoneBasic.create_and_list_ec2credentials:
+        - runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      KeystoneBasic.create_and_delete_role:
+        - runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      KeystoneBasic.create_and_delete_service:
+        - args:
+            description: test_description
+            service_type: Rally_test_type
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      KeystoneBasic.create_and_get_role:
+        - args: {}
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      KeystoneBasic.create_and_list_services:
+        - args:
+            description: test_description
+            service_type: Rally_test_type
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      KeystoneBasic.create_and_list_tenants:
+        - args: {}
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      KeystoneBasic.create_and_list_users:
+        - args: {}
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      KeystoneBasic.create_delete_user:
+        - args: {}
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      KeystoneBasic.create_tenant:
+        - args: {}
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      KeystoneBasic.create_tenant_with_users:
+        - args:
+            users_per_tenant: 1
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      KeystoneBasic.create_update_and_delete_tenant:
+        - args: {}
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      KeystoneBasic.create_user:
+        - args: {}
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      KeystoneBasic.create_user_set_enabled_and_delete:
+        - args:
+            enabled: true
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+        - args:
+            enabled: false
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      KeystoneBasic.create_user_update_password:
+        - args: {}
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      KeystoneBasic.get_entities:
+        - runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+  mpm_event: |
+    <IfModule mpm_event_module>
+      ServerLimit         1024
+      StartServers        32
+      MinSpareThreads     32
+      MaxSpareThreads     256
+      ThreadsPerChild     25
+      MaxRequestsPerChild 128
+      ThreadLimit         720
+    </IfModule>
+  wsgi_keystone: |
+    {{- $portInt := tuple "identity" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+
+    Listen 0.0.0.0:{{ $portInt }}
+
+    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
+
+    SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+    CustomLog /dev/stdout combined env=!forwarded
+    CustomLog /dev/stdout proxy env=forwarded
+
+    <VirtualHost *:{{ $portInt }}>
+        WSGIDaemonProcess keystone-public processes=1 threads=1 user=keystone group=keystone display-name=%{GROUP}
+        WSGIProcessGroup keystone-public
+        WSGIScriptAlias / /var/www/cgi-bin/keystone/keystone-wsgi-public
+        WSGIApplicationGroup %{GLOBAL}
+        WSGIPassAuthorization On
+        <IfVersion >= 2.4>
+          ErrorLogFormat "%{cu}t %M"
+        </IfVersion>
+        ErrorLog /dev/stdout
+
+        SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+        CustomLog /dev/stdout combined env=!forwarded
+        CustomLog /dev/stdout proxy env=forwarded
+    </VirtualHost>
+  sso_callback_template: |
+    <!DOCTYPE html>
+    <html xmlns="http://www.w3.org/1999/xhtml">
+      <head>
+        <title>Keystone WebSSO redirect</title>
+      </head>
+      <body>
+         <form id="sso" name="sso" action="$host" method="post">
+           Please wait...
+           <br/>
+           <input type="hidden" name="token" id="token" value="$token"/>
+           <noscript>
+             <input type="submit" name="submit_no_javascript" id="submit_no_javascript"
+                value="If your JavaScript is disabled, please click to continue"/>
+           </noscript>
+         </form>
+         <script type="text/javascript">
+           window.onload = function() {
+             document.forms['sso'].submit();
+           }
+         </script>
+      </body>
+    </html>
+  logging:
+    loggers:
+      keys:
+        - root
+        - keystone
+    handlers:
+      keys:
+        - stdout
+        - stderr
+        - "null"
+    formatters:
+      keys:
+        - context
+        - default
+    logger_root:
+      level: WARNING
+      handlers: 'null'
+    logger_keystone:
+      level: INFO
+      handlers:
+        - stdout
+      qualname: keystone
+    logger_amqp:
+      level: WARNING
+      handlers: stderr
+      qualname: amqp
+    logger_amqplib:
+      level: WARNING
+      handlers: stderr
+      qualname: amqplib
+    logger_eventletwsgi:
+      level: WARNING
+      handlers: stderr
+      qualname: eventlet.wsgi.server
+    logger_sqlalchemy:
+      level: WARNING
+      handlers: stderr
+      qualname: sqlalchemy
+    logger_boto:
+      level: WARNING
+      handlers: stderr
+      qualname: boto
+    handler_null:
+      class: logging.NullHandler
+      formatter: default
+      args: ()
+    handler_stdout:
+      class: StreamHandler
+      args: (sys.stdout,)
+      formatter: context
+    handler_stderr:
+      class: StreamHandler
+      args: (sys.stderr,)
+      formatter: context
+    formatter_context:
+      class: oslo_log.formatters.ContextFormatter
+      datefmt: "%Y-%m-%d %H:%M:%S"
+    formatter_default:
+      format: "%(message)s"
+      datefmt: "%Y-%m-%d %H:%M:%S"
+
+# Names of secrets used by bootstrap and environmental checks
+secrets:
+  identity:
+    admin: keystone-keystone-admin
+    test: keystone-keystone-test
+  oslo_db:
+    admin: keystone-db-admin
+    keystone: keystone-db-user
+  oslo_messaging:
+    admin: keystone-rabbitmq-admin
+    keystone: keystone-rabbitmq-user
+  ldap:
+    tls: keystone-ldap-tls
+  tls:
+    identity:
+      api:
+        public: keystone-tls-public
+        internal: keystone-tls-api
+
+# typically overridden by environmental
+# values, but should include all endpoints
+# required by this chart
+endpoints:
+  cluster_domain_suffix: cluster.local
+  local_image_registry:
+    name: docker-registry
+    namespace: docker-registry
+    hosts:
+      default: localhost
+      internal: docker-registry
+      node: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        node: 5000
+  identity:
+    namespace: null
+    name: keystone
+    auth:
+      admin:
+        region_name: RegionOne
+        username: admin
+        password: password
+        project_name: admin
+        user_domain_name: default
+        project_domain_name: default
+        default_domain_id: default
+      test:
+        role: admin
+        region_name: RegionOne
+        username: keystone-test
+        password: password
+        project_name: test
+        user_domain_name: default
+        project_domain_name: default
+        default_domain_id: default
+    hosts:
+      default: keystone
+      internal: keystone-api
+    host_fqdn_override:
+      default: null
+      # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
+      # endpoints using the following format:
+      # public:
+      #   host: null
+      #   tls:
+      #     crt: null
+      #     key: null
+    path:
+      default: /v3
+    scheme:
+      default: http
+    port:
+      api:
+        default: 80
+        # NOTE(portdirect): to retain portability across images, and allow
+        # running under a unprivileged user simply, we default to a port > 1000.
+        internal: 5000
+  oslo_db:
+    namespace: null
+    auth:
+      admin:
+        username: root
+        password: password
+        secret:
+          tls:
+            internal: mariadb-tls-direct
+      keystone:
+        username: keystone
+        password: password
+    hosts:
+      default: mariadb
+    host_fqdn_override:
+      default: null
+    path: /keystone
+    scheme: mysql+pymysql
+    port:
+      mysql:
+        default: 3306
+  oslo_messaging:
+    namespace: null
+    auth:
+      admin:
+        username: rabbitmq
+        password: password
+        secret:
+          tls:
+            internal: rabbitmq-tls-direct
+      keystone:
+        username: keystone
+        password: password
+    statefulset:
+      replicas: 2
+      name: rabbitmq-rabbitmq
+    hosts:
+      default: rabbitmq
+    host_fqdn_override:
+      default: null
+    path: /keystone
+    scheme: rabbit
+    port:
+      amqp:
+        default: 5672
+      http:
+        default: 15672
+  oslo_cache:
+    namespace: null
+    hosts:
+      default: memcached
+    host_fqdn_override:
+      default: null
+    port:
+      memcache:
+        default: 11211
+  ldap:
+    auth:
+      client:
+        tls:
+          # NOTE(lamt): Specify a CA value here will place a LDAPS certificate at
+          # /etc/certs/tls.ca.  To ensure keystone uses LDAPS, the
+          # following key will need to be overrided under section [ldap] or the
+          # correct domain-specific setting, else it will not be enabled:
+          #
+          #   use_tls: true
+          #   tls_req_cert: allow # Valid values: demand, never, allow
+          #   tls_cacertfile: /etc/certs/tls.ca # abs path to the CA cert
+          ca: null
+  fluentd:
+    namespace: null
+    name: fluentd
+    hosts:
+      default: fluentd-logging
+    host_fqdn_override:
+      default: null
+    path:
+      default: null
+    scheme: 'http'
+    port:
+      service:
+        default: 24224
+      metrics:
+        default: 24220
+  # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
+  # They are using to enable the Egress K8s network policy.
+  kube_dns:
+    namespace: kube-system
+    name: kubernetes-dns
+    hosts:
+      default: kube-dns
+    host_fqdn_override:
+      default: null
+    path:
+      default: null
+    scheme: http
+    port:
+      dns:
+        default: 53
+        protocol: UDP
+  ingress:
+    namespace: null
+    name: ingress
+    hosts:
+      default: ingress
+    port:
+      ingress:
+        default: 80
+
+manifests:
+  certificates: false
+  configmap_bin: true
+  configmap_etc: true
+  cron_credential_rotate: true
+  cron_fernet_rotate: true
+  deployment_api: true
+  ingress_api: true
+  job_bootstrap: true
+  job_credential_cleanup: true
+  job_credential_setup: true
+  job_db_init: true
+  job_db_sync: true
+  job_db_drop: false
+  job_domain_manage: true
+  job_fernet_setup: true
+  job_image_repo_sync: true
+  job_rabbit_init: true
+  pdb_api: true
+  pod_rally_test: true
+  network_policy: false
+  secret_credential_keys: true
+  secret_db: true
+  secret_fernet_keys: true
+  secret_ingress_tls: true
+  secret_keystone: true
+  secret_rabbitmq: true
+  service_ingress_api: true
+  service_api: true
+...
diff --git a/charts/libvirt/.helmignore b/charts/libvirt/.helmignore
new file mode 100644
index 0000000..b54c347
--- /dev/null
+++ b/charts/libvirt/.helmignore
@@ -0,0 +1 @@
+values_overrides
diff --git a/charts/libvirt/Chart.yaml b/charts/libvirt/Chart.yaml
new file mode 100644
index 0000000..68ea762
--- /dev/null
+++ b/charts/libvirt/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm libvirt
+home: https://libvirt.org
+maintainers:
+- name: OpenStack-Helm Authors
+name: libvirt
+sources:
+- https://libvirt.org/git/?p=libvirt.git;a=summary
+- https://opendev.org/openstack/openstack-helm
+version: 0.1.8
diff --git a/charts/libvirt/charts/helm-toolkit/Chart.yaml b/charts/libvirt/charts/helm-toolkit/Chart.yaml
new file mode 100644
index 0000000..a0ccd1d
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Helm-Toolkit
+home: https://docs.openstack.org/openstack-helm
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: helm-toolkit
+sources:
+- https://opendev.org/openstack/openstack-helm-infra
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.34
diff --git a/charts/libvirt/charts/helm-toolkit/requirements.lock b/charts/libvirt/charts/helm-toolkit/requirements.lock
new file mode 100644
index 0000000..da47547
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/requirements.lock
@@ -0,0 +1,3 @@
+dependencies: []
+digest: sha256:643d5437104296e21d906ecb15b2c96ad278f20cfc4af53b12bb6069bd853726
+generated: "2022-03-21T18:35:07.074136695Z"
diff --git a/charts/libvirt/charts/helm-toolkit/requirements.yaml b/charts/libvirt/charts/helm-toolkit/requirements.yaml
new file mode 100644
index 0000000..27fb08a
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/requirements.yaml
@@ -0,0 +1,15 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies: []
+...
diff --git a/charts/libvirt/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..12b84de
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
@@ -0,0 +1,58 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves database, or basic auth, style endpoints
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      auth:
+        admin:
+          username: root
+          password: password
+        service_username:
+          username: username
+          password: password
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+      path: /dbname
+      scheme: mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "service_username" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+return: |
+  mysql+pymysql://serviceuser:password@mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s:%s@%s:%s%s" $endpointScheme $endpointUser $endpointPass $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..b7cf287
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
@@ -0,0 +1,121 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves endpoint string suitible for use with oslo.messaging transport url
+  See: https://docs.openstack.org/oslo.messaging/latest/reference/transport.html#oslo_messaging.TransportURL
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset:
+            replicas: 2
+            name: rabbitmq-rabbitmq
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: null
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq-rabbitmq-0.rabbitmq.default.svc.cluster.local:5672,cinder:password@rabbitmq-rabbitmq-1.rabbitmq.default.svc.cluster.local:5672/cinder
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset: null
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: null
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq.default.svc.cluster.local:5672/cinder
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset:
+            replicas: 2
+            name: rabbitmq-rabbitmq
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: rabbitmq.openstackhelm.org
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq.openstackhelm.org:5672/cinder
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" -}}
+{{-   $type := index . 0 -}}
+{{-   $endpoint := index . 1 -}}
+{{-   $userclass := index . 2 -}}
+{{-   $port := index . 3 -}}
+{{-   $context := index . 4 -}}
+{{-   $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{-   $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{-   $ssMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "statefulset" | default false}}
+{{-   $hostFqdnOverride := index $context.Values.endpoints ( $type | replace "-" "_" ) "host_fqdn_override" }}
+{{-   $endpointUser := index $userMap "username" }}
+{{-   $endpointPass := index $userMap "password" }}
+{{-   $endpointHostSuffix := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{-   $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{-   $local := dict "endpointCredsAndHosts" list -}}
+{{-   if not (or (index $hostFqdnOverride $endpoint | default ( index $hostFqdnOverride "default" ) ) ( not $ssMap ) ) }}
+{{-     $endpointHostPrefix := $ssMap.name }}
+{{-     range $podInt := until ( atoi (print $ssMap.replicas ) ) }}
+{{-       $endpointCredAndHost := printf "%s:%s@%s-%d.%s:%s" $endpointUser $endpointPass $endpointHostPrefix $podInt $endpointHostSuffix $endpointPort }}
+{{-       $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{-     end }}
+{{-   else }}
+{{-     $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{-     $endpointCredAndHost := printf "%s:%s@%s:%s" $endpointUser $endpointPass $endpointHost $endpointPort }}
+{{-     $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{-   end }}
+{{-   $endpointCredsAndHosts := include "helm-toolkit.utils.joinListWithComma" $local.endpointCredsAndHosts }}
+{{-   $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{-   printf "%s://%s%s" $endpointScheme $endpointCredsAndHosts $endpointPath }}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
new file mode 100644
index 0000000..fb8bbe7
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves either the fully qualified hostname, of if defined in the host field
+  IPv4 for an endpoint.
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default:
+             host: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: 127.0.0.1
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      127.0.0.1
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default:
+             host: 127.0.0.1
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      127.0.0.1
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_host_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
new file mode 100644
index 0000000..447efe7
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
@@ -0,0 +1,41 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the port for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+return: |
+  3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_port_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- $endpointPortMAP := index $endpointMap.port $port }}
+{{- $endpointPort := index $endpointPortMAP $endpoint | default ( index $endpointPortMAP "default" ) }}
+{{- printf "%1.f" $endpointPort -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
new file mode 100644
index 0000000..3a268c0
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
@@ -0,0 +1,36 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Gets the token for an endpoint
+values: |
+  endpoints:
+    keystone:
+      auth:
+        admin:
+          token: zh78JzXgw6YUKy2e
+usage: |
+  {{ tuple "keystone" "admin" . | include "helm-toolkit.endpoints.endpoint_token_lookup" }}
+return: |
+  zh78JzXgw6YUKy2e
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_token_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $userName := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" }}
+{{- printf "%s" $serviceToken -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..6877b7b
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
@@ -0,0 +1,59 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves 'hostname:port' for an endpoint
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+          port:
+            mysql:
+              default: 3306
+    usage: |
+      {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local:3306
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: 127.0.0.1
+          host_fqdn_override:
+            default: null
+          port:
+            mysql:
+              default: 3306
+    usage: |
+      {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+    return: |
+      127.0.0.1:3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- printf "%s:%s" $endpointHostname $endpointPort -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
new file mode 100644
index 0000000..26374e3
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the fully qualified hostname for an endpoint
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: mariadb.openstackhelm.openstack.org
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.openstackhelm.openstack.org
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default:
+              host: mariadb.openstackhelm.openstack.org
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.openstackhelm.openstack.org
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointHostNamespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.svc.%s" $endpointHostNamespaced $context.Values.endpoints.cluster_domain_suffix }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $endpointMap.host_fqdn_override "default" | default "" ) }}
+{{- if kindIs "map" $context.Values.__FQDNendpointHostDefault }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $context.Values.__FQDNendpointHostDefault "host" ) }}
+{{- end }}
+{{- if kindIs "map" (index $endpointMap.host_fqdn_override $endpoint) }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint "host" | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
new file mode 100644
index 0000000..9d60393
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
@@ -0,0 +1,40 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the namespace scoped hostname for an endpoint
+values: |
+  endpoints:
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+return: |
+  mariadb.default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.%s" $endpointHost $namespace }}
+{{- printf "%s" $endpointClusterHostname -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
new file mode 100644
index 0000000..cc4d4de
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the namespace scoped hostname for an endpoint
+values: |
+  endpoints:
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" }}
+return: |
+  default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- printf "%s" $namespace -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
new file mode 100644
index 0000000..f23c624
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the short hostname for an endpoint
+examples:
+  - values: |
+      endpoints:
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+    return: |
+      mariadb
+  - values: |
+      endpoints:
+        oslo_db:
+          hosts:
+            default:
+              host: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+    return: |
+      mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- printf "%s" $type -}}
+{{- else }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
new file mode 100644
index 0000000..e31c0eb
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the service name for an service type
+values: |
+  endpoints:
+    identity:
+      name: keystone
+usage: |
+  {{ tuple identity . | include "keystone_endpoint_name_lookup" }}
+return: |
+  "keystone"
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_name_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointName := index $endpointMap "name" }}
+{{- $endpointName | quote -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
new file mode 100644
index 0000000..b2ec648
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+  Resolves the path for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      path:
+       default: /dbname
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+return: |
+  /dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_path_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.path }}
+{{- printf "%s" $endpointMap.path | default "/" -}}
+{{- else -}}
+{{- $endpointPath := index $endpointMap.path $endpoint | default $endpointMap.path.default | default "/" }}
+{{- printf "%s" $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
new file mode 100644
index 0000000..b35cb0b
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+  Resolves the scheme for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      scheme:
+        default:
+          mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+return: |
+  mysql+pymysql
+*/}}
+
+# This function returns the scheme for a service, it takes an tuple
+# input in the form: service-type, endpoint-class, port-name. eg:
+# { tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_scheme_lookup" }
+# will return the scheme setting for this particular endpoint.  In other words, for most endpoints
+# it will return either 'http' or 'https'
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.scheme }}
+{{- printf "%s" $endpointMap.scheme | default "http" -}}
+{{- else -}}
+{{- $endpointScheme := index $endpointMap.scheme $endpoint | default $endpointMap.scheme.default | default "http" }}
+{{- printf "%s" $endpointScheme -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..8d0819c
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
@@ -0,0 +1,52 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  This function helps resolve uri style endpoints. It will omit the port for
+  http when 80 is used, and 443 in the case of https.
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+      path: /dbname
+      scheme: mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+return: |
+  mysql+pymysql://mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- if or ( and ( eq $endpointScheme "http" ) ( eq $endpointPort "80" ) ) ( and ( eq $endpointScheme "https" ) ( eq $endpointPort "443" ) ) -}}
+{{- printf "%s://%s%s" $endpointScheme $endpointHost $endpointPath -}}
+{{- else -}}
+{{- printf "%s://%s:%s%s" $endpointScheme $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
new file mode 100644
index 0000000..cf2ef38
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  This function returns endpoint "<namespace>:<name>" pair from an endpoint
+  definition. This is used in kubernetes-entrypoint to support dependencies
+  between different services in different namespaces.
+  returns: the endpoint namespace and the service name, delimited by a colon
+
+  Normally, the service name is constructed dynamically from the hostname
+  however when an ip address is used as the hostname, we default to
+  namespace:endpointCategoryName in order to construct a valid service name
+  however this can be overridden to a custom service name by defining
+  .service.name within the endpoint definition
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      namespace: foo
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple oslo_db internal . | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}
+return: |
+  foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- with $endpointMap -}}
+{{- $endpointName := index .hosts $endpoint | default .hosts.default }}
+{{- $endpointNamespace := .namespace | default $context.Release.Namespace }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointName }}
+{{- if .service.name }}
+{{- printf "%s:%s" $endpointNamespace .service.name -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $typeYamlSafe -}}
+{{- end -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $endpointName -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
new file mode 100644
index 0000000..18453ee
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for kubernete ceph storageclass
+examples:
+  - values: |
+      manifests:
+        storageclass: true
+      storageclass:
+        rbd:
+          provision_storage_class: true
+          provisioner: "ceph.com/rbd"
+          metadata:
+            default_storage_class: true
+            name: general
+          parameters:
+            #We will grab the monitors value based on helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup
+            pool: rbd
+            admin_id: admin
+            ceph_configmap_name: "ceph-etc"
+            admin_secret_name: "pvc-ceph-conf-combined-storageclass"
+            admin_secret_namespace: ceph
+            user_id: admin
+            user_secret_name: "pvc-ceph-client-key"
+            image_format: "2"
+            image_features: layering
+        cephfs:
+          provision_storage_class: true
+          provisioner: "ceph.com/cephfs"
+          metadata:
+            name: cephfs
+          parameters:
+            admin_id: admin
+            admin_secret_name: "pvc-ceph-cephfs-client-key"
+            admin_secret_namespace: ceph
+    usage: |
+      {{- range $storageclass, $val := .Values.storageclass }}
+      {{ dict "storageclass_data" $val "envAll" $ | include "helm-toolkit.manifests.ceph-storageclass" }}
+      {{- end }}
+    return: |
+      ---
+      apiVersion: storage.k8s.io/v1
+      kind: StorageClass
+      metadata:
+        annotations:
+          storageclass.kubernetes.io/is-default-class: "true"
+        name: general
+      provisioner: ceph.com/rbd
+      parameters:
+        monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+        adminId: admin
+        adminSecretName: pvc-ceph-conf-combined-storageclass
+        adminSecretNamespace: ceph
+        pool: rbd
+        userId: admin
+        userSecretName: pvc-ceph-client-key
+        image_format: "2"
+        image_features: layering
+      ---
+      apiVersion: storage.k8s.io/v1
+      kind: StorageClass
+      metadata:
+        name: cephfs
+      provisioner: ceph.com/cephfs
+      parameters:
+        monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+        adminId: admin
+        adminSecretName: pvc-ceph-cephfs-client-key
+        adminSecretNamespace: ceph
+*/}}
+
+{{- define "helm-toolkit.manifests.ceph-storageclass" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $monHost := $envAll.Values.conf.ceph.global.mon_host -}}
+{{- if empty $monHost -}}
+{{- $monHost = tuple "ceph_mon" "internal" "mon" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- end -}}
+{{- $storageclassData := index . "storageclass_data" -}}
+---
+{{- if $storageclassData.provision_storage_class }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+{{- if $storageclassData.metadata.default_storage_class }}
+  annotations:
+    storageclass.kubernetes.io/is-default-class: "true"
+{{- end }}
+  name: {{ $storageclassData.metadata.name }}
+provisioner: {{ $storageclassData.provisioner }}
+parameters:
+  monitors: {{ $monHost }}
+{{- range $attr, $value := $storageclassData.parameters }}
+  {{ $attr }}: {{ $value | quote }}
+{{- end }}
+allowVolumeExpansion: true
+
+{{- end }}
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_certificates.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_certificates.tpl
new file mode 100644
index 0000000..8be771e
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_certificates.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a certificate using jetstack
+examples:
+  - values: |
+      endpoints:
+        dashboard:
+          host_fqdn_override:
+            default:
+              host: null
+              tls:
+                secretName: keystone-tls-api
+                issuerRef:
+                  name: ca-issuer
+                  duration: 2160h
+                  organization:
+                    - ACME
+                  commonName: keystone-api.openstack.svc.cluster.local
+                  privateKey:
+                    size: 2048
+                  usages:
+                    - server auth
+                    - client auth
+                  dnsNames:
+                    - cluster.local
+                  issuerRef:
+                    name: ca-issuer
+    usage: |
+      {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
+      {{ $opts | include "helm-toolkit.manifests.certificates" }}
+    return: |
+      ---
+      apiVersion: cert-manager.io/v1
+      kind: Certificate
+      metadata:
+        name: keystone-tls-api
+        namespace: NAMESPACE
+      spec:
+        commonName: keystone-api.openstack.svc.cluster.local
+        dnsNames:
+        - cluster.local
+        duration: 2160h
+        issuerRef:
+          name: ca-issuer
+        privateKey:
+          size: 2048
+        organization:
+        - ACME
+        secretName: keystone-tls-api
+        usages:
+        - server auth
+        - client auth
+*/}}
+
+{{- define "helm-toolkit.manifests.certificates" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $service := index . "service" -}}
+{{- $type := index . "type" | default "" -}}
+{{- $slice := index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" -}}
+{{/* Put in some sensible default value if one is not provided by values.yaml */}}
+{{/* If a dnsNames list is not in the values.yaml, it can be overridden by a passed-in parameter.
+  This allows user to use other HTK method to determine the URI and pass that into this method.*/}}
+{{- if not (hasKey $slice "dnsNames") -}}
+{{- $hostName := tuple $service $type $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
+{{- $_ := $dnsNames | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "dnsNames" -}}
+{{- end -}}
+{{/* Default privateKey size to 4096. This can be overridden. */}}
+{{- if not (hasKey $slice "privateKey") -}}
+{{- $_ := dict "size" ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "privateKey" -}}
+{{- else if empty (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey" "size") -}}
+{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey") "size" -}}
+{{- end -}}
+{{/* Default duration to 3 months. Note the min is 720h. This can be overridden. */}}
+{{- if not (hasKey $slice "duration") -}}
+{{- $_ := printf "%s" "2190h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "duration" -}}
+{{- end -}}
+{{/* Default renewBefore to 15 days. This can be overridden. */}}
+{{- if not (hasKey $slice "renewBefore") -}}
+{{- $_ := printf "%s" "360h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "renewBefore" -}}
+{{- end -}}
+{{/* Default the usage to server auth and client auth. This can be overridden. */}}
+{{- if not (hasKey $slice "usages") -}}
+{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}}
+{{- end -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }}
+  namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{ $slice | toYaml | indent 2 }}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_ingress.tpl
new file mode 100644
index 0000000..c1693aa
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -0,0 +1,727 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a services ingress rules.
+examples:
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public: barbican
+          host_fqdn_override:
+            default: null
+            public:
+              host: barbican.openstackhelm.example
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican-namespace-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican.openstackhelm.example
+        rules:
+          - host: barbican.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican-cluster-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx-cluster"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican.openstackhelm.example
+        rules:
+          - host: barbican.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  - values: |
+      cert_issuer_type: issuer
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/secure-backends: "true"
+              nginx.ingress.kubernetes.io/backend-protocol: "https"
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+              internal: barbican-tls-api
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+          certs:
+            barbican_tls_api:
+              secretName: barbican-tls-api
+              issuerRef:
+                name: ca-issuer
+                kind: Issuer
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          cert-manager.io/issuer: ca-issuer
+          certmanager.k8s.io/issuer: ca-issuer
+          nginx.ingress.kubernetes.io/backend-protocol: https
+          nginx.ingress.kubernetes.io/secure-backends: "true"
+      spec:
+        tls:
+          - secretName: barbican-tls-public-certmanager
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/secure-backends: "true"
+              nginx.ingress.kubernetes.io/backend-protocol: "https"
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+              internal: barbican-tls-api
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+          certs:
+            barbican_tls_api:
+              secretName: barbican-tls-api
+              issuerRef:
+                name: ca-issuer
+                kind: ClusterIssuer
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer") -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          cert-manager.io/cluster-issuer: ca-issuer
+          certmanager.k8s.io/cluster-issuer: ca-issuer
+          nginx.ingress.kubernetes.io/backend-protocol: https
+          nginx.ingress.kubernetes.io/secure-backends: "true"
+      spec:
+        tls:
+          - secretName: barbican-tls-public-certmanager
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  # Sample usage for multiple DNS names associated with the same public
+  # endpoint and certificate
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        grafana:
+          name: grafana
+          hosts:
+            default: grafana-dashboard
+            public: grafana
+          host_fqdn_override:
+            public:
+              host: grafana.openstackhelm.example
+              tls:
+                dnsNames:
+                  - grafana-alt.openstackhelm.example
+                crt: "BASE64 ENCODED CERT"
+                key: "BASE64 ENCODED KEY"
+      network:
+        grafana:
+          ingress:
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          grafana:
+            grafana:
+              public: grafana-tls-public
+    usage: |
+      {{- $ingressOpts := dict "envAll" . "backendService" "grafana" "backendServiceType" "grafana" "backendPort" "dashboard" -}}
+      {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        rules:
+          - host: grafana
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana-namespace-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: grafana-tls-public
+            hosts:
+              - grafana.openstackhelm.example
+              - grafana-alt.openstackhelm.example
+        rules:
+          - host: grafana.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana-alt.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana-cluster-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx-cluster"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: grafana-tls-public
+            hosts:
+              - grafana.openstackhelm.example
+              - grafana-alt.openstackhelm.example
+        rules:
+          - host: grafana.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana-alt.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+
+*/}}
+
+{{- define "helm-toolkit.manifests.ingress._host_rules" -}}
+{{- $vHost := index . "vHost" -}}
+{{- $backendName := index . "backendName" -}}
+{{- $backendPort := index . "backendPort" -}}
+- host: {{ $vHost }}
+  http:
+    paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: {{ $backendName }}
+            port:
+{{- if or (kindIs "int" $backendPort) (regexMatch "^[0-9]{1,5}$" $backendPort) }}
+              number: {{ $backendPort | int }}
+{{- else }}
+              name: {{ $backendPort | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "helm-toolkit.manifests.ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendService := index . "backendService" | default "api" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+{{- $backendPort := index . "backendPort" -}}
+{{- $endpoint := index . "endpoint" | default "public" -}}
+{{- $certIssuer := index . "certIssuer" | default "" -}}
+{{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostNameFull := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $certIssuerType := "cluster-issuer" -}}
+{{- if $envAll.Values.cert_issuer_type }}
+{{- $certIssuerType = $envAll.Values.cert_issuer_type }}
+{{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $ingressName }}
+  annotations:
+    kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" "namespace" | quote }}
+{{- if $certIssuer }}
+    cert-manager.io/{{ $certIssuerType }}: {{ $certIssuer }}
+    certmanager.k8s.io/{{ $certIssuerType }}: {{ $certIssuer }}
+{{- $slice := index $envAll.Values.endpoints $backendServiceType "host_fqdn_override" "default" "tls" -}}
+{{- if (hasKey $slice "duration") }}
+    cert-manager.io/duration: {{ index $slice "duration" }}
+{{- end }}
+{{- end }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "hosts" }}
+{{- if $certIssuer }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ printf "%s-ing" $secretName }}
+      hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+        - {{ $vHost }}
+{{- end }}
+{{- else }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ $secretName }}
+      hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+        - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+  rules:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+{{- $hostRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
+{{- range $key2, $ingressController := tuple "namespace" "cluster" }}
+{{- $vHosts := list $hostNameFull }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ printf "%s-%s-%s" $ingressName $ingressController "fqdn" }}
+  annotations:
+    kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" $ingressController | quote }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
+{{- $vHosts = append $vHosts $v }}
+{{- end }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ $secretName }}
+      hosts:
+{{- range $vHost := $vHosts }}
+        - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+  rules:
+{{- range $vHost := $vHosts }}
+{{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
new file mode 100644
index 0000000..3cc07cc
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
@@ -0,0 +1,137 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $bootstrapJob := dict "envAll" . "serviceName" "senlin" -}
+# { $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }
+
+{{- define "helm-toolkit.manifests.job_bootstrap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}}
+{{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $keystoneUser := index . "keystoneUser" | default $serviceName -}}
+{{- $openrc := index . "openrc" | default "true" -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "bootstrap" }}
+{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "bootstrap" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+      initContainers:
+{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+      containers:
+        - name: bootstrap
+          image: {{ $envAll.Values.images.tags.bootstrap }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if eq $openrc "true" }}
+          env:
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+{{- end }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/bootstrap.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: bootstrap-sh
+              mountPath: /tmp/bootstrap.sh
+              subPath: bootstrap.sh
+              readOnly: true
+            - name: etc-service
+              mountPath: {{ dir $configFile | quote }}
+            - name: bootstrap-conf
+              mountPath: {{ $configFile | quote }}
+              subPath: {{ base $configFile | quote }}
+              readOnly: true
+            - name: bootstrap-conf
+              mountPath: {{ $logConfigFile | quote }}
+              subPath: {{ base $logConfigFile | quote }}
+              readOnly: true
+{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: bootstrap-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etc-service
+          emptyDir: {}
+        - name: bootstrap-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
new file mode 100644
index 0000000..91fd5ad
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
@@ -0,0 +1,166 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToDropJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_drop_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToDrop := index . "dbToDrop" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToDrop := default (list $dbToDrop) (index . "dbsToDrop") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
+{{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-drop" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": hook-succeeded
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_drop" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+      initContainers:
+{{ tuple $envAll "db_drop" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{ $dbToDropType := default "oslo" $dbToDrop.inputType }}
+        - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-drop" $key1 | quote }}
+          image: {{ $envAll.Values.images.tags.db_drop }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_drop | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: ROOT_DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToDrop.adminSecret | quote }}
+                  key: DB_CONNECTION
+{{- if eq $dbToDropType "oslo" }}
+            - name: OPENSTACK_CONFIG_FILE
+              value: {{ $dbToDrop.configFile | quote }}
+            - name: OPENSTACK_CONFIG_DB_SECTION
+              value: {{ $dbToDrop.configDbSection | quote }}
+            - name: OPENSTACK_CONFIG_DB_KEY
+              value: {{ $dbToDrop.configDbKey | quote }}
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+            - name: MARIADB_X509
+              value: "REQUIRE X509"
+{{- end }}
+{{- if eq $dbToDropType "secret" }}
+            - name: DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToDrop.userSecret | quote }}
+                  key: DB_CONNECTION
+{{- end }}
+          command:
+            - /tmp/db-drop.py
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-drop-sh
+              mountPath: /tmp/db-drop.py
+              subPath: db-drop.py
+              readOnly: true
+
+{{- if eq $dbToDropType "oslo" }}
+            - name: etc-service
+              mountPath: {{ dir $dbToDrop.configFile | quote }}
+            - name: db-drop-conf
+              mountPath: {{ $dbToDrop.configFile | quote }}
+              subPath: {{ base $dbToDrop.configFile | quote }}
+              readOnly: true
+            - name: db-drop-conf
+              mountPath: {{ $dbToDrop.logConfigFile | quote }}
+              subPath: {{ base $dbToDrop.logConfigFile | quote }}
+              readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-drop-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{- $dbToDropType := default "oslo" $dbToDrop.inputType }}
+{{- if and (eq $dbToDropType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-drop-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
new file mode 100644
index 0000000..b3348f5
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
@@ -0,0 +1,165 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToInitJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_init_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToInit := index . "dbToInit" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToInit := default (list $dbToInit) (index . "dbsToInit") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
+{{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-init" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+      initContainers:
+{{ tuple $envAll "db_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{ $dbToInitType := default "oslo" $dbToInit.inputType }}
+        - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-init" $key1 | quote }}
+          image: {{ $envAll.Values.images.tags.db_init }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: ROOT_DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToInit.adminSecret | quote }}
+                  key: DB_CONNECTION
+{{- if eq $dbToInitType "oslo" }}
+            - name: OPENSTACK_CONFIG_FILE
+              value: {{ $dbToInit.configFile | quote }}
+            - name: OPENSTACK_CONFIG_DB_SECTION
+              value: {{ $dbToInit.configDbSection | quote }}
+            - name: OPENSTACK_CONFIG_DB_KEY
+              value: {{ $dbToInit.configDbKey | quote }}
+{{- end }}
+{{- if eq $dbToInitType "secret" }}
+            - name: DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToInit.userSecret | quote }}
+                  key: DB_CONNECTION
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+            - name: MARIADB_X509
+              value: "REQUIRE X509"
+{{- end }}
+          command:
+            - /tmp/db-init.py
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-init-sh
+              mountPath: /tmp/db-init.py
+              subPath: db-init.py
+              readOnly: true
+{{- if eq $dbToInitType "oslo" }}
+            - name: etc-service
+              mountPath: {{ dir $dbToInit.configFile | quote }}
+            - name: db-init-conf
+              mountPath: {{ $dbToInit.configFile | quote }}
+              subPath: {{ base $dbToInit.configFile | quote }}
+              readOnly: true
+            - name: db-init-conf
+              mountPath: {{ $dbToInit.logConfigFile | quote }}
+              subPath: {{ base $dbToInit.logConfigFile | quote }}
+              readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-init-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{- $dbToInitType := default "oslo" $dbToInit.inputType }}
+{{- if and (eq $dbToInitType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-init-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
new file mode 100644
index 0000000..0376343
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
@@ -0,0 +1,133 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db migration and management.
+# It can be used in charts dict created similar to the following:
+# {- $dbSyncJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }
+
+{{- define "helm-toolkit.manifests.job_db_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $podEnvVars := index . "podEnvVars" | default false -}}
+{{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "image" ( index $envAll.Values.images.tags ( printf "%s_db_sync" $serviceName )) ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
+{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+      initContainers:
+{{ tuple $envAll "db_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+          image: {{ $dbToSync.image | quote }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if $podEnvVars }}
+          env:
+{{ $podEnvVars | toYaml | indent 12 }}
+{{- end }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/db-sync.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-sync-sh
+              mountPath: /tmp/db-sync.sh
+              subPath: db-sync.sh
+              readOnly: true
+            - name: etc-service
+              mountPath: {{ dir $dbToSync.configFile | quote }}
+            - name: db-sync-conf
+              mountPath: {{ $dbToSync.configFile | quote }}
+              subPath: {{ base $dbToSync.configFile | quote }}
+              readOnly: true
+            - name: db-sync-conf
+              mountPath: {{ $dbToSync.logConfigFile | quote }}
+              subPath: {{ base $dbToSync.logConfigFile | quote }}
+              readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-sync-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-sync-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
new file mode 100644
index 0000000..2d130e1
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
@@ -0,0 +1,126 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksEndpointJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksEndpointJob | include "helm-toolkit.manifests.job_ks_endpoints" }
+
+{{- define "helm-toolkit.manifests.job_ks_endpoints" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_endpoints" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_endpoints.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-endpoints" }}
+{{ tuple $envAll "ks_endpoints" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "ks-endpoints" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_endpoints" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+      initContainers:
+{{ tuple $envAll "ks_endpoints" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+        - name: {{ printf "%s-%s-%s" $osServiceType "ks-endpoints" $osServiceEndPoint | quote }}
+          image: {{ $envAll.Values.images.tags.ks_endpoints }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-endpoints.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-endpoints-sh
+              mountPath: /tmp/ks-endpoints.sh
+              subPath: ks-endpoints.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: OS_SVC_ENDPOINT
+              value: {{ $osServiceEndPoint | quote }}
+            - name: OS_SERVICE_NAME
+              value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+            - name: OS_SERVICE_TYPE
+              value: {{ $osServiceType | quote }}
+            - name: OS_SERVICE_ENDPOINT
+              value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-endpoints-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
new file mode 100644
index 0000000..8347b58
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
@@ -0,0 +1,120 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksServiceJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }
+
+{{- define "helm-toolkit.manifests.job_ks_service" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_service" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_service.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-service" }}
+{{ tuple $envAll "ks_service" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "ks-service" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_service" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+      initContainers:
+{{ tuple $envAll "ks_service" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+        - name: {{ printf "%s-%s" $osServiceType "ks-service-registration" | quote }}
+          image: {{ $envAll.Values.images.tags.ks_service }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-service.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-service-sh
+              mountPath: /tmp/ks-service.sh
+              subPath: ks-service.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: OS_SERVICE_NAME
+              value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+            - name: OS_SERVICE_TYPE
+              value: {{ $osServiceType | quote }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-service-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
new file mode 100644
index 0000000..80960f4
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@@ -0,0 +1,150 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone user management.
+# It can be used in charts dict created similar to the following:
+# {- $ksUserJob := dict "envAll" . "serviceName" "senlin" }
+# { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }
+
+{{/*
+  # To enable PodSecuritycontext (PodSecurityContext/v1) define the below in values.yaml:
+  # example:
+  #  values: |
+  #    pod:
+  #      security_context:
+  #        ks_user:
+  #          pod:
+  #            runAsUser: 65534
+  # To enable Container SecurityContext(SecurityContext/v1) for ks-user container define the values:
+  # example:
+  #   values: |
+  #     pod:
+  #       security_context:
+  #         ks_user:
+  #           container:
+  #             ks-user:
+  #               runAsUser: 65534
+  #               readOnlyRootFilesystem: true
+  #               allowPrivilegeEscalation: false
+*/}}
+
+{{- define "helm-toolkit.manifests.job_ks_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_user" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_user.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "ks-user" }}
+{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceUserPretty "ks-user" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+{{ dict "envAll" $envAll "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+      initContainers:
+{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: ks-user
+          image: {{ $envAll.Values.images.tags.ks_user }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ks_user" "container" "ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-user.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-user-sh
+              mountPath: /tmp/ks-user.sh
+              subPath: ks-user.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: SERVICE_OS_SERVICE_NAME
+              value: {{ $serviceName | quote }}
+{{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: SERVICE_OS_ROLES
+            {{- $serviceOsRoles := index $envAll.Values.endpoints.identity.auth $serviceUser "role" }}
+            {{- if kindIs "slice" $serviceOsRoles }}
+              value: {{ include "helm-toolkit.utils.joinListWithComma" $serviceOsRoles | quote }}
+            {{- else }}
+              value: {{ $serviceOsRoles | quote }}
+            {{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-user-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
new file mode 100644
index 0000000..7ecacce
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
@@ -0,0 +1,125 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.manifests.job_rabbit_init" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
+{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceUserPretty "rabbit-init" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "rabbit_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+      initContainers:
+{{ tuple $envAll "rabbit_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: rabbit-init
+          image: {{ $envAll.Values.images.tags.rabbit_init | quote }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.rabbit_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/rabbit-init.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: rabbit-init-sh
+              mountPath: /tmp/rabbit-init.sh
+              subPath: rabbit-init.sh
+              readOnly: true
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+          env:
+          - name: RABBITMQ_ADMIN_CONNECTION
+            valueFrom:
+              secretKeyRef:
+                name: {{ $envAll.Values.secrets.oslo_messaging.admin }}
+                key: RABBITMQ_CONNECTION
+          - name: RABBITMQ_USER_CONNECTION
+            valueFrom:
+              secretKeyRef:
+                name: {{ index $envAll.Values.secrets.oslo_messaging $serviceName }}
+                key: RABBITMQ_CONNECTION
+{{- if $envAll.Values.conf.rabbitmq }}
+          - name: RABBITMQ_AUXILIARY_CONFIGURATION
+            value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates (ne $tlsSecret "") }}
+          - name: RABBITMQ_X509
+            value: "REQUIRE X509"
+          - name: USER_CERT_PATH
+            value: {{ $tlsPath | quote }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: rabbit-init-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
new file mode 100644
index 0000000..9dc2859
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
@@ -0,0 +1,143 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for linking an s3 bucket to an s3 user.
+# It can be used in charts dict created similar to the following:
+# {- $s3BucketJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3BucketJob | include "helm-toolkit.manifests.job_s3_bucket" }
+
+{{- define "helm-toolkit.manifests.job_s3_bucket" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+{{- $s3Bucket := index . "s3Bucket" | default $serviceName }}
+{{- $tlsCertificateSecret := index . "tlsCertificateSecret" -}}
+{{- $tlsCertificatePath := index . "tlsCertificatePath" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-bucket" }}
+{{ tuple $envAll "s3_bucket" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "s3-bucket" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "s3_bucket" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+      initContainers:
+{{ tuple $envAll "s3_bucket" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: s3-bucket
+          image: {{ $envAll.Values.images.tags.s3_bucket }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_bucket | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/create-s3-bucket.sh
+          env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: s3-bucket-sh
+              mountPath: /tmp/create-s3-bucket.sh
+              subPath: create-s3-bucket.sh
+              readOnly: true
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: ceph.conf
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+            - name: {{ $tlsCertificateSecret }}
+              mountPath: {{ $tlsCertificatePath }}
+              subPath: ca.crt
+              readOnly: true
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: s3-bucket-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etcceph
+          emptyDir: {}
+        - name: ceph-etc
+          configMap:
+            name: {{ $configMapCeph | quote }}
+            defaultMode: 0444
+        {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+        - name: ceph-keyring
+          secret:
+            secretName: pvc-ceph-client-key
+        {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+        - name: {{ $tlsCertificateSecret }}
+          secret:
+            secretName: {{ $tlsCertificateSecret }}
+            defaultMode: 292
+{{- end }}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
new file mode 100644
index 0000000..3dd407e
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
@@ -0,0 +1,155 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for s3 user management.
+# It can be used in charts dict created similar to the following:
+# {- $s3UserJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3UserJob | include "helm-toolkit.manifests.job_s3_user" }
+
+{{- define "helm-toolkit.manifests.job_s3_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-user" }}
+{{ tuple $envAll "s3_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "s3-user" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook-delete-policy": before-hook-creation
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "s3_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+      initContainers:
+{{ tuple $envAll "s3_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: ceph-keyring-placement
+          image: {{ $envAll.Values.images.tags.ceph_key_placement }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+          command:
+            - /tmp/ceph-admin-keyring.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-keyring-sh
+              mountPath: /tmp/ceph-admin-keyring.sh
+              subPath: ceph-admin-keyring.sh
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+      containers:
+        - name: s3-user
+          image: {{ $envAll.Values.images.tags.s3_user }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/create-s3-user.sh
+          env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+            - name: RGW_HOST
+              value: {{ tuple "ceph_object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: create-s3-user-sh
+              mountPath: /tmp/create-s3-user.sh
+              subPath: create-s3-user.sh
+              readOnly: true
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: ceph.conf
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: create-s3-user-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: ceph-keyring-sh
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+        - name: etcceph
+          emptyDir: {}
+        - name: ceph-etc
+          configMap:
+            name: {{ $configMapCeph | quote }}
+            defaultMode: 0444
+        {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+        - name: ceph-keyring
+          secret:
+            secretName: pvc-ceph-client-key
+        {{ end }}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
new file mode 100644
index 0000000..6fed825
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
@@ -0,0 +1,115 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for the image repo sync jobs.
+# It can be used in charts dict created similar to the following:
+# {- $imageRepoSyncJob := dict "envAll" . "serviceName" "prometheus" -}
+# { $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }
+
+{{- define "helm-toolkit.manifests.job_image_repo_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "image-repo-sync" }}
+{{ tuple $envAll "image_repo_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "image-repo-sync" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook-delete-policy": before-hook-creation
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+      initContainers:
+{{ tuple $envAll "image_repo_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+      containers:
+        - name: image-repo-sync
+{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: LOCAL_REPO
+              value: "{{ tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+            - name: IMAGE_SYNC_LIST
+              value: "{{ include "helm-toolkit.utils.image_sync_list" $envAll }}"
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/image-repo-sync.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: bootstrap-sh
+              mountPath: /tmp/image-repo-sync.sh
+              subPath: image-repo-sync.sh
+              readOnly: true
+            - name: docker-socket
+              mountPath: /var/run/docker.sock
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: bootstrap-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: docker-socket
+          hostPath:
+            path: /var/run/docker.sock
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_network_policy.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_network_policy.tpl
new file mode 100644
index 0000000..405197a
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_network_policy.tpl
@@ -0,0 +1,238 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a network policy manifest for services.
+values: |
+  endpoints:
+    kube_dns:
+      namespace: kube-system
+      name: kubernetes-dns
+      hosts:
+        default: kube-dns
+      host_fqdn_override:
+        default: null
+      path:
+        default: null
+      scheme: http
+      port:
+        dns_tcp:
+          default: 53
+        dns:
+          default: 53
+          protocol: UDP
+  network_policy:
+    myLabel:
+      podSelector:
+        matchLabels:
+          component: api
+      ingress:
+      - from:
+        - podSelector:
+            matchLabels:
+              application: keystone
+        ports:
+        - protocol: TCP
+          port: 80
+      egress:
+      - to:
+        - namespaceSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+usage: |
+  {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+  {{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}
+return: |
+  ---
+  apiVersion: networking.k8s.io/v1
+  kind: NetworkPolicy
+  metadata:
+    name: RELEASE-NAME
+    namespace: NAMESPACE
+  spec:
+    policyTypes:
+      - Ingress
+      - Egress
+    podSelector:
+      matchLabels:
+        application: myLabel
+        component: api
+    ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            application: keystone
+      ports:
+      - protocol: TCP
+        port: 80
+    egress:
+      - to:
+        - podSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+  ---
+  apiVersion: networking.k8s.io/v1
+  kind: NetworkPolicy
+  metadata:
+    name: RELEASE-NAME
+    namespace: NAMESPACE
+  spec:
+    policyTypes:
+      - Ingress
+      - Egress
+    podSelector:
+      matchLabels:
+        application: myApp
+        component: myComp
+    ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            application: keystone
+      ports:
+      - protocol: TCP
+        port: 80
+    egress:
+      - to:
+        - podSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+*/}}
+
+{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $name := index . "name" -}}
+{{- $labels := index . "labels" | default nil -}}
+{{- $label := index . "key" | default (index . "label") -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ $label | replace "_" "-" }}-netpol
+  namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+  policyTypes:
+{{- $is_egress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_egress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
+    - Egress
+{{ end -}}
+{{- $is_ingress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_ingress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
+    - Ingress
+{{ end -}}
+{{- end }}
+  podSelector:
+    matchLabels:
+{{- if empty $labels }}
+      {{ $name }}: {{ $label }}
+{{- else }}
+{{ range $k, $v := $labels }}
+      {{ $k }}: {{ $v }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
+{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
+{{ index $envAll.Values.network_policy $label "podSelector" "matchLabels" | toYaml | indent 6 }}
+{{ end }}
+{{ end }}
+{{ end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+  egress:
+{{- range $key, $value := $envAll.Values.endpoints }}
+{{- if kindIs "map" $value }}
+{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }}
+    - to:
+{{- if index $value "namespace" }}
+      - namespaceSelector:
+          matchLabels:
+            name: {{ index $value "namespace" }}
+{{- else if index $value "hosts" }}
+{{- $defaultValue := index $value "hosts" "internal" }}
+{{- if hasKey (index $value "hosts") "internal" }}
+{{- $a := split "-" $defaultValue }}
+      - podSelector:
+          matchLabels:
+            application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- else }}
+{{- $defaultValue := index $value "hosts" "default" }}
+{{- $a := split "-" $defaultValue }}
+      - podSelector:
+          matchLabels:
+            application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- end }}
+{{- end }}
+{{- if index $value "port" }}
+      ports:
+{{- range $k, $v := index $value "port" }}
+{{- if $k }}
+{{- range $pk, $pv := $v }}
+{{- if and $pv (ne $pk "protocol") }}
+      - port: {{ $pv }}
+        protocol: {{ $v.protocol | default "TCP" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if index $envAll.Values.network_policy $label "egress" }}
+{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if index $envAll.Values.network_policy $label "ingress" }}
+  ingress:
+{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
new file mode 100644
index 0000000..24a7045
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a services public tls secret
+examples:
+  - values: |
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        key_manager:
+          host_fqdn_override:
+            public:
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: barbican-tls-public
+    type: kubernetes.io/tls
+    data:
+      tls.key: Rk9PLUtFWQo=
+      tls.crt: Rk9PLUNSVAoKRk9PLUNBX0NSVAo=
+
+  - values: |
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        key_manager:
+          host_fqdn_override:
+            public:
+              tls:
+                crt: |
+                  FOO-CRT
+                  FOO-INTERMEDIATE_CRT
+                  FOO-CA_CRT
+                key: |
+                  FOO-KEY
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: barbican-tls-public
+    type: kubernetes.io/tls
+    data:
+      tls.key: Rk9PLUtFWQo=
+      tls.crt: Rk9PLUNSVApGT08tSU5URVJNRURJQVRFX0NSVApGT08tQ0FfQ1JUCg==
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_ingress_tls" }}
+{{- $envAll := index . "envAll" }}
+{{- $endpoint := index . "endpoint" | default "public" }}
+{{- $backendServiceType := index . "backendServiceType" }}
+{{- $backendService := index . "backendService" | default "api" }}
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and $endpointHost.tls.key $endpointHost.tls.crt }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ index $envAll.Values.secrets.tls ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+type: kubernetes.io/tls
+data:
+  tls.key: {{ $endpointHost.tls.key | b64enc }}
+{{- if $endpointHost.tls.ca }}
+  tls.crt: {{ list $endpointHost.tls.crt $endpointHost.tls.ca | join "\n" | b64enc }}
+{{- else }}
+  tls.crt: {{ $endpointHost.tls.crt | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_service-ingress.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
new file mode 100644
index 0000000..d2e7c0e
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
@@ -0,0 +1,43 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for a services ingress rules.
+# It can be used in charts dict created similar to the following:
+# {- $serviceIngressOpts := dict "envAll" . "backendServiceType" "key-manager" -}
+# { $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }
+
+{{- define "helm-toolkit.manifests.service_ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+  ports:
+    - name: http
+      port: 80
+    - name: https
+      port: 443
+  selector:
+    app: ingress-api
+{{- if index $envAll.Values.endpoints $backendServiceType }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" "ingress" }}
+  clusterIP: {{ (index $envAll.Values.endpoints $backendServiceType "ip" "ingress") }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl b/charts/libvirt/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
new file mode 100644
index 0000000..bf1465b
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_bucket" }}
+#!/bin/bash
+set -e
+CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST"
+if [ "$RGW_PROTO" = "http" ]; then
+  CONNECTION_ARGS+=" --no-ssl"
+else
+  CONNECTION_ARGS+=" --no-check-certificate"
+fi
+ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
+USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY"
+function check_rgw_s3_bucket () {
+  s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS ls s3://$S3_BUCKET
+}
+function create_rgw_s3_bucket () {
+  s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS mb s3://$S3_BUCKET
+}
+function modify_bucket_acl () {
+  s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME
+}
+check_rgw_s3_bucket || ( create_rgw_s3_bucket && modify_bucket_acl )
+{{- end }}
\ No newline at end of file
diff --git a/charts/libvirt/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl b/charts/libvirt/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
new file mode 100644
index 0000000..08796d2
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
@@ -0,0 +1,65 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_user" }}
+#!/bin/bash
+set -e
+function create_s3_user () {
+  echo "Creating s3 user and key pair"
+  radosgw-admin user create \
+    --uid=${S3_USERNAME} \
+    --display-name=${S3_USERNAME} \
+    --key-type=s3 \
+    --access-key ${S3_ACCESS_KEY} \
+    --secret-key ${S3_SECRET_KEY}
+}
+function update_s3_user () {
+  # Retrieve old access keys, if they exist
+  old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \
+    | jq -r '.keys[].access_key' || true)
+
+  if [[ ! -z ${old_access_keys} ]]; then
+    for access_key in $old_access_keys; do
+      # If current access key is the same as the key supplied, do nothing.
+      if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then
+        echo "Current user and key pair exists."
+        continue
+      else
+        # If keys differ, remove previous key
+        radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key
+      fi
+    done
+  fi
+
+  # Perform one more additional check to account for scenarios where multiple
+  # key pairs existed previously, but one existing key was the supplied key
+  current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \
+    | jq -r '.keys[].access_key' || true)
+
+  # If the supplied key does not exist, modify the user
+  if [[ -z ${current_access_key} ]]; then
+    # Modify user with new access and secret keys
+    echo "Updating existing user's key pair"
+    radosgw-admin user modify \
+      --uid=${S3_USERNAME}\
+      --access-key ${S3_ACCESS_KEY} \
+      --secret-key ${S3_SECRET_KEY}
+  fi
+}
+user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true)
+if [[ -z ${user_exists} ]]; then
+  create_s3_user
+else
+  update_s3_user
+fi
+{{- end }}
\ No newline at end of file
diff --git a/charts/libvirt/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl b/charts/libvirt/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
new file mode 100644
index 0000000..03884fa
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_drop" }}
+#!/usr/bin/env python
+
+# Drops db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+    import ConfigParser
+    PARSER_OPTS = {}
+except ImportError:
+    import configparser as ConfigParser
+    PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Drop')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+    db_connection = os.environ['ROOT_DB_CONNECTION']
+    logger.info('Got DB root connection')
+else:
+    logger.critical('environment variable ROOT_DB_CONNECTION not set')
+    sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+    ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+                        'key': '/etc/mysql/certs/tls.key',
+                        'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+    os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+    if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+        os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+        sys.exit(1)
+    if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+        os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+        sys.exit(1)
+    try:
+        config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+        logger.info("Using {0} as db config source".format(os_conf))
+        config.read(os_conf)
+        logger.info("Trying to load db config from {0}:{1}".format(
+            os_conf_section, os_conf_key))
+        user_db_conn = config.get(os_conf_section, os_conf_key)
+        logger.info("Got config from {0}".format(os_conf))
+    except:
+        logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+        raise
+elif "DB_CONNECTION" in os.environ:
+    user_db_conn = os.environ['DB_CONNECTION']
+    logger.info('Got config from DB_CONNECTION env var')
+else:
+    logger.critical('Could not get db config, either from config file or env var')
+    sys.exit(1)
+
+# Root DB engine
+try:
+    root_engine_full = create_engine(db_connection)
+    root_user = root_engine_full.url.username
+    root_password = root_engine_full.url.password
+    drivername = root_engine_full.url.drivername
+    host = root_engine_full.url.host
+    port = root_engine_full.url.port
+    root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+    root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+    connection = root_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+        host, port, root_user))
+except:
+    logger.critical('Could not connect to database as root user')
+    raise
+
+# User DB engine
+try:
+    user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+    # Get our user data out of the user_engine
+    database = user_engine.url.database
+    user = user_engine.url.username
+    password = user_engine.url.password
+    logger.info('Got user db config')
+except:
+    logger.critical('Could not get user database config')
+    raise
+
+# Delete DB
+try:
+    root_engine.execute("DROP DATABASE IF EXISTS {0}".format(database))
+    logger.info("Deleted database {0}".format(database))
+except:
+    logger.critical("Could not drop database {0}".format(database))
+    raise
+
+# Delete DB User
+try:
+    root_engine.execute("DROP USER IF EXISTS {0}".format(user))
+    logger.info("Deleted user {0}".format(user))
+except:
+    logger.critical("Could not delete user {0}".format(user))
+    raise
+
+logger.info('Finished DB Management')
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/scripts/_db-init.py.tpl b/charts/libvirt/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
new file mode 100644
index 0000000..4294d40
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_init" }}
+#!/usr/bin/env python
+
+# Creates db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+    import ConfigParser
+    PARSER_OPTS = {}
+except ImportError:
+    import configparser as ConfigParser
+    PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Init')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+    db_connection = os.environ['ROOT_DB_CONNECTION']
+    logger.info('Got DB root connection')
+else:
+    logger.critical('environment variable ROOT_DB_CONNECTION not set')
+    sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+    ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+                'key': '/etc/mysql/certs/tls.key',
+                'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+    os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+    if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+        os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+        sys.exit(1)
+    if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+        os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+        sys.exit(1)
+    try:
+        config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+        logger.info("Using {0} as db config source".format(os_conf))
+        config.read(os_conf)
+        logger.info("Trying to load db config from {0}:{1}".format(
+            os_conf_section, os_conf_key))
+        user_db_conn = config.get(os_conf_section, os_conf_key)
+        logger.info("Got config from {0}".format(os_conf))
+    except:
+        logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+        raise
+elif "DB_CONNECTION" in os.environ:
+    user_db_conn = os.environ['DB_CONNECTION']
+    logger.info('Got config from DB_CONNECTION env var')
+else:
+    logger.critical('Could not get db config, either from config file or env var')
+    sys.exit(1)
+
+# Root DB engine
+try:
+    root_engine_full = create_engine(db_connection)
+    root_user = root_engine_full.url.username
+    root_password = root_engine_full.url.password
+    drivername = root_engine_full.url.drivername
+    host = root_engine_full.url.host
+    port = root_engine_full.url.port
+    root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+    root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+    connection = root_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+        host, port, root_user))
+except:
+    logger.critical('Could not connect to database as root user')
+    raise
+
+# User DB engine
+try:
+    user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+    # Get our user data out of the user_engine
+    database = user_engine.url.database
+    user = user_engine.url.username
+    password = user_engine.url.password
+    logger.info('Got user db config')
+except:
+    logger.critical('Could not get user database config')
+    raise
+
+# Create DB
+try:
+    root_engine.execute("CREATE DATABASE IF NOT EXISTS {0}".format(database))
+    logger.info("Created database {0}".format(database))
+except:
+    logger.critical("Could not create database {0}".format(database))
+    raise
+
+# Create DB User
+try:
+    root_engine.execute(
+        "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\' {3}".format(
+            database, user, password, mysql_x509))
+    logger.info("Created user {0} for {1}".format(user, database))
+except:
+    logger.critical("Could not create user {0} for {1}".format(user, database))
+    raise
+
+# Test connection
+try:
+    connection = user_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1}/{2} as {3}".format(
+        host, port, database, user))
+except:
+    logger.critical('Could not connect to database as user')
+    raise
+
+logger.info('Finished DB Management')
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl b/charts/libvirt/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
new file mode 100644
index 0000000..4d7dfaa
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
@@ -0,0 +1,69 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "helm-toolkit.scripts.pg_db_init" }}
+#!/bin/bash
+set -ex
+
+if [[ ! -v DB_HOST ]]; then
+    echo "environment variable DB_HOST not set"
+    exit 1
+elif [[ ! -v DB_ADMIN_USER ]]; then
+    echo "environment variable DB_ADMIN_USER not set"
+    exit 1
+elif [[ ! -v PGPASSWORD ]]; then
+    echo "environment variable PGPASSWORD not set"
+    exit 1
+elif [[ ! -v DB_PORT ]]; then
+    echo "environment variable DB_PORT not set"
+    exit 1
+elif [[ ! -v USER_DB_USER ]]; then
+    echo "environment variable USER_DB_USER not set"
+    exit 1
+elif [[ ! -v USER_DB_PASS ]]; then
+    echo "environment variable USER_DB_PASS not set"
+    exit 1
+elif [[ ! -v USER_DB_NAME ]]; then
+    echo "environment variable USER_DB_NAME not set"
+    exit 1
+else
+    echo "Got DB connection info"
+fi
+
+pgsql_superuser_cmd () {
+  DB_COMMAND="$1"
+  if [[ ! -z $2 ]]; then
+      EXPORT PGDATABASE=$2
+  fi
+  /usr/bin/psql \
+  -h ${DB_HOST} \
+  -p ${DB_PORT} \
+  -U ${DB_ADMIN_USER} \
+  --command="${DB_COMMAND}"
+}
+
+#create db
+pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q "(1 row)" || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME"
+
+#create db user
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | grep -q "(1 row)" || \
+    pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';"
+
+#Set password everytime. This is required for cases when we would want password rotation to take effect and set the updated password for a user.
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} with password '$USER_DB_PASS'"
+
+#give permissions to user
+pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;"
+
+#revoke all privileges from PUBLIC role
+pgsql_superuser_cmd "REVOKE ALL ON DATABASE $USER_DB_NAME FROM PUBLIC;"
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl b/charts/libvirt/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
new file mode 100644
index 0000000..e41abe3
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
@@ -0,0 +1,24 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.image_repo_sync" }}
+#!/bin/sh
+set -ex
+
+IFS=','; for IMAGE in ${IMAGE_SYNC_LIST}; do
+  docker pull ${IMAGE}
+  docker tag ${IMAGE} ${LOCAL_REPO}/${IMAGE}
+  docker push ${LOCAL_REPO}/${IMAGE}
+done
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl b/charts/libvirt/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
new file mode 100644
index 0000000..8755cd5
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
@@ -0,0 +1,72 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_domain_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Manage domain
+SERVICE_OS_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Service Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+    "${SERVICE_OS_DOMAIN_NAME}")
+
+# Display domain
+openstack domain show "${SERVICE_OS_DOMAIN_ID}"
+
+# Manage user
+SERVICE_OS_USERID=$(openstack user create --or-show --enable -f value -c id \
+    --domain="${SERVICE_OS_DOMAIN_ID}" \
+    --description "Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+    --password="${SERVICE_OS_PASSWORD}" \
+    "${SERVICE_OS_USERNAME}")
+
+# Manage user password (we do this to ensure the password is updated if required)
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${SERVICE_OS_USERID}"
+
+# Display user
+openstack user show "${SERVICE_OS_USERID}"
+
+# Manage role
+SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \
+    "${SERVICE_OS_ROLE}" || openstack role create -f value -c id \
+    "${SERVICE_OS_ROLE}" )
+
+# Manage user role assignment
+openstack role add \
+          --domain="${SERVICE_OS_DOMAIN_ID}" \
+          --user="${SERVICE_OS_USERID}" \
+          --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+          "${SERVICE_OS_ROLE_ID}"
+
+# Display user role assignment
+openstack role assignment list \
+          --role="${SERVICE_OS_ROLE_ID}" \
+          --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+          --user="${SERVICE_OS_USERID}"
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl b/charts/libvirt/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
new file mode 100644
index 0000000..e400bcd
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
@@ -0,0 +1,79 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_endpoints" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Get Service ID
+OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+                  grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+                    sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+# Get Endpoint ID if it exists
+OS_ENDPOINT_ID=$( openstack endpoint list  -f csv --quote none | \
+                  grep "^[a-z0-9]*,${OS_REGION_NAME},${OS_SERVICE_NAME},${OS_SERVICE_TYPE},True,${OS_SVC_ENDPOINT}," | \
+                  awk -F ',' '{ print $1 }' )
+
+# Making sure only a single endpoint exists for a service within a region
+if [ "$(echo $OS_ENDPOINT_ID | wc -w)" -gt "1" ]; then
+  echo "More than one endpoint found, cleaning up"
+  for ENDPOINT_ID in $OS_ENDPOINT_ID; do
+    openstack endpoint delete ${ENDPOINT_ID}
+  done
+  unset OS_ENDPOINT_ID
+fi
+
+# Determine if Endpoint needs updated
+if [[ ${OS_ENDPOINT_ID} ]]; then
+  OS_ENDPOINT_URL_CURRENT=$(openstack endpoint show ${OS_ENDPOINT_ID} -f value -c url)
+  if [ "${OS_ENDPOINT_URL_CURRENT}" == "${OS_SERVICE_ENDPOINT}" ]; then
+    echo "Endpoints Match: no action required"
+    OS_ENDPOINT_UPDATE="False"
+  else
+    echo "Endpoints Dont Match: removing existing entries"
+    openstack endpoint delete ${OS_ENDPOINT_ID}
+    OS_ENDPOINT_UPDATE="True"
+  fi
+else
+  OS_ENDPOINT_UPDATE="True"
+fi
+
+# Update Endpoint if required
+if [[ "${OS_ENDPOINT_UPDATE}" == "True" ]]; then
+  OS_ENDPOINT_ID=$( openstack endpoint create -f value -c id \
+    --region="${OS_REGION_NAME}" \
+    "${OS_SERVICE_ID}" \
+    ${OS_SVC_ENDPOINT} \
+    "${OS_SERVICE_ENDPOINT}" )
+fi
+
+# Display the Endpoint
+openstack endpoint show ${OS_ENDPOINT_ID}
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl b/charts/libvirt/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
new file mode 100644
index 0000000..8356b36
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_service" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Service boilerplate description
+OS_SERVICE_DESC="${OS_REGION_NAME}: ${OS_SERVICE_NAME} (${OS_SERVICE_TYPE}) service"
+
+# Get Service ID if it exists
+unset OS_SERVICE_ID
+
+# FIXME - There seems to be an issue once in a while where the
+# openstack service list fails and encounters an error message such as:
+#   Unable to establish connection to
+#   https://keystone-api.openstack.svc.cluster.local:5000/v3/auth/tokens:
+#   ('Connection aborted.', OSError("(104, 'ECONNRESET')",))
+# During an upgrade scenario, this would cause the OS_SERVICE_ID to be blank
+# and it would attempt to create a new service when it was not needed.
+# This duplciate service would sometimes be used by other services such as
+# Horizon and would give an 'Invalid Service Catalog' error.
+# This loop allows for a 'retry' of the openstack service list in an
+# attempt to get the service list as expected if it does ecounter an error.
+# This loop and recheck can be reverted once the underlying issue is addressed.
+
+# If OS_SERVICE_ID is blank then wait a few seconds to give it
+# additional time and try again
+for i in $(seq 3)
+do
+  OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+                   grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+                   sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+  # If the service was found, go ahead and exit successfully.
+  if [[ -n "${OS_SERVICE_ID}" ]]; then
+    exit 0
+  fi
+
+  sleep 2
+done
+
+# If we've reached this point and a Service ID was not found,
+# then create the service
+OS_SERVICE_ID=$(openstack service create -f value -c id \
+                --name="${OS_SERVICE_NAME}" \
+                --description "${OS_SERVICE_DESC}" \
+                --enable \
+                "${OS_SERVICE_TYPE}")
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl b/charts/libvirt/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
new file mode 100644
index 0000000..b45f798
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+shopt -s nocasematch
+
+if [[ "${SERVICE_OS_PROJECT_DOMAIN_NAME}" == "Default" ]]
+then
+  PROJECT_DOMAIN_ID="default"
+else
+  # Manage project domain
+  PROJECT_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
+    "${SERVICE_OS_PROJECT_DOMAIN_NAME}")
+fi
+
+if [[ "${SERVICE_OS_USER_DOMAIN_NAME}" == "Default" ]]
+then
+  USER_DOMAIN_ID="default"
+else
+  # Manage user domain
+  USER_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}" \
+    "${SERVICE_OS_USER_DOMAIN_NAME}")
+fi
+
+shopt -u nocasematch
+
+# Manage user project
+USER_PROJECT_DESC="Service Project for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+USER_PROJECT_ID=$(openstack project create --or-show --enable -f value -c id \
+    --domain="${PROJECT_DOMAIN_ID}" \
+    --description="${USER_PROJECT_DESC}" \
+    "${SERVICE_OS_PROJECT_NAME}");
+
+# Manage user
+USER_DESC="Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}/${SERVICE_OS_SERVICE_NAME}"
+USER_ID=$(openstack user create --or-show --enable -f value -c id \
+    --domain="${USER_DOMAIN_ID}" \
+    --project-domain="${PROJECT_DOMAIN_ID}" \
+    --project="${USER_PROJECT_ID}" \
+    --description="${USER_DESC}" \
+    "${SERVICE_OS_USERNAME}");
+
+# Manage user password (we do this in a seperate step to ensure the password is updated if required)
+set +x
+echo "Setting user password via: openstack user set --password=xxxxxxx ${USER_ID}"
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${USER_ID}"
+set -x
+
+function ks_assign_user_role () {
+  if [[ "$SERVICE_OS_ROLE" == "admin" ]]
+  then
+    USER_ROLE_ID="$SERVICE_OS_ROLE"
+  else
+    USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${SERVICE_OS_ROLE}");
+  fi
+
+  # Manage user role assignment
+  openstack role add \
+      --user="${USER_ID}" \
+      --user-domain="${USER_DOMAIN_ID}" \
+      --project-domain="${PROJECT_DOMAIN_ID}" \
+      --project="${USER_PROJECT_ID}" \
+      "${USER_ROLE_ID}"
+}
+
+# Manage user service role
+IFS=','
+for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
+  ks_assign_user_role
+done
+
+# Manage user member role
+: ${MEMBER_OS_ROLE:="member"}
+export USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
+    "${MEMBER_OS_ROLE}");
+ks_assign_user_role
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/libvirt/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
new file mode 100644
index 0000000..87872d6
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -0,0 +1,106 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rabbit_init" }}
+#!/bin/bash
+set -e
+# Extract connection details
+RABBIT_HOSTNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $1}')
+RABBIT_PORT=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $2}')
+
+# Extract Admin User creadential
+RABBITMQ_ADMIN_USERNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $4}')
+RABBITMQ_ADMIN_PASSWORD=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $5}')
+
+# Extract User creadential
+RABBITMQ_USERNAME=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $4}')
+RABBITMQ_PASSWORD=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $5}')
+
+# Extract User vHost
+RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $3}')
+# Resolve vHost to / if no value is set
+RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
+
+function rabbitmqadmin_cli () {
+  if [ -n "$RABBITMQ_X509" ]
+  then
+    rabbitmqadmin \
+      --ssl \
+      --ssl-disable-hostname-verification \
+      --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
+      --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
+      --ssl-key-file="${USER_CERT_PATH}/tls.key" \
+      --host="${RABBIT_HOSTNAME}" \
+      --port="${RABBIT_PORT}" \
+      --username="${RABBITMQ_ADMIN_USERNAME}" \
+      --password="${RABBITMQ_ADMIN_PASSWORD}" \
+      ${@}
+  else
+    rabbitmqadmin \
+      --host="${RABBIT_HOSTNAME}" \
+      --port="${RABBIT_PORT}" \
+      --username="${RABBITMQ_ADMIN_USERNAME}" \
+      --password="${RABBITMQ_ADMIN_PASSWORD}" \
+      ${@}
+  fi
+}
+
+echo "Managing: User: ${RABBITMQ_USERNAME}"
+rabbitmqadmin_cli \
+  declare user \
+  name="${RABBITMQ_USERNAME}" \
+  password="${RABBITMQ_PASSWORD}" \
+  tags="user"
+
+if [ "${RABBITMQ_VHOST}" != "/" ]
+then
+  echo "Managing: vHost: ${RABBITMQ_VHOST}"
+  rabbitmqadmin_cli \
+    declare vhost \
+    name="${RABBITMQ_VHOST}"
+else
+  echo "Skipping root vHost declaration: vHost: ${RABBITMQ_VHOST}"
+fi
+
+echo "Managing: Permissions: ${RABBITMQ_USERNAME} on ${RABBITMQ_VHOST}"
+rabbitmqadmin_cli \
+  declare permission \
+  vhost="${RABBITMQ_VHOST}" \
+  user="${RABBITMQ_USERNAME}" \
+  configure=".*" \
+  write=".*" \
+  read=".*"
+
+if [ ! -z "$RABBITMQ_AUXILIARY_CONFIGURATION" ]
+then
+  echo "Applying additional configuration"
+  echo "${RABBITMQ_AUXILIARY_CONFIGURATION}" > /tmp/rmq_definitions.json
+  rabbitmqadmin_cli import /tmp/rmq_definitions.json
+fi
+
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/charts/libvirt/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
new file mode 100644
index 0000000..c08d320
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
@@ -0,0 +1,88 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rally_test" -}}
+#!/bin/bash
+set -ex
+{{- $rallyTests := index . 0 }}
+
+: "${RALLY_ENV_NAME:="openstack-helm"}"
+: "${OS_INTERFACE:="public"}"
+: "${RALLY_CLEANUP:="true"}"
+
+if [ "x$RALLY_CLEANUP" == "xtrue" ]; then
+  function rally_cleanup {
+    openstack user delete \
+        --domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
+        "${SERVICE_OS_USERNAME}"
+{{ $rallyTests.clean_up | default "" | indent 4 }}
+  }
+  trap rally_cleanup EXIT
+fi
+
+function create_or_update_db () {
+  revisionResults=$(rally db revision)
+  if [ $revisionResults = "None"  ]
+  then
+    rally db create
+  else
+    rally db upgrade
+  fi
+}
+
+create_or_update_db
+
+cat > /tmp/rally-config.json << EOF
+{
+    "openstack": {
+        "auth_url": "${OS_AUTH_URL}",
+        "region_name": "${OS_REGION_NAME}",
+        "endpoint_type": "${OS_INTERFACE}",
+        "admin": {
+            "username": "${OS_USERNAME}",
+            "password": "${OS_PASSWORD}",
+            "user_domain_name": "${OS_USER_DOMAIN_NAME}",
+            "project_name": "${OS_PROJECT_NAME}",
+            "project_domain_name": "${OS_PROJECT_DOMAIN_NAME}"
+        },
+        "users": [
+            {
+                "username": "${SERVICE_OS_USERNAME}",
+                "password": "${SERVICE_OS_PASSWORD}",
+                "project_name": "${SERVICE_OS_PROJECT_NAME}",
+                "user_domain_name": "${SERVICE_OS_USER_DOMAIN_NAME}",
+                "project_domain_name": "${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+            }
+        ],
+        "https_insecure": false,
+        "https_cacert": "${OS_CACERT}"
+    }
+}
+EOF
+rally deployment create --file /tmp/rally-config.json --name "${RALLY_ENV_NAME}"
+rm -f /tmp/rally-config.json
+rally deployment use "${RALLY_ENV_NAME}"
+rally deployment check
+{{- if $rallyTests.run_tempest }}
+rally verify create-verifier --name "${RALLY_ENV_NAME}-tempest" --type tempest
+SERVICE_TYPE="$(rally deployment check | grep "${RALLY_ENV_NAME}" | awk -F \| '{print $3}' | tr -d ' ' | tr -d '\n')"
+rally verify start --pattern "tempest.api.${SERVICE_TYPE}*"
+rally verify delete-verifier --id "${RALLY_ENV_NAME}-tempest" --force
+{{- end }}
+rally task validate /etc/rally/rally_tests.yaml
+rally task start /etc/rally/rally_tests.yaml
+rally task sla-check
+rally env cleanup
+rally deployment destroy --deployment "${RALLY_ENV_NAME}"
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/libvirt/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
new file mode 100644
index 0000000..cdc9ff5
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -0,0 +1,471 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.backup_main" }}
+#!/bin/bash
+
+# This file contains a database backup framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+#   source /tmp/backup_main.sh
+#
+# Then the script should call the main backup function (backup_databases):
+#   backup_databases [scope]
+#       [scope] is an optional parameter, defaulted to "all". If only one specific
+#               database is required to be backed up then this parameter will
+#               contain the name of the database; otherwise all are backed up.
+#
+#       The framework will require the following variables to be exported:
+#
+#         export DB_NAMESPACE          Namespace where the database(s) reside
+#         export DB_NAME               Name of the database system
+#         export LOCAL_DAYS_TO_KEEP    Number of days to keep the local backups
+#         export REMOTE_DAYS_TO_KEEP   Number of days to keep the remote backups
+#         export ARCHIVE_DIR           Local location where the backup tarballs should
+#                                      be stored. (full directory path)
+#         export BACK_UP_MODE          Determines the mode of backup taken.
+#         export REMOTE_BACKUP_ENABLED "true" if remote backup enabled; false
+#                                      otherwise
+#         export CONTAINER_NAME        Name of the container on the RGW to store
+#                                      the backup tarball.
+#         export STORAGE_POLICY        Name of the storage policy defined on the
+#                                      RGW which is intended to store backups.
+#         RGW access variables:
+#           export OS_REGION_NAME          Name of the region the RGW resides in
+#           export OS_AUTH_URL             Keystone URL associated with the RGW
+#           export OS_PROJECT_NAME         Name of the project associated with the
+#                                          keystone user
+#           export OS_USERNAME             Name of the keystone user
+#           export OS_PASSWORD             Password of the keystone user
+#           export OS_USER_DOMAIN_NAME     Keystone domain the project belongs to
+#           export OS_PROJECT_DOMAIN_NAME  Keystone domain the user belongs to
+#           export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+#           export REMOTE_BACKUP_RETRIES   Number of retries to send backup to remote
+#                                          in case of any temporary failures.
+#           export MIN_DELAY_SEND_REMOTE   Minimum seconds to delay before sending backup
+#                                          to remote to stagger backups being sent to RGW
+#           export MAX_DELAY_SEND_REMOTE   Maximum seconds to delay before sending backup
+#                                          to remote to stagger backups being sent to RGW.
+#                                          A random number between min and max delay is generated
+#                                          to set the delay.
+#
+# The database-specific functions that need to be implemented are:
+#   dump_databases_to_directory <directory> <err_logfile> [scope]
+#       where:
+#         <directory>   is the full directory path to dump the database files
+#                       into. This is a temporary directory for this backup only.
+#         <err_logfile> is the full directory path where error logs are to be
+#                       written by the application.
+#         [scope]       set to "all" if all databases are to be backed up; or
+#                       set to the name of a specific database to be backed up.
+#                       This optional parameter is defaulted to "all".
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to dump the database file(s) to the specified
+#       directory path. If this function completes successfully (returns 0), the
+#       framework will automatically tar/zip the files in that directory and
+#       name the tarball appropriately according to the proper conventions.
+#
+# The functions in this file will take care of:
+#   1) Calling "dump_databases_to_directory" and then compressing the files,
+#      naming the tarball properly, and then storing it locally at the specified
+#      local directory.
+#   2) Sending the tarball built to the remote gateway, to be stored in the
+#      container configured to store database backups.
+#   3) Removing local backup tarballs which are older than the number of days
+#      specified by the "LOCAL_DAYS_TO_KEEP" variable.
+#   4) Removing remote backup tarballs (from the remote gateway) which are older
+#      than the number of days specified by the "REMOTE_DAYS_TO_KEEP" variable.
+#
+
+# Note: not using set -e in this script because more elaborate error handling
+# is needed.
+
+log_backup_error_exit() {
+  MSG=$1
+  ERRCODE=${2:-0}
+  log ERROR "${DB_NAME}_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+  rm -f $ERR_LOG_FILE
+  rm -rf $TMP_DIR
+  exit $ERRCODE
+}
+
+log() {
+  #Log message to a file or stdout
+  #TODO: This can be convert into mail alert of alert send to a monitoring system
+  #Params: $1 log level
+  #Params: $2 service
+  #Params: $3 message
+  #Params: $4 Destination
+  LEVEL=$1
+  SERVICE=$2
+  MSG=$3
+  DEST=$4
+  DATE=$(date +"%m-%d-%y %H:%M:%S")
+  if [[ -z "$DEST" ]]; then
+    echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}"
+  else
+    echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}" >>$DEST
+  fi
+}
+
+# Generate a random number between MIN_DELAY_SEND_REMOTE and
+# MAX_DELAY_SEND_REMOTE
+random_number() {
+  diff=$((${MAX_DELAY_SEND_REMOTE} - ${MIN_DELAY_SEND_REMOTE} + 1))
+  echo $(($(( ${RANDOM} % ${diff} )) + ${MIN_DELAY_SEND_REMOTE} ))
+}
+
+#Get the day delta since the archive file backup
+seconds_difference() {
+  ARCHIVE_DATE=$( date --date="$1" +%s )
+  if [[ $? -ne 0 ]]; then
+    SECOND_DELTA=0
+  fi
+  CURRENT_DATE=$( date +%s )
+  SECOND_DELTA=$(($CURRENT_DATE-$ARCHIVE_DATE))
+  if [[ "$SECOND_DELTA" -lt 0 ]]; then
+    SECOND_DELTA=0
+  fi
+  echo $SECOND_DELTA
+}
+
+# Send the specified tarball file at the specified filepath to the
+# remote gateway.
+send_to_remote_server() {
+  FILEPATH=$1
+  FILE=$2
+
+  # Grab the list of containers on the remote site
+  RESULT=$(openstack container list 2>&1)
+
+  if [[ $? -eq 0 ]]; then
+    echo $RESULT | grep $CONTAINER_NAME
+    if [[ $? -ne 0 ]]; then
+      # Find the swift URL from the keystone endpoint list
+      SWIFT_URL=$(openstack catalog show object-store -c endpoints | grep public | awk '{print $4}')
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to get object-store enpoints from keystone catalog."
+        return 2
+      fi
+
+      # Get a token from keystone
+      TOKEN=$(openstack token issue -f value -c id)
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to get  keystone token."
+        return 2
+      fi
+
+      # Create the container
+      RES_FILE=$(mktemp -p /tmp)
+      curl -g -i -X PUT ${SWIFT_URL}/${CONTAINER_NAME} \
+           -H "X-Auth-Token: ${TOKEN}" \
+           -H "X-Storage-Policy: ${STORAGE_POLICY}" 2>&1 > $RES_FILE
+
+      if [[ $? -ne 0 || $(grep "HTTP" $RES_FILE | awk '{print $2}') -ge 400 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to create container ${CONTAINER_NAME}"
+        cat $RES_FILE
+        rm -f $RES_FILE
+        return 2
+      fi
+      rm -f $RES_FILE
+
+      swift stat $CONTAINER_NAME
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to retrieve container ${CONTAINER_NAME} details after creation."
+        return 2
+      fi
+    fi
+  else
+    echo $RESULT | grep -E "HTTP 401|HTTP 403"
+    if [[ $? -eq 0 ]]; then
+      log ERROR "${DB_NAME}_backup" "Access denied by keystone: ${RESULT}"
+      return 1
+    else
+      echo $RESULT | grep -E "ConnectionError|Failed to discover available identity versions|Service Unavailable|HTTP 50"
+      if [[ $? -eq 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Could not reach the RGW: ${RESULT}"
+        # In this case, keystone or the site/node may be temporarily down.
+        # Return slightly different error code so the calling code can retry
+        return 2
+      else
+        log ERROR "${DB_NAME}_backup" "Could not get container list: ${RESULT}"
+        return 1
+      fi
+    fi
+  fi
+
+  # Create an object to store the file
+  openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
+    return 2
+  fi
+  openstack object show $CONTAINER_NAME $FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
+    return 2
+  fi
+
+  log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
+  return 0
+}
+
+# This function attempts to store the built tarball to the remote gateway,
+# with built-in logic to handle error cases like:
+#   1) Network connectivity issues - retries for a specific amount of time
+#   2) Authorization errors - immediately logs an ERROR and returns
+store_backup_remotely() {
+  FILEPATH=$1
+  FILE=$2
+
+  count=1
+  while [[ ${count} -le ${REMOTE_BACKUP_RETRIES} ]]; do
+    # Store the new archive to the remote backup storage facility.
+    send_to_remote_server $FILEPATH $FILE
+    SEND_RESULT="$?"
+
+    # Check if successful
+    if [[ $SEND_RESULT -eq 0 ]]; then
+      log INFO "${DB_NAME}_backup" "Backup file ${FILE} successfully sent to RGW."
+      return 0
+    elif [[ $SEND_RESULT -eq 2 ]]; then
+      if [[ ${count} -ge ${REMOTE_BACKUP_RETRIES} ]]; then
+        log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW in " \
+        "${REMOTE_BACKUP_RETRIES} retries. Errors encountered. Exiting."
+        break
+      fi
+      # Temporary failure occurred. We need to retry
+      log WARN "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to RGW due to connection issue."
+      sleep_time=$(random_number)
+      log INFO "${DB_NAME}_backup" "Sleeping ${sleep_time} seconds waiting for RGW to become available..."
+      sleep ${sleep_time}
+      log INFO "${DB_NAME}_backup" "Retrying..."
+    else
+      log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW. Errors encountered. Exiting."
+      break
+    fi
+
+    # Increment the counter
+    count=$((count+1))
+  done
+
+  return 1
+}
+
+# This function takes a list of archives' names as an input
+# and creates a hash table where keys are number of seconds
+# between current date and archive date (see seconds_difference),
+# and values are space separated archives' names
+#
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 1265342678 | "tmp/mysql.backup.auto.2022-02-14T10:13:13Z.tar.gz"                                                     |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 2346254257 | "tmp/mysql.backup.auto.2022-02-11T10:13:13Z.tar.gz tmp/mysql.backup.manual.2022-02-11T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# <...>
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 6253434567 | "tmp/mysql.backup.manual.2022-02-01T10:13:13Z.tar.gz"                                                   |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# We will use the explained above data stracture to cover rare, but still
+# possible case, when we have several backups of the same date. E.g.
+# one manual, and one automatic.
+
+declare -A FILETABLE
+create_hash_table() {
+unset FILETABLE
+fileList=$@
+  for ARCHIVE_FILE in ${fileList}; do
+    ARCHIVE_DATE=$( echo $ARCHIVE_FILE | awk -F/ '{print $NF}' | cut -d'.' -f 4)
+    # Creating index, we will round given ARCHIVE_DATE to the midnight (00:00:00)
+    # to take in account a possibility, that we can have more than one scheduled
+    # backup per day.
+    INDEX=$(seconds_difference $(date --date $ARCHIVE_DATE +"%D"))
+    if [[ -z FILETABLE[${INDEX}] ]]; then
+      FILETABLE[${INDEX}]=${ARCHIVE_FILE}
+    else
+      FILETABLE[${INDEX}]="${FILETABLE[${INDEX}]} ${ARCHIVE_FILE}"
+    fi
+    echo "INDEX: ${INDEX} VALUE:  ${FILETABLE[${INDEX}]}"
+ done
+}
+
+remove_old_local_archives() {
+  if [[ -d $ARCHIVE_DIR ]]; then
+    count=0
+    SECONDS_TO_KEEP=$((${LOCAL_DAYS_TO_KEEP}*86400))
+    log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days"
+    # We iterate over the hash table, checking the delta in seconds (hash keys),
+    # and minimum number of backups we must have in place. List of keys has to be sorted.
+    for INDEX in $(tr " " "\n" <<< ${!FILETABLE[@]} | sort -n -); do
+      ARCHIVE_FILE=${FILETABLE[${INDEX}]}
+      if [[ ${INDEX} -le ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
+        ((count++))
+        log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
+      else
+        log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
+          rm -rf $ARCHIVE_FILE
+          if [[ $? -ne 0 ]]; then
+            # Log error but don't exit so we can finish the script
+            # because at this point we haven't sent backup to RGW yet
+            log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
+          fi
+      fi
+    done
+  else
+    log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
+  fi
+}
+
+prepare_list_of_remote_backups() {
+  BACKUP_FILES=$(mktemp -p /tmp)
+  DB_BACKUP_FILES=$(mktemp -p /tmp)
+  openstack object list $CONTAINER_NAME > $BACKUP_FILES
+  if [[ $? -ne 0 ]]; then
+    log_backup_error_exit \
+      "Failed to cleanup remote backup. Could not obtain a list of current backup files in the RGW"
+  fi
+  # Filter out other types of backup files
+  cat $BACKUP_FILES | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $DB_BACKUP_FILES
+}
+
+# The logic implemented with this function is absolutely similar
+# to the function remove_old_local_archives (see above)
+remove_old_remote_archives() {
+  log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days"
+  count=0
+  SECONDS_TO_KEEP=$((${REMOTE_DAYS_TO_KEEP}*86400))
+  for INDEX in $(tr " " "\n" <<< ${!FILETABLE[@]} | sort -n -); do
+    ARCHIVE_FILE=${FILETABLE[${INDEX}]}
+    if [[ ${INDEX} -le ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then
+      ((count++))
+      log INFO "${DB_NAME}_backup" "Keeping remote backup(s) ${ARCHIVE_FILE}."
+    else
+      log INFO "${DB_NAME}_backup" "Deleting remote backup(s) ${ARCHIVE_FILE} from the RGW"
+      openstack object delete ${CONTAINER_NAME} ${ARCHIVE_FILE} || log_backup_error_exit \
+        "Failed to cleanup remote backup. Cannot delete container object ${ARCHIVE_FILE}!"
+    fi
+  done
+
+  # Cleanup now that we're done.
+  for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
+  if [[ -f fd ]]; then
+    rm -f fd
+  else
+    log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+}
+
+# Main function to backup the databases. Calling functions need to supply:
+#  1) The directory where the final backup will be kept after it is compressed.
+#  2) A temporary directory to use for placing database files to be compressed.
+#     Note: this temp directory will be deleted after backup is done.
+#  3) Optional "scope" parameter indicating what database to back up. Defaults
+#     to "all".
+backup_databases() {
+  SCOPE=${1:-"all"}
+
+  # Create necessary directories if they do not exist.
+  mkdir -p $ARCHIVE_DIR || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create directory ${ARCHIVE_DIR}!"
+  export TMP_DIR=$(mktemp -d) || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create temp directory!"
+
+  # Create temporary log file
+  export ERR_LOG_FILE=$(mktemp -p /tmp) || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create log file!"
+
+  # It is expected that this function will dump the database files to the $TMP_DIR
+  dump_databases_to_directory $TMP_DIR $ERR_LOG_FILE $SCOPE
+
+  # If successful, there should be at least one file in the TMP_DIR
+  if [[ $? -ne 0 || $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+    cat $ERR_LOG_FILE
+    log_backup_error_exit "Backup of the ${DB_NAME} database failed and needs attention."
+  fi
+
+  log INFO "${DB_NAME}_backup" "Databases dumped successfully. Creating tarball..."
+
+  NOW=$(date +"%Y-%m-%dT%H:%M:%SZ")
+  if [[ -z "${BACK_UP_MODE}" ]]; then
+    TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${NOW}.tar.gz"
+  else
+    TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${BACK_UP_MODE}.${NOW}.tar.gz"
+  fi
+
+  cd $TMP_DIR || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot change to directory $TMP_DIR"
+
+  #Archive the current database files
+  tar zcvf $ARCHIVE_DIR/$TARBALL_FILE *
+  if [[ $? -ne 0 ]]; then
+    log_backup_error_exit \
+      "Backup ${DB_NAME} to local file system failed. Backup tarball could not be created."
+  fi
+
+  # Get the size of the file
+  ARCHIVE_SIZE=$(ls -l $ARCHIVE_DIR/$TARBALL_FILE | awk '{print $5}')
+
+  log INFO "${DB_NAME}_backup" "Tarball $TARBALL_FILE created successfully."
+
+  cd $ARCHIVE_DIR
+
+  # Remove the temporary directory and files as they are no longer needed.
+  rm -rf $TMP_DIR
+  rm -f $ERR_LOG_FILE
+
+  #Only delete the old archive after a successful archive
+  export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
+  if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
+    create_hash_table $(ls -1 $ARCHIVE_DIR/*.gz)
+    remove_old_local_archives
+  fi
+
+  REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
+  if $REMOTE_BACKUP; then
+    # Remove Quotes from the constants which were added due to reading
+    # from secret.
+    export REMOTE_BACKUP_RETRIES=$(echo $REMOTE_BACKUP_RETRIES | sed 's/"//g')
+    export MIN_DELAY_SEND_REMOTE=$(echo $MIN_DELAY_SEND_REMOTE | sed 's/"//g')
+    export MAX_DELAY_SEND_REMOTE=$(echo $MAX_DELAY_SEND_REMOTE | sed 's/"//g')
+    export REMOTE_DAYS_TO_KEEP=$(echo $REMOTE_DAYS_TO_KEEP | sed 's/"//g')
+
+    store_backup_remotely $ARCHIVE_DIR $TARBALL_FILE
+    if [[ $? -ne 0 ]]; then
+      # This error should print first, then print the summary as the last
+      # thing that the user sees in the output.
+      log ERROR "${DB_NAME}_backup" "Backup ${TARBALL_FILE} could not be sent to remote RGW."
+      echo "=================================================================="
+      echo "Local backup successful, but could not send to remote RGW."
+      echo "Backup archive name: $TARBALL_FILE"
+      echo "Backup archive size: $ARCHIVE_SIZE"
+      echo "=================================================================="
+      # Because the local backup was successful, exit with 0 so the pod will not
+      # continue to restart and fill the disk with more backups. The ERRORs are
+      # logged and alerting system should catch those errors and flag the operator.
+      exit 0
+    fi
+
+    #Only delete the old archive after a successful archive
+    if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then
+      prepare_list_of_remote_backups
+      create_hash_table $(cat $DB_BACKUP_FILES)
+      remove_old_remote_archives
+    fi
+
+    echo "=================================================================="
+    echo "Local backup and backup to remote RGW successful!"
+    echo "Backup archive name: $TARBALL_FILE"
+    echo "Backup archive size: $ARCHIVE_SIZE"
+    echo "=================================================================="
+  else
+    # Remote backup is not enabled. This is ok; at least we have a local backup.
+    log INFO "${DB_NAME}_backup" "Skipping remote backup, as it is not enabled."
+
+    echo "=================================================================="
+    echo "Local backup successful!"
+    echo "Backup archive name: $TARBALL_FILE"
+    echo "Backup archive size: $ARCHIVE_SIZE"
+    echo "=================================================================="
+  fi
+}
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl b/charts/libvirt/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
new file mode 100644
index 0000000..c2de3aa
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
@@ -0,0 +1,616 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.restore_main" }}
+#!/bin/bash
+
+# This file contains a database restore framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+#   source /tmp/restore_main.sh
+#
+# Then the script should call the main CLI function (cli_main):
+#   cli_main <arg_list>
+#       where:
+#         <arg_list>    is the list of arguments given by the user
+#
+#       The framework will require the following variables to be exported:
+#
+#         export DB_NAMESPACE        Namespace where the database(s) reside
+#         export DB_NAME             Name of the database system
+#         export ARCHIVE_DIR         Location where the backup tarballs should
+#                                    be stored. (full directory path which
+#                                    should already exist)
+#         export CONTAINER_NAME      Name of the container on the RGW where
+#                                    the backups are stored.
+#         RGW access variables:
+#           export OS_REGION_NAME          Name of the region the RGW resides in
+#           export OS_AUTH_URL             Keystone URL associated with the RGW
+#           export OS_PROJECT_NAME         Name of the project associated with the
+#                                          keystone user
+#           export OS_USERNAME             Name of the keystone user
+#           export OS_PASSWORD             Password of the keystone user
+#           export OS_USER_DOMAIN_NAME     Keystone domain the project belongs to
+#           export OS_PROJECT_DOMAIN_NAME  Keystone domain the user belongs to
+#           export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# The database-specific functions that need to be implemented are:
+#   get_databases
+#       where:
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <db_file>     is the full path of the file to write the database
+#                       names into, one database per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the database names from the
+#       uncompressed database files found in the given "tmp_dir", which is
+#       the staging directory for database restore. The database names
+#       should be written to the given "db_file", one database name per
+#       line.
+#
+#   get_tables
+#         <db_name>     is the name of the database to get the tables from
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <table_file>  is the full path of the file to write the table
+#                       names into, one table per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the table names from the given
+#       database, found in the uncompressed database files located in the
+#       given "tmp_dir", which is the staging directory for database restore.
+#       The table names should be written to the given "table_file", one
+#       table name per line.
+#
+#   get_rows
+#         <table_name>  is the name of the table to get the rows from
+#         <db_name>     is the name of the database the table resides in
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <rows_file>   is the full path of the file to write the table
+#                       row data into, one row (INSERT statement) per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the rows from the given table
+#       in the given database, found in the uncompressed database files
+#       located in the given "tmp_dir", which is the staging directory for
+#       database restore. The table rows should be written to the given
+#       "rows_file", one row (INSERT statement) per line.
+#
+#   get_schema
+#         <table_name>  is the name of the table to get the schema from
+#         <db_name>     is the name of the database the table resides in
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <schema_file> is the full path of the file to write the table
+#                       schema data into
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the schema from the given table
+#       in the given database, found in the uncompressed database files
+#       located in the given "tmp_dir", which is the staging directory for
+#       database restore. The table schema and related alterations and
+#       grant information should be written to the given "schema_file".
+#
+#   restore_single_db
+#       where:
+#         <db_name>     is the name of the database to be restored
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to restore the database given as "db_name"
+#       using the database files located in the "tmp_dir". The framework
+#       will delete the "tmp_dir" and the files in it after the restore is
+#       complete.
+#
+#   restore_all_dbs
+#       where:
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to restore all of the databases which
+#       are backed up in the database files located in the "tmp_dir". The
+#       framework will delete the "tmp_dir" and the files in it after the
+#       restore is complete.
+#
+# The functions in this file will take care of:
+#   1) The CLI parameter parsing for the arguments passed in by the user.
+#   2) The listing of either local or remote archive files at the request
+#      of the user.
+#   3) The retrieval/download of an archive file located either in the local
+#      file system or remotely stored on an RGW.
+#   4) Calling either "restore_single_db" or "restore_all_dbs" when the user
+#      chooses to restore a database or all databases.
+#   5) The framework will call "get_databases" when it needs a list of
+#      databases when the user requests a database list or when the user
+#      requests to restore a single database (to ensure it exists in the
+#      archive). Similarly, the framework will call "get_tables", "get_rows",
+#      or "get_schema" when it needs that data requested by the user.
+#
+
+usage() {
+  ret_val=$1
+  echo "Usage:"
+  echo "Restore command options"
+  echo "============================="
+  echo "help"
+  echo "list_archives [remote]"
+  echo "list_databases <archive_filename> [remote]"
+  echo "list_tables <archive_filename> <dbname> [remote]"
+  echo "list_rows <archive_filename> <dbname> <table_name> [remote]"
+  echo "list_schema <archive_filename> <dbname> <table_name> [remote]"
+  echo "restore <archive_filename> <db_specifier> [remote]"
+  echo "        where <db_specifier> = <dbname> | ALL"
+  echo "delete_archive <archive_filename> [remote]"
+  clean_and_exit $ret_val ""
+}
+
+#Exit cleanly with some message and return code
+clean_and_exit() {
+  RETCODE=$1
+  MSG=$2
+
+  # Clean/remove temporary directories/files
+  rm -rf $TMP_DIR
+  rm -f $RESULT_FILE
+
+  if [[ "x${MSG}" != "x" ]]; then
+    echo $MSG
+  fi
+  exit $RETCODE
+}
+
+determine_resulting_error_code() {
+  RESULT="$1"
+
+  echo ${RESULT} | grep "HTTP 404"
+  if [[ $? -eq 0 ]]; then
+    echo "Could not find the archive: ${RESULT}"
+    return 1
+  else
+    echo ${RESULT} | grep "HTTP 401"
+    if [[ $? -eq 0 ]]; then
+      echo "Could not access the archive: ${RESULT}"
+      return 1
+    else
+      echo ${RESULT} | grep "HTTP 503"
+      if [[ $? -eq 0 ]]; then
+        echo "RGW service is unavailable. ${RESULT}"
+        # In this case, the RGW may be temporarily down.
+        # Return slightly different error code so the calling code can retry
+        return 2
+      else
+        echo ${RESULT} | grep "ConnectionError"
+        if [[ $? -eq 0 ]]; then
+          echo "Could not reach the RGW: ${RESULT}"
+          # In this case, keystone or the site/node may be temporarily down.
+          # Return slightly different error code so the calling code can retry
+          return 2
+        else
+          echo "Archive ${ARCHIVE} could not be retrieved: ${RESULT}"
+          return 1
+        fi
+      fi
+    fi
+  fi
+  return 0
+}
+
+# Retrieve a list of archives from the RGW.
+retrieve_remote_listing() {
+  RESULT=$(openstack container show $CONTAINER_NAME 2>&1)
+  if [[ $? -eq 0 ]]; then
+    # Get the list, ensureing that we only pick up the right kind of backups from the
+    # requested namespace
+    openstack object list $CONTAINER_NAME | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $TMP_DIR/archive_list
+    if [[ $? -ne 0 ]]; then
+      echo "Container object listing could not be obtained."
+      return 1
+    else
+      echo "Archive listing successfully retrieved."
+    fi
+  else
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  fi
+  return 0
+}
+
+# Retrieve a single archive from the RGW.
+retrieve_remote_archive() {
+  ARCHIVE=$1
+
+  RESULT=$(openstack object save --file $TMP_DIR/$ARCHIVE $CONTAINER_NAME $ARCHIVE 2>&1)
+  if [[ $? -ne 0 ]]; then
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  else
+    echo "Archive $ARCHIVE successfully retrieved."
+  fi
+  return 0
+}
+
+# Delete an archive from the RGW.
+delete_remote_archive() {
+  ARCHIVE=$1
+
+  RESULT=$(openstack object delete ${CONTAINER_NAME} ${ARCHIVE} 2>&1)
+  if [[ $? -ne 0 ]]; then
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  else
+    echo "Archive ${ARCHIVE} successfully deleted."
+  fi
+  return 0
+}
+
+# Display all archives
+list_archives() {
+  REMOTE=$1
+
+  if [[ "x${REMOTE^^}" == "xREMOTE" ]]; then
+    retrieve_remote_listing
+    if [[ $? -eq 0 && -e $TMP_DIR/archive_list ]]; then
+      echo
+      echo "All Archives from RGW Data Store"
+      echo "=============================================="
+      cat $TMP_DIR/archive_list | sort
+      clean_and_exit 0 ""
+    else
+      clean_and_exit 1 "ERROR: Archives could not be retrieved from the RGW."
+    fi
+  elif [[ "x${REMOTE}" == "x" ]]; then
+    if [[ -d $ARCHIVE_DIR ]]; then
+      archives=$(find $ARCHIVE_DIR/ -iname "*.gz" -print | sort)
+      echo
+      echo "All Local Archives"
+      echo "=============================================="
+      for archive in $archives
+      do
+        echo $archive | cut -d '/' -f 8
+      done
+      clean_and_exit 0 ""
+    else
+      clean_and_exit 1 "ERROR: Local archive directory is not available."
+    fi
+  else
+    usage 1
+  fi
+}
+
+# Retrieve the archive from the desired location and decompress it into
+# the restore directory
+get_archive() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+
+  if [[ "x$REMOTE" == "xremote" ]]; then
+    echo "Retrieving archive ${ARCHIVE_FILE} from the remote RGW..."
+    retrieve_remote_archive $ARCHIVE_FILE
+    if [[ $? -ne 0 ]]; then
+      clean_and_exit 1 "ERROR: Could not retrieve remote archive: $ARCHIVE_FILE"
+    fi
+  elif [[ "x$REMOTE" == "x" ]]; then
+    if [[ -e $ARCHIVE_DIR/$ARCHIVE_FILE ]]; then
+      cp $ARCHIVE_DIR/$ARCHIVE_FILE $TMP_DIR/$ARCHIVE_FILE
+      if [[ $? -ne 0 ]]; then
+        clean_and_exit 1 "ERROR: Could not copy local archive to restore directory."
+      fi
+    else
+      clean_and_exit 1 "ERROR: Local archive file could not be found."
+    fi
+  else
+    usage 1
+  fi
+
+  echo "Decompressing archive $ARCHIVE_FILE..."
+  cd $TMP_DIR
+  tar zxvf - < $TMP_DIR/$ARCHIVE_FILE 1>/dev/null
+  if [[ $? -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Archive decompression failed."
+  fi
+}
+
+# Display all databases from an archive
+list_databases() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one database per line
+  get_databases $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve databases from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Databases in the $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Databases file missing. Could not list databases from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display all tables of a database from an archive
+list_tables() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  REMOTE=$3
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one table per line
+  get_tables $DATABASE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve tables for database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Tables in database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Tables file missing. Could not list tables of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display all rows of the given database table from an archive
+list_rows() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  TABLE=$3
+  REMOTE=$4
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one table per line
+  get_rows $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Rows in table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Rows file missing. Could not list rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display the schema information of the given database table from an archive
+list_schema() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  TABLE=$3
+  REMOTE=$4
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the schema information will be placed into
+  # the given schema file.
+  get_schema $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Schema for table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Schema file missing. Could not list schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Delete an archive
+delete_archive() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  if [[ "${WHERE}" == "remote" ]]; then
+    delete_remote_archive ${ARCHIVE_FILE}
+    if [[ $? -ne 0 ]]; then
+      clean_and_exit 1 "ERROR: Could not delete remote archive: ${ARCHIVE_FILE}"
+    fi
+  else # Local
+    if [[ -e ${ARCHIVE_DIR}/${ARCHIVE_FILE} ]]; then
+      rm -f ${ARCHIVE_DIR}/${ARCHIVE_FILE}
+      if [[ $? -ne 0 ]]; then
+        clean_and_exit 1 "ERROR: Could not delete local archive."
+      fi
+    else
+      clean_and_exit 1 "ERROR: Local archive file could not be found."
+    fi
+  fi
+
+  echo "Successfully deleted archive ${ARCHIVE_FILE} from ${WHERE} storage."
+}
+
+
+# Return 1 if the given database exists in the database file. 0 otherwise.
+database_exists() {
+  DB=$1
+
+  grep "${DB}" ${RESULT_FILE}
+  if [[ $? -eq 0 ]]; then
+    return 1
+  fi
+  return 0
+}
+
+# This is the main CLI interpreter function
+cli_main() {
+  ARGS=("$@")
+
+  # Create the ARCHIVE DIR if it's not already there.
+  mkdir -p $ARCHIVE_DIR
+
+  # Create temp directory for a staging area to decompress files into
+  export TMP_DIR=$(mktemp -d)
+
+  # Create a temp file for storing list of databases (if needed)
+  export RESULT_FILE=$(mktemp -p /tmp)
+
+  case "${ARGS[0]}" in
+    "help")
+      usage 0
+      ;;
+
+    "list_archives")
+      if [[ ${#ARGS[@]} -gt 2 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 1 ]]; then
+        list_archives
+      else
+        list_archives ${ARGS[1]}
+      fi
+      clean_and_exit 0
+      ;;
+
+    "list_databases")
+      if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 2 ]]; then
+        list_databases ${ARGS[1]}
+      else
+        list_databases ${ARGS[1]} ${ARGS[2]}
+      fi
+      ;;
+
+    "list_tables")
+      if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 3 ]]; then
+        list_tables ${ARGS[1]} ${ARGS[2]}
+      else
+        list_tables ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      fi
+      ;;
+
+    "list_rows")
+      if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      else
+        list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+      fi
+      ;;
+
+    "list_schema")
+      if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      else
+        list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+      fi
+      ;;
+
+    "restore")
+      REMOTE=""
+      if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        REMOTE=${ARGS[3]}
+      fi
+
+      ARCHIVE=${ARGS[1]}
+      DB_SPEC=${ARGS[2]}
+
+      #Get all the databases in that archive
+      get_archive $ARCHIVE $REMOTE
+
+      if [[ "$( echo $DB_SPEC | tr '[a-z]' '[A-Z]')" != "ALL" ]]; then
+        # Expectation is that the database listing will be put into
+        # the given file one database per line
+        get_databases $TMP_DIR $RESULT_FILE
+        if [[ "$?" -ne 0 ]]; then
+          clean_and_exit 1 "ERROR: Could not get the list of databases to restore."
+        fi
+
+        if [[ ! $DB_NAMESPACE == "kube-system" ]]; then
+          #check if the requested database is available in the archive
+          database_exists $DB_SPEC
+          if [[ $? -ne 1 ]]; then
+            clean_and_exit 1 "ERROR: Database ${DB_SPEC} does not exist."
+          fi
+        fi
+
+        echo "Restoring Database $DB_SPEC And Grants"
+        restore_single_db $DB_SPEC $TMP_DIR
+        if [[ "$?" -eq 0 ]]; then
+          echo "Single database restored successfully."
+        else
+          clean_and_exit 1 "ERROR: Single database restore failed."
+        fi
+        clean_and_exit 0 ""
+      else
+        echo "Restoring All The Databases. This could take a few minutes..."
+        restore_all_dbs $TMP_DIR
+        if [[ "$?" -eq 0 ]]; then
+          echo "All databases restored successfully."
+        else
+          clean_and_exit 1 "ERROR: Database restore failed."
+        fi
+        clean_and_exit 0 ""
+      fi
+      ;;
+    "delete_archive")
+      if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 2 ]]; then
+        delete_archive ${ARGS[1]}
+      else
+        delete_archive ${ARGS[1]} ${ARGS[2]}
+      fi
+      ;;
+    *)
+      usage 1
+      ;;
+  esac
+
+  clean_and_exit 0 ""
+}
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_image.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_image.tpl
new file mode 100644
index 0000000..029c93d
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_image.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves an image reference to a string, and its pull policy
+values: |
+  images:
+    tags:
+      test_image: docker.io/port/test:version-foo
+      image_foo: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    pull_policy: IfNotPresent
+    local_registry:
+      active: true
+      exclude:
+        - image_foo
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    local_image_registry:
+      name: docker-registry
+      namespace: docker-registry
+      hosts:
+        default: localhost
+        internal: docker-registry
+        node: localhost
+      host_fqdn_override:
+        default: null
+      port:
+        registry:
+          node: 5000
+usage: |
+  {{ tuple . "test_image" | include "helm-toolkit.snippets.image" }}
+return: |
+  image: "localhost:5000/docker.io/port/test:version-foo"
+  imagePullPolicy: IfNotPresent
+*/}}
+
+{{- define "helm-toolkit.snippets.image" -}}
+{{- $envAll := index . 0 -}}
+{{- $image := index . 1 -}}
+{{- $imageTag := index $envAll.Values.images.tags $image -}}
+{{- if and ($envAll.Values.images.local_registry.active) (not (has $image $envAll.Values.images.local_registry.exclude )) -}}
+{{- $registryPrefix := printf "%s:%s" (tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup") (tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup") -}}
+image: {{ printf "%s/%s" $registryPrefix $imageTag | quote }}
+{{- else -}}
+image: {{ $imageTag | quote }}
+{{- end }}
+imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
new file mode 100644
index 0000000..2f209fe
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a set of container enviorment variables, equivlant to an openrc for
+  use with keystone based command line clients.
+values: |
+  secrets:
+    identity:
+      admin: example-keystone-admin
+usage: |
+  {{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin ) }}
+return: |
+  - name: OS_IDENTITY_API_VERSION
+    value: "3"
+  - name: OS_AUTH_URL
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_AUTH_URL
+  - name: OS_REGION_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_REGION_NAME
+  - name: OS_INTERFACE
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_INTERFACE
+  - name: OS_ENDPOINT_TYPE
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_INTERFACE
+  - name: OS_PROJECT_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PROJECT_DOMAIN_NAME
+  - name: OS_PROJECT_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PROJECT_NAME
+  - name: OS_USER_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_USER_DOMAIN_NAME
+  - name: OS_USERNAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_USERNAME
+  - name: OS_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PASSWORD
+  - name: OS_CACERT
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_CACERT
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }}
+{{- $useCA := .useCA -}}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: OS_IDENTITY_API_VERSION
+  value: "3"
+- name: OS_AUTH_URL
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_AUTH_URL
+- name: OS_REGION_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_REGION_NAME
+- name: OS_INTERFACE
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_INTERFACE
+- name: OS_ENDPOINT_TYPE
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_INTERFACE
+- name: OS_PROJECT_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_DOMAIN_NAME
+- name: OS_PROJECT_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_NAME
+- name: OS_USER_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USER_DOMAIN_NAME
+- name: OS_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USERNAME
+- name: OS_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PASSWORD
+- name: OS_DEFAULT_DOMAIN
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_DEFAULT_DOMAIN
+{{- if $useCA }}
+- name: OS_CACERT
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_CACERT
+{{- end }}
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
new file mode 100644
index 0000000..f627657
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_secret_openrc" }}
+{{- $userClass := index . 0 -}}
+{{- $identityEndpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $userContext := index $context.Values.endpoints.identity.auth $userClass }}
+OS_AUTH_URL: {{ tuple "identity" $identityEndpoint "api" $context | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
+OS_REGION_NAME: {{ $userContext.region_name | b64enc }}
+OS_INTERFACE: {{ $userContext.interface | default "internal" | b64enc }}
+OS_PROJECT_DOMAIN_NAME: {{ $userContext.project_domain_name | b64enc }}
+OS_PROJECT_NAME: {{ $userContext.project_name | b64enc }}
+OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }}
+OS_USERNAME: {{ $userContext.username | b64enc }}
+OS_PASSWORD: {{ $userContext.password | b64enc }}
+OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }}
+{{- if $userContext.cacert }}
+OS_CACERT: {{ $userContext.cacert | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
new file mode 100644
index 0000000..648711b
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a set of container enviorment variables, for use with the keystone
+  user management jobs.
+values: |
+  secrets:
+    identity:
+      service_user: example-keystone-user
+usage: |
+  {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }}
+return: |
+  - name: SERVICE_OS_REGION_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_REGION_NAME
+  - name: SERVICE_OS_PROJECT_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PROJECT_DOMAIN_NAME
+  - name: SERVICE_OS_PROJECT_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PROJECT_NAME
+  - name: SERVICE_OS_USER_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_USER_DOMAIN_NAME
+  - name: SERVICE_OS_USERNAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_USERNAME
+  - name: SERVICE_OS_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PASSWORD
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_user_create_env_vars" }}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: SERVICE_OS_REGION_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_REGION_NAME
+- name: SERVICE_OS_PROJECT_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_DOMAIN_NAME
+- name: SERVICE_OS_PROJECT_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_NAME
+- name: SERVICE_OS_USER_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USER_DOMAIN_NAME
+- name: SERVICE_OS_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USERNAME
+- name: SERVICE_OS_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PASSWORD
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
new file mode 100644
index 0000000..8ca1028
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders a configmap used for loading custom AppArmor profiles.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+      apparmor_profiles: |-
+        my_apparmor-v1.profile: |-
+          #include <tunables/global>
+          profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+            <profile_data>
+          }
+usage: |
+  {{ dict "envAll" . "component" "myComponent" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }}
+return: |
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: releaseName-myComponent-apparmor
+  namespace: myNamespace
+data:
+  my_apparmor-v1.profile: |-
+    #include <tunables/global>
+    profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+      <profile_data>
+    }
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_configmap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- $mapName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if $envAll.Values.conf.apparmor_profiles }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ $mapName }}
+  namespace: {{ $envAll.Release.Namespace }}
+data:
+{{ $envAll.Values.conf.apparmor_profiles | toYaml | indent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
new file mode 100644
index 0000000..f231fe6
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders the init container used for apparmor loading.
+values: |
+  images:
+    tags:
+      apparmor_loader: my-repo.io/apparmor-loader:1.0.0
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+      apparmor-loader: unconfined
+usage: |
+  {{ dict "envAll" . | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" }}
+return: |
+  - name: apparmor-loader
+    image: my-repo.io/apparmor-loader:1.0.0
+    args:
+      - /profiles
+    securityContext:
+      privileged: true
+    volumeMounts:
+      - name: sys
+        mountPath: /sys
+        readOnly: true
+      - name: includes
+        mountPath: /etc/apparmor.d
+        readOnly: true
+      - name: profiles
+        mountPath: /profiles
+        readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" -}}
+{{- $envAll := index . "envAll" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+- name: apparmor-loader
+  image: {{ $envAll.Values.images.tags.apparmor_loader }}
+  args:
+    - /profiles
+  securityContext:
+    privileged: true
+  volumeMounts:
+    - name: sys
+      mountPath: /sys
+      readOnly: true
+    - name: includes
+      mountPath: /etc/apparmor.d
+      readOnly: true
+    - name: profiles
+      mountPath: /profiles
+      readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
new file mode 100644
index 0000000..baebaa3
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders the volumes used by the apparmor loader.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+inputs: |
+  envAll: "Environment or Context."
+  component: "Name of the component used for the name of configMap."
+  requireSys: "Boolean. True if it needs the hostpath /sys in volumes."
+usage: |
+  {{ dict "envAll" . "component" "keystone" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" }}
+return: |
+- name: sys
+  hostPath:
+    path: /sys
+- name: includes
+  hostPath:
+    path: /etc/apparmor.d
+- name: profiles
+  configMap:
+    name: RELEASENAME-keystone-apparmor
+    defaultMode: 0555
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_volumes" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $requireSys := index . "requireSys" | default false -}}
+{{- $configName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- if $requireSys }}
+- name: sys
+  hostPath:
+    path: /sys
+{{- end }}
+- name: includes
+  hostPath:
+    path: /etc/apparmor.d
+- name: profiles
+  configMap:
+    name: {{ $configName | quote }}
+    defaultMode: 0555
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
new file mode 100644
index 0000000..4741497
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders securityContext for a Kubernetes container.
+  For container level, see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#securitycontext-v1-core
+examples:
+  - values: |
+      pod:
+        security_context:
+          myApp:
+            container:
+              foo:
+                runAsUser: 34356
+                readOnlyRootFilesystem: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" "container" "foo" | include "helm-toolkit.snippets.kubernetes_container_security_context" }}
+    return: |
+      securityContext:
+        readOnlyRootFilesystem: true
+        runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_container_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $container := index . "container" -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{- if hasKey ( index $envAll.Values.pod.security_context $application "container" ) $container }}
+securityContext:
+{{ toYaml ( index $envAll.Values.pod.security_context $application "container" $container ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
new file mode 100644
index 0000000..bed712e
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
@@ -0,0 +1,209 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a container definition for use with the kubernetes-entrypoint image
+  from stackanetes.
+values: |
+  images:
+    tags:
+      dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    pull_policy: IfNotPresent
+    local_registry:
+      active: true
+      exclude:
+        - dep_check
+  dependencies:
+    dynamic:
+      common:
+        local_image_registry:
+          jobs:
+            - calico-image-repo-sync
+          services:
+            - endpoint: node
+              service: local_image_registry
+    static:
+      calico_node:
+        services:
+          - endpoint: internal
+            service: etcd
+        custom_resources:
+          - apiVersion: argoproj.io/v1alpha1
+            kind: Workflow
+            name: wf-example
+            fields:
+              - key: "status.phase"
+                value: "Succeeded"
+  endpoints:
+    local_image_registry:
+      namespace: docker-registry
+      hosts:
+        default: localhost
+        node: localhost
+    etcd:
+      hosts:
+        default: etcd
+  # NOTE (portdirect): if the stanza, or a portion of it, under `pod` is not
+  # specififed then the following will be used as defaults:
+  #  pod:
+  #    security_context:
+  #      kubernetes_entrypoint:
+  #        container:
+  #          kubernetes_entrypoint:
+  #            runAsUser: 65534
+  #            readOnlyRootFilesystem: true
+  #            allowPrivilegeEscalation: false
+  pod:
+    security_context:
+      kubernetes_entrypoint:
+        container:
+          kubernetes_entrypoint:
+            runAsUser: 0
+            readOnlyRootFilesystem: false
+usage: |
+  {{ tuple . "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" }}
+return: |
+  - name: init
+    image: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+    imagePullPolicy: IfNotPresent
+    securityContext:
+      allowPrivilegeEscalation: false
+      readOnlyRootFilesystem: false
+      runAsUser: 0
+
+    env:
+      - name: POD_NAME
+        valueFrom:
+          fieldRef:
+            apiVersion: v1
+            fieldPath: metadata.name
+      - name: NAMESPACE
+        valueFrom:
+          fieldRef:
+            apiVersion: v1
+            fieldPath: metadata.namespace
+      - name: INTERFACE_NAME
+        value: eth0
+      - name: PATH
+        value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+      - name: DEPENDENCY_SERVICE
+        value: "default:etcd,docker-registry:localhost"
+      - name: DEPENDENCY_JOBS
+        value: "calico-image-repo-sync"
+      - name: DEPENDENCY_DAEMONSET
+        value: ""
+      - name: DEPENDENCY_CONTAINER
+        value: ""
+      - name: DEPENDENCY_POD_JSON
+        value: ""
+      - name: DEPENDENCY_CUSTOM_RESOURCE
+        value: "[{\"apiVersion\":\"argoproj.io/v1alpha1\",\"kind\":\"Workflow\",\"namespace\":\"default\",\"name\":\"wf-example\",\"fields\":[{\"key\":\"status.phase\",\"value\":\"Succeeded\"}]}]"
+    command:
+      - kubernetes-entrypoint
+    volumeMounts:
+      []
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" -}}
+Values:
+  pod:
+    security_context:
+      kubernetes_entrypoint:
+        container:
+          kubernetes_entrypoint:
+            runAsUser: 65534
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $mounts := index . 2 -}}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+
+{{- if and ($envAll.Values.manifests.job_rabbit_init) (hasKey $envAll.Values.dependencies "dynamic") -}}
+{{- if $envAll.Values.dependencies.dynamic.job_rabbit_init -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component) ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component)) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+{{- range $deps.custom_resources }}
+{{- $_ := set . "namespace" $envAll.Release.Namespace -}}
+{{- end -}}
+{{- $default_security_context := include "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" . | fromYaml }}
+{{- $patchedEnvAll := mergeOverwrite $default_security_context $envAll }}
+- name: init
+{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
+{{- dict "envAll" $patchedEnvAll "application" "kubernetes_entrypoint" "container" "kubernetes_entrypoint" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 2 }}
+  env:
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          apiVersion: v1
+          fieldPath: metadata.name
+    - name: NAMESPACE
+      valueFrom:
+        fieldRef:
+          apiVersion: v1
+          fieldPath: metadata.namespace
+    - name: INTERFACE_NAME
+      value: eth0
+    - name: PATH
+      value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+    - name: DEPENDENCY_SERVICE
+      value: "{{ tuple $deps.services $envAll | include "helm-toolkit.utils.comma_joined_service_list" }}"
+{{- if $deps.jobs -}}
+  {{- if kindIs "string" (index $deps.jobs 0) }}
+    - name: DEPENDENCY_JOBS
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.jobs }}"
+  {{- else }}
+    - name: DEPENDENCY_JOBS_JSON
+      value: {{- toJson $deps.jobs | quote -}}
+  {{- end -}}
+{{- end }}
+    - name: DEPENDENCY_DAEMONSET
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.daemonset }}"
+    - name: DEPENDENCY_CONTAINER
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.container }}"
+    - name: DEPENDENCY_POD_JSON
+      value: {{ if $deps.pod }}{{ toJson $deps.pod | quote }}{{ else }}""{{ end }}
+    - name: DEPENDENCY_CUSTOM_RESOURCE
+      value: {{ if $deps.custom_resources }}{{ toJson $deps.custom_resources | quote }}{{ else }}""{{ end }}
+  command:
+    - kubernetes-entrypoint
+  volumeMounts:
+{{ toYaml $mounts | indent 4 }}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
new file mode 100644
index 0000000..34a7da3
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
@@ -0,0 +1,20 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_kubectl_params" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{ print "-l application=" $application " -l component=" $component }}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
new file mode 100644
index 0000000..92d3ea5
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders mandatory access control annotations for a list of containers
+  driven by values.yaml. As of now, it can only generate an apparmor
+  annotation, but in the future could generate others.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      myPodName:
+        myContainerName: localhost/myAppArmor
+        mySecondContainerName: localhost/secondProfile # optional
+        myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+  {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" }}
+return: |
+  container.apparmor.security.beta.kubernetes.io/myContainerName: localhost/myAppArmor
+  container.apparmor.security.beta.kubernetes.io/mySecondContainerName: localhost/secondProfile
+  container.apparmor.security.beta.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+  The number of container underneath is a variable arguments. It loops through
+  all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- $macType := $envAll.Values.pod.mandatory_access_control.type -}}
+{{- if $macType -}}
+{{- if eq $macType "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control $podName -}}
+{{- range $name := $containerNames -}}
+{{- $apparmorProfile := index $envAll.Values.pod.mandatory_access_control $podName $name -}}
+{{- if $apparmorProfile }}
+container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
new file mode 100644
index 0000000..48b53fa
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders a set of standardised labels
+values: |
+  release_group: null
+  pod:
+    labels:
+      default:
+        label1.example.com: value
+      bar:
+        label2.example.com: bar
+usage: |
+  {{ tuple . "foo" "bar" | include "helm-toolkit.snippets.kubernetes_metadata_labels" }}
+return: |
+  release_group: RELEASE-NAME
+  application: foo
+  component: bar
+  label1.example.com: value
+  label2.example.com: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+release_group: {{ $envAll.Values.release_group | default $envAll.Release.Name }}
+application: {{ $application }}
+component: {{ $component }}
+{{- if ($envAll.Values.pod).labels }}
+{{- if hasKey $envAll.Values.pod.labels $component }}
+{{ index $envAll.Values.pod "labels" $component | toYaml }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.labels "default" }}
+{{ $envAll.Values.pod.labels.default | toYaml }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
new file mode 100644
index 0000000..fabbcf8
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
@@ -0,0 +1,89 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes anti affinity rules, this function supports both hard
+  'requiredDuringSchedulingIgnoredDuringExecution' and soft
+  'preferredDuringSchedulingIgnoredDuringExecution' types.
+values: |
+  pod:
+    affinity:
+      anti:
+        topologyKey:
+          default: kubernetes.io/hostname
+        type:
+          default: requiredDuringSchedulingIgnoredDuringExecution
+        weight:
+          default: 10
+usage: |
+  {{ tuple . "appliction_x" "component_y" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" }}
+return: |
+  podAntiAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+    - labelSelector:
+        matchExpressions:
+          - key: release_group
+            operator: In
+            values:
+            - RELEASE-NAME
+          - key: application
+            operator: In
+            values:
+            - appliction_x
+          - key: component
+            operator: In
+            values:
+            - component_y
+          topologyKey: kubernetes.io/hostname
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $component := index . "component" -}}
+{{- $expressionRelease := dict "key" "release_group" "operator" "In"  "values" ( list ( $envAll.Values.release_group | default $envAll.Release.Name ) ) -}}
+{{- $expressionApplication := dict "key" "application" "operator" "In"  "values" ( list $application ) -}}
+{{- $expressionComponent := dict "key" "component" "operator" "In"  "values" ( list $component ) -}}
+{{- list $expressionRelease $expressionApplication $expressionComponent | toYaml }}
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{- $antiAffinityType := index $envAll.Values.pod.affinity.anti.type $component | default $envAll.Values.pod.affinity.anti.type.default }}
+{{- $antiAffinityKey := index $envAll.Values.pod.affinity.anti.topologyKey $component | default $envAll.Values.pod.affinity.anti.topologyKey.default }}
+podAntiAffinity:
+{{- $matchExpressions := include "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" ( dict "envAll" $envAll "application" $application "component" $component ) -}}
+{{- if eq $antiAffinityType "preferredDuringSchedulingIgnoredDuringExecution" }}
+  {{ $antiAffinityType }}:
+  - podAffinityTerm:
+      labelSelector:
+        matchExpressions:
+{{ $matchExpressions | indent 10 }}
+      topologyKey: {{ $antiAffinityKey }}
+{{- if  $envAll.Values.pod.affinity.anti.weight }}
+    weight: {{ index $envAll.Values.pod.affinity.anti.weight $component | default $envAll.Values.pod.affinity.anti.weight.default }}
+{{- else }}
+    weight: 10
+{{- end -}}
+{{- else if eq $antiAffinityType "requiredDuringSchedulingIgnoredDuringExecution" }}
+  {{ $antiAffinityType }}:
+  - labelSelector:
+      matchExpressions:
+{{ $matchExpressions | indent 8 }}
+    topologyKey: {{ $antiAffinityKey }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
new file mode 100644
index 0000000..74173dc
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders image pull secrets for a pod
+values: |
+  pod:
+    image_pull_secrets:
+      default:
+        - name: some-pull-secret
+      bar:
+        - name: another-pull-secret
+usage: |
+  {{ tuple . "bar" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" }}
+return: |
+  imagePullSecrets:
+    - name: some-pull-secret
+    - name: another-pull-secret
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_image_pull_secrets" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- if ($envAll.Values.pod).image_pull_secrets }}
+imagePullSecrets:
+{{- if hasKey $envAll.Values.pod.image_pull_secrets $application }}
+{{ index $envAll.Values.pod "image_pull_secrets" $application | toYaml | indent 2 }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.image_pull_secrets "default" }}
+{{ $envAll.Values.pod.image_pull_secrets.default | toYaml | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
new file mode 100644
index 0000000..90a7a65
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{{- $saName := index . 2 | replace "_" "-" }}
+{{- $saNamespace := index . 3 -}}
+{{- $releaseName := $envAll.Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $releaseName }}-{{ $saName }}
+  namespace: {{ $saNamespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $saName }}
+    namespace: {{ $saNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+  namespace: {{ $saNamespace }}
+rules:
+  - apiGroups:
+      - ""
+      - extensions
+      - batch
+      - apps
+    verbs:
+      - get
+      - list
+    resources:
+      {{- range $k, $v := $deps -}}
+      {{ if eq $v "daemonsets" }}
+      - daemonsets
+      {{- end -}}
+      {{ if eq $v "jobs" }}
+      - jobs
+      {{- end -}}
+      {{ if or (eq $v "pods") (eq $v "daemonsets") (eq $v "jobs") }}
+      - pods
+      {{- end -}}
+      {{ if eq $v "services" }}
+      - services
+      - endpoints
+      {{- end -}}
+      {{ if eq $v "secrets" }}
+      - secrets
+      {{- end -}}
+      {{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
new file mode 100644
index 0000000..4cc898d
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $saName := index . 2 -}}
+{{- $saNamespace := $envAll.Release.Namespace }}
+{{- $randomKey := randAlphaNum 32 }}
+{{- $allNamespace := dict $randomKey "" }}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $saName }}
+  namespace: {{ $saNamespace }}
+{{- range $k, $v := $deps -}}
+{{- if eq $k "services" }}
+{{- range $serv := $v }}
+{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
+{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
+{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
+{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- else if and (eq $k "jobs") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "daemonset") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "pod") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "pods," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "secret") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "secrets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- $_ := unset $allNamespace $randomKey }}
+{{- range $ns, $vv := $allNamespace }}
+{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
+{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
new file mode 100644
index 0000000..3a4fbaa
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
@@ -0,0 +1,67 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders securityContext for a Kubernetes pod.
+  For pod level, seurity context see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#podsecuritycontext-v1-core
+examples:
+  - values: |
+      pod:
+        # NOTE: The 'user' key is deprecated, and will be removed shortly.
+        user:
+          myApp:
+            uid: 34356
+        security_context:
+          myApp:
+            pod:
+              runAsNonRoot: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+    return: |
+      securityContext:
+        runAsUser: 34356
+        runAsNonRoot: true
+  - values: |
+      pod:
+        security_context:
+          myApp:
+            pod:
+              runAsUser: 34356
+              runAsNonRoot: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+    return: |
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+securityContext:
+{{- if hasKey $envAll.Values.pod "user" }}
+{{- if hasKey $envAll.Values.pod.user $application }}
+{{- if hasKey ( index $envAll.Values.pod.user $application ) "uid" }}
+  runAsUser: {{ index $envAll.Values.pod.user $application "uid" }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{ toYaml ( index $envAll.Values.pod.security_context $application "pod" ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
new file mode 100644
index 0000000..7470760
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes liveness and readiness probes for containers
+values: |
+  pod:
+    probes:
+      api:
+        default:
+          readiness:
+            enabled: true
+            params:
+              initialDelaySeconds: 30
+              timeoutSeconds: 30
+usage: |
+  {{- define "probeTemplate" }}
+  httpGet:
+    path: /status
+    port: 9090
+  {{- end }}
+  {{ dict "envAll" . "component" "api" "container" "default" "type" "readiness" "probeTemplate" (include "probeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" }}
+return: |
+  readinessProbe:
+    httpGet:
+      path: /status
+      port: 9090
+    initialDelaySeconds: 30
+    timeoutSeconds: 30
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_probe" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $container := index . "container" -}}
+{{- $type := index . "type" -}}
+{{- $probeTemplate := index . "probeTemplate" -}}
+{{- $probeOpts := index $envAll.Values.pod.probes $component $container $type -}}
+{{- if $probeOpts.enabled -}}
+{{- $probeOverides := index $probeOpts "params" | default dict -}}
+{{ dict ( printf "%sProbe" $type ) (mergeOverwrite $probeTemplate $probeOverides ) | toYaml }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
new file mode 100644
index 0000000..24d30cf
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
@@ -0,0 +1,53 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Note: This function is deprecated and will be removed in the future.
+
+abstract: |
+  Renders kubernetes resource limits for pods
+values: |
+  pod:
+    resources:
+      enabled: true
+      api:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+          hugepages-1Gi: "1Gi"
+
+usage: |
+  {{ include "helm-toolkit.snippets.kubernetes_resources" ( tuple . .Values.pod.resources.api ) }}
+return: |
+  resources:
+    limits:
+      cpu: "2000m"
+      memory: "1024Mi"
+      hugepages-1Gi: "1Gi"
+    requests:
+      cpu: "100m"
+      memory: "128Mi
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_resources" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- if $envAll.Values.pod.resources.enabled -}}
+resources:
+{{ toYaml $component | trim | indent 2 }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
new file mode 100644
index 0000000..555ffb0
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders seccomp annotations for a list of containers driven by values.yaml.
+values: |
+  pod:
+    seccomp:
+      myPodName:
+        myContainerName: localhost/mySeccomp
+        mySecondContainerName: localhost/secondProfile # optional
+        myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+  {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_seccomp_annotation" }}
+return: |
+  container.seccomp.security.alpha.kubernetes.io/myContainerName: localhost/mySeccomp
+  container.seccomp.security.alpha.kubernetes.io/mySecondContainerName: localhost/secondProfile
+  container.seccomp.security.alpha.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+  The number of container underneath is a variable arguments. It loops through
+  all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_seccomp_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey (index $envAll.Values.pod "seccomp") $podName -}}
+{{- range $name := $containerNames -}}
+{{- $seccompProfile := index $envAll.Values.pod.seccomp $podName $name -}}
+{{- if $seccompProfile }}
+container.seccomp.security.alpha.kubernetes.io/{{ $name }}: {{ $seccompProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
new file mode 100644
index 0000000..e4af6a6
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes tolerations for pods
+values: |
+  pod:
+    tolerations:
+      api:
+        enabled: true
+        tolerations:
+        - key: node-role.kubernetes.io/master
+          operator: Exists
+        - key: node-role.kubernetes.io/node
+          operator: Exists
+
+usage: |
+  {{ include "helm-toolkit.snippets.kubernetes_tolerations" ( tuple . .Values.pod.tolerations.api ) }}
+return: |
+  tolerations:
+  - key: node-role.kubernetes.io/master
+    operator: Exists
+  - key: node-role.kubernetes.io/node
+    operator: Exists
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_tolerations" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $pod := index $envAll.Values.pod.tolerations $component }}
+tolerations:
+{{ toYaml $pod.tolerations }}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
new file mode 100644
index 0000000..69cee47
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_daemonset" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $upgradeMap := index $envAll.Values.pod.lifecycle.upgrades.daemonsets $component -}}
+{{- $pod_replacement_strategy := $envAll.Values.pod.lifecycle.upgrades.daemonsets.pod_replacement_strategy -}}
+{{- with $upgradeMap -}}
+{{- if .enabled }}
+minReadySeconds: {{ .min_ready_seconds }}
+updateStrategy:
+  type: {{ $pod_replacement_strategy }}
+  {{- if $pod_replacement_strategy }}
+  {{- if eq $pod_replacement_strategy "RollingUpdate" }}
+  rollingUpdate:
+    maxUnavailable: {{ .max_unavailable }}
+  {{- end }}
+  {{- end }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
new file mode 100644
index 0000000..be28cdb
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_deployment" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.deployments -}}
+revisionHistoryLimit: {{ .revision_history }}
+strategy:
+  type: {{ .pod_replacement_strategy }}
+  {{- if eq .pod_replacement_strategy "RollingUpdate" }}
+  rollingUpdate:
+    maxUnavailable: {{ .rolling_update.max_unavailable }}
+    maxSurge: {{ .rolling_update.max_surge }}
+  {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
new file mode 100644
index 0000000..f897023
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders upgradeStrategy configuration for Kubernetes statefulsets.
+  See: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+  Types:
+    - RollingUpdate (default)
+    - OnDelete
+  Partitions:
+    - Stage updates to a statefulset by keeping pods at current version while
+      allowing mutations to statefulset's .spec.template
+values: |
+  pod:
+    lifecycle:
+      upgrades:
+        statefulsets:
+          pod_replacement_strategy: RollingUpdate
+          partition: 2
+usage: |
+  {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_statefulset" | indent 2 }}
+return: |
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      partition: 2
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_statefulset" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.statefulsets -}}
+updateStrategy:
+  type: {{ .pod_replacement_strategy }}
+  {{ if .partition -}}
+  rollingUpdate:
+    partition: {{ .partition }}
+  {{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
new file mode 100644
index 0000000..fc74c6f
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
@@ -0,0 +1,68 @@
+{{- define "helm-toolkit.snippets.mon_host_from_k8s_ep" -}}
+{{/*
+
+Inserts a bash function definition mon_host_from_k8s_ep() which can be used
+to construct a mon_hosts value from the given namespaced endpoint.
+
+Usage (e.g. in _script.sh.tpl):
+    #!/bin/bash
+
+    : "${NS:=ceph}"
+    : "${EP:=ceph-mon-discovery}"
+
+    {{ include "helm-toolkit.snippets.mon_host_from_k8s_ep" . }}
+
+    MON_HOST=$(mon_host_from_k8s_ep "$NS" "$EP")
+
+    if [ -z "$MON_HOST" ]; then
+        # deal with failure
+    else
+        sed -i -e "s/^mon_host = /mon_host = $MON_HOST/" /etc/ceph/ceph.conf
+    fi
+*/}}
+{{`
+# Construct a mon_hosts value from the given namespaced endpoint
+# IP x.x.x.x with port p named "mon-msgr2" will appear as [v2:x.x.x.x/p/0]
+# IP x.x.x.x with port q named "mon" will appear as [v1:x.x.x.x/q/0]
+# IP x.x.x.x with ports p and q will appear as [v2:x.x.x.x/p/0,v1:x.x.x.x/q/0]
+# The entries for all IPs will be joined with commas
+mon_host_from_k8s_ep() {
+  local ns=$1
+  local ep=$2
+
+  if [ -z "$ns" ] || [ -z "$ep" ]; then
+    return 1
+  fi
+
+  # We don't want shell expansion for the go-template expression
+  # shellcheck disable=SC2016
+  kubectl get endpoints -n "$ns" "$ep" -o go-template='
+    {{- $sep := "" }}
+    {{- range $_,$s := .subsets }}
+      {{- $v2port := 0 }}
+      {{- $v1port := 0 }}
+      {{- range $_,$port := index $s "ports" }}
+        {{- if (eq $port.name "mon-msgr2") }}
+          {{- $v2port = $port.port }}
+        {{- else if (eq $port.name "mon") }}
+          {{- $v1port = $port.port }}
+        {{- end }}
+      {{- end }}
+      {{- range $_,$address := index $s "addresses" }}
+        {{- $v2endpoint := printf "v2:%s:%d/0" $address.ip $v2port }}
+        {{- $v1endpoint := printf "v1:%s:%d/0" $address.ip $v1port }}
+        {{- if (and $v2port $v1port) }}
+          {{- printf "%s[%s,%s]" $sep $v2endpoint $v1endpoint }}
+          {{- $sep = "," }}
+        {{- else if $v2port }}
+          {{- printf "%s[%s]" $sep $v2endpoint }}
+          {{- $sep = "," }}
+        {{- else if $v1port }}
+          {{- printf "%s[%s]" $sep $v1endpoint }}
+          {{- $sep = "," }}
+        {{- end }}
+      {{- end }}
+    {{- end }}'
+}
+`}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
new file mode 100644
index 0000000..fec41f8
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape jobs via pod
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape pods that have a value of `true`
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: Scrape the pod on the indicated port instead of the
+# pod's declared ports (default is a port-free target if none are declared).
+
+{{- define "helm-toolkit.snippets.prometheus_pod_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
new file mode 100644
index 0000000..a827c4b
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
@@ -0,0 +1,35 @@
+{{/*
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+   http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape endpoints via
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape services that have a value of `true`
+# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
+# to set this to `https` & most likely set the `tls_config` of the scrape config.
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: If the metrics are exposed on a different port to the
+# service then set this appropriately.
+
+{{- define "helm-toolkit.snippets.prometheus_service_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.scheme }}
+prometheus.io/scheme: {{ $config.scheme | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_release_uuid.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
new file mode 100644
index 0000000..253920b
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Reneders an attonation key and value for a release
+values: |
+  release_uuid: null
+usage: |
+  {{ tuple . | include "helm-toolkit.snippets.release_uuid" }}
+return: |
+  "openstackhelm.openstack.org/release_uuid": ""
+*/}}
+
+{{- define "helm-toolkit.snippets.release_uuid" -}}
+{{- $envAll := index . 0 -}}
+"openstackhelm.openstack.org/release_uuid": {{ $envAll.Values.release_uuid | default "" | quote }}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
new file mode 100644
index 0000000..a3169ce
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_admin_env_vars" }}
+{{- $s3AdminSecret := .s3AdminSecret }}
+- name: S3_ADMIN_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_USERNAME
+- name: S3_ADMIN_ACCESS_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_ACCESS_KEY
+- name: S3_ADMIN_SECRET_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_SECRET_KEY
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
new file mode 100644
index 0000000..a611a5e
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_secret_creds" }}
+{{- range $client, $config := .Values.storage.s3.clients -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+type: Opaque
+data:
+{{- range $key, $value := $config.auth }}
+  {{ $key | upper }}: {{ $value | toString | b64enc}}
+{{- end }}
+
+{{ end }}
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
new file mode 100644
index 0000000..a3dd431
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_user_env_vars" }}
+{{- range $client, $user := .Values.storage.s3.clients }}
+{{- $s3secret := printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+- name: {{ printf "%s_S3_USERNAME" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: USERNAME
+- name: {{ printf "%s_S3_ACCESS_KEY" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: ACCESS_KEY
+- name: {{ printf "%s_S3_SECRET_KEY" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: SECRET_KEY
+{{- end }}
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_tls_volume.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
new file mode 100644
index 0000000..41fe3d9
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+  Renders a secret volume for tls.
+
+  Dictionary Parameters:
+    enabled: boolean check if you want to conditional disable this snippet (optional)
+    name: name of the volume (required)
+    secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional)
+
+values: |
+  manifests:
+    certificates: true
+
+usage: |
+  {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume" -}}
+
+return: |
+  - name: glance-tls-api
+    secret:
+      secretName: glance-tls-api
+      defaultMode: 292
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $secretName := index . "secretName" | default $name -}}
+{{- if and $enabled (ne $name "") }}
+- name: {{ $name }}
+  secret:
+    secretName: {{ $secretName }}
+    defaultMode: 292
+{{- end }}
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
new file mode 100644
index 0000000..9cfa819
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
@@ -0,0 +1,82 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+  Renders a volume mount for TLS key, cert and CA.
+
+  Dictionary Parameters:
+    enabled: boolean check if you want to conditional disable this snippet (optional)
+    name: name that of the volume and should match the volume name (required)
+    path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required)
+    certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}.
+          the default is the full set. (optional)
+
+values: |
+  manifests:
+    certificates: true
+
+usage: |
+  {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/tls.crt
+    subPath: tls.crt
+    readOnly: true
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/tls.key
+    subPath: tls.key
+    readOnly: true
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/ca.crt
+    subPath: ca.crt
+    readOnly: true
+
+abstract: |
+  This mounts a specific issuing CA only for service validation
+
+usage: |
+  {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+  - name: glance-tls-api
+    mountPath: /etc/ssl/certs/openstack-helm.crt
+    subPath: ca.crt
+    readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume_mount" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $path := index . "path" | default "" -}}
+{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }}
+{{- if $enabled }}
+{{- if and (eq $path "") (ne $name "") }}
+- name: {{ $name }}
+  mountPath: "/etc/ssl/certs/openstack-helm.crt"
+  subPath: ca.crt
+  readOnly: true
+{{- else }}
+{{- if ne $name "" }}
+{{- range $key, $value := $certs }}
+- name: {{ $name }}
+  mountPath: {{ printf "%s/%s" $path $value }}
+  subPath: {{ $value }}
+  readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
new file mode 100644
index 0000000..6e9d5a1
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
@@ -0,0 +1,87 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders out configuration sections into a format suitable for incorporation
+  into a config-map. Allowing various forms of input to be rendered out as
+  appropriate.
+values: |
+  conf:
+    inputs:
+      - foo
+      - bar
+    some:
+      config_to_render: |
+        #We can use all of gotpl here: eg macros, ranges etc.
+        {{ include "helm-toolkit.utils.joinListWithComma" .Values.conf.inputs }}
+      config_to_complete:
+        #here we can fill out params, but things need to be valid yaml as input
+        '{{ .Release.Name }}': '{{ printf "%s-%s" .Release.Namespace "namespace" }}'
+      static_config:
+        #this is just passed though as yaml to the configmap
+        foo: bar
+usage: |
+  {{- $envAll := . }}
+  ---
+  apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: application-etc
+  data:
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_render "key" "config_to_render.conf") | indent 2 }}
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_complete "key" "config_to_complete.yaml") | indent 2 }}
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.static_config "key" "static_config.yaml") | indent 2 }}
+return: |
+  ---
+  apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: application-etc
+  data:
+    config_to_render.conf: |
+      #We can use all of gotpl here: eg macros, ranges etc.
+      foo,bar
+
+    config_to_complete.yaml: |
+      'RELEASE-NAME': 'default-namespace'
+
+    static_config.yaml: |
+      foo: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.values_template_renderer" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $template := index . "template" -}}
+{{- $key := index . "key" -}}
+{{- $format := index . "format" | default "configMap" -}}
+{{- with $envAll -}}
+{{- $templateRendered := tpl ( $template | toYaml ) . }}
+{{- if eq $format "Secret" }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: {{ regexReplaceAllLiteral "\n  " ( $templateRendered | trimPrefix "|\n" | trimPrefix "  " ) "\n" | b64enc }}
+{{- else }}
+{{ $key }}: {{ $templateRendered | b64enc }}
+{{- end -}}
+{{- else }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: |
+{{ regexReplaceAllLiteral "\n  " ( $templateRendered | trimPrefix "|\n" | trimPrefix "  " ) "\n" | indent 2 }}
+{{- else }}
+{{ $key }}: |
+{{ $templateRendered | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl b/charts/libvirt/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
new file mode 100644
index 0000000..6d617a1
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
@@ -0,0 +1,94 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Produces a certificate from a certificate authority. If the "encode" parameter
+  is true, base64 encode the values for inclusion in a Kubernetes secret.
+values: |
+  test:
+    hosts:
+      names:
+        - barbican.openstackhelm.example
+        - barbican.openstack.svc.cluster.local
+      ips:
+        - 127.0.0.1
+        - 192.168.0.1
+    life: 3
+    # Use ca.crt and ca.key to build a customized ca, if they are provided.
+    # Use hosts.names[0] and life to auto-generate a ca, if ca is not provided.
+    ca:
+      crt: |
+        <CA CRT>
+      key: |
+        <CA PRIVATE KEY>
+usage: |
+  {{ include "helm-toolkit.utils.tls_generate_certs" (dict "params" .Values.test) }}
+return: |
+  ca: |
+    <CA CRT>
+  crt: |
+    <CRT>
+  exp: 2018-09-01T10:56:07.895392915-00:00
+  key: |
+    <CRT PRIVATE KEY>
+*/}}
+
+{{- define "helm-toolkit.utils.tls_generate_certs" -}}
+{{- $params := index . "params" -}}
+{{- $encode := index . "encode" | default false -}}
+{{- $local := dict -}}
+
+{{- $_hosts := $params.hosts.names | default list }}
+{{- if kindIs "string" $params.hosts.names }}
+{{- $_ := set $local "certHosts" (list $params.hosts.names) }}
+{{- else }}
+{{- $_ := set $local "certHosts" $_hosts }}
+{{- end }}
+
+{{- $_ips := $params.hosts.ips | default list }}
+{{- if kindIs "string" $params.hosts.ips }}
+{{- $_ := set $local "certIps" (list $params.hosts.ips) }}
+{{- else }}
+{{- $_ := set $local "certIps" $_ips }}
+{{- end }}
+
+{{- if hasKey $params "ca" }}
+{{- if and (hasKey $params.ca "crt") (hasKey $params.ca "key") }}
+{{- $ca := buildCustomCert ($params.ca.crt | b64enc ) ($params.ca.key | b64enc ) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+{{- else }}
+{{- $ca := genCA (first $local.certHosts) (int $params.life) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+
+{{- $expDate := date_in_zone "2006-01-02T15:04:05Z07:00" ( date_modify (printf "+%sh" (mul $params.life 24 |toString)) now ) "UTC" }}
+{{- $rawCert := genSignedCert (first $local.certHosts) ($local.certIps) ($local.certHosts) (int $params.life) $local.ca }}
+{{- $certificate := dict -}}
+{{- if $encode -}}
+{{- $_ := b64enc $rawCert.Cert | set $certificate "crt" -}}
+{{- $_ := b64enc $rawCert.Key | set $certificate "key" -}}
+{{- $_ := b64enc $local.ca.Cert | set $certificate "ca" -}}
+{{- $_ := b64enc $local.ca.Key | set $certificate "caKey" -}}
+{{- $_ := b64enc $expDate | set $certificate "exp" -}}
+{{- else -}}
+{{- $_ := set $certificate "crt" $rawCert.Cert -}}
+{{- $_ := set $certificate "key" $rawCert.Key -}}
+{{- $_ := set $certificate "ca" $local.ca.Cert -}}
+{{- $_ := set $certificate "caKey" $local.ca.Key -}}
+{{- $_ := set $certificate "exp" $expDate -}}
+{{- end -}}
+{{- $certificate | toYaml }}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl b/charts/libvirt/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
new file mode 100644
index 0000000..e26501f
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a comma separated list of namespace:service pairs.
+values: |
+  dependencies:
+    static:
+      api:
+        services:
+          - endpoint: internal
+            service: oslo_cache
+          - endpoint: internal
+            service: oslo_db
+  endpoints:
+    oslo_db:
+      namespace: foo
+      hosts:
+        default: mariadb
+    oslo_cache:
+      namespace: bar
+      hosts:
+        default: memcache
+usage: |
+  {{ tuple .Values.dependencies.static.api.services . | include "helm-toolkit.utils.comma_joined_service_list" }}
+return: |
+  bar:memcache,foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.utils.comma_joined_service_list" -}}
+{{- $deps := index . 0 -}}
+{{- $envAll := index . 1 -}}
+{{- range $k, $v := $deps -}}{{- if $k -}},{{- end -}}{{ tuple $v.service $v.endpoint $envAll | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/utils/_configmap_templater.tpl b/charts/libvirt/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
new file mode 100644
index 0000000..7095c19
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
@@ -0,0 +1,30 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.configmap_templater" }}
+{{- $keyRoot := index . 0 -}}
+{{- $configTemplate := index . 1 -}}
+{{- $context := index . 2 -}}
+{{ if $keyRoot.override -}}
+{{ $keyRoot.override | indent 4 }}
+{{- else -}}
+{{- if $keyRoot.prefix -}}
+{{ $keyRoot.prefix | indent 4 }}
+{{- end }}
+{{ tuple $configTemplate $context | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if $keyRoot.append -}}
+{{ $keyRoot.append | indent 4 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl b/charts/libvirt/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
new file mode 100644
index 0000000..40359f0
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
@@ -0,0 +1,269 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.daemonset_overrides" }}
+  {{- $daemonset := index . 0 }}
+  {{- $daemonset_yaml := index . 1 }}
+  {{- $configmap_include := index . 2 }}
+  {{- $configmap_name := index . 3 }}
+  {{- $context := index . 4 }}
+  {{- $_ := unset $context ".Files" }}
+  {{- $daemonset_root_name := printf (print $context.Chart.Name "_" $daemonset) }}
+  {{- $_ := set $context.Values "__daemonset_list" list }}
+  {{- $_ := set $context.Values "__default" dict }}
+  {{- if hasKey $context.Values.conf "overrides" }}
+    {{- range $key, $val := $context.Values.conf.overrides }}
+
+      {{- if eq $key $daemonset_root_name }}
+        {{- range $type, $type_data := . }}
+
+          {{- if eq $type "hosts" }}
+            {{- range $host_data := . }}
+              {{/* dictionary that will contain all info needed to generate this
+              iteration of the daemonset */}}
+              {{- $current_dict := dict }}
+
+              {{/* set daemonset name */}}
+              {{/* Note: long hostnames can cause the 63 char name limit to be
+              exceeded. Truncate the hostname if hostname > 20 char */}}
+              {{- if gt (len $host_data.name) 20 }}
+                {{- $_ := set $current_dict "name" (substr 0 20 $host_data.name) }}
+              {{- else }}
+                {{- $_ := set $current_dict "name" $host_data.name }}
+              {{- end }}
+
+              {{/* apply overrides */}}
+              {{- $override_conf_copy := $host_data.conf }}
+              {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+              {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+              {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+              {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+              {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+              {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+              {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+              {{- $_ := set $current_dict "nodeData" $root_conf_copy4 }}
+
+              {{/* Schedule to this host explicitly. */}}
+              {{- $nodeSelector_dict := dict }}
+
+              {{- $_ := set $nodeSelector_dict "key" "kubernetes.io/hostname" }}
+              {{- $_ := set $nodeSelector_dict "operator" "In" }}
+
+              {{- $values_list := list $host_data.name }}
+              {{- $_ := set $nodeSelector_dict "values" $values_list }}
+
+              {{- $list_aggregate := list $nodeSelector_dict }}
+              {{- $_ := set $current_dict "matchExpressions" $list_aggregate }}
+
+              {{/* store completed daemonset entry/info into global list */}}
+              {{- $list_aggregate := append $context.Values.__daemonset_list $current_dict }}
+              {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+            {{- end }}
+          {{- end }}
+
+          {{- if eq $type "labels" }}
+            {{- $_ := set $context.Values "__label_list" . }}
+            {{- range $label_data := . }}
+              {{/* dictionary that will contain all info needed to generate this
+              iteration of the daemonset. */}}
+              {{- $_ := set $context.Values "__current_label" dict }}
+
+              {{/* set daemonset name */}}
+              {{- $_ := set $context.Values.__current_label "name" $label_data.label.key }}
+
+              {{/* apply overrides */}}
+              {{- $override_conf_copy := $label_data.conf }}
+              {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+              {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+              {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+              {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+              {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+              {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+              {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+              {{- $_ := set $context.Values.__current_label "nodeData" $root_conf_copy4 }}
+
+              {{/* Schedule to the provided label value(s) */}}
+              {{- $label_dict := omit $label_data.label "NULL" }}
+              {{- $_ := set $label_dict "operator" "In" }}
+              {{- $list_aggregate := list $label_dict }}
+              {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+
+              {{/* Do not schedule to other specified labels, with higher
+              precedence as the list position increases. Last defined label
+              is highest priority. */}}
+              {{- $other_labels := without $context.Values.__label_list $label_data }}
+              {{- range $label_data2 := $other_labels }}
+                {{- $label_dict := omit $label_data2.label "NULL" }}
+
+                {{- $_ := set $label_dict "operator" "NotIn" }}
+
+                {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+                {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+              {{- end }}
+              {{- $_ := set $context.Values "__label_list" $other_labels }}
+
+              {{/* Do not schedule to any other specified hosts */}}
+              {{- range $type, $type_data := $val }}
+                {{- if eq $type "hosts" }}
+                  {{- range $host_data := . }}
+                    {{- $label_dict := dict }}
+
+                    {{- $_ := set $label_dict "key" "kubernetes.io/hostname" }}
+                    {{- $_ := set $label_dict "operator" "NotIn" }}
+
+                    {{- $values_list := list $host_data.name }}
+                    {{- $_ := set $label_dict "values" $values_list }}
+
+                    {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+                    {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+                  {{- end }}
+                {{- end }}
+              {{- end }}
+
+              {{/* store completed daemonset entry/info into global list */}}
+              {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__current_label }}
+              {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+              {{- $_ := unset $context.Values "__current_label" }}
+
+            {{- end }}
+          {{- end }}
+        {{- end }}
+
+        {{/* scheduler exceptions for the default daemonset */}}
+        {{- $_ := set $context.Values.__default "matchExpressions" list }}
+
+        {{- range $type, $type_data := . }}
+          {{/* Do not schedule to other specified labels */}}
+          {{- if eq $type "labels" }}
+            {{- range $label_data := . }}
+              {{- $default_dict := omit $label_data.label "NULL" }}
+
+              {{- $_ := set $default_dict "operator" "NotIn" }}
+
+              {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+              {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+            {{- end }}
+          {{- end }}
+          {{/* Do not schedule to other specified hosts */}}
+          {{- if eq $type "hosts" }}
+            {{- range $host_data := . }}
+              {{- $default_dict := dict }}
+
+              {{- $_ := set $default_dict "key" "kubernetes.io/hostname" }}
+              {{- $_ := set $default_dict "operator" "NotIn" }}
+
+              {{- $values_list := list $host_data.name }}
+              {{- $_ := set $default_dict "values" $values_list }}
+
+              {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+              {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+            {{- end }}
+          {{- end }}
+        {{- end }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+
+  {{/* generate the default daemonset */}}
+
+  {{/* set name */}}
+  {{- $_ := set $context.Values.__default "name" "default" }}
+
+  {{/* no overrides apply, so copy as-is */}}
+  {{- $root_conf_copy1 := omit $context.Values.conf "overrides" }}
+  {{- $root_conf_copy2 := dict "conf" $root_conf_copy1 }}
+  {{- $context_values := omit $context.Values "conf" }}
+  {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+  {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+  {{- $_ := set $context.Values.__default "nodeData" $root_conf_copy4 }}
+
+  {{/* add to global list */}}
+  {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__default }}
+  {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+  {{- range $current_dict := $context.Values.__daemonset_list }}
+
+    {{- $context_novalues := omit $context "Values" }}
+    {{- $merged_dict := mergeOverwrite $context_novalues $current_dict.nodeData }}
+    {{- $_ := set $current_dict "nodeData" $merged_dict }}
+    {{/* Deep copy original daemonset_yaml */}}
+    {{- $_ := set $context.Values "__daemonset_yaml" ($daemonset_yaml | toYaml | fromYaml) }}
+
+    {{/* name needs to be a DNS-1123 compliant name. Ensure lower case */}}
+    {{- $name_format1 := printf (print $daemonset_root_name "-" $current_dict.name) | lower }}
+    {{/* labels may contain underscores which would be invalid here, so we replace them with dashes
+    there may be other valid label names which would make for an invalid DNS-1123 name
+    but these will be easier to handle in future with sprig regex* functions
+    (not availabile in helm 2.5.1) */}}
+    {{- $name_format2 := $name_format1 | replace "_" "-" }}
+    {{/* To account for the case where the same label is defined multiple times in overrides
+    (but with different label values), we add a sha of the scheduling data to ensure
+    name uniqueness */}}
+    {{- $_ := set $current_dict "dns_1123_name" dict }}
+    {{- if hasKey $current_dict "matchExpressions" }}
+      {{- $_ := set $current_dict "dns_1123_name" (printf (print $name_format2 "-" ($current_dict.matchExpressions | quote | sha256sum | trunc 8))) }}
+    {{- else }}
+      {{- $_ := set $current_dict "dns_1123_name" $name_format2 }}
+    {{- end }}
+
+    {{/* set daemonset metadata name */}}
+    {{- if not $context.Values.__daemonset_yaml.metadata }}{{- $_ := set $context.Values.__daemonset_yaml "metadata" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }}
+    {{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }}
+
+    {{/* cross-reference configmap name to container volume definitions */}}
+    {{- $_ := set $context.Values "__volume_list" list }}
+    {{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }}
+      {{- $_ := set $context.Values "__volume" $current_volume }}
+      {{- if hasKey $context.Values.__volume "secret" }}
+        {{- if eq $context.Values.__volume.secret.secretName $configmap_name }}
+          {{- $_ := set $context.Values.__volume.secret "secretName" $current_dict.dns_1123_name }}
+        {{- end }}
+      {{- end }}
+      {{- $updated_list := append $context.Values.__volume_list $context.Values.__volume }}
+      {{- $_ := set $context.Values "__volume_list" $updated_list }}
+    {{- end }}
+    {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "volumes" $context.Values.__volume_list }}
+
+
+    {{/* populate scheduling restrictions */}}
+    {{- if hasKey $current_dict "matchExpressions" }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "spec" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "affinity" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity "nodeAffinity" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity "requiredDuringSchedulingIgnoredDuringExecution" dict }}{{- end }}
+      {{- $match_exprs := dict }}
+      {{- $_ := set $match_exprs "matchExpressions" $current_dict.matchExpressions }}
+      {{- $appended_match_expr := list $match_exprs }}
+      {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution "nodeSelectorTerms" $appended_match_expr }}
+    {{- end }}
+
+    {{/* input value hash for current set of values overrides */}}
+    {{- if not $context.Values.__daemonset_yaml.spec }}{{- $_ := set $context.Values.__daemonset_yaml "spec" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template }}{{- $_ := set $context.Values.__daemonset_yaml.spec "template" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template.metadata }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "metadata" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template.metadata.annotations }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata "annotations" dict }}{{- end }}
+    {{- $cmap := list $current_dict.dns_1123_name $current_dict.nodeData | include $configmap_include }}
+    {{- $values_hash := $cmap | quote | sha256sum }}
+    {{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata.annotations "configmap-etc-hash" $values_hash }}
+
+    {{/* generate configmap */}}
+---
+{{ $cmap }}
+    {{/* generate daemonset yaml */}}
+---
+{{ $context.Values.__daemonset_yaml | toYaml }}
+  {{- end }}
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl b/charts/libvirt/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
new file mode 100644
index 0000000..b99c00d
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.dependency_resolver" }}
+{{- $envAll := index . "envAll" -}}
+{{- $dependencyMixinParam := index . "dependencyMixinParam" -}}
+{{- $dependencyKey := index . "dependencyKey" -}}
+{{- if $dependencyMixinParam -}}
+{{- $_ := set $envAll.Values "pod_dependency" dict -}}
+{{- if kindIs "string" $dependencyMixinParam }}
+{{- if ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam ) }}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency ( index $envAll.Values.dependencies.static $dependencyKey ) ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam $dependencyKey ) ) -}}
+{{- else }}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- end }}
+{{- else if kindIs "slice" $dependencyMixinParam }}
+{{- $_ := set $envAll.Values "__deps" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- range $k, $v := $dependencyMixinParam -}}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency $envAll.Values.__deps ( index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey ) ) -}}
+{{- $_ := set $envAll.Values "__deps" $envAll.Values.pod_dependency -}}
+{{- end }}
+{{- end }}
+{{- else -}}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) -}}
+{{- end -}}
+{{ $envAll.Values.pod_dependency | toYaml }}
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/utils/_hash.tpl b/charts/libvirt/charts/helm-toolkit/templates/utils/_hash.tpl
new file mode 100644
index 0000000..d871b62
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/utils/_hash.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.hash" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{- include $wtf $context | sha256sum | quote -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/utils/_host_list.tpl b/charts/libvirt/charts/helm-toolkit/templates/utils/_host_list.tpl
new file mode 100644
index 0000000..0c32136
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/utils/_host_list.tpl
@@ -0,0 +1,44 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a list of unique hosts for an endpoint, in yaml.
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: mariadb
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.utils.host_list" }}
+return: |
+  hosts:
+  - mariadb
+  - mariadb.default
+*/}}
+
+{{- define "helm-toolkit.utils.host_list" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $host_fqdn := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $host_namespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $host_short := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{/* It is important that the FQDN host is 1st in this list, to ensure other function can use the 1st element for cert gen CN etc */}}
+{{- $host_list := list $host_fqdn $host_namespaced $host_short | uniq }}
+{{- dict "hosts" $host_list | toYaml }}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/utils/_image_sync_list.tpl b/charts/libvirt/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
new file mode 100644
index 0000000..51923b6
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.image_sync_list" -}}
+{{- $imageExcludeList := .Values.images.local_registry.exclude -}}
+{{- $imageDict := .Values.images.tags -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := $imageDict -}}
+{{- if not $local.first -}},{{- end -}}
+{{- if (not (has $k $imageExcludeList )) -}}
+{{- index $imageDict $k -}}
+{{- $_ := set $local "first" false -}}
+{{- end -}}{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl b/charts/libvirt/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
new file mode 100644
index 0000000..5eb5785
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a comma separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithComma" .Values.test }}
+return: |
+  foo,bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithComma" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl b/charts/libvirt/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
new file mode 100644
index 0000000..3bc6819
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a comma seperated string with single quotes
+  around each value.
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.test }}
+return: |
+  'foo','bar'
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}'{{- $v -}}'{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl b/charts/libvirt/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
new file mode 100644
index 0000000..40ebb15
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
@@ -0,0 +1,32 @@
+{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of prefixed values into a space separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ tuple "prefix" .Values.test | include "helm-toolkit.utils.joinListWithPrefix" }}
+return: |
+  prefixfoo prefixbar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithPrefix" -}}
+{{- $prefix := index . 0 -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := index . 1 -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $prefix -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl b/charts/libvirt/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
new file mode 100644
index 0000000..5912280
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a space separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithSpace" .Values.test }}
+return: |
+  foo bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithSpace" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/utils/_merge.tpl b/charts/libvirt/charts/helm-toolkit/templates/utils/_merge.tpl
new file mode 100644
index 0000000..ea80546
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/utils/_merge.tpl
@@ -0,0 +1,135 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Takes a tuple of values and merges into the first (target) one each subsequent
+(source) one in order. If all values to merge are maps, then the tuple can be
+passed as is and the target will be the result, otherwise pass a map with a
+"values" key containing the tuple of values to merge, and the merge result will
+be assigned to the "result" key of the passed map.
+
+When merging maps, for each key in the source, if the target does not define
+that key, the source value is assigned. If both define the key, then the key
+values are merged using this algorithm (recursively) and the result is assigned
+to the target key. Slices are merged by appending them and removing any
+duplicates, and when passing a map to this function and including a
+"merge_same_named" key set to true, then map items from the slices with the same
+value for the "name" key will be merged with each other. Any other values are
+merged by simply keeping the source, and throwing away the target.
+*/}}
+
+{{- define "helm-toolkit.utils.merge" -}}
+  {{- $local := dict -}}
+  {{- $_ := set $local "merge_same_named" false -}}
+  {{- if kindIs "map" $ -}}
+    {{- $_ := set $local "values" $.values -}}
+    {{- if hasKey $ "merge_same_named" -}}
+      {{- $_ := set $local "merge_same_named" $.merge_same_named -}}
+    {{- end -}}
+  {{- else -}}
+    {{- $_ := set $local "values" $ -}}
+  {{- end -}}
+
+  {{- $target := first $local.values -}}
+  {{- range $item := rest $local.values -}}
+    {{- $call := dict "target" $target "source" . "merge_same_named" $local.merge_same_named -}}
+    {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+    {{- $_ := set $local "result" $call.result -}}
+  {{- end -}}
+
+  {{- if kindIs "map" $ -}}
+    {{- $_ := set $ "result" $local.result -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge" -}}
+  {{- $local := dict -}}
+
+  {{- $_ := set $ "result" $.source -}}
+
+  {{/*
+  TODO: Should we `fail` when trying to merge a collection (map or slice) with
+  either a different kind of collection or a scalar?
+  */}}
+
+  {{- if and (kindIs "map" $.target) (kindIs "map" $.source) -}}
+    {{- range $key, $sourceValue := $.source -}}
+      {{- if not (hasKey $.target $key) -}}
+        {{- $_ := set $local "newTargetValue" $sourceValue -}}
+        {{- if kindIs "map" $sourceValue -}}
+          {{- $copy := dict -}}
+          {{- $call := dict "target" $copy "source" $sourceValue -}}
+          {{- $_ := include "helm-toolkit.utils._merge.shallow" $call -}}
+          {{- $_ := set $local "newTargetValue" $copy -}}
+        {{- end -}}
+      {{- else -}}
+        {{- $targetValue := index $.target $key -}}
+        {{- $call := dict "target" $targetValue "source" $sourceValue "merge_same_named" $.merge_same_named -}}
+        {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+        {{- $_ := set $local "newTargetValue" $call.result -}}
+      {{- end -}}
+      {{- $_ := set $.target $key $local.newTargetValue -}}
+    {{- end -}}
+    {{- $_ := set $ "result" $.target -}}
+  {{- else if and (kindIs "slice" $.target) (kindIs "slice" $.source) -}}
+    {{- $call := dict "target" $.target "source" $.source -}}
+    {{- $_ := include "helm-toolkit.utils._merge.append_slice" $call -}}
+    {{- if $.merge_same_named -}}
+      {{- $_ := set $local "result" list -}}
+      {{- $_ := set $local "named_items" dict -}}
+      {{- range $item := $call.result -}}
+      {{- $_ := set $local "has_name_key" false -}}
+        {{- if kindIs "map" $item -}}
+          {{- if hasKey $item "name" -}}
+            {{- $_ := set $local "has_name_key" true -}}
+          {{- end -}}
+        {{- end -}}
+
+        {{- if $local.has_name_key -}}
+          {{- if hasKey $local.named_items $item.name -}}
+            {{- $named_item := index $local.named_items $item.name -}}
+            {{- $call := dict "target" $named_item "source" $item "merge_same_named" $.merge_same_named -}}
+            {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+          {{- else -}}
+            {{- $copy := dict -}}
+            {{- $copy_call := dict "target" $copy "source" $item -}}
+            {{- $_ := include "helm-toolkit.utils._merge.shallow" $copy_call -}}
+            {{- $_ := set $local.named_items $item.name $copy -}}
+            {{- $_ := set $local "result" (append $local.result $copy) -}}
+          {{- end -}}
+        {{- else -}}
+          {{- $_ := set $local "result" (append $local.result $item) -}}
+        {{- end -}}
+      {{- end -}}
+    {{- else -}}
+      {{- $_ := set $local "result" $call.result -}}
+    {{- end -}}
+    {{- $_ := set $ "result" (uniq $local.result) -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.shallow" -}}
+  {{- range $key, $value := $.source -}}
+    {{- $_ := set $.target $key $value -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.append_slice" -}}
+  {{- $local := dict -}}
+  {{- $_ := set $local "result" $.target -}}
+  {{- range $value := $.source -}}
+    {{- $_ := set $local "result" (append $local.result $value) -}}
+  {{- end -}}
+  {{- $_ := set $ "result" $local.result -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/utils/_template.tpl b/charts/libvirt/charts/helm-toolkit/templates/utils/_template.tpl
new file mode 100644
index 0000000..da56aa0
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/utils/_template.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.template" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{ include $wtf $context }}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/utils/_to_ini.tpl b/charts/libvirt/charts/helm-toolkit/templates/utils/_to_ini.tpl
new file mode 100644
index 0000000..a159364
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/utils/_to_ini.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns INI formatted output from yaml input
+values: |
+  conf:
+    paste:
+      filter:debug:
+        use: egg:oslo.middleware#debug
+      filter:request_id:
+        use: egg:oslo.middleware#request_id
+      filter:build_auth_context:
+        use: egg:keystone#build_auth_context
+usage: |
+  {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste }}
+return: |
+  [filter:build_auth_context]
+  use = egg:keystone#build_auth_context
+  [filter:debug]
+  use = egg:oslo.middleware#debug
+  [filter:request_id]
+  use = egg:oslo.middleware#request_id
+*/}}
+
+{{- define "helm-toolkit.utils.to_ini" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{else -}}
+{{ $key }} = {{ $value }}
+{{end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl b/charts/libvirt/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
new file mode 100644
index 0000000..885a86c
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns yaml formatted to be used in k8s templates as container
+  env vars injected via secrets. This requires a secret-<chartname> template to
+  be defined in the chart that can be used to house the desired secret
+  variables. For reference, see the fluentd chart.
+values: |
+  test:
+    secrets:
+      foo: bar
+
+usage: |
+  {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+  - name: foo
+    valueFrom:
+      secretKeyRef:
+        name: "my-release-name-env-secret"
+        key: foo
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_secret_vars" -}}
+{{- $context := index . 0 -}}
+{{- $secrets := index . 1 -}}
+{{ range $key, $config := $secrets -}}
+- name: {{ $key }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ printf "%s-%s" $context.Release.Name "env-secret" | quote }}
+      key: {{ $key }}
+{{ end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl b/charts/libvirt/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
new file mode 100644
index 0000000..829dca6
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
@@ -0,0 +1,39 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns key value pair formatted to be used in k8s templates as container
+  env vars.
+values: |
+  test:
+    foo: bar
+usage: |
+  {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+  - name: foo
+    value: "bar"
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_vars" -}}
+{{range $key, $value := . -}}
+{{- if kindIs "slice" $value -}}
+- name: {{ $key }}
+  value: {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{else -}}
+- name: {{ $key }}
+  value: {{ $value | quote }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/utils/_to_kv_list.tpl b/charts/libvirt/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
new file mode 100644
index 0000000..91bdeb6
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
@@ -0,0 +1,42 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns key value pair in INI format (key = value)
+values: |
+  conf:
+    libvirt:
+      log_level: 3
+usage: |
+  {{ include "helm-toolkit.utils.to_kv_list" .Values.conf.libvirt }}
+return: |
+  log_level = 3
+*/}}
+
+{{- define "helm-toolkit.utils.to_kv_list" -}}
+{{- range $key, $value :=  . -}}
+{{- if kindIs "slice" $value }}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{- else if kindIs "string" $value }}
+{{- if regexMatch "^[0-9]+$" $value }}
+{{ $key }} = {{ $value }}
+{{- else }}
+{{ $key }} = {{ $value | quote }}
+{{- end }}
+{{- else }}
+{{ $key }} = {{ $value }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl b/charts/libvirt/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
new file mode 100644
index 0000000..622a862
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns OSLO.conf formatted output from yaml input
+values: |
+  conf:
+    keystone:
+      DEFAULT: # Keys at this level are used for section headings
+        max_token_size: 255
+      oslo_messaging_notifications:
+        driver: # An example of a multistring option's syntax
+          type: multistring
+          values:
+            - messagingv2
+            - log
+      oslo_messaging_notifications_stein:
+        driver: # An example of a csv option's syntax
+          type: csv
+          values:
+            - messagingv2
+            - log
+      security_compliance:
+        password_expires_ignore_user_ids:
+        # Values in a list will be converted to a comma separated key
+          - "123"
+          - "456"
+usage: |
+  {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.keystone }}
+return: |
+  [DEFAULT]
+  max_token_size = 255
+  [oslo_messaging_notifications]
+  driver = messagingv2
+  driver = log
+  [oslo_messaging_notifications_stein]
+  driver = messagingv2,log
+  [security_compliance]
+  password_expires_ignore_user_ids = 123,456
+*/}}
+
+{{- define "helm-toolkit.utils.to_oslo_conf" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{ range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{ else if kindIs "map" $value -}}
+{{- if eq $value.type "multistring" }}
+{{- range $k, $multistringValue := $value.values -}}
+{{ $key }} = {{ $multistringValue }}
+{{ end -}}
+{{ else if eq $value.type "csv" -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value.values }}
+{{ end -}}
+{{- else -}}
+{{ $key }} = {{ $value }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/values.yaml b/charts/libvirt/charts/helm-toolkit/values.yaml
new file mode 100644
index 0000000..681a92b
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/values.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for utils.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
diff --git a/charts/libvirt/requirements.lock b/charts/libvirt/requirements.lock
new file mode 100644
index 0000000..ace5688
--- /dev/null
+++ b/charts/libvirt/requirements.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: helm-toolkit
+  repository: file://../helm-toolkit
+  version: 0.2.34
+digest: sha256:3e751b6e287477a9313edb791085b4430ca0a7fb983ea4b5245a825dc7e22619
+generated: "2022-03-21T18:35:10.37140708Z"
diff --git a/charts/libvirt/requirements.yaml b/charts/libvirt/requirements.yaml
new file mode 100644
index 0000000..84f0aff
--- /dev/null
+++ b/charts/libvirt/requirements.yaml
@@ -0,0 +1,18 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies:
+  - name: helm-toolkit
+    repository: file://../helm-toolkit
+    version: ">= 0.1.0"
+...
diff --git a/charts/libvirt/templates/bin/_ceph-admin-keyring.sh.tpl b/charts/libvirt/templates/bin/_ceph-admin-keyring.sh.tpl
new file mode 100644
index 0000000..8c36d4b
--- /dev/null
+++ b/charts/libvirt/templates/bin/_ceph-admin-keyring.sh.tpl
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+export HOME=/tmp
+
+cat > /etc/ceph/ceph.client.admin.keyring << EOF
+[client.admin]
+{{- if .Values.conf.ceph.admin_keyring }}
+    key = {{ .Values.conf.ceph.admin_keyring }}
+{{- else }}
+    key = $(cat /tmp/client-keyring)
+{{- end }}
+EOF
+
+exit 0
diff --git a/charts/libvirt/templates/bin/_ceph-keyring.sh.tpl b/charts/libvirt/templates/bin/_ceph-keyring.sh.tpl
new file mode 100644
index 0000000..35f5c11
--- /dev/null
+++ b/charts/libvirt/templates/bin/_ceph-keyring.sh.tpl
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+export HOME=/tmp
+
+cp -fv /etc/ceph/ceph.conf.template /etc/ceph/ceph.conf
+
+KEYRING=/etc/ceph/ceph.client.${CEPH_CINDER_USER}.keyring
+{{- if .Values.conf.ceph.cinder.keyring }}
+cat > ${KEYRING} <<EOF
+[client.{{ .Values.conf.ceph.cinder.user }}]
+    key = {{ .Values.conf.ceph.cinder.keyring }}
+EOF
+{{- else }}
+if ! [ "x${CEPH_CINDER_USER}" == "xadmin" ]; then
+  #
+  # If user is not client.admin, check if it already exists. If not create
+  # the user. If the cephx user does not exist make sure the caps are set
+  # according to best practices
+  #
+  if USERINFO=$(ceph auth get client.${CEPH_CINDER_USER}); then
+    echo "Cephx user client.${CEPH_CINDER_USER} already exist"
+    echo "Update user client.${CEPH_CINDER_USER} caps"
+    ceph auth caps client.${CEPH_CINDER_USER} \
+       mon "profile rbd" \
+       osd "profile rbd"
+    ceph auth get client.${CEPH_CINDER_USER} -o ${KEYRING}
+  else
+    echo "Creating Cephx user client.${CEPH_CINDER_USER}"
+    ceph auth get-or-create client.${CEPH_CINDER_USER} \
+      mon "profile rbd" \
+      osd "profile rbd" \
+      -o ${KEYRING}
+  fi
+  rm -f /etc/ceph/ceph.client.admin.keyring
+fi
+{{- end }}
diff --git a/charts/libvirt/templates/bin/_libvirt.sh.tpl b/charts/libvirt/templates/bin/_libvirt.sh.tpl
new file mode 100644
index 0000000..c419997
--- /dev/null
+++ b/charts/libvirt/templates/bin/_libvirt.sh.tpl
@@ -0,0 +1,177 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+if [ -n "$(cat /proc/*/comm 2>/dev/null | grep -w libvirtd)" ]; then
+  set +x
+  for proc in $(ls /proc/*/comm 2>/dev/null); do
+    if [ "x$(cat $proc 2>/dev/null | grep -w libvirtd)" == "xlibvirtd" ]; then
+      set -x
+      libvirtpid=$(echo $proc | cut -f 3 -d '/')
+      echo "WARNING: libvirtd daemon already running on host" 1>&2
+      echo "$(cat "/proc/${libvirtpid}/status" 2>/dev/null | grep State)" 1>&2
+      kill -9 "$libvirtpid" || true
+      set +x
+    fi
+  done
+  set -x
+fi
+
+rm -f /var/run/libvirtd.pid
+
+if [[ -c /dev/kvm ]]; then
+    chmod 660 /dev/kvm
+    chown root:kvm /dev/kvm
+fi
+
+#Setup Cgroups to use when breaking out of Kubernetes defined groups
+CGROUPS=""
+for CGROUP in cpu rdma hugetlb; do
+  if [ -d /sys/fs/cgroup/${CGROUP} ]; then
+    CGROUPS+="${CGROUP},"
+  fi
+done
+cgcreate -g ${CGROUPS%,}:/osh-libvirt
+
+# We assume that if hugepage count > 0, then hugepages should be exposed to libvirt/qemu
+hp_count="$(cat /proc/meminfo | grep HugePages_Total | tr -cd '[:digit:]')"
+if [ 0"$hp_count" -gt 0 ]; then
+
+  echo "INFO: Detected hugepage count of '$hp_count'. Enabling hugepage settings for libvirt/qemu."
+
+  # Enable KVM hugepages for QEMU
+  if [ -n "$(grep KVM_HUGEPAGES=0 /etc/default/qemu-kvm)" ]; then
+    sed -i 's/.*KVM_HUGEPAGES=0.*/KVM_HUGEPAGES=1/g' /etc/default/qemu-kvm
+  else
+    echo KVM_HUGEPAGES=1 >> /etc/default/qemu-kvm
+  fi
+
+  # Ensure that the hugepage mount location is available/mapped inside the
+  # container. This assumes use of the default ubuntu dev-hugepages.mount
+  # systemd unit which mounts hugepages at this location.
+  if [ ! -d /dev/hugepages ]; then
+    echo "ERROR: Hugepages configured in kernel, but libvirtd container cannot access /dev/hugepages"
+    exit 1
+  fi
+
+  # Kubernetes 1.10.x introduced cgroup changes that caused the container's
+  # hugepage byte limit quota to zero out. This workaround sets that pod limit
+  # back to the total number of hugepage bytes available to the baremetal host.
+  if [ -d /sys/fs/cgroup/hugetlb ]; then
+    limits="$(ls /sys/fs/cgroup/hugetlb/{{ .Values.conf.kubernetes.cgroup }}/hugetlb.*.limit_in_bytes)" || \
+      (echo "ERROR: Failed to locate any hugetable limits. Did you set the correct cgroup in your values used for this chart?"
+       exit 1)
+    for limit in $limits; do
+      target="/sys/fs/cgroup/hugetlb/$(dirname $(awk -F: '($2~/hugetlb/){print $3}' /proc/self/cgroup))/$(basename $limit)"
+      # Ensure the write target for the hugepage limit for the pod exists
+      if [ ! -f "$target" ]; then
+        echo "ERROR: Could not find write target for hugepage limit: $target"
+      fi
+
+      # Write hugetable limit for pod
+      echo "$(cat $limit)" > "$target"
+    done
+  fi
+
+  # Determine OS default hugepage size to use for the hugepage write test
+  default_hp_kb="$(cat /proc/meminfo | grep Hugepagesize | tr -cd '[:digit:]')"
+
+  # Attempt to write to the hugepage mount to ensure it is operational, but only
+  # if we have at least 1 free page.
+  num_free_pages="$(cat /sys/kernel/mm/hugepages/hugepages-${default_hp_kb}kB/free_hugepages | tr -cd '[:digit:]')"
+  echo "INFO: '$num_free_pages' free hugepages of size ${default_hp_kb}kB"
+  if [ 0"$num_free_pages" -gt 0 ]; then
+    (fallocate -o0 -l "$default_hp_kb" /dev/hugepages/foo && rm /dev/hugepages/foo) || \
+      (echo "ERROR: fallocate failed test at /dev/hugepages with size ${default_hp_kb}kB"
+       rm /dev/hugepages/foo
+       exit 1)
+  fi
+fi
+
+if [ -n "${LIBVIRT_CEPH_CINDER_SECRET_UUID}" ] ; then
+  #NOTE(portdirect): run libvirtd as a transient unit on the host with the osh-libvirt cgroups applied.
+  cgexec -g ${CGROUPS%,}:/osh-libvirt systemd-run --scope --slice=system libvirtd --listen &
+
+  tmpsecret=$(mktemp --suffix .xml)
+  if [ -n "${LIBVIRT_EXTERNAL_CEPH_CINDER_SECRET_UUID}" ] ; then
+    tmpsecret2=$(mktemp --suffix .xml)
+  fi
+  function cleanup {
+    rm -f "${tmpsecret}"
+    if [ -n "${LIBVIRT_EXTERNAL_CEPH_CINDER_SECRET_UUID}" ] ; then
+      rm -f "${tmpsecret2}"
+    fi
+  }
+  trap cleanup EXIT
+
+  # Wait for the libvirtd is up
+  TIMEOUT=60
+  while [[ ! -f /var/run/libvirtd.pid ]]; do
+    if [[ ${TIMEOUT} -gt 0 ]]; then
+      let TIMEOUT-=1
+      sleep 1
+    else
+      echo "ERROR: libvirt did not start in time (pid file missing)"
+      exit 1
+    fi
+  done
+
+  # Even though we see the pid file the socket immediately (this is
+  # needed for virsh)
+  TIMEOUT=10
+  while [[ ! -e /var/run/libvirt/libvirt-sock ]]; do
+    if [[ ${TIMEOUT} -gt 0 ]]; then
+      let TIMEOUT-=1
+      sleep 1
+    else
+      echo "ERROR: libvirt did not start in time (socket missing)"
+      exit 1
+    fi
+  done
+
+  function create_virsh_libvirt_secret {
+    sec_user=$1
+    sec_uuid=$2
+    sec_ceph_keyring=$3
+    cat > ${tmpsecret} <<EOF
+<secret ephemeral='no' private='no'>
+  <uuid>${sec_uuid}</uuid>
+  <usage type='ceph'>
+    <name>client.${sec_user}. secret</name>
+  </usage>
+</secret>
+EOF
+    virsh secret-define --file ${tmpsecret}
+    virsh secret-set-value --secret "${sec_uuid}" --base64 "${sec_ceph_keyring}"
+  }
+
+  if [ -z "${CEPH_CINDER_KEYRING}" ] ; then
+    CEPH_CINDER_KEYRING=$(awk '/key/{print $3}' /etc/ceph/ceph.client.${CEPH_CINDER_USER}.keyring)
+  fi
+  create_virsh_libvirt_secret ${CEPH_CINDER_USER} ${LIBVIRT_CEPH_CINDER_SECRET_UUID} ${CEPH_CINDER_KEYRING}
+
+  if [ -n "${LIBVIRT_EXTERNAL_CEPH_CINDER_SECRET_UUID}" ] ; then
+    EXTERNAL_CEPH_CINDER_KEYRING=$(cat /tmp/external-ceph-client-keyring)
+    create_virsh_libvirt_secret ${EXTERNAL_CEPH_CINDER_USER} ${LIBVIRT_EXTERNAL_CEPH_CINDER_SECRET_UUID} ${EXTERNAL_CEPH_CINDER_KEYRING}
+  fi
+
+  # rejoin libvirtd
+  wait
+else
+  #NOTE(portdirect): run libvirtd as a transient unit on the host with the osh-libvirt cgroups applied.
+  exec cgexec -g ${CGROUPS%,}:/osh-libvirt systemd-run --scope --slice=system libvirtd --listen
+fi
diff --git a/charts/libvirt/templates/configmap-apparmor.yaml b/charts/libvirt/templates/configmap-apparmor.yaml
new file mode 100644
index 0000000..a13e3c4
--- /dev/null
+++ b/charts/libvirt/templates/configmap-apparmor.yaml
@@ -0,0 +1,15 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- dict "envAll" . "component" "libvirt" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }}
diff --git a/charts/libvirt/templates/configmap-bin.yaml b/charts/libvirt/templates/configmap-bin.yaml
new file mode 100644
index 0000000..621e981
--- /dev/null
+++ b/charts/libvirt/templates/configmap-bin.yaml
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: libvirt-bin
+data:
+{{- if .Values.images.local_registry.active }}
+  image-repo-sync.sh: |
+{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
+{{- end }}
+  libvirt.sh: |
+{{ tuple "bin/_libvirt.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- if .Values.conf.ceph.enabled }}
+  ceph-keyring.sh: |
+{{ tuple "bin/_ceph-keyring.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  ceph-admin-keyring.sh: |
+{{ tuple "bin/_ceph-admin-keyring.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- end }}
diff --git a/charts/libvirt/templates/configmap-etc.yaml b/charts/libvirt/templates/configmap-etc.yaml
new file mode 100644
index 0000000..1fc344f
--- /dev/null
+++ b/charts/libvirt/templates/configmap-etc.yaml
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "libvirt.configmap.etc" }}
+{{- $configMapName := index . 0 }}
+{{- $envAll := index . 1 }}
+{{- with $envAll }}
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $configMapName }}
+type: Opaque
+data:
+  libvirtd.conf: {{ include "libvirt.utils.to_libvirt_conf" .Values.conf.libvirt | b64enc }}
+  qemu.conf: {{ include "libvirt.utils.to_libvirt_conf" .Values.conf.qemu | b64enc }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.configmap_etc }}
+{{- list "libvirt-etc" . | include "libvirt.configmap.etc" }}
+{{- end }}
diff --git a/charts/libvirt/templates/daemonset-libvirt.yaml b/charts/libvirt/templates/daemonset-libvirt.yaml
new file mode 100644
index 0000000..2c0ccda
--- /dev/null
+++ b/charts/libvirt/templates/daemonset-libvirt.yaml
@@ -0,0 +1,310 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "libvirtReadinessProbeTemplate" }}
+exec:
+  command:
+    - bash
+    - -c
+    - /usr/bin/virsh list
+{{- end }}
+{{- define "libvirtLivenessProbeTemplate" }}
+exec:
+  command:
+    - bash
+    - -c
+    - /usr/bin/virsh list
+{{- end }}
+
+{{- define "libvirt.daemonset" }}
+{{- $daemonset := index . 0 }}
+{{- $configMapName := index . 1 }}
+{{- $serviceAccountName := index . 2 }}
+{{- $envAll := index . 3 }}
+{{- $ssl_enabled := false }}
+{{- if eq $envAll.Values.conf.libvirt.listen_tls "1" }}
+{{- $ssl_enabled = true }}
+{{- end }}
+{{- with $envAll }}
+
+{{- $mounts_libvirt := .Values.pod.mounts.libvirt.libvirt }}
+{{- $mounts_libvirt_init := .Values.pod.mounts.libvirt.init_container }}
+
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: libvirt
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll .Chart.Name $daemonset | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  selector:
+    matchLabels:
+{{ tuple $envAll .Chart.Name $daemonset | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll $daemonset | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll .Chart.Name $daemonset | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{- dict "envAll" $envAll "podName" "libvirt-libvirt-default" "containerNames" (list "libvirt") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+    spec:
+{{ dict "envAll" $envAll "application" "libvirt" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      serviceAccountName: {{ $serviceAccountName }}
+      nodeSelector:
+        {{ .Values.labels.agent.libvirt.node_selector_key }}: {{ .Values.labels.agent.libvirt.node_selector_value }}
+      hostNetwork: true
+      hostPID: true
+      hostIPC: true
+      dnsPolicy: {{ .Values.pod.dns_policy }}
+      initContainers:
+{{ tuple $envAll "pod_dependency" $mounts_libvirt_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+{{ dict "envAll" $envAll | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" | indent 8 }}
+{{- if .Values.conf.ceph.enabled }}
+        {{- if empty .Values.conf.ceph.cinder.keyring }}
+        - name: ceph-admin-keyring-placement
+{{ tuple $envAll "ceph_config_helper" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "libvirt" "container" "ceph_admin_keyring_placement" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/ceph-admin-keyring.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: libvirt-bin
+              mountPath: /tmp/ceph-admin-keyring.sh
+              subPath: ceph-admin-keyring.sh
+              readOnly: true
+            {{- if empty .Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+        {{ end }}
+        - name: ceph-keyring-placement
+{{ tuple $envAll "ceph_config_helper" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "libvirt" "container" "ceph_keyring_placement" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          env:
+            - name: CEPH_CINDER_USER
+              value: "{{ .Values.conf.ceph.cinder.user }}"
+            {{- if .Values.conf.ceph.cinder.keyring }}
+            - name: CEPH_CINDER_KEYRING
+              value: "{{ .Values.conf.ceph.cinder.keyring }}"
+            {{ end }}
+            - name: LIBVIRT_CEPH_CINDER_SECRET_UUID
+              value: "{{ .Values.conf.ceph.cinder.secret_uuid }}"
+          command:
+            - /tmp/ceph-keyring.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: libvirt-bin
+              mountPath: /tmp/ceph-keyring.sh
+              subPath: ceph-keyring.sh
+              readOnly: true
+            - name: ceph-etc
+              mountPath: /etc/ceph/ceph.conf.template
+              subPath: ceph.conf
+              readOnly: true
+{{- end }}
+      containers:
+        - name: libvirt
+{{ tuple $envAll "libvirt" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.libvirt | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "libvirt" "container" "libvirt" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          {{- if .Values.conf.ceph.enabled }}
+          env:
+            - name: CEPH_CINDER_USER
+              value: "{{ .Values.conf.ceph.cinder.user }}"
+            {{- if .Values.conf.ceph.cinder.keyring }}
+            - name: CEPH_CINDER_KEYRING
+              value: "{{ .Values.conf.ceph.cinder.keyring }}"
+            {{ end }}
+            - name: LIBVIRT_CEPH_CINDER_SECRET_UUID
+              value: "{{ .Values.conf.ceph.cinder.secret_uuid }}"
+            {{- if .Values.conf.ceph.cinder.external_ceph.enabled }}
+            - name: EXTERNAL_CEPH_CINDER_USER
+              value: "{{ .Values.conf.ceph.cinder.external_ceph.user }}"
+            - name: LIBVIRT_EXTERNAL_CEPH_CINDER_SECRET_UUID
+              value: "{{ .Values.conf.ceph.cinder.external_ceph.secret_uuid }}"
+            {{ end }}
+          {{ end }}
+{{ dict "envAll" . "component" "libvirt" "container" "libvirt" "type" "readiness" "probeTemplate" (include "libvirtReadinessProbeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" . "component" "libvirt" "container" "libvirt" "type" "liveness" "probeTemplate" (include "libvirtLivenessProbeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+          command:
+            - /tmp/libvirt.sh
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - bash
+                  - -c
+                  - |-
+                    kill $(cat /var/run/libvirtd.pid)
+          volumeMounts:
+            {{ dict "enabled" $ssl_enabled "name" "ssl-client" "path" "/etc/pki/libvirt" "certs" (tuple "clientcert.pem" "clientkey.pem" ) | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+            {{ dict "enabled" $ssl_enabled "name" "ssl-server-cert" "path" "/etc/pki/libvirt" "certs" (tuple "servercert.pem" ) | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+            {{ dict "enabled" $ssl_enabled "name" "ssl-server-key" "path" "/etc/pki/libvirt/private" "certs" (tuple "serverkey.pem" ) | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+            {{ dict "enabled" $ssl_enabled "name" "ssl-ca-cert" "path" "/etc/pki/CA" "certs" (tuple "cacert.pem" ) | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: libvirt-bin
+              mountPath: /tmp/libvirt.sh
+              subPath: libvirt.sh
+              readOnly: true
+            - name: libvirt-etc
+              mountPath: /etc/libvirt/libvirtd.conf
+              subPath: libvirtd.conf
+              readOnly: true
+            - name: libvirt-etc
+              mountPath: /etc/libvirt/qemu.conf
+              subPath: qemu.conf
+              readOnly: true
+            - name: etc-libvirt-qemu
+              mountPath: /etc/libvirt/qemu
+            - mountPath: /lib/modules
+              name: libmodules
+              readOnly: true
+            - name: var-lib-libvirt
+              mountPath: /var/lib/libvirt
+              {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+              mountPropagation: Bidirectional
+              {{- end }}
+            - name: var-lib-nova
+              mountPath: /var/lib/nova
+              {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+              mountPropagation: Bidirectional
+              {{- end }}
+            - name: run
+              mountPath: /run
+            - name: dev
+              mountPath: /dev
+            - name: cgroup
+              mountPath: /sys/fs/cgroup
+            - name: logs
+              mountPath: /var/log/libvirt
+            - name: machine-id
+              mountPath: /etc/machine-id
+              readOnly: true
+            {{- if .Values.conf.ceph.enabled }}
+            - name: etcceph
+              mountPath: /etc/ceph
+              {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+              mountPropagation: Bidirectional
+              {{- end }}
+            {{- if empty .Values.conf.ceph.cinder.keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{- end }}
+            {{- if .Values.conf.ceph.cinder.external_ceph.enabled }}
+            - name: external-ceph-keyring
+              mountPath: /tmp/external-ceph-client-keyring
+              subPath: key
+              readOnly: true
+            {{- end }}
+            {{- end }}
+{{ if $mounts_libvirt.volumeMounts }}{{ toYaml $mounts_libvirt.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        {{ dict "enabled" $ssl_enabled "secretName" $envAll.Values.secrets.tls.client "name" "ssl-client" "path" "/etc/pki/libvirt" "certs" (tuple "clientcert.pem" "clientkey.pem" ) | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+        {{ dict "enabled" $ssl_enabled "secretName" $envAll.Values.secrets.tls.server "name" "ssl-server-cert" "path" "/etc/pki/libvirt" "certs" (tuple "servercert.pem" ) | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+        {{ dict "enabled" $ssl_enabled "secretName" $envAll.Values.secrets.tls.server "name" "ssl-server-key" "path" "/etc/pki/libvirt/private" "certs" (tuple "serverkey.pem" ) | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+        {{ dict "enabled" $ssl_enabled "secretName" $envAll.Values.secrets.tls.server "name" "ssl-ca-cert" "path" "/etc/pki/CA" "certs" (tuple "cacert.pem" ) | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+        - name: pod-tmp
+          emptyDir: {}
+        - name: libvirt-bin
+          configMap:
+            name: libvirt-bin
+            defaultMode: 0555
+        - name: libvirt-etc
+          secret:
+            secretName: {{ $configMapName }}
+            defaultMode: 0444
+        {{- if .Values.conf.ceph.enabled }}
+        - name: etcceph
+          hostPath:
+            path: /var/lib/openstack-helm/compute/libvirt
+        - name: ceph-etc
+          configMap:
+            name: {{ .Values.ceph_client.configmap }}
+            defaultMode: 0444
+        {{- if empty .Values.conf.ceph.cinder.keyring }}
+        - name: ceph-keyring
+          secret:
+            secretName: {{ .Values.ceph_client.user_secret_name }}
+        {{ end }}
+        {{- if .Values.conf.ceph.cinder.external_ceph.enabled }}
+        - name: external-ceph-keyring
+          secret:
+            secretName: {{ .Values.conf.ceph.cinder.external_ceph.user_secret_name }}
+        {{ end }}
+        {{ end }}
+        - name: libmodules
+          hostPath:
+            path: /lib/modules
+        - name: var-lib-libvirt
+          hostPath:
+            path: /var/lib/libvirt
+        - name: var-lib-nova
+          hostPath:
+            path: /var/lib/nova
+        - name: run
+          hostPath:
+            path: /run
+        - name: dev
+          hostPath:
+            path: /dev
+        - name: logs
+          hostPath:
+            path: /var/log/libvirt
+        - name: cgroup
+          hostPath:
+            path: /sys/fs/cgroup
+        - name: machine-id
+          hostPath:
+            path: /etc/machine-id
+        - name: etc-libvirt-qemu
+          hostPath:
+            path: /etc/libvirt/qemu
+{{ dict "envAll" $envAll "component" "libvirt" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" | indent 8 }}
+{{ if $mounts_libvirt.volumes }}{{ toYaml $mounts_libvirt.volumes | indent 8 }}{{ end }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.daemonset_libvirt }}
+
+{{- $envAll := . }}
+{{- $daemonset := "libvirt" }}
+{{- $configMapName := "libvirt-etc" }}
+{{- $serviceAccountName := "libvirt" }}
+
+{{- $dependencyOpts := dict "envAll" $envAll "dependencyMixinParam" $envAll.Values.network.backend "dependencyKey" "libvirt" -}}
+{{- $_ := include "helm-toolkit.utils.dependency_resolver" $dependencyOpts | toString | fromYaml }}
+
+{{ tuple $envAll "pod_dependency" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+{{- $daemonset_yaml := list $daemonset $configMapName $serviceAccountName . | include "libvirt.daemonset" | toString | fromYaml }}
+{{- $configmap_yaml := "libvirt.configmap.etc" }}
+{{- list $daemonset $daemonset_yaml $configmap_yaml $configMapName . | include "helm-toolkit.utils.daemonset_overrides" }}
+
+{{- end }}
diff --git a/charts/libvirt/templates/job-image-repo-sync.yaml b/charts/libvirt/templates/job-image-repo-sync.yaml
new file mode 100644
index 0000000..d359d1a
--- /dev/null
+++ b/charts/libvirt/templates/job-image-repo-sync.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
+{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "libvirt" -}}
+{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
+{{- end }}
diff --git a/charts/libvirt/templates/network-policy.yaml b/charts/libvirt/templates/network-policy.yaml
new file mode 100644
index 0000000..6ed51aa
--- /dev/null
+++ b/charts/libvirt/templates/network-policy.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "libvirt" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/charts/libvirt/templates/utils/_to_libvirt_conf.tpl b/charts/libvirt/templates/utils/_to_libvirt_conf.tpl
new file mode 100644
index 0000000..31e0978
--- /dev/null
+++ b/charts/libvirt/templates/utils/_to_libvirt_conf.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Builds a libvirt compatible config file.
+values: |
+  conf:
+    libvirt:
+      log_level: 3
+      cgroup_controllers:
+        - cpu
+        - cpuacct
+usage: |
+  {{ include "libvirt.utils.to_libvirt_conf" .Values.conf.libvirt }}
+return: |
+  cgroup_controllers = [ "cpu", "cpuacct" ]
+  log_level = 3
+*/}}
+
+{{- define "libvirt.utils._to_libvirt_conf.list_to_string" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}}, {{ end -}}{{- $v | quote -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
+
+{{- define "libvirt.utils.to_libvirt_conf" -}}
+{{- range $key, $value :=  . -}}
+{{- if kindIs "slice" $value }}
+{{ $key }} = [ {{ include "libvirt.utils._to_libvirt_conf.list_to_string" $value }} ]
+{{- else if kindIs "string" $value }}
+{{- if regexMatch "^[0-9]+$" $value }}
+{{ $key }} = {{ $value }}
+{{- else }}
+{{ $key }} = {{ $value | quote }}
+{{- end }}
+{{- else }}
+{{ $key }} = {{ $value }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/values.yaml b/charts/libvirt/values.yaml
new file mode 100644
index 0000000..b6cab8d
--- /dev/null
+++ b/charts/libvirt/values.yaml
@@ -0,0 +1,221 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for libvirt.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+---
+release_group: null
+
+labels:
+  agent:
+    libvirt:
+      node_selector_key: openstack-compute-node
+      node_selector_value: enabled
+
+images:
+  tags:
+    libvirt: docker.io/openstackhelm/libvirt:latest-ubuntu_bionic
+    ceph_config_helper: 'docker.io/openstackhelm/ceph-config-helper:ubuntu_bionic-20200217'
+    dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    image_repo_sync: docker.io/library/docker:17.07.0
+  pull_policy: "IfNotPresent"
+  local_registry:
+    active: false
+    exclude:
+      - dep_check
+      - image_repo_sync
+
+network:
+  # provide what type of network wiring will be used
+  # possible options: openvswitch, linuxbridge, sriov
+  backend:
+    - openvswitch
+
+endpoints:
+  cluster_domain_suffix: cluster.local
+  local_image_registry:
+    name: docker-registry
+    namespace: docker-registry
+    hosts:
+      default: localhost
+      internal: docker-registry
+      node: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        node: 5000
+
+network_policy:
+  libvirt:
+    ingress:
+      - {}
+    egress:
+      - {}
+
+ceph_client:
+  configmap: ceph-etc
+  user_secret_name: pvc-ceph-client-key
+
+conf:
+  ceph:
+    enabled: true
+    admin_keyring: null
+    cinder:
+      user: "cinder"
+      keyring: null
+      secret_uuid: 457eb676-33da-42ec-9a8c-9293d545c337
+      # Cinder Ceph backend that is not configured by the k8s cluter
+      external_ceph:
+        enabled: false
+        user: null
+        secret_uuid: null
+        user_secret_name: null
+  libvirt:
+    listen_tcp: "1"
+    listen_tls: "0"
+    auth_tcp: "none"
+    ca_file: "/etc/pki/CA/cacert.pem"
+    cert_file: "/etc/pki/libvirt/servercert.pem"
+    key_file: "/etc/pki/libvirt/private/serverkey.pem"
+    auth_unix_rw: "none"
+    listen_addr: 127.0.0.1
+    log_level: "3"
+    log_outputs: "1:file:/var/log/libvirt/libvirtd.log"
+  qemu:
+    stdio_handler: "file"
+    user: "nova"
+    group: "kvm"
+  kubernetes:
+    cgroup: "kubepods"
+
+pod:
+  probes:
+    libvirt:
+      libvirt:
+        liveness:
+          enabled: true
+          params:
+            initialDelaySeconds: 30
+            periodSeconds: 60
+            timeoutSeconds: 5
+        readiness:
+          enabled: true
+          params:
+            initialDelaySeconds: 15
+            periodSeconds: 60
+            timeoutSeconds: 5
+  security_context:
+    libvirt:
+      pod:
+        runAsUser: 0
+      container:
+        ceph_admin_keyring_placement:
+          readOnlyRootFilesystem: false
+        ceph_keyring_placement:
+          readOnlyRootFilesystem: false
+        libvirt:
+          privileged: true
+          readOnlyRootFilesystem: false
+  affinity:
+    anti:
+      type:
+        default: preferredDuringSchedulingIgnoredDuringExecution
+      topologyKey:
+        default: kubernetes.io/hostname
+      weight:
+        default: 10
+  dns_policy: "ClusterFirstWithHostNet"
+  mounts:
+    libvirt:
+      init_container: null
+      libvirt:
+  lifecycle:
+    upgrades:
+      daemonsets:
+        pod_replacement_strategy: RollingUpdate
+        libvirt:
+          enabled: true
+          min_ready_seconds: 0
+          max_unavailable: 1
+  resources:
+    enabled: false
+    libvirt:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+    jobs:
+      image_repo_sync:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+
+dependencies:
+  dynamic:
+    common:
+      local_image_registry:
+        jobs:
+          - libvirt-image-repo-sync
+        services:
+          - endpoint: node
+            service: local_image_registry
+    targeted:
+      openvswitch:
+        libvirt:
+          pod:
+            - requireSameNode: true
+              labels:
+                application: neutron
+                component: neutron-ovs-agent
+      linuxbridge:
+        libvirt:
+          pod:
+            - requireSameNode: true
+              labels:
+                application: neutron
+                component: neutron-lb-agent
+      sriov:
+        libvirt:
+          pod:
+            - requireSameNode: true
+              labels:
+                application: neutron
+                component: neutron-sriov-agent
+  static:
+    libvirt:
+      services: null
+    image_repo_sync:
+      services:
+        - endpoint: internal
+          service: local_image_registry
+
+manifests:
+  configmap_bin: true
+  configmap_etc: true
+  daemonset_libvirt: true
+  job_image_repo_sync: true
+  network_policy: false
+
+secrets:
+  tls:
+    server: libvirt-tls-server
+    client: libvirt-tls-client
+...
diff --git a/charts/magnum/Chart.yaml b/charts/magnum/Chart.yaml
new file mode 100644
index 0000000..a834c53
--- /dev/null
+++ b/charts/magnum/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Magnum
+home: https://docs.openstack.org/magnum/latest/
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/Magnum/OpenStack_Project_Magnum_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: magnum
+sources:
+- https://opendev.org/openstack/magnum
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.8
diff --git a/charts/magnum/charts/helm-toolkit/Chart.yaml b/charts/magnum/charts/helm-toolkit/Chart.yaml
new file mode 100644
index 0000000..12e2dd2
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Helm-Toolkit
+home: https://docs.openstack.org/openstack-helm
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: helm-toolkit
+sources:
+- https://opendev.org/openstack/openstack-helm-infra
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.50
diff --git a/charts/magnum/charts/helm-toolkit/requirements.yaml b/charts/magnum/charts/helm-toolkit/requirements.yaml
new file mode 100644
index 0000000..27fb08a
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/requirements.yaml
@@ -0,0 +1,15 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies: []
+...
diff --git a/charts/magnum/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl b/charts/magnum/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..12b84de
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
@@ -0,0 +1,58 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves database, or basic auth, style endpoints
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      auth:
+        admin:
+          username: root
+          password: password
+        service_username:
+          username: username
+          password: password
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+      path: /dbname
+      scheme: mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "service_username" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+return: |
+  mysql+pymysql://serviceuser:password@mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s:%s@%s:%s%s" $endpointScheme $endpointUser $endpointPass $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl b/charts/magnum/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..b7cf287
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
@@ -0,0 +1,121 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves endpoint string suitible for use with oslo.messaging transport url
+  See: https://docs.openstack.org/oslo.messaging/latest/reference/transport.html#oslo_messaging.TransportURL
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset:
+            replicas: 2
+            name: rabbitmq-rabbitmq
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: null
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq-rabbitmq-0.rabbitmq.default.svc.cluster.local:5672,cinder:password@rabbitmq-rabbitmq-1.rabbitmq.default.svc.cluster.local:5672/cinder
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset: null
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: null
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq.default.svc.cluster.local:5672/cinder
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset:
+            replicas: 2
+            name: rabbitmq-rabbitmq
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: rabbitmq.openstackhelm.org
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq.openstackhelm.org:5672/cinder
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" -}}
+{{-   $type := index . 0 -}}
+{{-   $endpoint := index . 1 -}}
+{{-   $userclass := index . 2 -}}
+{{-   $port := index . 3 -}}
+{{-   $context := index . 4 -}}
+{{-   $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{-   $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{-   $ssMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "statefulset" | default false}}
+{{-   $hostFqdnOverride := index $context.Values.endpoints ( $type | replace "-" "_" ) "host_fqdn_override" }}
+{{-   $endpointUser := index $userMap "username" }}
+{{-   $endpointPass := index $userMap "password" }}
+{{-   $endpointHostSuffix := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{-   $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{-   $local := dict "endpointCredsAndHosts" list -}}
+{{-   if not (or (index $hostFqdnOverride $endpoint | default ( index $hostFqdnOverride "default" ) ) ( not $ssMap ) ) }}
+{{-     $endpointHostPrefix := $ssMap.name }}
+{{-     range $podInt := until ( atoi (print $ssMap.replicas ) ) }}
+{{-       $endpointCredAndHost := printf "%s:%s@%s-%d.%s:%s" $endpointUser $endpointPass $endpointHostPrefix $podInt $endpointHostSuffix $endpointPort }}
+{{-       $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{-     end }}
+{{-   else }}
+{{-     $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{-     $endpointCredAndHost := printf "%s:%s@%s:%s" $endpointUser $endpointPass $endpointHost $endpointPort }}
+{{-     $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{-   end }}
+{{-   $endpointCredsAndHosts := include "helm-toolkit.utils.joinListWithComma" $local.endpointCredsAndHosts }}
+{{-   $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{-   printf "%s://%s%s" $endpointScheme $endpointCredsAndHosts $endpointPath }}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl b/charts/magnum/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
new file mode 100644
index 0000000..fb8bbe7
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves either the fully qualified hostname, of if defined in the host field
+  IPv4 for an endpoint.
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default:
+             host: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: 127.0.0.1
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      127.0.0.1
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default:
+             host: 127.0.0.1
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      127.0.0.1
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_host_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl b/charts/magnum/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
new file mode 100644
index 0000000..447efe7
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
@@ -0,0 +1,41 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the port for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+return: |
+  3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_port_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- $endpointPortMAP := index $endpointMap.port $port }}
+{{- $endpointPort := index $endpointPortMAP $endpoint | default ( index $endpointPortMAP "default" ) }}
+{{- printf "%1.f" $endpointPort -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl b/charts/magnum/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
new file mode 100644
index 0000000..3a268c0
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
@@ -0,0 +1,36 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Gets the token for an endpoint
+values: |
+  endpoints:
+    keystone:
+      auth:
+        admin:
+          token: zh78JzXgw6YUKy2e
+usage: |
+  {{ tuple "keystone" "admin" . | include "helm-toolkit.endpoints.endpoint_token_lookup" }}
+return: |
+  zh78JzXgw6YUKy2e
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_token_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $userName := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" }}
+{{- printf "%s" $serviceToken -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl b/charts/magnum/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..6877b7b
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
@@ -0,0 +1,59 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves 'hostname:port' for an endpoint
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+          port:
+            mysql:
+              default: 3306
+    usage: |
+      {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local:3306
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: 127.0.0.1
+          host_fqdn_override:
+            default: null
+          port:
+            mysql:
+              default: 3306
+    usage: |
+      {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+    return: |
+      127.0.0.1:3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- printf "%s:%s" $endpointHostname $endpointPort -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl b/charts/magnum/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
new file mode 100644
index 0000000..26374e3
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the fully qualified hostname for an endpoint
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: mariadb.openstackhelm.openstack.org
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.openstackhelm.openstack.org
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default:
+              host: mariadb.openstackhelm.openstack.org
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.openstackhelm.openstack.org
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointHostNamespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.svc.%s" $endpointHostNamespaced $context.Values.endpoints.cluster_domain_suffix }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $endpointMap.host_fqdn_override "default" | default "" ) }}
+{{- if kindIs "map" $context.Values.__FQDNendpointHostDefault }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $context.Values.__FQDNendpointHostDefault "host" ) }}
+{{- end }}
+{{- if kindIs "map" (index $endpointMap.host_fqdn_override $endpoint) }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint "host" | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl b/charts/magnum/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
new file mode 100644
index 0000000..9d60393
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
@@ -0,0 +1,40 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the namespace scoped hostname for an endpoint
+values: |
+  endpoints:
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+return: |
+  mariadb.default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.%s" $endpointHost $namespace }}
+{{- printf "%s" $endpointClusterHostname -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl b/charts/magnum/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
new file mode 100644
index 0000000..cc4d4de
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the namespace scoped hostname for an endpoint
+values: |
+  endpoints:
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" }}
+return: |
+  default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- printf "%s" $namespace -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl b/charts/magnum/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
new file mode 100644
index 0000000..f23c624
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the short hostname for an endpoint
+examples:
+  - values: |
+      endpoints:
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+    return: |
+      mariadb
+  - values: |
+      endpoints:
+        oslo_db:
+          hosts:
+            default:
+              host: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+    return: |
+      mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- printf "%s" $type -}}
+{{- else }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl b/charts/magnum/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
new file mode 100644
index 0000000..e31c0eb
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the service name for an service type
+values: |
+  endpoints:
+    identity:
+      name: keystone
+usage: |
+  {{ tuple identity . | include "keystone_endpoint_name_lookup" }}
+return: |
+  "keystone"
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_name_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointName := index $endpointMap "name" }}
+{{- $endpointName | quote -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl b/charts/magnum/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
new file mode 100644
index 0000000..b2ec648
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+  Resolves the path for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      path:
+       default: /dbname
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+return: |
+  /dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_path_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.path }}
+{{- printf "%s" $endpointMap.path | default "/" -}}
+{{- else -}}
+{{- $endpointPath := index $endpointMap.path $endpoint | default $endpointMap.path.default | default "/" }}
+{{- printf "%s" $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl b/charts/magnum/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
new file mode 100644
index 0000000..b35cb0b
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+  Resolves the scheme for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      scheme:
+        default:
+          mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+return: |
+  mysql+pymysql
+*/}}
+
+# This function returns the scheme for a service, it takes an tuple
+# input in the form: service-type, endpoint-class, port-name. eg:
+# { tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_scheme_lookup" }
+# will return the scheme setting for this particular endpoint.  In other words, for most endpoints
+# it will return either 'http' or 'https'
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.scheme }}
+{{- printf "%s" $endpointMap.scheme | default "http" -}}
+{{- else -}}
+{{- $endpointScheme := index $endpointMap.scheme $endpoint | default $endpointMap.scheme.default | default "http" }}
+{{- printf "%s" $endpointScheme -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl b/charts/magnum/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..8d0819c
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
@@ -0,0 +1,52 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  This function helps resolve uri style endpoints. It will omit the port for
+  http when 80 is used, and 443 in the case of https.
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+      path: /dbname
+      scheme: mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+return: |
+  mysql+pymysql://mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- if or ( and ( eq $endpointScheme "http" ) ( eq $endpointPort "80" ) ) ( and ( eq $endpointScheme "https" ) ( eq $endpointPort "443" ) ) -}}
+{{- printf "%s://%s%s" $endpointScheme $endpointHost $endpointPath -}}
+{{- else -}}
+{{- printf "%s://%s:%s%s" $endpointScheme $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl b/charts/magnum/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
new file mode 100644
index 0000000..cf2ef38
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  This function returns endpoint "<namespace>:<name>" pair from an endpoint
+  definition. This is used in kubernetes-entrypoint to support dependencies
+  between different services in different namespaces.
+  returns: the endpoint namespace and the service name, delimited by a colon
+
+  Normally, the service name is constructed dynamically from the hostname
+  however when an ip address is used as the hostname, we default to
+  namespace:endpointCategoryName in order to construct a valid service name
+  however this can be overridden to a custom service name by defining
+  .service.name within the endpoint definition
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      namespace: foo
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple oslo_db internal . | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}
+return: |
+  foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- with $endpointMap -}}
+{{- $endpointName := index .hosts $endpoint | default .hosts.default }}
+{{- $endpointNamespace := .namespace | default $context.Release.Namespace }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointName }}
+{{- if .service.name }}
+{{- printf "%s:%s" $endpointNamespace .service.name -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $typeYamlSafe -}}
+{{- end -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $endpointName -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl b/charts/magnum/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
new file mode 100644
index 0000000..18453ee
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for kubernete ceph storageclass
+examples:
+  - values: |
+      manifests:
+        storageclass: true
+      storageclass:
+        rbd:
+          provision_storage_class: true
+          provisioner: "ceph.com/rbd"
+          metadata:
+            default_storage_class: true
+            name: general
+          parameters:
+            #We will grab the monitors value based on helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup
+            pool: rbd
+            admin_id: admin
+            ceph_configmap_name: "ceph-etc"
+            admin_secret_name: "pvc-ceph-conf-combined-storageclass"
+            admin_secret_namespace: ceph
+            user_id: admin
+            user_secret_name: "pvc-ceph-client-key"
+            image_format: "2"
+            image_features: layering
+        cephfs:
+          provision_storage_class: true
+          provisioner: "ceph.com/cephfs"
+          metadata:
+            name: cephfs
+          parameters:
+            admin_id: admin
+            admin_secret_name: "pvc-ceph-cephfs-client-key"
+            admin_secret_namespace: ceph
+    usage: |
+      {{- range $storageclass, $val := .Values.storageclass }}
+      {{ dict "storageclass_data" $val "envAll" $ | include "helm-toolkit.manifests.ceph-storageclass" }}
+      {{- end }}
+    return: |
+      ---
+      apiVersion: storage.k8s.io/v1
+      kind: StorageClass
+      metadata:
+        annotations:
+          storageclass.kubernetes.io/is-default-class: "true"
+        name: general
+      provisioner: ceph.com/rbd
+      parameters:
+        monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+        adminId: admin
+        adminSecretName: pvc-ceph-conf-combined-storageclass
+        adminSecretNamespace: ceph
+        pool: rbd
+        userId: admin
+        userSecretName: pvc-ceph-client-key
+        image_format: "2"
+        image_features: layering
+      ---
+      apiVersion: storage.k8s.io/v1
+      kind: StorageClass
+      metadata:
+        name: cephfs
+      provisioner: ceph.com/cephfs
+      parameters:
+        monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+        adminId: admin
+        adminSecretName: pvc-ceph-cephfs-client-key
+        adminSecretNamespace: ceph
+*/}}
+
+{{- define "helm-toolkit.manifests.ceph-storageclass" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $monHost := $envAll.Values.conf.ceph.global.mon_host -}}
+{{- if empty $monHost -}}
+{{- $monHost = tuple "ceph_mon" "internal" "mon" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- end -}}
+{{- $storageclassData := index . "storageclass_data" -}}
+---
+{{- if $storageclassData.provision_storage_class }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+{{- if $storageclassData.metadata.default_storage_class }}
+  annotations:
+    storageclass.kubernetes.io/is-default-class: "true"
+{{- end }}
+  name: {{ $storageclassData.metadata.name }}
+provisioner: {{ $storageclassData.provisioner }}
+parameters:
+  monitors: {{ $monHost }}
+{{- range $attr, $value := $storageclassData.parameters }}
+  {{ $attr }}: {{ $value | quote }}
+{{- end }}
+allowVolumeExpansion: true
+
+{{- end }}
+{{- end }}
diff --git a/charts/magnum/charts/helm-toolkit/templates/manifests/_certificates.tpl b/charts/magnum/charts/helm-toolkit/templates/manifests/_certificates.tpl
new file mode 100644
index 0000000..8be771e
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/manifests/_certificates.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a certificate using jetstack
+examples:
+  - values: |
+      endpoints:
+        dashboard:
+          host_fqdn_override:
+            default:
+              host: null
+              tls:
+                secretName: keystone-tls-api
+                issuerRef:
+                  name: ca-issuer
+                  duration: 2160h
+                  organization:
+                    - ACME
+                  commonName: keystone-api.openstack.svc.cluster.local
+                  privateKey:
+                    size: 2048
+                  usages:
+                    - server auth
+                    - client auth
+                  dnsNames:
+                    - cluster.local
+                  issuerRef:
+                    name: ca-issuer
+    usage: |
+      {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
+      {{ $opts | include "helm-toolkit.manifests.certificates" }}
+    return: |
+      ---
+      apiVersion: cert-manager.io/v1
+      kind: Certificate
+      metadata:
+        name: keystone-tls-api
+        namespace: NAMESPACE
+      spec:
+        commonName: keystone-api.openstack.svc.cluster.local
+        dnsNames:
+        - cluster.local
+        duration: 2160h
+        issuerRef:
+          name: ca-issuer
+        privateKey:
+          size: 2048
+        organization:
+        - ACME
+        secretName: keystone-tls-api
+        usages:
+        - server auth
+        - client auth
+*/}}
+
+{{- define "helm-toolkit.manifests.certificates" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $service := index . "service" -}}
+{{- $type := index . "type" | default "" -}}
+{{- $slice := index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" -}}
+{{/* Put in some sensible default value if one is not provided by values.yaml */}}
+{{/* If a dnsNames list is not in the values.yaml, it can be overridden by a passed-in parameter.
+  This allows user to use other HTK method to determine the URI and pass that into this method.*/}}
+{{- if not (hasKey $slice "dnsNames") -}}
+{{- $hostName := tuple $service $type $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
+{{- $_ := $dnsNames | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "dnsNames" -}}
+{{- end -}}
+{{/* Default privateKey size to 4096. This can be overridden. */}}
+{{- if not (hasKey $slice "privateKey") -}}
+{{- $_ := dict "size" ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "privateKey" -}}
+{{- else if empty (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey" "size") -}}
+{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey") "size" -}}
+{{- end -}}
+{{/* Default duration to 3 months. Note the min is 720h. This can be overridden. */}}
+{{- if not (hasKey $slice "duration") -}}
+{{- $_ := printf "%s" "2190h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "duration" -}}
+{{- end -}}
+{{/* Default renewBefore to 15 days. This can be overridden. */}}
+{{- if not (hasKey $slice "renewBefore") -}}
+{{- $_ := printf "%s" "360h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "renewBefore" -}}
+{{- end -}}
+{{/* Default the usage to server auth and client auth. This can be overridden. */}}
+{{- if not (hasKey $slice "usages") -}}
+{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}}
+{{- end -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }}
+  namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{ $slice | toYaml | indent 2 }}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/magnum/charts/helm-toolkit/templates/manifests/_ingress.tpl
new file mode 100644
index 0000000..4c476b2
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -0,0 +1,727 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a services ingress rules.
+examples:
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public: barbican
+          host_fqdn_override:
+            default: null
+            public:
+              host: barbican.openstackhelm.example
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican-namespace-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican.openstackhelm.example
+        rules:
+          - host: barbican.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican-cluster-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx-cluster"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican.openstackhelm.example
+        rules:
+          - host: barbican.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  - values: |
+      cert_issuer_type: issuer
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/secure-backends: "true"
+              nginx.ingress.kubernetes.io/backend-protocol: "https"
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+              internal: barbican-tls-api
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+          certs:
+            barbican_tls_api:
+              secretName: barbican-tls-api
+              issuerRef:
+                name: ca-issuer
+                kind: Issuer
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          cert-manager.io/issuer: ca-issuer
+          certmanager.k8s.io/issuer: ca-issuer
+          nginx.ingress.kubernetes.io/backend-protocol: https
+          nginx.ingress.kubernetes.io/secure-backends: "true"
+      spec:
+        tls:
+          - secretName: barbican-tls-public-certmanager
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/secure-backends: "true"
+              nginx.ingress.kubernetes.io/backend-protocol: "https"
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+              internal: barbican-tls-api
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+          certs:
+            barbican_tls_api:
+              secretName: barbican-tls-api
+              issuerRef:
+                name: ca-issuer
+                kind: ClusterIssuer
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer") -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          cert-manager.io/cluster-issuer: ca-issuer
+          certmanager.k8s.io/cluster-issuer: ca-issuer
+          nginx.ingress.kubernetes.io/backend-protocol: https
+          nginx.ingress.kubernetes.io/secure-backends: "true"
+      spec:
+        tls:
+          - secretName: barbican-tls-public-certmanager
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  # Sample usage for multiple DNS names associated with the same public
+  # endpoint and certificate
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        grafana:
+          name: grafana
+          hosts:
+            default: grafana-dashboard
+            public: grafana
+          host_fqdn_override:
+            public:
+              host: grafana.openstackhelm.example
+              tls:
+                dnsNames:
+                  - grafana-alt.openstackhelm.example
+                crt: "BASE64 ENCODED CERT"
+                key: "BASE64 ENCODED KEY"
+      network:
+        grafana:
+          ingress:
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          grafana:
+            grafana:
+              public: grafana-tls-public
+    usage: |
+      {{- $ingressOpts := dict "envAll" . "backendService" "grafana" "backendServiceType" "grafana" "backendPort" "dashboard" -}}
+      {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        rules:
+          - host: grafana
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana-namespace-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: grafana-tls-public
+            hosts:
+              - grafana.openstackhelm.example
+              - grafana-alt.openstackhelm.example
+        rules:
+          - host: grafana.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana-alt.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana-cluster-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx-cluster"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: grafana-tls-public
+            hosts:
+              - grafana.openstackhelm.example
+              - grafana-alt.openstackhelm.example
+        rules:
+          - host: grafana.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana-alt.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+
+*/}}
+
+{{- define "helm-toolkit.manifests.ingress._host_rules" -}}
+{{- $vHost := index . "vHost" -}}
+{{- $backendName := index . "backendName" -}}
+{{- $backendPort := index . "backendPort" -}}
+- host: {{ $vHost }}
+  http:
+    paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: {{ $backendName }}
+            port:
+{{- if or (kindIs "int" $backendPort) (regexMatch "^[0-9]{1,5}$" $backendPort) }}
+              number: {{ $backendPort | int }}
+{{- else }}
+              name: {{ $backendPort | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "helm-toolkit.manifests.ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendService := index . "backendService" | default "api" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+{{- $backendPort := index . "backendPort" -}}
+{{- $endpoint := index . "endpoint" | default "public" -}}
+{{- $certIssuer := index . "certIssuer" | default "" -}}
+{{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostNameFull := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $certIssuerType := "cluster-issuer" -}}
+{{- if $envAll.Values.cert_issuer_type }}
+{{- $certIssuerType = $envAll.Values.cert_issuer_type }}
+{{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $ingressName }}
+  annotations:
+    kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" "namespace" | quote }}
+{{- if $certIssuer }}
+    cert-manager.io/{{ $certIssuerType }}: {{ $certIssuer }}
+    certmanager.k8s.io/{{ $certIssuerType }}: {{ $certIssuer }}
+{{- $slice := index $envAll.Values.endpoints $backendServiceType "host_fqdn_override" "default" "tls" -}}
+{{- if (hasKey $slice "duration") }}
+    cert-manager.io/duration: {{ index $slice "duration" }}
+{{- end }}
+{{- end }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "hosts" }}
+{{- if $certIssuer }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ printf "%s-ing" $secretName }}
+      hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+        - {{ $vHost }}
+{{- end }}
+{{- else }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ $secretName }}
+      hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+        - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+  rules:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+{{- $hostRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
+{{- $ingressConf := $envAll.Values.network -}}
+{{- $ingressClasses := ternary (tuple "namespace") (tuple "namespace" "cluster") (and (hasKey $ingressConf "use_external_ingress_controller") $ingressConf.use_external_ingress_controller) }}
+{{- range $key2, $ingressController := $ingressClasses }}
+{{- $vHosts := list $hostNameFull }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ printf "%s-%s-%s" $ingressName $ingressController "fqdn" }}
+  annotations:
+    kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" $ingressController | quote }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
+{{- $vHosts = append $vHosts $v }}
+{{- end }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ $secretName }}
+      hosts:
+{{- range $vHost := $vHosts }}
+        - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+  rules:
+{{- range $vHost := $vHosts }}
+{{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/magnum/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/charts/magnum/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
new file mode 100644
index 0000000..5d98c8b
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
@@ -0,0 +1,141 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $bootstrapJob := dict "envAll" . "serviceName" "senlin" -}
+# { $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }
+
+{{- define "helm-toolkit.manifests.job_bootstrap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}}
+{{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $keystoneUser := index . "keystoneUser" | default $serviceName -}}
+{{- $openrc := index . "openrc" | default "true" -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "bootstrap" }}
+{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "bootstrap" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+      containers:
+        - name: bootstrap
+          image: {{ $envAll.Values.images.tags.bootstrap }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if eq $openrc "true" }}
+          env:
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+{{- end }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/bootstrap.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: bootstrap-sh
+              mountPath: /tmp/bootstrap.sh
+              subPath: bootstrap.sh
+              readOnly: true
+            - name: etc-service
+              mountPath: {{ dir $configFile | quote }}
+            - name: bootstrap-conf
+              mountPath: {{ $configFile | quote }}
+              subPath: {{ base $configFile | quote }}
+              readOnly: true
+            - name: bootstrap-conf
+              mountPath: {{ $logConfigFile | quote }}
+              subPath: {{ base $logConfigFile | quote }}
+              readOnly: true
+{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: bootstrap-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etc-service
+          emptyDir: {}
+        - name: bootstrap-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/magnum/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/charts/magnum/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
new file mode 100644
index 0000000..62ed119
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
@@ -0,0 +1,170 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToDropJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_drop_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToDrop := index . "dbToDrop" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToDrop := default (list $dbToDrop) (index . "dbsToDrop") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
+{{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-drop" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": hook-succeeded
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_drop" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_drop" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{ $dbToDropType := default "oslo" $dbToDrop.inputType }}
+        - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-drop" $key1 | quote }}
+          image: {{ $envAll.Values.images.tags.db_drop }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_drop | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: ROOT_DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToDrop.adminSecret | quote }}
+                  key: DB_CONNECTION
+{{- if eq $dbToDropType "oslo" }}
+            - name: OPENSTACK_CONFIG_FILE
+              value: {{ $dbToDrop.configFile | quote }}
+            - name: OPENSTACK_CONFIG_DB_SECTION
+              value: {{ $dbToDrop.configDbSection | quote }}
+            - name: OPENSTACK_CONFIG_DB_KEY
+              value: {{ $dbToDrop.configDbKey | quote }}
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+            - name: MARIADB_X509
+              value: "REQUIRE X509"
+{{- end }}
+{{- if eq $dbToDropType "secret" }}
+            - name: DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToDrop.userSecret | quote }}
+                  key: DB_CONNECTION
+{{- end }}
+          command:
+            - /tmp/db-drop.py
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-drop-sh
+              mountPath: /tmp/db-drop.py
+              subPath: db-drop.py
+              readOnly: true
+
+{{- if eq $dbToDropType "oslo" }}
+            - name: etc-service
+              mountPath: {{ dir $dbToDrop.configFile | quote }}
+            - name: db-drop-conf
+              mountPath: {{ $dbToDrop.configFile | quote }}
+              subPath: {{ base $dbToDrop.configFile | quote }}
+              readOnly: true
+            - name: db-drop-conf
+              mountPath: {{ $dbToDrop.logConfigFile | quote }}
+              subPath: {{ base $dbToDrop.logConfigFile | quote }}
+              readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-drop-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{- $dbToDropType := default "oslo" $dbToDrop.inputType }}
+{{- if and (eq $dbToDropType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-drop-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/charts/magnum/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
new file mode 100644
index 0000000..745e8da
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
@@ -0,0 +1,169 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToInitJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_init_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToInit := index . "dbToInit" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToInit := default (list $dbToInit) (index . "dbsToInit") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
+{{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-init" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{ $dbToInitType := default "oslo" $dbToInit.inputType }}
+        - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-init" $key1 | quote }}
+          image: {{ $envAll.Values.images.tags.db_init }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: ROOT_DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToInit.adminSecret | quote }}
+                  key: DB_CONNECTION
+{{- if eq $dbToInitType "oslo" }}
+            - name: OPENSTACK_CONFIG_FILE
+              value: {{ $dbToInit.configFile | quote }}
+            - name: OPENSTACK_CONFIG_DB_SECTION
+              value: {{ $dbToInit.configDbSection | quote }}
+            - name: OPENSTACK_CONFIG_DB_KEY
+              value: {{ $dbToInit.configDbKey | quote }}
+{{- end }}
+{{- if eq $dbToInitType "secret" }}
+            - name: DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToInit.userSecret | quote }}
+                  key: DB_CONNECTION
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+            - name: MARIADB_X509
+              value: "REQUIRE X509"
+{{- end }}
+          command:
+            - /tmp/db-init.py
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-init-sh
+              mountPath: /tmp/db-init.py
+              subPath: db-init.py
+              readOnly: true
+{{- if eq $dbToInitType "oslo" }}
+            - name: etc-service
+              mountPath: {{ dir $dbToInit.configFile | quote }}
+            - name: db-init-conf
+              mountPath: {{ $dbToInit.configFile | quote }}
+              subPath: {{ base $dbToInit.configFile | quote }}
+              readOnly: true
+            - name: db-init-conf
+              mountPath: {{ $dbToInit.logConfigFile | quote }}
+              subPath: {{ base $dbToInit.logConfigFile | quote }}
+              readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-init-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{- $dbToInitType := default "oslo" $dbToInit.inputType }}
+{{- if and (eq $dbToInitType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-init-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl b/charts/magnum/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
new file mode 100644
index 0000000..24d2496
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
@@ -0,0 +1,137 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db migration and management.
+# It can be used in charts dict created similar to the following:
+# {- $dbSyncJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }
+
+{{- define "helm-toolkit.manifests.job_db_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $podEnvVars := index . "podEnvVars" | default false -}}
+{{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "image" ( index $envAll.Values.images.tags ( printf "%s_db_sync" $serviceName )) ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
+{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+          image: {{ $dbToSync.image | quote }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if $podEnvVars }}
+          env:
+{{ $podEnvVars | toYaml | indent 12 }}
+{{- end }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/db-sync.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-sync-sh
+              mountPath: /tmp/db-sync.sh
+              subPath: db-sync.sh
+              readOnly: true
+            - name: etc-service
+              mountPath: {{ dir $dbToSync.configFile | quote }}
+            - name: db-sync-conf
+              mountPath: {{ $dbToSync.configFile | quote }}
+              subPath: {{ base $dbToSync.configFile | quote }}
+              readOnly: true
+            - name: db-sync-conf
+              mountPath: {{ $dbToSync.logConfigFile | quote }}
+              subPath: {{ base $dbToSync.logConfigFile | quote }}
+              readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-sync-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-sync-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/magnum/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/charts/magnum/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
new file mode 100644
index 0000000..3a7df7f
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
@@ -0,0 +1,130 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksEndpointJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksEndpointJob | include "helm-toolkit.manifests.job_ks_endpoints" }
+
+{{- define "helm-toolkit.manifests.job_ks_endpoints" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_endpoints" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_endpoints.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-endpoints" }}
+{{ tuple $envAll "ks_endpoints" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "ks-endpoints" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_endpoints" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_endpoints" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+        - name: {{ printf "%s-%s-%s" $osServiceType "ks-endpoints" $osServiceEndPoint | quote }}
+          image: {{ $envAll.Values.images.tags.ks_endpoints }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-endpoints.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-endpoints-sh
+              mountPath: /tmp/ks-endpoints.sh
+              subPath: ks-endpoints.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: OS_SVC_ENDPOINT
+              value: {{ $osServiceEndPoint | quote }}
+            - name: OS_SERVICE_NAME
+              value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+            - name: OS_SERVICE_TYPE
+              value: {{ $osServiceType | quote }}
+            - name: OS_SERVICE_ENDPOINT
+              value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-endpoints-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/magnum/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl b/charts/magnum/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
new file mode 100644
index 0000000..a109e3c
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
@@ -0,0 +1,124 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksServiceJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }
+
+{{- define "helm-toolkit.manifests.job_ks_service" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_service" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_service.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-service" }}
+{{ tuple $envAll "ks_service" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "ks-service" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_service" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_service" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+        - name: {{ printf "%s-%s" $osServiceType "ks-service-registration" | quote }}
+          image: {{ $envAll.Values.images.tags.ks_service }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-service.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-service-sh
+              mountPath: /tmp/ks-service.sh
+              subPath: ks-service.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: OS_SERVICE_NAME
+              value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+            - name: OS_SERVICE_TYPE
+              value: {{ $osServiceType | quote }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-service-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/magnum/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/charts/magnum/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
new file mode 100644
index 0000000..905eb71
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone user management.
+# It can be used in charts dict created similar to the following:
+# {- $ksUserJob := dict "envAll" . "serviceName" "senlin" }
+# { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }
+
+{{/*
+  # To enable PodSecuritycontext (PodSecurityContext/v1) define the below in values.yaml:
+  # example:
+  #  values: |
+  #    pod:
+  #      security_context:
+  #        ks_user:
+  #          pod:
+  #            runAsUser: 65534
+  # To enable Container SecurityContext(SecurityContext/v1) for ks-user container define the values:
+  # example:
+  #   values: |
+  #     pod:
+  #       security_context:
+  #         ks_user:
+  #           container:
+  #             ks-user:
+  #               runAsUser: 65534
+  #               readOnlyRootFilesystem: true
+  #               allowPrivilegeEscalation: false
+*/}}
+
+{{- define "helm-toolkit.manifests.job_ks_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_user" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_user.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "ks-user" }}
+{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceUserPretty "ks-user" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+{{ dict "envAll" $envAll "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: ks-user
+          image: {{ $envAll.Values.images.tags.ks_user }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ks_user" "container" "ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-user.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-user-sh
+              mountPath: /tmp/ks-user.sh
+              subPath: ks-user.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: SERVICE_OS_SERVICE_NAME
+              value: {{ $serviceName | quote }}
+{{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: SERVICE_OS_ROLES
+            {{- $serviceOsRoles := index $envAll.Values.endpoints.identity.auth $serviceUser "role" }}
+            {{- if kindIs "slice" $serviceOsRoles }}
+              value: {{ include "helm-toolkit.utils.joinListWithComma" $serviceOsRoles | quote }}
+            {{- else }}
+              value: {{ $serviceOsRoles | quote }}
+            {{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-user-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/charts/magnum/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
new file mode 100644
index 0000000..6982064
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
@@ -0,0 +1,129 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.manifests.job_rabbit_init" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
+{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceUserPretty "rabbit-init" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "rabbit_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "rabbit_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: rabbit-init
+          image: {{ $envAll.Values.images.tags.rabbit_init | quote }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.rabbit_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/rabbit-init.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: rabbit-init-sh
+              mountPath: /tmp/rabbit-init.sh
+              subPath: rabbit-init.sh
+              readOnly: true
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+          env:
+          - name: RABBITMQ_ADMIN_CONNECTION
+            valueFrom:
+              secretKeyRef:
+                name: {{ $envAll.Values.secrets.oslo_messaging.admin }}
+                key: RABBITMQ_CONNECTION
+          - name: RABBITMQ_USER_CONNECTION
+            valueFrom:
+              secretKeyRef:
+                name: {{ index $envAll.Values.secrets.oslo_messaging $serviceName }}
+                key: RABBITMQ_CONNECTION
+{{- if $envAll.Values.conf.rabbitmq }}
+          - name: RABBITMQ_AUXILIARY_CONFIGURATION
+            value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates (ne $tlsSecret "") }}
+          - name: RABBITMQ_X509
+            value: "REQUIRE X509"
+          - name: USER_CERT_PATH
+            value: {{ $tlsPath | quote }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: rabbit-init-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl b/charts/magnum/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
new file mode 100644
index 0000000..29cb993
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
@@ -0,0 +1,147 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for linking an s3 bucket to an s3 user.
+# It can be used in charts dict created similar to the following:
+# {- $s3BucketJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3BucketJob | include "helm-toolkit.manifests.job_s3_bucket" }
+
+{{- define "helm-toolkit.manifests.job_s3_bucket" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+{{- $s3Bucket := index . "s3Bucket" | default $serviceName }}
+{{- $tlsCertificateSecret := index . "tlsCertificateSecret" -}}
+{{- $tlsCertificatePath := index . "tlsCertificatePath" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-bucket" }}
+{{ tuple $envAll "s3_bucket" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "s3-bucket" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "s3_bucket" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "s3_bucket" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: s3-bucket
+          image: {{ $envAll.Values.images.tags.s3_bucket }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_bucket | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/create-s3-bucket.sh
+          env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: s3-bucket-sh
+              mountPath: /tmp/create-s3-bucket.sh
+              subPath: create-s3-bucket.sh
+              readOnly: true
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: ceph.conf
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+            - name: {{ $tlsCertificateSecret }}
+              mountPath: {{ $tlsCertificatePath }}
+              subPath: ca.crt
+              readOnly: true
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: s3-bucket-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etcceph
+          emptyDir: {}
+        - name: ceph-etc
+          configMap:
+            name: {{ $configMapCeph | quote }}
+            defaultMode: 0444
+        {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+        - name: ceph-keyring
+          secret:
+            secretName: pvc-ceph-client-key
+        {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+        - name: {{ $tlsCertificateSecret }}
+          secret:
+            secretName: {{ $tlsCertificateSecret }}
+            defaultMode: 292
+{{- end }}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl b/charts/magnum/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
new file mode 100644
index 0000000..50d9af5
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
@@ -0,0 +1,159 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for s3 user management.
+# It can be used in charts dict created similar to the following:
+# {- $s3UserJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3UserJob | include "helm-toolkit.manifests.job_s3_user" }
+
+{{- define "helm-toolkit.manifests.job_s3_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-user" }}
+{{ tuple $envAll "s3_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "s3-user" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook-delete-policy": before-hook-creation
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "s3_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "s3_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: ceph-keyring-placement
+          image: {{ $envAll.Values.images.tags.ceph_key_placement }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+          command:
+            - /tmp/ceph-admin-keyring.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-keyring-sh
+              mountPath: /tmp/ceph-admin-keyring.sh
+              subPath: ceph-admin-keyring.sh
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+      containers:
+        - name: s3-user
+          image: {{ $envAll.Values.images.tags.s3_user }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/create-s3-user.sh
+          env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+            - name: RGW_HOST
+              value: {{ tuple "ceph_object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: create-s3-user-sh
+              mountPath: /tmp/create-s3-user.sh
+              subPath: create-s3-user.sh
+              readOnly: true
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: ceph.conf
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: create-s3-user-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: ceph-keyring-sh
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+        - name: etcceph
+          emptyDir: {}
+        - name: ceph-etc
+          configMap:
+            name: {{ $configMapCeph | quote }}
+            defaultMode: 0444
+        {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+        - name: ceph-keyring
+          secret:
+            secretName: pvc-ceph-client-key
+        {{ end }}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl b/charts/magnum/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
new file mode 100644
index 0000000..0906df4
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
@@ -0,0 +1,119 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for the image repo sync jobs.
+# It can be used in charts dict created similar to the following:
+# {- $imageRepoSyncJob := dict "envAll" . "serviceName" "prometheus" -}
+# { $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }
+
+{{- define "helm-toolkit.manifests.job_image_repo_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "image-repo-sync" }}
+{{ tuple $envAll "image_repo_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "image-repo-sync" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook-delete-policy": before-hook-creation
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "image_repo_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+      containers:
+        - name: image-repo-sync
+{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: LOCAL_REPO
+              value: "{{ tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+            - name: IMAGE_SYNC_LIST
+              value: "{{ include "helm-toolkit.utils.image_sync_list" $envAll }}"
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/image-repo-sync.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: bootstrap-sh
+              mountPath: /tmp/image-repo-sync.sh
+              subPath: image-repo-sync.sh
+              readOnly: true
+            - name: docker-socket
+              mountPath: /var/run/docker.sock
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: bootstrap-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: docker-socket
+          hostPath:
+            path: /var/run/docker.sock
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/magnum/charts/helm-toolkit/templates/manifests/_network_policy.tpl b/charts/magnum/charts/helm-toolkit/templates/manifests/_network_policy.tpl
new file mode 100644
index 0000000..405197a
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/manifests/_network_policy.tpl
@@ -0,0 +1,238 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a network policy manifest for services.
+values: |
+  endpoints:
+    kube_dns:
+      namespace: kube-system
+      name: kubernetes-dns
+      hosts:
+        default: kube-dns
+      host_fqdn_override:
+        default: null
+      path:
+        default: null
+      scheme: http
+      port:
+        dns_tcp:
+          default: 53
+        dns:
+          default: 53
+          protocol: UDP
+  network_policy:
+    myLabel:
+      podSelector:
+        matchLabels:
+          component: api
+      ingress:
+      - from:
+        - podSelector:
+            matchLabels:
+              application: keystone
+        ports:
+        - protocol: TCP
+          port: 80
+      egress:
+      - to:
+        - namespaceSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+usage: |
+  {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+  {{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}
+return: |
+  ---
+  apiVersion: networking.k8s.io/v1
+  kind: NetworkPolicy
+  metadata:
+    name: RELEASE-NAME
+    namespace: NAMESPACE
+  spec:
+    policyTypes:
+      - Ingress
+      - Egress
+    podSelector:
+      matchLabels:
+        application: myLabel
+        component: api
+    ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            application: keystone
+      ports:
+      - protocol: TCP
+        port: 80
+    egress:
+      - to:
+        - podSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+  ---
+  apiVersion: networking.k8s.io/v1
+  kind: NetworkPolicy
+  metadata:
+    name: RELEASE-NAME
+    namespace: NAMESPACE
+  spec:
+    policyTypes:
+      - Ingress
+      - Egress
+    podSelector:
+      matchLabels:
+        application: myApp
+        component: myComp
+    ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            application: keystone
+      ports:
+      - protocol: TCP
+        port: 80
+    egress:
+      - to:
+        - podSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+*/}}
+
+{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $name := index . "name" -}}
+{{- $labels := index . "labels" | default nil -}}
+{{- $label := index . "key" | default (index . "label") -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ $label | replace "_" "-" }}-netpol
+  namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+  policyTypes:
+{{- $is_egress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_egress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
+    - Egress
+{{ end -}}
+{{- $is_ingress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_ingress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
+    - Ingress
+{{ end -}}
+{{- end }}
+  podSelector:
+    matchLabels:
+{{- if empty $labels }}
+      {{ $name }}: {{ $label }}
+{{- else }}
+{{ range $k, $v := $labels }}
+      {{ $k }}: {{ $v }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
+{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
+{{ index $envAll.Values.network_policy $label "podSelector" "matchLabels" | toYaml | indent 6 }}
+{{ end }}
+{{ end }}
+{{ end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+  egress:
+{{- range $key, $value := $envAll.Values.endpoints }}
+{{- if kindIs "map" $value }}
+{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }}
+    - to:
+{{- if index $value "namespace" }}
+      - namespaceSelector:
+          matchLabels:
+            name: {{ index $value "namespace" }}
+{{- else if index $value "hosts" }}
+{{- $defaultValue := index $value "hosts" "internal" }}
+{{- if hasKey (index $value "hosts") "internal" }}
+{{- $a := split "-" $defaultValue }}
+      - podSelector:
+          matchLabels:
+            application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- else }}
+{{- $defaultValue := index $value "hosts" "default" }}
+{{- $a := split "-" $defaultValue }}
+      - podSelector:
+          matchLabels:
+            application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- end }}
+{{- end }}
+{{- if index $value "port" }}
+      ports:
+{{- range $k, $v := index $value "port" }}
+{{- if $k }}
+{{- range $pk, $pv := $v }}
+{{- if and $pv (ne $pk "protocol") }}
+      - port: {{ $pv }}
+        protocol: {{ $v.protocol | default "TCP" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if index $envAll.Values.network_policy $label "egress" }}
+{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if index $envAll.Values.network_policy $label "ingress" }}
+  ingress:
+{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/magnum/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl b/charts/magnum/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
new file mode 100644
index 0000000..4854bb1
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
@@ -0,0 +1,93 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a authenticating a registry with a secret
+examples:
+  - values: |
+      secrets:
+        oci_image_registry:
+          {{ $serviceName }}: {{ $keyName }}
+      endpoints:
+        oci_image_registry:
+          name: oci-image-registry
+          auth:
+            enabled: true
+             {{ $serviceName }}:
+                name: {{ $userName }}
+                password: {{ $password }}
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: {{ $secretName }}
+    type: kubernetes.io/dockerconfigjson
+    data:
+      dockerconfigjson: {{ $dockerAuth }}
+
+  - values: |
+      secrets:
+        oci_image_registry:
+          {{ $serviceName }}: {{ $keyName }}
+      endpoints:
+        oci_image_registry:
+          name: oci-image-registry
+          auth:
+            enabled: true
+             {{ $serviceName }}:
+                name: {{ $userName }}
+                password: {{ $password }}
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: {{ $secretName }}
+    type: kubernetes.io/dockerconfigjson
+    data:
+      dockerconfigjson: {{ $dockerAuth }}
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_registry" }}
+{{- $envAll := index . "envAll" }}
+{{- $registryUser := index . "registryUser" }}
+{{- $secretName := index $envAll.Values.secrets.oci_image_registry $registryUser }}
+{{- $registryHost := tuple "oci_image_registry" "internal" $envAll | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{/*
+We only use "host:port" when port is non-null, else just use "host"
+*/}}
+{{- $registryPort := "" }}
+{{- $port := $envAll.Values.endpoints.oci_image_registry.port.registry.default }}
+{{- if $port }}
+{{- $port = tuple "oci_image_registry" "internal" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $registryPort = printf ":%s" $port }}
+{{- end }}
+{{- $imageCredentials := index $envAll.Values.endpoints.oci_image_registry.auth $registryUser }}
+{{- $dockerAuthToken := printf "%s:%s" $imageCredentials.username $imageCredentials.password | b64enc }}
+{{- $dockerAuth := printf "{\"auths\": {\"%s%s\": {\"auth\": \"%s\"}}}" $registryHost $registryPort $dockerAuthToken | b64enc }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ $dockerAuth }}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl b/charts/magnum/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
new file mode 100644
index 0000000..24a7045
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a services public tls secret
+examples:
+  - values: |
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        key_manager:
+          host_fqdn_override:
+            public:
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: barbican-tls-public
+    type: kubernetes.io/tls
+    data:
+      tls.key: Rk9PLUtFWQo=
+      tls.crt: Rk9PLUNSVAoKRk9PLUNBX0NSVAo=
+
+  - values: |
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        key_manager:
+          host_fqdn_override:
+            public:
+              tls:
+                crt: |
+                  FOO-CRT
+                  FOO-INTERMEDIATE_CRT
+                  FOO-CA_CRT
+                key: |
+                  FOO-KEY
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: barbican-tls-public
+    type: kubernetes.io/tls
+    data:
+      tls.key: Rk9PLUtFWQo=
+      tls.crt: Rk9PLUNSVApGT08tSU5URVJNRURJQVRFX0NSVApGT08tQ0FfQ1JUCg==
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_ingress_tls" }}
+{{- $envAll := index . "envAll" }}
+{{- $endpoint := index . "endpoint" | default "public" }}
+{{- $backendServiceType := index . "backendServiceType" }}
+{{- $backendService := index . "backendService" | default "api" }}
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and $endpointHost.tls.key $endpointHost.tls.crt }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ index $envAll.Values.secrets.tls ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+type: kubernetes.io/tls
+data:
+  tls.key: {{ $endpointHost.tls.key | b64enc }}
+{{- if $endpointHost.tls.ca }}
+  tls.crt: {{ list $endpointHost.tls.crt $endpointHost.tls.ca | join "\n" | b64enc }}
+{{- else }}
+  tls.crt: {{ $endpointHost.tls.crt | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/magnum/charts/helm-toolkit/templates/manifests/_service-ingress.tpl b/charts/magnum/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
new file mode 100644
index 0000000..d2e7c0e
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
@@ -0,0 +1,43 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for a services ingress rules.
+# It can be used in charts dict created similar to the following:
+# {- $serviceIngressOpts := dict "envAll" . "backendServiceType" "key-manager" -}
+# { $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }
+
+{{- define "helm-toolkit.manifests.service_ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+  ports:
+    - name: http
+      port: 80
+    - name: https
+      port: 443
+  selector:
+    app: ingress-api
+{{- if index $envAll.Values.endpoints $backendServiceType }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" "ingress" }}
+  clusterIP: {{ (index $envAll.Values.endpoints $backendServiceType "ip" "ingress") }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/magnum/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl b/charts/magnum/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
new file mode 100644
index 0000000..bf1465b
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_bucket" }}
+#!/bin/bash
+set -e
+CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST"
+if [ "$RGW_PROTO" = "http" ]; then
+  CONNECTION_ARGS+=" --no-ssl"
+else
+  CONNECTION_ARGS+=" --no-check-certificate"
+fi
+ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
+USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY"
+function check_rgw_s3_bucket () {
+  s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS ls s3://$S3_BUCKET
+}
+function create_rgw_s3_bucket () {
+  s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS mb s3://$S3_BUCKET
+}
+function modify_bucket_acl () {
+  s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME
+}
+check_rgw_s3_bucket || ( create_rgw_s3_bucket && modify_bucket_acl )
+{{- end }}
\ No newline at end of file
diff --git a/charts/magnum/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl b/charts/magnum/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
new file mode 100644
index 0000000..08796d2
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
@@ -0,0 +1,65 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_user" }}
+#!/bin/bash
+set -e
+function create_s3_user () {
+  echo "Creating s3 user and key pair"
+  radosgw-admin user create \
+    --uid=${S3_USERNAME} \
+    --display-name=${S3_USERNAME} \
+    --key-type=s3 \
+    --access-key ${S3_ACCESS_KEY} \
+    --secret-key ${S3_SECRET_KEY}
+}
+function update_s3_user () {
+  # Retrieve old access keys, if they exist
+  old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \
+    | jq -r '.keys[].access_key' || true)
+
+  if [[ ! -z ${old_access_keys} ]]; then
+    for access_key in $old_access_keys; do
+      # If current access key is the same as the key supplied, do nothing.
+      if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then
+        echo "Current user and key pair exists."
+        continue
+      else
+        # If keys differ, remove previous key
+        radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key
+      fi
+    done
+  fi
+
+  # Perform one more additional check to account for scenarios where multiple
+  # key pairs existed previously, but one existing key was the supplied key
+  current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \
+    | jq -r '.keys[].access_key' || true)
+
+  # If the supplied key does not exist, modify the user
+  if [[ -z ${current_access_key} ]]; then
+    # Modify user with new access and secret keys
+    echo "Updating existing user's key pair"
+    radosgw-admin user modify \
+      --uid=${S3_USERNAME}\
+      --access-key ${S3_ACCESS_KEY} \
+      --secret-key ${S3_SECRET_KEY}
+  fi
+}
+user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true)
+if [[ -z ${user_exists} ]]; then
+  create_s3_user
+else
+  update_s3_user
+fi
+{{- end }}
\ No newline at end of file
diff --git a/charts/magnum/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl b/charts/magnum/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
new file mode 100644
index 0000000..03884fa
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_drop" }}
+#!/usr/bin/env python
+
+# Drops db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+    import ConfigParser
+    PARSER_OPTS = {}
+except ImportError:
+    import configparser as ConfigParser
+    PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Drop')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+    db_connection = os.environ['ROOT_DB_CONNECTION']
+    logger.info('Got DB root connection')
+else:
+    logger.critical('environment variable ROOT_DB_CONNECTION not set')
+    sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+    ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+                        'key': '/etc/mysql/certs/tls.key',
+                        'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+    os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+    if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+        os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+        sys.exit(1)
+    if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+        os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+        sys.exit(1)
+    try:
+        config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+        logger.info("Using {0} as db config source".format(os_conf))
+        config.read(os_conf)
+        logger.info("Trying to load db config from {0}:{1}".format(
+            os_conf_section, os_conf_key))
+        user_db_conn = config.get(os_conf_section, os_conf_key)
+        logger.info("Got config from {0}".format(os_conf))
+    except:
+        logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+        raise
+elif "DB_CONNECTION" in os.environ:
+    user_db_conn = os.environ['DB_CONNECTION']
+    logger.info('Got config from DB_CONNECTION env var')
+else:
+    logger.critical('Could not get db config, either from config file or env var')
+    sys.exit(1)
+
+# Root DB engine
+try:
+    root_engine_full = create_engine(db_connection)
+    root_user = root_engine_full.url.username
+    root_password = root_engine_full.url.password
+    drivername = root_engine_full.url.drivername
+    host = root_engine_full.url.host
+    port = root_engine_full.url.port
+    root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+    root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+    connection = root_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+        host, port, root_user))
+except:
+    logger.critical('Could not connect to database as root user')
+    raise
+
+# User DB engine
+try:
+    user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+    # Get our user data out of the user_engine
+    database = user_engine.url.database
+    user = user_engine.url.username
+    password = user_engine.url.password
+    logger.info('Got user db config')
+except:
+    logger.critical('Could not get user database config')
+    raise
+
+# Delete DB
+try:
+    root_engine.execute("DROP DATABASE IF EXISTS {0}".format(database))
+    logger.info("Deleted database {0}".format(database))
+except:
+    logger.critical("Could not drop database {0}".format(database))
+    raise
+
+# Delete DB User
+try:
+    root_engine.execute("DROP USER IF EXISTS {0}".format(user))
+    logger.info("Deleted user {0}".format(user))
+except:
+    logger.critical("Could not delete user {0}".format(user))
+    raise
+
+logger.info('Finished DB Management')
+{{- end }}
diff --git a/charts/magnum/charts/helm-toolkit/templates/scripts/_db-init.py.tpl b/charts/magnum/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
new file mode 100644
index 0000000..4294d40
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_init" }}
+#!/usr/bin/env python
+
+# Creates db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+    import ConfigParser
+    PARSER_OPTS = {}
+except ImportError:
+    import configparser as ConfigParser
+    PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Init')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+    db_connection = os.environ['ROOT_DB_CONNECTION']
+    logger.info('Got DB root connection')
+else:
+    logger.critical('environment variable ROOT_DB_CONNECTION not set')
+    sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+    ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+                'key': '/etc/mysql/certs/tls.key',
+                'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+    os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+    if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+        os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+        sys.exit(1)
+    if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+        os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+        sys.exit(1)
+    try:
+        config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+        logger.info("Using {0} as db config source".format(os_conf))
+        config.read(os_conf)
+        logger.info("Trying to load db config from {0}:{1}".format(
+            os_conf_section, os_conf_key))
+        user_db_conn = config.get(os_conf_section, os_conf_key)
+        logger.info("Got config from {0}".format(os_conf))
+    except:
+        logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+        raise
+elif "DB_CONNECTION" in os.environ:
+    user_db_conn = os.environ['DB_CONNECTION']
+    logger.info('Got config from DB_CONNECTION env var')
+else:
+    logger.critical('Could not get db config, either from config file or env var')
+    sys.exit(1)
+
+# Root DB engine
+try:
+    root_engine_full = create_engine(db_connection)
+    root_user = root_engine_full.url.username
+    root_password = root_engine_full.url.password
+    drivername = root_engine_full.url.drivername
+    host = root_engine_full.url.host
+    port = root_engine_full.url.port
+    root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+    root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+    connection = root_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+        host, port, root_user))
+except:
+    logger.critical('Could not connect to database as root user')
+    raise
+
+# User DB engine
+try:
+    user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+    # Get our user data out of the user_engine
+    database = user_engine.url.database
+    user = user_engine.url.username
+    password = user_engine.url.password
+    logger.info('Got user db config')
+except:
+    logger.critical('Could not get user database config')
+    raise
+
+# Create DB
+try:
+    root_engine.execute("CREATE DATABASE IF NOT EXISTS {0}".format(database))
+    logger.info("Created database {0}".format(database))
+except:
+    logger.critical("Could not create database {0}".format(database))
+    raise
+
+# Create DB User
+try:
+    root_engine.execute(
+        "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\' {3}".format(
+            database, user, password, mysql_x509))
+    logger.info("Created user {0} for {1}".format(user, database))
+except:
+    logger.critical("Could not create user {0} for {1}".format(user, database))
+    raise
+
+# Test connection
+try:
+    connection = user_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1}/{2} as {3}".format(
+        host, port, database, user))
+except:
+    logger.critical('Could not connect to database as user')
+    raise
+
+logger.info('Finished DB Management')
+{{- end }}
diff --git a/charts/magnum/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl b/charts/magnum/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
new file mode 100644
index 0000000..4d7dfaa
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
@@ -0,0 +1,69 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "helm-toolkit.scripts.pg_db_init" }}
+#!/bin/bash
+set -ex
+
+if [[ ! -v DB_HOST ]]; then
+    echo "environment variable DB_HOST not set"
+    exit 1
+elif [[ ! -v DB_ADMIN_USER ]]; then
+    echo "environment variable DB_ADMIN_USER not set"
+    exit 1
+elif [[ ! -v PGPASSWORD ]]; then
+    echo "environment variable PGPASSWORD not set"
+    exit 1
+elif [[ ! -v DB_PORT ]]; then
+    echo "environment variable DB_PORT not set"
+    exit 1
+elif [[ ! -v USER_DB_USER ]]; then
+    echo "environment variable USER_DB_USER not set"
+    exit 1
+elif [[ ! -v USER_DB_PASS ]]; then
+    echo "environment variable USER_DB_PASS not set"
+    exit 1
+elif [[ ! -v USER_DB_NAME ]]; then
+    echo "environment variable USER_DB_NAME not set"
+    exit 1
+else
+    echo "Got DB connection info"
+fi
+
+pgsql_superuser_cmd () {
+  DB_COMMAND="$1"
+  if [[ ! -z $2 ]]; then
+      EXPORT PGDATABASE=$2
+  fi
+  /usr/bin/psql \
+  -h ${DB_HOST} \
+  -p ${DB_PORT} \
+  -U ${DB_ADMIN_USER} \
+  --command="${DB_COMMAND}"
+}
+
+#create db
+pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q "(1 row)" || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME"
+
+#create db user
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | grep -q "(1 row)" || \
+    pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';"
+
+#Set password everytime. This is required for cases when we would want password rotation to take effect and set the updated password for a user.
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} with password '$USER_DB_PASS'"
+
+#give permissions to user
+pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;"
+
+#revoke all privileges from PUBLIC role
+pgsql_superuser_cmd "REVOKE ALL ON DATABASE $USER_DB_NAME FROM PUBLIC;"
+{{- end }}
diff --git a/charts/magnum/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl b/charts/magnum/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
new file mode 100644
index 0000000..e41abe3
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
@@ -0,0 +1,24 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.image_repo_sync" }}
+#!/bin/sh
+set -ex
+
+IFS=','; for IMAGE in ${IMAGE_SYNC_LIST}; do
+  docker pull ${IMAGE}
+  docker tag ${IMAGE} ${LOCAL_REPO}/${IMAGE}
+  docker push ${LOCAL_REPO}/${IMAGE}
+done
+{{- end }}
diff --git a/charts/magnum/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl b/charts/magnum/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
new file mode 100644
index 0000000..8755cd5
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
@@ -0,0 +1,72 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_domain_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Manage domain
+SERVICE_OS_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Service Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+    "${SERVICE_OS_DOMAIN_NAME}")
+
+# Display domain
+openstack domain show "${SERVICE_OS_DOMAIN_ID}"
+
+# Manage user
+SERVICE_OS_USERID=$(openstack user create --or-show --enable -f value -c id \
+    --domain="${SERVICE_OS_DOMAIN_ID}" \
+    --description "Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+    --password="${SERVICE_OS_PASSWORD}" \
+    "${SERVICE_OS_USERNAME}")
+
+# Manage user password (we do this to ensure the password is updated if required)
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${SERVICE_OS_USERID}"
+
+# Display user
+openstack user show "${SERVICE_OS_USERID}"
+
+# Manage role
+SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \
+    "${SERVICE_OS_ROLE}" || openstack role create -f value -c id \
+    "${SERVICE_OS_ROLE}" )
+
+# Manage user role assignment
+openstack role add \
+          --domain="${SERVICE_OS_DOMAIN_ID}" \
+          --user="${SERVICE_OS_USERID}" \
+          --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+          "${SERVICE_OS_ROLE_ID}"
+
+# Display user role assignment
+openstack role assignment list \
+          --role="${SERVICE_OS_ROLE_ID}" \
+          --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+          --user="${SERVICE_OS_USERID}"
+{{- end }}
diff --git a/charts/magnum/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl b/charts/magnum/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
new file mode 100644
index 0000000..e400bcd
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
@@ -0,0 +1,79 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_endpoints" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Get Service ID
+OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+                  grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+                    sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+# Get Endpoint ID if it exists
+OS_ENDPOINT_ID=$( openstack endpoint list  -f csv --quote none | \
+                  grep "^[a-z0-9]*,${OS_REGION_NAME},${OS_SERVICE_NAME},${OS_SERVICE_TYPE},True,${OS_SVC_ENDPOINT}," | \
+                  awk -F ',' '{ print $1 }' )
+
+# Making sure only a single endpoint exists for a service within a region
+if [ "$(echo $OS_ENDPOINT_ID | wc -w)" -gt "1" ]; then
+  echo "More than one endpoint found, cleaning up"
+  for ENDPOINT_ID in $OS_ENDPOINT_ID; do
+    openstack endpoint delete ${ENDPOINT_ID}
+  done
+  unset OS_ENDPOINT_ID
+fi
+
+# Determine if Endpoint needs updated
+if [[ ${OS_ENDPOINT_ID} ]]; then
+  OS_ENDPOINT_URL_CURRENT=$(openstack endpoint show ${OS_ENDPOINT_ID} -f value -c url)
+  if [ "${OS_ENDPOINT_URL_CURRENT}" == "${OS_SERVICE_ENDPOINT}" ]; then
+    echo "Endpoints Match: no action required"
+    OS_ENDPOINT_UPDATE="False"
+  else
+    echo "Endpoints Dont Match: removing existing entries"
+    openstack endpoint delete ${OS_ENDPOINT_ID}
+    OS_ENDPOINT_UPDATE="True"
+  fi
+else
+  OS_ENDPOINT_UPDATE="True"
+fi
+
+# Update Endpoint if required
+if [[ "${OS_ENDPOINT_UPDATE}" == "True" ]]; then
+  OS_ENDPOINT_ID=$( openstack endpoint create -f value -c id \
+    --region="${OS_REGION_NAME}" \
+    "${OS_SERVICE_ID}" \
+    ${OS_SVC_ENDPOINT} \
+    "${OS_SERVICE_ENDPOINT}" )
+fi
+
+# Display the Endpoint
+openstack endpoint show ${OS_ENDPOINT_ID}
+{{- end }}
diff --git a/charts/magnum/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl b/charts/magnum/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
new file mode 100644
index 0000000..8356b36
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_service" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Service boilerplate description
+OS_SERVICE_DESC="${OS_REGION_NAME}: ${OS_SERVICE_NAME} (${OS_SERVICE_TYPE}) service"
+
+# Get Service ID if it exists
+unset OS_SERVICE_ID
+
+# FIXME - There seems to be an issue once in a while where the
+# openstack service list fails and encounters an error message such as:
+#   Unable to establish connection to
+#   https://keystone-api.openstack.svc.cluster.local:5000/v3/auth/tokens:
+#   ('Connection aborted.', OSError("(104, 'ECONNRESET')",))
+# During an upgrade scenario, this would cause the OS_SERVICE_ID to be blank
+# and it would attempt to create a new service when it was not needed.
+# This duplciate service would sometimes be used by other services such as
+# Horizon and would give an 'Invalid Service Catalog' error.
+# This loop allows for a 'retry' of the openstack service list in an
+# attempt to get the service list as expected if it does ecounter an error.
+# This loop and recheck can be reverted once the underlying issue is addressed.
+
+# If OS_SERVICE_ID is blank then wait a few seconds to give it
+# additional time and try again
+for i in $(seq 3)
+do
+  OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+                   grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+                   sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+  # If the service was found, go ahead and exit successfully.
+  if [[ -n "${OS_SERVICE_ID}" ]]; then
+    exit 0
+  fi
+
+  sleep 2
+done
+
+# If we've reached this point and a Service ID was not found,
+# then create the service
+OS_SERVICE_ID=$(openstack service create -f value -c id \
+                --name="${OS_SERVICE_NAME}" \
+                --description "${OS_SERVICE_DESC}" \
+                --enable \
+                "${OS_SERVICE_TYPE}")
+{{- end }}
diff --git a/charts/magnum/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl b/charts/magnum/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
new file mode 100644
index 0000000..b45f798
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+shopt -s nocasematch
+
+if [[ "${SERVICE_OS_PROJECT_DOMAIN_NAME}" == "Default" ]]
+then
+  PROJECT_DOMAIN_ID="default"
+else
+  # Manage project domain
+  PROJECT_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
+    "${SERVICE_OS_PROJECT_DOMAIN_NAME}")
+fi
+
+if [[ "${SERVICE_OS_USER_DOMAIN_NAME}" == "Default" ]]
+then
+  USER_DOMAIN_ID="default"
+else
+  # Manage user domain
+  USER_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}" \
+    "${SERVICE_OS_USER_DOMAIN_NAME}")
+fi
+
+shopt -u nocasematch
+
+# Manage user project
+USER_PROJECT_DESC="Service Project for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+USER_PROJECT_ID=$(openstack project create --or-show --enable -f value -c id \
+    --domain="${PROJECT_DOMAIN_ID}" \
+    --description="${USER_PROJECT_DESC}" \
+    "${SERVICE_OS_PROJECT_NAME}");
+
+# Manage user
+USER_DESC="Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}/${SERVICE_OS_SERVICE_NAME}"
+USER_ID=$(openstack user create --or-show --enable -f value -c id \
+    --domain="${USER_DOMAIN_ID}" \
+    --project-domain="${PROJECT_DOMAIN_ID}" \
+    --project="${USER_PROJECT_ID}" \
+    --description="${USER_DESC}" \
+    "${SERVICE_OS_USERNAME}");
+
+# Manage user password (we do this in a seperate step to ensure the password is updated if required)
+set +x
+echo "Setting user password via: openstack user set --password=xxxxxxx ${USER_ID}"
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${USER_ID}"
+set -x
+
+function ks_assign_user_role () {
+  if [[ "$SERVICE_OS_ROLE" == "admin" ]]
+  then
+    USER_ROLE_ID="$SERVICE_OS_ROLE"
+  else
+    USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${SERVICE_OS_ROLE}");
+  fi
+
+  # Manage user role assignment
+  openstack role add \
+      --user="${USER_ID}" \
+      --user-domain="${USER_DOMAIN_ID}" \
+      --project-domain="${PROJECT_DOMAIN_ID}" \
+      --project="${USER_PROJECT_ID}" \
+      "${USER_ROLE_ID}"
+}
+
+# Manage user service role
+IFS=','
+for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
+  ks_assign_user_role
+done
+
+# Manage user member role
+: ${MEMBER_OS_ROLE:="member"}
+export USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
+    "${MEMBER_OS_ROLE}");
+ks_assign_user_role
+{{- end }}
diff --git a/charts/magnum/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/magnum/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
new file mode 100644
index 0000000..3739f95
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rabbit_init" }}
+#!/bin/bash
+set -e
+# Extract connection details
+RABBIT_HOSTNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $1}')
+RABBIT_PORT=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $2}')
+
+# Extract Admin User creadential
+RABBITMQ_ADMIN_USERNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $4}')
+RABBITMQ_ADMIN_PASSWORD=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $5}')
+
+# Extract User creadential
+RABBITMQ_USERNAME=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $4}')
+RABBITMQ_PASSWORD=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $5}')
+
+# Extract User vHost
+RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $3}')
+# Resolve vHost to / if no value is set
+RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
+
+function rabbitmqadmin_cli () {
+  if [ -n "$RABBITMQ_X509" ]
+  then
+    rabbitmqadmin \
+      --ssl \
+      --ssl-disable-hostname-verification \
+      --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
+      --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
+      --ssl-key-file="${USER_CERT_PATH}/tls.key" \
+      --host="${RABBIT_HOSTNAME}" \
+      --port="${RABBIT_PORT}" \
+      --username="${RABBITMQ_ADMIN_USERNAME}" \
+      --password="${RABBITMQ_ADMIN_PASSWORD}" \
+      ${@}
+  else
+    rabbitmqadmin \
+      --host="${RABBIT_HOSTNAME}" \
+      --port="${RABBIT_PORT}" \
+      --username="${RABBITMQ_ADMIN_USERNAME}" \
+      --password="${RABBITMQ_ADMIN_PASSWORD}" \
+      ${@}
+  fi
+}
+
+echo "Managing: User: ${RABBITMQ_USERNAME}"
+rabbitmqadmin_cli \
+  declare user \
+  name="${RABBITMQ_USERNAME}" \
+  password="${RABBITMQ_PASSWORD}" \
+  tags="user"
+
+echo "Deleting Guest User"
+rabbitmqadmin_cli \
+  delete user \
+  name="guest" || true
+
+if [ "${RABBITMQ_VHOST}" != "/" ]
+then
+  echo "Managing: vHost: ${RABBITMQ_VHOST}"
+  rabbitmqadmin_cli \
+    declare vhost \
+    name="${RABBITMQ_VHOST}"
+else
+  echo "Skipping root vHost declaration: vHost: ${RABBITMQ_VHOST}"
+fi
+
+echo "Managing: Permissions: ${RABBITMQ_USERNAME} on ${RABBITMQ_VHOST}"
+rabbitmqadmin_cli \
+  declare permission \
+  vhost="${RABBITMQ_VHOST}" \
+  user="${RABBITMQ_USERNAME}" \
+  configure=".*" \
+  write=".*" \
+  read=".*"
+
+if [ ! -z "$RABBITMQ_AUXILIARY_CONFIGURATION" ]
+then
+  echo "Applying additional configuration"
+  echo "${RABBITMQ_AUXILIARY_CONFIGURATION}" > /tmp/rmq_definitions.json
+  rabbitmqadmin_cli import /tmp/rmq_definitions.json
+fi
+
+{{- end }}
diff --git a/charts/magnum/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/charts/magnum/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
new file mode 100644
index 0000000..c08d320
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
@@ -0,0 +1,88 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rally_test" -}}
+#!/bin/bash
+set -ex
+{{- $rallyTests := index . 0 }}
+
+: "${RALLY_ENV_NAME:="openstack-helm"}"
+: "${OS_INTERFACE:="public"}"
+: "${RALLY_CLEANUP:="true"}"
+
+if [ "x$RALLY_CLEANUP" == "xtrue" ]; then
+  function rally_cleanup {
+    openstack user delete \
+        --domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
+        "${SERVICE_OS_USERNAME}"
+{{ $rallyTests.clean_up | default "" | indent 4 }}
+  }
+  trap rally_cleanup EXIT
+fi
+
+function create_or_update_db () {
+  revisionResults=$(rally db revision)
+  if [ $revisionResults = "None"  ]
+  then
+    rally db create
+  else
+    rally db upgrade
+  fi
+}
+
+create_or_update_db
+
+cat > /tmp/rally-config.json << EOF
+{
+    "openstack": {
+        "auth_url": "${OS_AUTH_URL}",
+        "region_name": "${OS_REGION_NAME}",
+        "endpoint_type": "${OS_INTERFACE}",
+        "admin": {
+            "username": "${OS_USERNAME}",
+            "password": "${OS_PASSWORD}",
+            "user_domain_name": "${OS_USER_DOMAIN_NAME}",
+            "project_name": "${OS_PROJECT_NAME}",
+            "project_domain_name": "${OS_PROJECT_DOMAIN_NAME}"
+        },
+        "users": [
+            {
+                "username": "${SERVICE_OS_USERNAME}",
+                "password": "${SERVICE_OS_PASSWORD}",
+                "project_name": "${SERVICE_OS_PROJECT_NAME}",
+                "user_domain_name": "${SERVICE_OS_USER_DOMAIN_NAME}",
+                "project_domain_name": "${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+            }
+        ],
+        "https_insecure": false,
+        "https_cacert": "${OS_CACERT}"
+    }
+}
+EOF
+rally deployment create --file /tmp/rally-config.json --name "${RALLY_ENV_NAME}"
+rm -f /tmp/rally-config.json
+rally deployment use "${RALLY_ENV_NAME}"
+rally deployment check
+{{- if $rallyTests.run_tempest }}
+rally verify create-verifier --name "${RALLY_ENV_NAME}-tempest" --type tempest
+SERVICE_TYPE="$(rally deployment check | grep "${RALLY_ENV_NAME}" | awk -F \| '{print $3}' | tr -d ' ' | tr -d '\n')"
+rally verify start --pattern "tempest.api.${SERVICE_TYPE}*"
+rally verify delete-verifier --id "${RALLY_ENV_NAME}-tempest" --force
+{{- end }}
+rally task validate /etc/rally/rally_tests.yaml
+rally task start /etc/rally/rally_tests.yaml
+rally task sla-check
+rally env cleanup
+rally deployment destroy --deployment "${RALLY_ENV_NAME}"
+{{- end }}
diff --git a/charts/magnum/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/magnum/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
new file mode 100644
index 0000000..687851e
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -0,0 +1,571 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.backup_main" }}
+#!/bin/bash
+
+# This file contains a database backup framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+#   source /tmp/backup_main.sh
+#
+# Then the script should call the main backup function (backup_databases):
+#   backup_databases [scope]
+#       [scope] is an optional parameter, defaulted to "all". If only one specific
+#               database is required to be backed up then this parameter will
+#               contain the name of the database; otherwise all are backed up.
+#
+#       The framework will require the following variables to be exported:
+#
+#         export DB_NAMESPACE          Namespace where the database(s) reside
+#         export DB_NAME               Name of the database system
+#         export LOCAL_DAYS_TO_KEEP    Number of days to keep the local backups
+#         export REMOTE_DAYS_TO_KEEP   Number of days to keep the remote backups
+#         export ARCHIVE_DIR           Local location where the backup tarballs should
+#                                      be stored. (full directory path)
+#         export BACK_UP_MODE          Determines the mode of backup taken.
+#         export REMOTE_BACKUP_ENABLED "true" if remote backup enabled; false
+#                                      otherwise
+#         export CONTAINER_NAME        Name of the container on the RGW to store
+#                                      the backup tarball.
+#         export STORAGE_POLICY        Name of the storage policy defined on the
+#                                      RGW which is intended to store backups.
+#         RGW access variables:
+#           export OS_REGION_NAME          Name of the region the RGW resides in
+#           export OS_AUTH_URL             Keystone URL associated with the RGW
+#           export OS_PROJECT_NAME         Name of the project associated with the
+#                                          keystone user
+#           export OS_USERNAME             Name of the keystone user
+#           export OS_PASSWORD             Password of the keystone user
+#           export OS_USER_DOMAIN_NAME     Keystone domain the project belongs to
+#           export OS_PROJECT_DOMAIN_NAME  Keystone domain the user belongs to
+#           export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+#           export REMOTE_BACKUP_RETRIES   Number of retries to send backup to remote
+#                                          in case of any temporary failures.
+#           export MIN_DELAY_SEND_REMOTE   Minimum seconds to delay before sending backup
+#                                          to remote to stagger backups being sent to RGW
+#           export MAX_DELAY_SEND_REMOTE   Maximum seconds to delay before sending backup
+#                                          to remote to stagger backups being sent to RGW.
+#                                          A random number between min and max delay is generated
+#                                          to set the delay.
+#
+# The database-specific functions that need to be implemented are:
+#   dump_databases_to_directory <directory> <err_logfile> [scope]
+#       where:
+#         <directory>   is the full directory path to dump the database files
+#                       into. This is a temporary directory for this backup only.
+#         <err_logfile> is the full directory path where error logs are to be
+#                       written by the application.
+#         [scope]       set to "all" if all databases are to be backed up; or
+#                       set to the name of a specific database to be backed up.
+#                       This optional parameter is defaulted to "all".
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to dump the database file(s) to the specified
+#       directory path. If this function completes successfully (returns 0), the
+#       framework will automatically tar/zip the files in that directory and
+#       name the tarball appropriately according to the proper conventions.
+#
+#   verify_databases_backup_archives [scope]
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to verify the database backup archives. If this function
+#        completes successfully (returns 0), the
+#       framework will automatically starts remote backup upload.
+#
+#
+# The functions in this file will take care of:
+#   1) Calling "dump_databases_to_directory" and then compressing the files,
+#      naming the tarball properly, and then storing it locally at the specified
+#      local directory.
+#   2) Sending the tarball built to the remote gateway, to be stored in the
+#      container configured to store database backups.
+#   3) Removing local backup tarballs which are older than the number of days
+#      specified by the "LOCAL_DAYS_TO_KEEP" variable.
+#   4) Removing remote backup tarballs (from the remote gateway) which are older
+#      than the number of days specified by the "REMOTE_DAYS_TO_KEEP" variable.
+#
+
+# Note: not using set -e in this script because more elaborate error handling
+# is needed.
+
+log_backup_error_exit() {
+  MSG=$1
+  ERRCODE=${2:-0}
+  log ERROR "${DB_NAME}_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+  rm -f $ERR_LOG_FILE
+  rm -rf $TMP_DIR
+  exit $ERRCODE
+}
+
+log_verify_backup_exit() {
+  MSG=$1
+  ERRCODE=${2:-0}
+  log ERROR "${DB_NAME}_verify_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+  rm -f $ERR_LOG_FILE
+  # rm -rf $TMP_DIR
+  exit $ERRCODE
+}
+
+
+log() {
+  #Log message to a file or stdout
+  #TODO: This can be convert into mail alert of alert send to a monitoring system
+  #Params: $1 log level
+  #Params: $2 service
+  #Params: $3 message
+  #Params: $4 Destination
+  LEVEL=$1
+  SERVICE=$2
+  MSG=$3
+  DEST=$4
+  DATE=$(date +"%m-%d-%y %H:%M:%S")
+  if [[ -z "$DEST" ]]; then
+    echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}"
+  else
+    echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}" >>$DEST
+  fi
+}
+
+# Generate a random number between MIN_DELAY_SEND_REMOTE and
+# MAX_DELAY_SEND_REMOTE
+random_number() {
+  diff=$((${MAX_DELAY_SEND_REMOTE} - ${MIN_DELAY_SEND_REMOTE} + 1))
+  echo $(($(( ${RANDOM} % ${diff} )) + ${MIN_DELAY_SEND_REMOTE} ))
+}
+
+#Get the day delta since the archive file backup
+seconds_difference() {
+  ARCHIVE_DATE=$( date --date="$1" +%s )
+  if [[ $? -ne 0 ]]; then
+    SECOND_DELTA=0
+  fi
+  CURRENT_DATE=$( date +%s )
+  SECOND_DELTA=$(($CURRENT_DATE-$ARCHIVE_DATE))
+  if [[ "$SECOND_DELTA" -lt 0 ]]; then
+    SECOND_DELTA=0
+  fi
+  echo $SECOND_DELTA
+}
+
+# Send the specified tarball file at the specified filepath to the
+# remote gateway.
+send_to_remote_server() {
+  FILEPATH=$1
+  FILE=$2
+
+  # Grab the list of containers on the remote site
+  RESULT=$(openstack container list 2>&1)
+
+  if [[ $? -eq 0 ]]; then
+    echo $RESULT | grep $CONTAINER_NAME
+    if [[ $? -ne 0 ]]; then
+      # Find the swift URL from the keystone endpoint list
+      SWIFT_URL=$(openstack catalog show object-store -c endpoints | grep public | awk '{print $4}')
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to get object-store enpoints from keystone catalog."
+        return 2
+      fi
+
+      # Get a token from keystone
+      TOKEN=$(openstack token issue -f value -c id)
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to get  keystone token."
+        return 2
+      fi
+
+      # Create the container
+      RES_FILE=$(mktemp -p /tmp)
+      curl -g -i -X PUT ${SWIFT_URL}/${CONTAINER_NAME} \
+           -H "X-Auth-Token: ${TOKEN}" \
+           -H "X-Storage-Policy: ${STORAGE_POLICY}" 2>&1 > $RES_FILE
+
+      if [[ $? -ne 0 || $(grep "HTTP" $RES_FILE | awk '{print $2}') -ge 400 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to create container ${CONTAINER_NAME}"
+        cat $RES_FILE
+        rm -f $RES_FILE
+        return 2
+      fi
+      rm -f $RES_FILE
+
+      swift stat $CONTAINER_NAME
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to retrieve container ${CONTAINER_NAME} details after creation."
+        return 2
+      fi
+    fi
+  else
+    echo $RESULT | grep -E "HTTP 401|HTTP 403"
+    if [[ $? -eq 0 ]]; then
+      log ERROR "${DB_NAME}_backup" "Access denied by keystone: ${RESULT}"
+      return 1
+    else
+      echo $RESULT | grep -E "ConnectionError|Failed to discover available identity versions|Service Unavailable|HTTP 50"
+      if [[ $? -eq 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Could not reach the RGW: ${RESULT}"
+        # In this case, keystone or the site/node may be temporarily down.
+        # Return slightly different error code so the calling code can retry
+        return 2
+      else
+        log ERROR "${DB_NAME}_backup" "Could not get container list: ${RESULT}"
+        return 1
+      fi
+    fi
+  fi
+
+  # Create an object to store the file
+  openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
+    return 2
+  fi
+
+  openstack object show $CONTAINER_NAME $FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
+    return 2
+  fi
+
+  # Calculation remote file SHA256 hash
+  REMOTE_FILE=$(mktemp -p /tmp)
+  openstack object save --file ${REMOTE_FILE} $CONTAINER_NAME $FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Unable to save container object $FILE for SHA256 hash verification."
+    rm -rf ${REMOTE_FILE}
+    return 1
+  fi
+
+  # Remote backup verification
+  SHA256_REMOTE=$(cat ${REMOTE_FILE} | sha256sum | awk '{print $1}')
+  SHA256_LOCAL=$(cat ${FILEPATH}/${FILE} | sha256sum | awk '{print $1}')
+  log INFO "${DB_NAME}_backup" "Calculated SHA256 hashes for the file $FILE in container $CONTAINER_NAME."
+  log INFO "${DB_NAME}_backup" "Local SHA256 hash is ${SHA256_LOCAL}."
+  log INFO "${DB_NAME}_backup" "Remote SHA256 hash is ${SHA256_REMOTE}."
+  if [[ "${SHA256_LOCAL}" == "${SHA256_REMOTE}" ]]; then
+      log INFO "${DB_NAME}_backup" "The local backup & remote backup SHA256 hash values are matching for file $FILE in container $CONTAINER_NAME."
+  else
+      log ERROR "${DB_NAME}_backup" "Mismatch between the local backup & remote backup sha256 hash values"
+      return 1
+  fi
+  rm -rf ${REMOTE_FILE}
+
+  log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
+  return 0
+}
+
+# This function attempts to store the built tarball to the remote gateway,
+# with built-in logic to handle error cases like:
+#   1) Network connectivity issues - retries for a specific amount of time
+#   2) Authorization errors - immediately logs an ERROR and returns
+store_backup_remotely() {
+  FILEPATH=$1
+  FILE=$2
+
+  count=1
+  while [[ ${count} -le ${REMOTE_BACKUP_RETRIES} ]]; do
+    # Store the new archive to the remote backup storage facility.
+    send_to_remote_server $FILEPATH $FILE
+    SEND_RESULT="$?"
+
+    # Check if successful
+    if [[ $SEND_RESULT -eq 0 ]]; then
+      log INFO "${DB_NAME}_backup" "Backup file ${FILE} successfully sent to RGW."
+      return 0
+    elif [[ $SEND_RESULT -eq 2 ]]; then
+      if [[ ${count} -ge ${REMOTE_BACKUP_RETRIES} ]]; then
+        log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW in " \
+        "${REMOTE_BACKUP_RETRIES} retries. Errors encountered. Exiting."
+        break
+      fi
+      # Temporary failure occurred. We need to retry
+      log WARN "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to RGW due to connection issue."
+      sleep_time=$(random_number)
+      log INFO "${DB_NAME}_backup" "Sleeping ${sleep_time} seconds waiting for RGW to become available..."
+      sleep ${sleep_time}
+      log INFO "${DB_NAME}_backup" "Retrying..."
+    else
+      log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW. Errors encountered. Exiting."
+      break
+    fi
+
+    # Increment the counter
+    count=$((count+1))
+  done
+
+  return 1
+}
+
+
+function get_archive_date(){
+# get_archive_date function returns correct archive date
+# for different formats of archives' names
+# the old one: <database name>.<namespace>.<table name | all>.<date-time>.tar.gz
+# the new one: <database name>.<namespace>.<table name | all>.<backup mode>.<date-time>.tar.gz
+  local A_FILE="$1"
+  awk -F. '{print $(NF-2)}' <<< ${A_FILE} | tr -d "Z"
+}
+
+# This function takes a list of archives' names as an input
+# and creates a hash table where keys are number of seconds
+# between current date and archive date (see seconds_difference),
+# and values are space separated archives' names
+#
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 1265342678 | "tmp/mysql.backup.auto.2022-02-14T10:13:13Z.tar.gz"                                                     |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 2346254257 | "tmp/mysql.backup.auto.2022-02-11T10:13:13Z.tar.gz tmp/mysql.backup.manual.2022-02-11T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# <...>
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 6253434567 | "tmp/mysql.backup.manual.2022-02-01T10:13:13Z.tar.gz"                                                   |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# We will use the explained above data stracture to cover rare, but still
+# possible case, when we have several backups of the same date. E.g.
+# one manual, and one automatic.
+
+declare -A fileTable
+create_hash_table() {
+unset fileTable
+fileList=$@
+  for ARCHIVE_FILE in ${fileList}; do
+    # Creating index, we will round given ARCHIVE_DATE to the midnight (00:00:00)
+    # to take in account a possibility, that we can have more than one scheduled
+    # backup per day.
+    ARCHIVE_DATE=$(get_archive_date ${ARCHIVE_FILE})
+    ARCHIVE_DATE=$(date --date=${ARCHIVE_DATE} +%D)
+    log INFO "${DB_NAME}_backup" "Archive date to build index: ${ARCHIVE_DATE}"
+    INDEX=$(seconds_difference ${ARCHIVE_DATE})
+    if [[ -z fileTable[${INDEX}] ]]; then
+      fileTable[${INDEX}]=${ARCHIVE_FILE}
+    else
+      fileTable[${INDEX}]="${fileTable[${INDEX}]} ${ARCHIVE_FILE}"
+    fi
+    echo "INDEX: ${INDEX} VALUE:  ${fileTable[${INDEX}]}"
+ done
+}
+
+function get_backup_prefix() {
+# Create list of all possible prefixes in a format:
+# <db_name>.<namespace> to cover a possible situation
+# when different backups of different databases and/or
+# namespaces share the same local or remote storage.
+  ALL_FILES=($@)
+  PREFIXES=()
+  for fname in ${ALL_FILES[@]}; do
+    prefix=$(basename ${fname} | cut -d'.' -f1,2 )
+    for ((i=0; i<${#PREFIXES[@]}; i++)) do
+      if [[ ${PREFIXES[${i}]} == ${prefix} ]]; then
+        prefix=""
+        break
+      fi
+    done
+    if [[ ! -z ${prefix} ]]; then
+        PREFIXES+=(${prefix})
+    fi
+  done
+}
+
+remove_old_local_archives() {
+  SECONDS_TO_KEEP=$(( $((${LOCAL_DAYS_TO_KEEP}))*86400))
+  log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+  if [[ -d $ARCHIVE_DIR ]]; then
+    count=0
+    # We iterate over the hash table, checking the delta in seconds (hash keys),
+    # and minimum number of backups we must have in place. List of keys has to be sorted.
+    for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+      ARCHIVE_FILE=${fileTable[${INDEX}]}
+      if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
+        ((count++))
+        log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
+      else
+        log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
+          rm -f ${ARCHIVE_FILE}
+          if [[ $? -ne 0 ]]; then
+            # Log error but don't exit so we can finish the script
+            # because at this point we haven't sent backup to RGW yet
+            log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
+          fi
+      fi
+    done
+  else
+    log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
+  fi
+}
+
+prepare_list_of_remote_backups() {
+  BACKUP_FILES=$(mktemp -p /tmp)
+  DB_BACKUP_FILES=$(mktemp -p /tmp)
+  openstack object list $CONTAINER_NAME > $BACKUP_FILES
+  if [[ $? -ne 0 ]]; then
+    log_backup_error_exit \
+      "Failed to cleanup remote backup. Could not obtain a list of current backup files in the RGW"
+  fi
+  # Filter out other types of backup files
+  cat $BACKUP_FILES | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $DB_BACKUP_FILES
+}
+
+# The logic implemented with this function is absolutely similar
+# to the function remove_old_local_archives (see above)
+remove_old_remote_archives() {
+  count=0
+  SECONDS_TO_KEEP=$((${REMOTE_DAYS_TO_KEEP}*86400))
+  log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+  for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+    ARCHIVE_FILE=${fileTable[${INDEX}]}
+    if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then
+      ((count++))
+      log INFO "${DB_NAME}_backup" "Keeping remote backup(s) ${ARCHIVE_FILE}."
+    else
+      log INFO "${DB_NAME}_backup" "Deleting remote backup(s) ${ARCHIVE_FILE} from the RGW"
+      openstack object delete ${CONTAINER_NAME} ${ARCHIVE_FILE} ||  log WARN "${DB_NAME}_backup" \
+        "Failed to cleanup remote backup. Cannot delete container object ${ARCHIVE_FILE}"
+    fi
+  done
+
+  # Cleanup now that we're done.
+  for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
+    if [[ -f ${fd} ]]; then
+      rm -f ${fd}
+    else
+      log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+    fi
+  done
+}
+
+# Main function to backup the databases. Calling functions need to supply:
+#  1) The directory where the final backup will be kept after it is compressed.
+#  2) A temporary directory to use for placing database files to be compressed.
+#     Note: this temp directory will be deleted after backup is done.
+#  3) Optional "scope" parameter indicating what database to back up. Defaults
+#     to "all".
+backup_databases() {
+  SCOPE=${1:-"all"}
+
+  # Create necessary directories if they do not exist.
+  mkdir -p $ARCHIVE_DIR || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create directory ${ARCHIVE_DIR}!"
+  export TMP_DIR=$(mktemp -d) || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create temp directory!"
+
+  # Create temporary log file
+  export ERR_LOG_FILE=$(mktemp -p /tmp) || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create log file!"
+
+  # It is expected that this function will dump the database files to the $TMP_DIR
+  dump_databases_to_directory $TMP_DIR $ERR_LOG_FILE $SCOPE
+
+  # If successful, there should be at least one file in the TMP_DIR
+  if [[ $? -ne 0 || $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+    cat $ERR_LOG_FILE
+    log_backup_error_exit "Backup of the ${DB_NAME} database failed and needs attention."
+  fi
+
+  log INFO "${DB_NAME}_backup" "Databases dumped successfully. Creating tarball..."
+
+  NOW=$(date +"%Y-%m-%dT%H:%M:%SZ")
+  if [[ -z "${BACK_UP_MODE}" ]]; then
+    TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${NOW}.tar.gz"
+  else
+    TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${BACK_UP_MODE}.${NOW}.tar.gz"
+  fi
+
+  cd $TMP_DIR || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot change to directory $TMP_DIR"
+
+  #Archive the current database files
+  tar zcvf $ARCHIVE_DIR/$TARBALL_FILE *
+  if [[ $? -ne 0 ]]; then
+    log_backup_error_exit \
+      "Backup ${DB_NAME} to local file system failed. Backup tarball could not be created."
+  fi
+
+  # Get the size of the file
+  ARCHIVE_SIZE=$(ls -l $ARCHIVE_DIR/$TARBALL_FILE | awk '{print $5}')
+
+  log INFO "${DB_NAME}_backup" "Tarball $TARBALL_FILE created successfully."
+
+  cd $ARCHIVE_DIR
+
+  #Only delete the old archive after a successful archive
+  export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
+  if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
+    get_backup_prefix $(ls -1 ${ARCHIVE_DIR}/*.gz)
+    for ((i=0; i<${#PREFIXES[@]}; i++)); do
+      echo "Working with prefix: ${PREFIXES[i]}"
+      create_hash_table $(ls -1 ${ARCHIVE_DIR}/${PREFIXES[i]}*.gz)
+      remove_old_local_archives
+    done
+  fi
+
+  # Local backup verification process
+
+  # It is expected that this function will verify the database backup files
+  if verify_databases_backup_archives ${SCOPE}; then
+    log INFO "${DB_NAME}_backup_verify" "Databases backup verified successfully. Uploading verified backups to remote location..."
+  else
+    # If successful, there should be at least one file in the TMP_DIR
+    if [[ $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+      cat $ERR_LOG_FILE
+    fi
+    log_verify_backup_exit "Verify of the ${DB_NAME} database backup failed and needs attention."
+    exit 1
+  fi
+
+  # Remove the temporary directory and files as they are no longer needed.
+  rm -rf $TMP_DIR
+  rm -f $ERR_LOG_FILE
+
+  # Remote backup
+  REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
+  if $REMOTE_BACKUP; then
+    # Remove Quotes from the constants which were added due to reading
+    # from secret.
+    export REMOTE_BACKUP_RETRIES=$(echo $REMOTE_BACKUP_RETRIES | sed 's/"//g')
+    export MIN_DELAY_SEND_REMOTE=$(echo $MIN_DELAY_SEND_REMOTE | sed 's/"//g')
+    export MAX_DELAY_SEND_REMOTE=$(echo $MAX_DELAY_SEND_REMOTE | sed 's/"//g')
+    export REMOTE_DAYS_TO_KEEP=$(echo $REMOTE_DAYS_TO_KEEP | sed 's/"//g')
+
+    store_backup_remotely $ARCHIVE_DIR $TARBALL_FILE
+    if [[ $? -ne 0 ]]; then
+      # This error should print first, then print the summary as the last
+      # thing that the user sees in the output.
+      log ERROR "${DB_NAME}_backup" "Backup ${TARBALL_FILE} could not be sent to remote RGW."
+      echo "=================================================================="
+      echo "Local backup successful, but could not send to remote RGW."
+      echo "Backup archive name: $TARBALL_FILE"
+      echo "Backup archive size: $ARCHIVE_SIZE"
+      echo "=================================================================="
+      # Because the local backup was successful, exit with 0 so the pod will not
+      # continue to restart and fill the disk with more backups. The ERRORs are
+      # logged and alerting system should catch those errors and flag the operator.
+      exit 0
+    fi
+
+    #Only delete the old archive after a successful archive
+    if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then
+      prepare_list_of_remote_backups
+      get_backup_prefix $(cat $DB_BACKUP_FILES)
+      for ((i=0; i<${#PREFIXES[@]}; i++)); do
+        echo "Working with prefix: ${PREFIXES[i]}"
+        create_hash_table $(cat ${DB_BACKUP_FILES} | grep ${PREFIXES[i]})
+        remove_old_remote_archives
+      done
+    fi
+
+    echo "=================================================================="
+    echo "Local backup and backup to remote RGW successful!"
+    echo "Backup archive name: $TARBALL_FILE"
+    echo "Backup archive size: $ARCHIVE_SIZE"
+    echo "=================================================================="
+  else
+    # Remote backup is not enabled. This is ok; at least we have a local backup.
+    log INFO "${DB_NAME}_backup" "Skipping remote backup, as it is not enabled."
+
+    echo "=================================================================="
+    echo "Local backup successful!"
+    echo "Backup archive name: $TARBALL_FILE"
+    echo "Backup archive size: $ARCHIVE_SIZE"
+    echo "=================================================================="
+  fi
+}
+{{- end }}
\ No newline at end of file
diff --git a/charts/magnum/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl b/charts/magnum/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
new file mode 100644
index 0000000..093dd2c
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
@@ -0,0 +1,616 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.restore_main" }}
+#!/bin/bash
+
+# This file contains a database restore framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+#   source /tmp/restore_main.sh
+#
+# Then the script should call the main CLI function (cli_main):
+#   cli_main <arg_list>
+#       where:
+#         <arg_list>    is the list of arguments given by the user
+#
+#       The framework will require the following variables to be exported:
+#
+#         export DB_NAMESPACE        Namespace where the database(s) reside
+#         export DB_NAME             Name of the database system
+#         export ARCHIVE_DIR         Location where the backup tarballs should
+#                                    be stored. (full directory path which
+#                                    should already exist)
+#         export CONTAINER_NAME      Name of the container on the RGW where
+#                                    the backups are stored.
+#         RGW access variables:
+#           export OS_REGION_NAME          Name of the region the RGW resides in
+#           export OS_AUTH_URL             Keystone URL associated with the RGW
+#           export OS_PROJECT_NAME         Name of the project associated with the
+#                                          keystone user
+#           export OS_USERNAME             Name of the keystone user
+#           export OS_PASSWORD             Password of the keystone user
+#           export OS_USER_DOMAIN_NAME     Keystone domain the project belongs to
+#           export OS_PROJECT_DOMAIN_NAME  Keystone domain the user belongs to
+#           export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# The database-specific functions that need to be implemented are:
+#   get_databases
+#       where:
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <db_file>     is the full path of the file to write the database
+#                       names into, one database per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the database names from the
+#       uncompressed database files found in the given "tmp_dir", which is
+#       the staging directory for database restore. The database names
+#       should be written to the given "db_file", one database name per
+#       line.
+#
+#   get_tables
+#         <db_name>     is the name of the database to get the tables from
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <table_file>  is the full path of the file to write the table
+#                       names into, one table per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the table names from the given
+#       database, found in the uncompressed database files located in the
+#       given "tmp_dir", which is the staging directory for database restore.
+#       The table names should be written to the given "table_file", one
+#       table name per line.
+#
+#   get_rows
+#         <table_name>  is the name of the table to get the rows from
+#         <db_name>     is the name of the database the table resides in
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <rows_file>   is the full path of the file to write the table
+#                       row data into, one row (INSERT statement) per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the rows from the given table
+#       in the given database, found in the uncompressed database files
+#       located in the given "tmp_dir", which is the staging directory for
+#       database restore. The table rows should be written to the given
+#       "rows_file", one row (INSERT statement) per line.
+#
+#   get_schema
+#         <table_name>  is the name of the table to get the schema from
+#         <db_name>     is the name of the database the table resides in
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <schema_file> is the full path of the file to write the table
+#                       schema data into
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the schema from the given table
+#       in the given database, found in the uncompressed database files
+#       located in the given "tmp_dir", which is the staging directory for
+#       database restore. The table schema and related alterations and
+#       grant information should be written to the given "schema_file".
+#
+#   restore_single_db
+#       where:
+#         <db_name>     is the name of the database to be restored
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to restore the database given as "db_name"
+#       using the database files located in the "tmp_dir". The framework
+#       will delete the "tmp_dir" and the files in it after the restore is
+#       complete.
+#
+#   restore_all_dbs
+#       where:
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to restore all of the databases which
+#       are backed up in the database files located in the "tmp_dir". The
+#       framework will delete the "tmp_dir" and the files in it after the
+#       restore is complete.
+#
+# The functions in this file will take care of:
+#   1) The CLI parameter parsing for the arguments passed in by the user.
+#   2) The listing of either local or remote archive files at the request
+#      of the user.
+#   3) The retrieval/download of an archive file located either in the local
+#      file system or remotely stored on an RGW.
+#   4) Calling either "restore_single_db" or "restore_all_dbs" when the user
+#      chooses to restore a database or all databases.
+#   5) The framework will call "get_databases" when it needs a list of
+#      databases when the user requests a database list or when the user
+#      requests to restore a single database (to ensure it exists in the
+#      archive). Similarly, the framework will call "get_tables", "get_rows",
+#      or "get_schema" when it needs that data requested by the user.
+#
+
+usage() {
+  ret_val=$1
+  echo "Usage:"
+  echo "Restore command options"
+  echo "============================="
+  echo "help"
+  echo "list_archives [remote]"
+  echo "list_databases <archive_filename> [remote]"
+  echo "list_tables <archive_filename> <dbname> [remote]"
+  echo "list_rows <archive_filename> <dbname> <table_name> [remote]"
+  echo "list_schema <archive_filename> <dbname> <table_name> [remote]"
+  echo "restore <archive_filename> <db_specifier> [remote]"
+  echo "        where <db_specifier> = <dbname> | ALL"
+  echo "delete_archive <archive_filename> [remote]"
+  clean_and_exit $ret_val ""
+}
+
+#Exit cleanly with some message and return code
+clean_and_exit() {
+  RETCODE=$1
+  MSG=$2
+
+  # Clean/remove temporary directories/files
+  rm -rf $TMP_DIR
+  rm -f $RESULT_FILE
+
+  if [[ "x${MSG}" != "x" ]]; then
+    echo $MSG
+  fi
+  exit $RETCODE
+}
+
+determine_resulting_error_code() {
+  RESULT="$1"
+
+  echo ${RESULT} | grep "HTTP 404"
+  if [[ $? -eq 0 ]]; then
+    echo "Could not find the archive: ${RESULT}"
+    return 1
+  else
+    echo ${RESULT} | grep "HTTP 401"
+    if [[ $? -eq 0 ]]; then
+      echo "Could not access the archive: ${RESULT}"
+      return 1
+    else
+      echo ${RESULT} | grep "HTTP 503"
+      if [[ $? -eq 0 ]]; then
+        echo "RGW service is unavailable. ${RESULT}"
+        # In this case, the RGW may be temporarily down.
+        # Return slightly different error code so the calling code can retry
+        return 2
+      else
+        echo ${RESULT} | grep "ConnectionError"
+        if [[ $? -eq 0 ]]; then
+          echo "Could not reach the RGW: ${RESULT}"
+          # In this case, keystone or the site/node may be temporarily down.
+          # Return slightly different error code so the calling code can retry
+          return 2
+        else
+          echo "Archive ${ARCHIVE} could not be retrieved: ${RESULT}"
+          return 1
+        fi
+      fi
+    fi
+  fi
+  return 0
+}
+
+# Retrieve a list of archives from the RGW.
+retrieve_remote_listing() {
+  RESULT=$(openstack container show $CONTAINER_NAME 2>&1)
+  if [[ $? -eq 0 ]]; then
+    # Get the list, ensureing that we only pick up the right kind of backups from the
+    # requested namespace
+    openstack object list $CONTAINER_NAME | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $TMP_DIR/archive_list
+    if [[ $? -ne 0 ]]; then
+      echo "Container object listing could not be obtained."
+      return 1
+    else
+      echo "Archive listing successfully retrieved."
+    fi
+  else
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  fi
+  return 0
+}
+
+# Retrieve a single archive from the RGW.
+retrieve_remote_archive() {
+  ARCHIVE=$1
+
+  RESULT=$(openstack object save --file $TMP_DIR/$ARCHIVE $CONTAINER_NAME $ARCHIVE 2>&1)
+  if [[ $? -ne 0 ]]; then
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  else
+    echo "Archive $ARCHIVE successfully retrieved."
+  fi
+  return 0
+}
+
+# Delete an archive from the RGW.
+delete_remote_archive() {
+  ARCHIVE=$1
+
+  RESULT=$(openstack object delete ${CONTAINER_NAME} ${ARCHIVE} 2>&1)
+  if [[ $? -ne 0 ]]; then
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  else
+    echo "Archive ${ARCHIVE} successfully deleted."
+  fi
+  return 0
+}
+
+# Display all archives
+list_archives() {
+  REMOTE=$1
+
+  if [[ "x${REMOTE^^}" == "xREMOTE" ]]; then
+    retrieve_remote_listing
+    if [[ $? -eq 0 && -e $TMP_DIR/archive_list ]]; then
+      echo
+      echo "All Archives from RGW Data Store"
+      echo "=============================================="
+      cat $TMP_DIR/archive_list | sort
+      clean_and_exit 0 ""
+    else
+      clean_and_exit 1 "ERROR: Archives could not be retrieved from the RGW."
+    fi
+  elif [[ "x${REMOTE}" == "x" ]]; then
+    if [[ -d $ARCHIVE_DIR ]]; then
+      archives=$(find $ARCHIVE_DIR/ -iname "*.gz" -print | sort)
+      echo
+      echo "All Local Archives"
+      echo "=============================================="
+      for archive in $archives
+      do
+        echo $archive | cut -d '/' -f8-
+      done
+      clean_and_exit 0 ""
+    else
+      clean_and_exit 1 "ERROR: Local archive directory is not available."
+    fi
+  else
+    usage 1
+  fi
+}
+
+# Retrieve the archive from the desired location and decompress it into
+# the restore directory
+get_archive() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+
+  if [[ "x$REMOTE" == "xremote" ]]; then
+    echo "Retrieving archive ${ARCHIVE_FILE} from the remote RGW..."
+    retrieve_remote_archive $ARCHIVE_FILE
+    if [[ $? -ne 0 ]]; then
+      clean_and_exit 1 "ERROR: Could not retrieve remote archive: $ARCHIVE_FILE"
+    fi
+  elif [[ "x$REMOTE" == "x" ]]; then
+    if [[ -e $ARCHIVE_DIR/$ARCHIVE_FILE ]]; then
+      cp $ARCHIVE_DIR/$ARCHIVE_FILE $TMP_DIR/$ARCHIVE_FILE
+      if [[ $? -ne 0 ]]; then
+        clean_and_exit 1 "ERROR: Could not copy local archive to restore directory."
+      fi
+    else
+      clean_and_exit 1 "ERROR: Local archive file could not be found."
+    fi
+  else
+    usage 1
+  fi
+
+  echo "Decompressing archive $ARCHIVE_FILE..."
+  cd $TMP_DIR
+  tar zxvf - < $TMP_DIR/$ARCHIVE_FILE 1>/dev/null
+  if [[ $? -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Archive decompression failed."
+  fi
+}
+
+# Display all databases from an archive
+list_databases() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one database per line
+  get_databases $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve databases from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Databases in the $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Databases file missing. Could not list databases from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display all tables of a database from an archive
+list_tables() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  REMOTE=$3
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one table per line
+  get_tables $DATABASE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve tables for database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Tables in database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Tables file missing. Could not list tables of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display all rows of the given database table from an archive
+list_rows() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  TABLE=$3
+  REMOTE=$4
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one table per line
+  get_rows $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Rows in table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Rows file missing. Could not list rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display the schema information of the given database table from an archive
+list_schema() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  TABLE=$3
+  REMOTE=$4
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the schema information will be placed into
+  # the given schema file.
+  get_schema $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Schema for table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Schema file missing. Could not list schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Delete an archive
+delete_archive() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  if [[ "${WHERE}" == "remote" ]]; then
+    delete_remote_archive ${ARCHIVE_FILE}
+    if [[ $? -ne 0 ]]; then
+      clean_and_exit 1 "ERROR: Could not delete remote archive: ${ARCHIVE_FILE}"
+    fi
+  else # Local
+    if [[ -e ${ARCHIVE_DIR}/${ARCHIVE_FILE} ]]; then
+      rm -f ${ARCHIVE_DIR}/${ARCHIVE_FILE}
+      if [[ $? -ne 0 ]]; then
+        clean_and_exit 1 "ERROR: Could not delete local archive."
+      fi
+    else
+      clean_and_exit 1 "ERROR: Local archive file could not be found."
+    fi
+  fi
+
+  echo "Successfully deleted archive ${ARCHIVE_FILE} from ${WHERE} storage."
+}
+
+
+# Return 1 if the given database exists in the database file. 0 otherwise.
+database_exists() {
+  DB=$1
+
+  grep "${DB}" ${RESULT_FILE}
+  if [[ $? -eq 0 ]]; then
+    return 1
+  fi
+  return 0
+}
+
+# This is the main CLI interpreter function
+cli_main() {
+  ARGS=("$@")
+
+  # Create the ARCHIVE DIR if it's not already there.
+  mkdir -p $ARCHIVE_DIR
+
+  # Create temp directory for a staging area to decompress files into
+  export TMP_DIR=$(mktemp -d)
+
+  # Create a temp file for storing list of databases (if needed)
+  export RESULT_FILE=$(mktemp -p /tmp)
+
+  case "${ARGS[0]}" in
+    "help")
+      usage 0
+      ;;
+
+    "list_archives")
+      if [[ ${#ARGS[@]} -gt 2 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 1 ]]; then
+        list_archives
+      else
+        list_archives ${ARGS[1]}
+      fi
+      clean_and_exit 0
+      ;;
+
+    "list_databases")
+      if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 2 ]]; then
+        list_databases ${ARGS[1]}
+      else
+        list_databases ${ARGS[1]} ${ARGS[2]}
+      fi
+      ;;
+
+    "list_tables")
+      if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 3 ]]; then
+        list_tables ${ARGS[1]} ${ARGS[2]}
+      else
+        list_tables ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      fi
+      ;;
+
+    "list_rows")
+      if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      else
+        list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+      fi
+      ;;
+
+    "list_schema")
+      if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      else
+        list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+      fi
+      ;;
+
+    "restore")
+      REMOTE=""
+      if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        REMOTE=${ARGS[3]}
+      fi
+
+      ARCHIVE=${ARGS[1]}
+      DB_SPEC=${ARGS[2]}
+
+      #Get all the databases in that archive
+      get_archive $ARCHIVE $REMOTE
+
+      if [[ "$( echo $DB_SPEC | tr '[a-z]' '[A-Z]')" != "ALL" ]]; then
+        # Expectation is that the database listing will be put into
+        # the given file one database per line
+        get_databases $TMP_DIR $RESULT_FILE
+        if [[ "$?" -ne 0 ]]; then
+          clean_and_exit 1 "ERROR: Could not get the list of databases to restore."
+        fi
+
+        if [[ ! $DB_NAMESPACE == "kube-system" ]]; then
+          #check if the requested database is available in the archive
+          database_exists $DB_SPEC
+          if [[ $? -ne 1 ]]; then
+            clean_and_exit 1 "ERROR: Database ${DB_SPEC} does not exist."
+          fi
+        fi
+
+        echo "Restoring Database $DB_SPEC And Grants"
+        restore_single_db $DB_SPEC $TMP_DIR
+        if [[ "$?" -eq 0 ]]; then
+          echo "Single database restored successfully."
+        else
+          clean_and_exit 1 "ERROR: Single database restore failed."
+        fi
+        clean_and_exit 0 ""
+      else
+        echo "Restoring All The Databases. This could take a few minutes..."
+        restore_all_dbs $TMP_DIR
+        if [[ "$?" -eq 0 ]]; then
+          echo "All databases restored successfully."
+        else
+          clean_and_exit 1 "ERROR: Database restore failed."
+        fi
+        clean_and_exit 0 ""
+      fi
+      ;;
+    "delete_archive")
+      if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 2 ]]; then
+        delete_archive ${ARGS[1]}
+      else
+        delete_archive ${ARGS[1]} ${ARGS[2]}
+      fi
+      ;;
+    *)
+      usage 1
+      ;;
+  esac
+
+  clean_and_exit 0 ""
+}
+{{- end }}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_image.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_image.tpl
new file mode 100644
index 0000000..029c93d
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_image.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves an image reference to a string, and its pull policy
+values: |
+  images:
+    tags:
+      test_image: docker.io/port/test:version-foo
+      image_foo: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    pull_policy: IfNotPresent
+    local_registry:
+      active: true
+      exclude:
+        - image_foo
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    local_image_registry:
+      name: docker-registry
+      namespace: docker-registry
+      hosts:
+        default: localhost
+        internal: docker-registry
+        node: localhost
+      host_fqdn_override:
+        default: null
+      port:
+        registry:
+          node: 5000
+usage: |
+  {{ tuple . "test_image" | include "helm-toolkit.snippets.image" }}
+return: |
+  image: "localhost:5000/docker.io/port/test:version-foo"
+  imagePullPolicy: IfNotPresent
+*/}}
+
+{{- define "helm-toolkit.snippets.image" -}}
+{{- $envAll := index . 0 -}}
+{{- $image := index . 1 -}}
+{{- $imageTag := index $envAll.Values.images.tags $image -}}
+{{- if and ($envAll.Values.images.local_registry.active) (not (has $image $envAll.Values.images.local_registry.exclude )) -}}
+{{- $registryPrefix := printf "%s:%s" (tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup") (tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup") -}}
+image: {{ printf "%s/%s" $registryPrefix $imageTag | quote }}
+{{- else -}}
+image: {{ $imageTag | quote }}
+{{- end }}
+imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
new file mode 100644
index 0000000..2f209fe
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a set of container enviorment variables, equivlant to an openrc for
+  use with keystone based command line clients.
+values: |
+  secrets:
+    identity:
+      admin: example-keystone-admin
+usage: |
+  {{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin ) }}
+return: |
+  - name: OS_IDENTITY_API_VERSION
+    value: "3"
+  - name: OS_AUTH_URL
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_AUTH_URL
+  - name: OS_REGION_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_REGION_NAME
+  - name: OS_INTERFACE
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_INTERFACE
+  - name: OS_ENDPOINT_TYPE
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_INTERFACE
+  - name: OS_PROJECT_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PROJECT_DOMAIN_NAME
+  - name: OS_PROJECT_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PROJECT_NAME
+  - name: OS_USER_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_USER_DOMAIN_NAME
+  - name: OS_USERNAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_USERNAME
+  - name: OS_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PASSWORD
+  - name: OS_CACERT
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_CACERT
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }}
+{{- $useCA := .useCA -}}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: OS_IDENTITY_API_VERSION
+  value: "3"
+- name: OS_AUTH_URL
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_AUTH_URL
+- name: OS_REGION_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_REGION_NAME
+- name: OS_INTERFACE
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_INTERFACE
+- name: OS_ENDPOINT_TYPE
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_INTERFACE
+- name: OS_PROJECT_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_DOMAIN_NAME
+- name: OS_PROJECT_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_NAME
+- name: OS_USER_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USER_DOMAIN_NAME
+- name: OS_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USERNAME
+- name: OS_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PASSWORD
+- name: OS_DEFAULT_DOMAIN
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_DEFAULT_DOMAIN
+{{- if $useCA }}
+- name: OS_CACERT
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_CACERT
+{{- end }}
+{{- end }}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
new file mode 100644
index 0000000..f627657
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_secret_openrc" }}
+{{- $userClass := index . 0 -}}
+{{- $identityEndpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $userContext := index $context.Values.endpoints.identity.auth $userClass }}
+OS_AUTH_URL: {{ tuple "identity" $identityEndpoint "api" $context | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
+OS_REGION_NAME: {{ $userContext.region_name | b64enc }}
+OS_INTERFACE: {{ $userContext.interface | default "internal" | b64enc }}
+OS_PROJECT_DOMAIN_NAME: {{ $userContext.project_domain_name | b64enc }}
+OS_PROJECT_NAME: {{ $userContext.project_name | b64enc }}
+OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }}
+OS_USERNAME: {{ $userContext.username | b64enc }}
+OS_PASSWORD: {{ $userContext.password | b64enc }}
+OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }}
+{{- if $userContext.cacert }}
+OS_CACERT: {{ $userContext.cacert | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
new file mode 100644
index 0000000..648711b
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a set of container enviorment variables, for use with the keystone
+  user management jobs.
+values: |
+  secrets:
+    identity:
+      service_user: example-keystone-user
+usage: |
+  {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }}
+return: |
+  - name: SERVICE_OS_REGION_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_REGION_NAME
+  - name: SERVICE_OS_PROJECT_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PROJECT_DOMAIN_NAME
+  - name: SERVICE_OS_PROJECT_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PROJECT_NAME
+  - name: SERVICE_OS_USER_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_USER_DOMAIN_NAME
+  - name: SERVICE_OS_USERNAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_USERNAME
+  - name: SERVICE_OS_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PASSWORD
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_user_create_env_vars" }}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: SERVICE_OS_REGION_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_REGION_NAME
+- name: SERVICE_OS_PROJECT_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_DOMAIN_NAME
+- name: SERVICE_OS_PROJECT_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_NAME
+- name: SERVICE_OS_USER_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USER_DOMAIN_NAME
+- name: SERVICE_OS_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USERNAME
+- name: SERVICE_OS_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PASSWORD
+{{- end }}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
new file mode 100644
index 0000000..8ca1028
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders a configmap used for loading custom AppArmor profiles.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+      apparmor_profiles: |-
+        my_apparmor-v1.profile: |-
+          #include <tunables/global>
+          profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+            <profile_data>
+          }
+usage: |
+  {{ dict "envAll" . "component" "myComponent" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }}
+return: |
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: releaseName-myComponent-apparmor
+  namespace: myNamespace
+data:
+  my_apparmor-v1.profile: |-
+    #include <tunables/global>
+    profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+      <profile_data>
+    }
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_configmap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- $mapName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if $envAll.Values.conf.apparmor_profiles }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ $mapName }}
+  namespace: {{ $envAll.Release.Namespace }}
+data:
+{{ $envAll.Values.conf.apparmor_profiles | toYaml | indent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
new file mode 100644
index 0000000..f231fe6
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders the init container used for apparmor loading.
+values: |
+  images:
+    tags:
+      apparmor_loader: my-repo.io/apparmor-loader:1.0.0
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+      apparmor-loader: unconfined
+usage: |
+  {{ dict "envAll" . | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" }}
+return: |
+  - name: apparmor-loader
+    image: my-repo.io/apparmor-loader:1.0.0
+    args:
+      - /profiles
+    securityContext:
+      privileged: true
+    volumeMounts:
+      - name: sys
+        mountPath: /sys
+        readOnly: true
+      - name: includes
+        mountPath: /etc/apparmor.d
+        readOnly: true
+      - name: profiles
+        mountPath: /profiles
+        readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" -}}
+{{- $envAll := index . "envAll" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+- name: apparmor-loader
+  image: {{ $envAll.Values.images.tags.apparmor_loader }}
+  args:
+    - /profiles
+  securityContext:
+    privileged: true
+  volumeMounts:
+    - name: sys
+      mountPath: /sys
+      readOnly: true
+    - name: includes
+      mountPath: /etc/apparmor.d
+      readOnly: true
+    - name: profiles
+      mountPath: /profiles
+      readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
new file mode 100644
index 0000000..baebaa3
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders the volumes used by the apparmor loader.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+inputs: |
+  envAll: "Environment or Context."
+  component: "Name of the component used for the name of configMap."
+  requireSys: "Boolean. True if it needs the hostpath /sys in volumes."
+usage: |
+  {{ dict "envAll" . "component" "keystone" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" }}
+return: |
+- name: sys
+  hostPath:
+    path: /sys
+- name: includes
+  hostPath:
+    path: /etc/apparmor.d
+- name: profiles
+  configMap:
+    name: RELEASENAME-keystone-apparmor
+    defaultMode: 0555
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_volumes" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $requireSys := index . "requireSys" | default false -}}
+{{- $configName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- if $requireSys }}
+- name: sys
+  hostPath:
+    path: /sys
+{{- end }}
+- name: includes
+  hostPath:
+    path: /etc/apparmor.d
+- name: profiles
+  configMap:
+    name: {{ $configName | quote }}
+    defaultMode: 0555
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
new file mode 100644
index 0000000..4741497
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders securityContext for a Kubernetes container.
+  For container level, see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#securitycontext-v1-core
+examples:
+  - values: |
+      pod:
+        security_context:
+          myApp:
+            container:
+              foo:
+                runAsUser: 34356
+                readOnlyRootFilesystem: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" "container" "foo" | include "helm-toolkit.snippets.kubernetes_container_security_context" }}
+    return: |
+      securityContext:
+        readOnlyRootFilesystem: true
+        runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_container_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $container := index . "container" -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{- if hasKey ( index $envAll.Values.pod.security_context $application "container" ) $container }}
+securityContext:
+{{ toYaml ( index $envAll.Values.pod.security_context $application "container" $container ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
new file mode 100644
index 0000000..bed712e
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
@@ -0,0 +1,209 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a container definition for use with the kubernetes-entrypoint image
+  from stackanetes.
+values: |
+  images:
+    tags:
+      dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    pull_policy: IfNotPresent
+    local_registry:
+      active: true
+      exclude:
+        - dep_check
+  dependencies:
+    dynamic:
+      common:
+        local_image_registry:
+          jobs:
+            - calico-image-repo-sync
+          services:
+            - endpoint: node
+              service: local_image_registry
+    static:
+      calico_node:
+        services:
+          - endpoint: internal
+            service: etcd
+        custom_resources:
+          - apiVersion: argoproj.io/v1alpha1
+            kind: Workflow
+            name: wf-example
+            fields:
+              - key: "status.phase"
+                value: "Succeeded"
+  endpoints:
+    local_image_registry:
+      namespace: docker-registry
+      hosts:
+        default: localhost
+        node: localhost
+    etcd:
+      hosts:
+        default: etcd
+  # NOTE (portdirect): if the stanza, or a portion of it, under `pod` is not
+  # specififed then the following will be used as defaults:
+  #  pod:
+  #    security_context:
+  #      kubernetes_entrypoint:
+  #        container:
+  #          kubernetes_entrypoint:
+  #            runAsUser: 65534
+  #            readOnlyRootFilesystem: true
+  #            allowPrivilegeEscalation: false
+  pod:
+    security_context:
+      kubernetes_entrypoint:
+        container:
+          kubernetes_entrypoint:
+            runAsUser: 0
+            readOnlyRootFilesystem: false
+usage: |
+  {{ tuple . "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" }}
+return: |
+  - name: init
+    image: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+    imagePullPolicy: IfNotPresent
+    securityContext:
+      allowPrivilegeEscalation: false
+      readOnlyRootFilesystem: false
+      runAsUser: 0
+
+    env:
+      - name: POD_NAME
+        valueFrom:
+          fieldRef:
+            apiVersion: v1
+            fieldPath: metadata.name
+      - name: NAMESPACE
+        valueFrom:
+          fieldRef:
+            apiVersion: v1
+            fieldPath: metadata.namespace
+      - name: INTERFACE_NAME
+        value: eth0
+      - name: PATH
+        value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+      - name: DEPENDENCY_SERVICE
+        value: "default:etcd,docker-registry:localhost"
+      - name: DEPENDENCY_JOBS
+        value: "calico-image-repo-sync"
+      - name: DEPENDENCY_DAEMONSET
+        value: ""
+      - name: DEPENDENCY_CONTAINER
+        value: ""
+      - name: DEPENDENCY_POD_JSON
+        value: ""
+      - name: DEPENDENCY_CUSTOM_RESOURCE
+        value: "[{\"apiVersion\":\"argoproj.io/v1alpha1\",\"kind\":\"Workflow\",\"namespace\":\"default\",\"name\":\"wf-example\",\"fields\":[{\"key\":\"status.phase\",\"value\":\"Succeeded\"}]}]"
+    command:
+      - kubernetes-entrypoint
+    volumeMounts:
+      []
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" -}}
+Values:
+  pod:
+    security_context:
+      kubernetes_entrypoint:
+        container:
+          kubernetes_entrypoint:
+            runAsUser: 65534
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $mounts := index . 2 -}}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+
+{{- if and ($envAll.Values.manifests.job_rabbit_init) (hasKey $envAll.Values.dependencies "dynamic") -}}
+{{- if $envAll.Values.dependencies.dynamic.job_rabbit_init -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component) ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component)) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+{{- range $deps.custom_resources }}
+{{- $_ := set . "namespace" $envAll.Release.Namespace -}}
+{{- end -}}
+{{- $default_security_context := include "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" . | fromYaml }}
+{{- $patchedEnvAll := mergeOverwrite $default_security_context $envAll }}
+- name: init
+{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
+{{- dict "envAll" $patchedEnvAll "application" "kubernetes_entrypoint" "container" "kubernetes_entrypoint" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 2 }}
+  env:
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          apiVersion: v1
+          fieldPath: metadata.name
+    - name: NAMESPACE
+      valueFrom:
+        fieldRef:
+          apiVersion: v1
+          fieldPath: metadata.namespace
+    - name: INTERFACE_NAME
+      value: eth0
+    - name: PATH
+      value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+    - name: DEPENDENCY_SERVICE
+      value: "{{ tuple $deps.services $envAll | include "helm-toolkit.utils.comma_joined_service_list" }}"
+{{- if $deps.jobs -}}
+  {{- if kindIs "string" (index $deps.jobs 0) }}
+    - name: DEPENDENCY_JOBS
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.jobs }}"
+  {{- else }}
+    - name: DEPENDENCY_JOBS_JSON
+      value: {{- toJson $deps.jobs | quote -}}
+  {{- end -}}
+{{- end }}
+    - name: DEPENDENCY_DAEMONSET
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.daemonset }}"
+    - name: DEPENDENCY_CONTAINER
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.container }}"
+    - name: DEPENDENCY_POD_JSON
+      value: {{ if $deps.pod }}{{ toJson $deps.pod | quote }}{{ else }}""{{ end }}
+    - name: DEPENDENCY_CUSTOM_RESOURCE
+      value: {{ if $deps.custom_resources }}{{ toJson $deps.custom_resources | quote }}{{ else }}""{{ end }}
+  command:
+    - kubernetes-entrypoint
+  volumeMounts:
+{{ toYaml $mounts | indent 4 }}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
new file mode 100644
index 0000000..34a7da3
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
@@ -0,0 +1,20 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_kubectl_params" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{ print "-l application=" $application " -l component=" $component }}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
new file mode 100644
index 0000000..92d3ea5
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders mandatory access control annotations for a list of containers
+  driven by values.yaml. As of now, it can only generate an apparmor
+  annotation, but in the future could generate others.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      myPodName:
+        myContainerName: localhost/myAppArmor
+        mySecondContainerName: localhost/secondProfile # optional
+        myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+  {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" }}
+return: |
+  container.apparmor.security.beta.kubernetes.io/myContainerName: localhost/myAppArmor
+  container.apparmor.security.beta.kubernetes.io/mySecondContainerName: localhost/secondProfile
+  container.apparmor.security.beta.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+  The number of container underneath is a variable arguments. It loops through
+  all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- $macType := $envAll.Values.pod.mandatory_access_control.type -}}
+{{- if $macType -}}
+{{- if eq $macType "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control $podName -}}
+{{- range $name := $containerNames -}}
+{{- $apparmorProfile := index $envAll.Values.pod.mandatory_access_control $podName $name -}}
+{{- if $apparmorProfile }}
+container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
new file mode 100644
index 0000000..48b53fa
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders a set of standardised labels
+values: |
+  release_group: null
+  pod:
+    labels:
+      default:
+        label1.example.com: value
+      bar:
+        label2.example.com: bar
+usage: |
+  {{ tuple . "foo" "bar" | include "helm-toolkit.snippets.kubernetes_metadata_labels" }}
+return: |
+  release_group: RELEASE-NAME
+  application: foo
+  component: bar
+  label1.example.com: value
+  label2.example.com: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+release_group: {{ $envAll.Values.release_group | default $envAll.Release.Name }}
+application: {{ $application }}
+component: {{ $component }}
+{{- if ($envAll.Values.pod).labels }}
+{{- if hasKey $envAll.Values.pod.labels $component }}
+{{ index $envAll.Values.pod "labels" $component | toYaml }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.labels "default" }}
+{{ $envAll.Values.pod.labels.default | toYaml }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
new file mode 100644
index 0000000..fabbcf8
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
@@ -0,0 +1,89 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes anti affinity rules, this function supports both hard
+  'requiredDuringSchedulingIgnoredDuringExecution' and soft
+  'preferredDuringSchedulingIgnoredDuringExecution' types.
+values: |
+  pod:
+    affinity:
+      anti:
+        topologyKey:
+          default: kubernetes.io/hostname
+        type:
+          default: requiredDuringSchedulingIgnoredDuringExecution
+        weight:
+          default: 10
+usage: |
+  {{ tuple . "appliction_x" "component_y" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" }}
+return: |
+  podAntiAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+    - labelSelector:
+        matchExpressions:
+          - key: release_group
+            operator: In
+            values:
+            - RELEASE-NAME
+          - key: application
+            operator: In
+            values:
+            - appliction_x
+          - key: component
+            operator: In
+            values:
+            - component_y
+          topologyKey: kubernetes.io/hostname
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $component := index . "component" -}}
+{{- $expressionRelease := dict "key" "release_group" "operator" "In"  "values" ( list ( $envAll.Values.release_group | default $envAll.Release.Name ) ) -}}
+{{- $expressionApplication := dict "key" "application" "operator" "In"  "values" ( list $application ) -}}
+{{- $expressionComponent := dict "key" "component" "operator" "In"  "values" ( list $component ) -}}
+{{- list $expressionRelease $expressionApplication $expressionComponent | toYaml }}
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{- $antiAffinityType := index $envAll.Values.pod.affinity.anti.type $component | default $envAll.Values.pod.affinity.anti.type.default }}
+{{- $antiAffinityKey := index $envAll.Values.pod.affinity.anti.topologyKey $component | default $envAll.Values.pod.affinity.anti.topologyKey.default }}
+podAntiAffinity:
+{{- $matchExpressions := include "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" ( dict "envAll" $envAll "application" $application "component" $component ) -}}
+{{- if eq $antiAffinityType "preferredDuringSchedulingIgnoredDuringExecution" }}
+  {{ $antiAffinityType }}:
+  - podAffinityTerm:
+      labelSelector:
+        matchExpressions:
+{{ $matchExpressions | indent 10 }}
+      topologyKey: {{ $antiAffinityKey }}
+{{- if  $envAll.Values.pod.affinity.anti.weight }}
+    weight: {{ index $envAll.Values.pod.affinity.anti.weight $component | default $envAll.Values.pod.affinity.anti.weight.default }}
+{{- else }}
+    weight: 10
+{{- end -}}
+{{- else if eq $antiAffinityType "requiredDuringSchedulingIgnoredDuringExecution" }}
+  {{ $antiAffinityType }}:
+  - labelSelector:
+      matchExpressions:
+{{ $matchExpressions | indent 8 }}
+    topologyKey: {{ $antiAffinityKey }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
new file mode 100644
index 0000000..74173dc
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders image pull secrets for a pod
+values: |
+  pod:
+    image_pull_secrets:
+      default:
+        - name: some-pull-secret
+      bar:
+        - name: another-pull-secret
+usage: |
+  {{ tuple . "bar" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" }}
+return: |
+  imagePullSecrets:
+    - name: some-pull-secret
+    - name: another-pull-secret
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_image_pull_secrets" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- if ($envAll.Values.pod).image_pull_secrets }}
+imagePullSecrets:
+{{- if hasKey $envAll.Values.pod.image_pull_secrets $application }}
+{{ index $envAll.Values.pod "image_pull_secrets" $application | toYaml | indent 2 }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.image_pull_secrets "default" }}
+{{ $envAll.Values.pod.image_pull_secrets.default | toYaml | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
new file mode 100644
index 0000000..90a7a65
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{{- $saName := index . 2 | replace "_" "-" }}
+{{- $saNamespace := index . 3 -}}
+{{- $releaseName := $envAll.Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $releaseName }}-{{ $saName }}
+  namespace: {{ $saNamespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $saName }}
+    namespace: {{ $saNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+  namespace: {{ $saNamespace }}
+rules:
+  - apiGroups:
+      - ""
+      - extensions
+      - batch
+      - apps
+    verbs:
+      - get
+      - list
+    resources:
+      {{- range $k, $v := $deps -}}
+      {{ if eq $v "daemonsets" }}
+      - daemonsets
+      {{- end -}}
+      {{ if eq $v "jobs" }}
+      - jobs
+      {{- end -}}
+      {{ if or (eq $v "pods") (eq $v "daemonsets") (eq $v "jobs") }}
+      - pods
+      {{- end -}}
+      {{ if eq $v "services" }}
+      - services
+      - endpoints
+      {{- end -}}
+      {{ if eq $v "secrets" }}
+      - secrets
+      {{- end -}}
+      {{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
new file mode 100644
index 0000000..bc2045e
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $saName := index . 2 -}}
+{{- $saNamespace := $envAll.Release.Namespace }}
+{{- $randomKey := randAlphaNum 32 }}
+{{- $allNamespace := dict $randomKey "" }}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $saName }}
+  namespace: {{ $saNamespace }}
+{{- if $envAll.Values.manifests.secret_registry }}
+{{- if $envAll.Values.endpoints.oci_image_registry.auth.enabled }}
+imagePullSecrets:
+  - name: {{ index $envAll.Values.secrets.oci_image_registry $envAll.Chart.Name }}
+{{- end -}}
+{{- end -}}
+{{- range $k, $v := $deps -}}
+{{- if eq $k "services" }}
+{{- range $serv := $v }}
+{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
+{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
+{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
+{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- else if and (eq $k "jobs") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "daemonset") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "pod") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "pods," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "secret") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "secrets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- $_ := unset $allNamespace $randomKey }}
+{{- range $ns, $vv := $allNamespace }}
+{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
+{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
new file mode 100644
index 0000000..3a4fbaa
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
@@ -0,0 +1,67 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders securityContext for a Kubernetes pod.
+  For pod level, seurity context see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#podsecuritycontext-v1-core
+examples:
+  - values: |
+      pod:
+        # NOTE: The 'user' key is deprecated, and will be removed shortly.
+        user:
+          myApp:
+            uid: 34356
+        security_context:
+          myApp:
+            pod:
+              runAsNonRoot: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+    return: |
+      securityContext:
+        runAsUser: 34356
+        runAsNonRoot: true
+  - values: |
+      pod:
+        security_context:
+          myApp:
+            pod:
+              runAsUser: 34356
+              runAsNonRoot: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+    return: |
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+securityContext:
+{{- if hasKey $envAll.Values.pod "user" }}
+{{- if hasKey $envAll.Values.pod.user $application }}
+{{- if hasKey ( index $envAll.Values.pod.user $application ) "uid" }}
+  runAsUser: {{ index $envAll.Values.pod.user $application "uid" }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{ toYaml ( index $envAll.Values.pod.security_context $application "pod" ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
new file mode 100644
index 0000000..7470760
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes liveness and readiness probes for containers
+values: |
+  pod:
+    probes:
+      api:
+        default:
+          readiness:
+            enabled: true
+            params:
+              initialDelaySeconds: 30
+              timeoutSeconds: 30
+usage: |
+  {{- define "probeTemplate" }}
+  httpGet:
+    path: /status
+    port: 9090
+  {{- end }}
+  {{ dict "envAll" . "component" "api" "container" "default" "type" "readiness" "probeTemplate" (include "probeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" }}
+return: |
+  readinessProbe:
+    httpGet:
+      path: /status
+      port: 9090
+    initialDelaySeconds: 30
+    timeoutSeconds: 30
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_probe" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $container := index . "container" -}}
+{{- $type := index . "type" -}}
+{{- $probeTemplate := index . "probeTemplate" -}}
+{{- $probeOpts := index $envAll.Values.pod.probes $component $container $type -}}
+{{- if $probeOpts.enabled -}}
+{{- $probeOverides := index $probeOpts "params" | default dict -}}
+{{ dict ( printf "%sProbe" $type ) (mergeOverwrite $probeTemplate $probeOverides ) | toYaml }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
new file mode 100644
index 0000000..24d30cf
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
@@ -0,0 +1,53 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Note: This function is deprecated and will be removed in the future.
+
+abstract: |
+  Renders kubernetes resource limits for pods
+values: |
+  pod:
+    resources:
+      enabled: true
+      api:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+          hugepages-1Gi: "1Gi"
+
+usage: |
+  {{ include "helm-toolkit.snippets.kubernetes_resources" ( tuple . .Values.pod.resources.api ) }}
+return: |
+  resources:
+    limits:
+      cpu: "2000m"
+      memory: "1024Mi"
+      hugepages-1Gi: "1Gi"
+    requests:
+      cpu: "100m"
+      memory: "128Mi
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_resources" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- if $envAll.Values.pod.resources.enabled -}}
+resources:
+{{ toYaml $component | trim | indent 2 }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
new file mode 100644
index 0000000..555ffb0
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders seccomp annotations for a list of containers driven by values.yaml.
+values: |
+  pod:
+    seccomp:
+      myPodName:
+        myContainerName: localhost/mySeccomp
+        mySecondContainerName: localhost/secondProfile # optional
+        myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+  {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_seccomp_annotation" }}
+return: |
+  container.seccomp.security.alpha.kubernetes.io/myContainerName: localhost/mySeccomp
+  container.seccomp.security.alpha.kubernetes.io/mySecondContainerName: localhost/secondProfile
+  container.seccomp.security.alpha.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+  The number of container underneath is a variable arguments. It loops through
+  all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_seccomp_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey (index $envAll.Values.pod "seccomp") $podName -}}
+{{- range $name := $containerNames -}}
+{{- $seccompProfile := index $envAll.Values.pod.seccomp $podName $name -}}
+{{- if $seccompProfile }}
+container.seccomp.security.alpha.kubernetes.io/{{ $name }}: {{ $seccompProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
new file mode 100644
index 0000000..e4af6a6
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes tolerations for pods
+values: |
+  pod:
+    tolerations:
+      api:
+        enabled: true
+        tolerations:
+        - key: node-role.kubernetes.io/master
+          operator: Exists
+        - key: node-role.kubernetes.io/node
+          operator: Exists
+
+usage: |
+  {{ include "helm-toolkit.snippets.kubernetes_tolerations" ( tuple . .Values.pod.tolerations.api ) }}
+return: |
+  tolerations:
+  - key: node-role.kubernetes.io/master
+    operator: Exists
+  - key: node-role.kubernetes.io/node
+    operator: Exists
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_tolerations" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $pod := index $envAll.Values.pod.tolerations $component }}
+tolerations:
+{{ toYaml $pod.tolerations }}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
new file mode 100644
index 0000000..69cee47
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_daemonset" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $upgradeMap := index $envAll.Values.pod.lifecycle.upgrades.daemonsets $component -}}
+{{- $pod_replacement_strategy := $envAll.Values.pod.lifecycle.upgrades.daemonsets.pod_replacement_strategy -}}
+{{- with $upgradeMap -}}
+{{- if .enabled }}
+minReadySeconds: {{ .min_ready_seconds }}
+updateStrategy:
+  type: {{ $pod_replacement_strategy }}
+  {{- if $pod_replacement_strategy }}
+  {{- if eq $pod_replacement_strategy "RollingUpdate" }}
+  rollingUpdate:
+    maxUnavailable: {{ .max_unavailable }}
+  {{- end }}
+  {{- end }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
new file mode 100644
index 0000000..be28cdb
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_deployment" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.deployments -}}
+revisionHistoryLimit: {{ .revision_history }}
+strategy:
+  type: {{ .pod_replacement_strategy }}
+  {{- if eq .pod_replacement_strategy "RollingUpdate" }}
+  rollingUpdate:
+    maxUnavailable: {{ .rolling_update.max_unavailable }}
+    maxSurge: {{ .rolling_update.max_surge }}
+  {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
new file mode 100644
index 0000000..f897023
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders upgradeStrategy configuration for Kubernetes statefulsets.
+  See: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+  Types:
+    - RollingUpdate (default)
+    - OnDelete
+  Partitions:
+    - Stage updates to a statefulset by keeping pods at current version while
+      allowing mutations to statefulset's .spec.template
+values: |
+  pod:
+    lifecycle:
+      upgrades:
+        statefulsets:
+          pod_replacement_strategy: RollingUpdate
+          partition: 2
+usage: |
+  {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_statefulset" | indent 2 }}
+return: |
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      partition: 2
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_statefulset" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.statefulsets -}}
+updateStrategy:
+  type: {{ .pod_replacement_strategy }}
+  {{ if .partition -}}
+  rollingUpdate:
+    partition: {{ .partition }}
+  {{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
new file mode 100644
index 0000000..fc74c6f
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
@@ -0,0 +1,68 @@
+{{- define "helm-toolkit.snippets.mon_host_from_k8s_ep" -}}
+{{/*
+
+Inserts a bash function definition mon_host_from_k8s_ep() which can be used
+to construct a mon_hosts value from the given namespaced endpoint.
+
+Usage (e.g. in _script.sh.tpl):
+    #!/bin/bash
+
+    : "${NS:=ceph}"
+    : "${EP:=ceph-mon-discovery}"
+
+    {{ include "helm-toolkit.snippets.mon_host_from_k8s_ep" . }}
+
+    MON_HOST=$(mon_host_from_k8s_ep "$NS" "$EP")
+
+    if [ -z "$MON_HOST" ]; then
+        # deal with failure
+    else
+        sed -i -e "s/^mon_host = /mon_host = $MON_HOST/" /etc/ceph/ceph.conf
+    fi
+*/}}
+{{`
+# Construct a mon_hosts value from the given namespaced endpoint
+# IP x.x.x.x with port p named "mon-msgr2" will appear as [v2:x.x.x.x/p/0]
+# IP x.x.x.x with port q named "mon" will appear as [v1:x.x.x.x/q/0]
+# IP x.x.x.x with ports p and q will appear as [v2:x.x.x.x/p/0,v1:x.x.x.x/q/0]
+# The entries for all IPs will be joined with commas
+mon_host_from_k8s_ep() {
+  local ns=$1
+  local ep=$2
+
+  if [ -z "$ns" ] || [ -z "$ep" ]; then
+    return 1
+  fi
+
+  # We don't want shell expansion for the go-template expression
+  # shellcheck disable=SC2016
+  kubectl get endpoints -n "$ns" "$ep" -o go-template='
+    {{- $sep := "" }}
+    {{- range $_,$s := .subsets }}
+      {{- $v2port := 0 }}
+      {{- $v1port := 0 }}
+      {{- range $_,$port := index $s "ports" }}
+        {{- if (eq $port.name "mon-msgr2") }}
+          {{- $v2port = $port.port }}
+        {{- else if (eq $port.name "mon") }}
+          {{- $v1port = $port.port }}
+        {{- end }}
+      {{- end }}
+      {{- range $_,$address := index $s "addresses" }}
+        {{- $v2endpoint := printf "v2:%s:%d/0" $address.ip $v2port }}
+        {{- $v1endpoint := printf "v1:%s:%d/0" $address.ip $v1port }}
+        {{- if (and $v2port $v1port) }}
+          {{- printf "%s[%s,%s]" $sep $v2endpoint $v1endpoint }}
+          {{- $sep = "," }}
+        {{- else if $v2port }}
+          {{- printf "%s[%s]" $sep $v2endpoint }}
+          {{- $sep = "," }}
+        {{- else if $v1port }}
+          {{- printf "%s[%s]" $sep $v1endpoint }}
+          {{- $sep = "," }}
+        {{- end }}
+      {{- end }}
+    {{- end }}'
+}
+`}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
new file mode 100644
index 0000000..fec41f8
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape jobs via pod
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape pods that have a value of `true`
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: Scrape the pod on the indicated port instead of the
+# pod's declared ports (default is a port-free target if none are declared).
+
+{{- define "helm-toolkit.snippets.prometheus_pod_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
new file mode 100644
index 0000000..a827c4b
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
@@ -0,0 +1,35 @@
+{{/*
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+   http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape endpoints via
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape services that have a value of `true`
+# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
+# to set this to `https` & most likely set the `tls_config` of the scrape config.
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: If the metrics are exposed on a different port to the
+# service then set this appropriately.
+
+{{- define "helm-toolkit.snippets.prometheus_service_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.scheme }}
+prometheus.io/scheme: {{ $config.scheme | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_release_uuid.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
new file mode 100644
index 0000000..253920b
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Reneders an attonation key and value for a release
+values: |
+  release_uuid: null
+usage: |
+  {{ tuple . | include "helm-toolkit.snippets.release_uuid" }}
+return: |
+  "openstackhelm.openstack.org/release_uuid": ""
+*/}}
+
+{{- define "helm-toolkit.snippets.release_uuid" -}}
+{{- $envAll := index . 0 -}}
+"openstackhelm.openstack.org/release_uuid": {{ $envAll.Values.release_uuid | default "" | quote }}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
new file mode 100644
index 0000000..a3169ce
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_admin_env_vars" }}
+{{- $s3AdminSecret := .s3AdminSecret }}
+- name: S3_ADMIN_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_USERNAME
+- name: S3_ADMIN_ACCESS_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_ACCESS_KEY
+- name: S3_ADMIN_SECRET_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_SECRET_KEY
+{{- end }}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
new file mode 100644
index 0000000..a611a5e
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_secret_creds" }}
+{{- range $client, $config := .Values.storage.s3.clients -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+type: Opaque
+data:
+{{- range $key, $value := $config.auth }}
+  {{ $key | upper }}: {{ $value | toString | b64enc}}
+{{- end }}
+
+{{ end }}
+{{- end }}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
new file mode 100644
index 0000000..a3dd431
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_user_env_vars" }}
+{{- range $client, $user := .Values.storage.s3.clients }}
+{{- $s3secret := printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+- name: {{ printf "%s_S3_USERNAME" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: USERNAME
+- name: {{ printf "%s_S3_ACCESS_KEY" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: ACCESS_KEY
+- name: {{ printf "%s_S3_SECRET_KEY" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: SECRET_KEY
+{{- end }}
+{{- end }}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_tls_volume.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
new file mode 100644
index 0000000..41fe3d9
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+  Renders a secret volume for tls.
+
+  Dictionary Parameters:
+    enabled: boolean check if you want to conditional disable this snippet (optional)
+    name: name of the volume (required)
+    secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional)
+
+values: |
+  manifests:
+    certificates: true
+
+usage: |
+  {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume" -}}
+
+return: |
+  - name: glance-tls-api
+    secret:
+      secretName: glance-tls-api
+      defaultMode: 292
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $secretName := index . "secretName" | default $name -}}
+{{- if and $enabled (ne $name "") }}
+- name: {{ $name }}
+  secret:
+    secretName: {{ $secretName }}
+    defaultMode: 292
+{{- end }}
+{{- end }}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
new file mode 100644
index 0000000..9cfa819
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
@@ -0,0 +1,82 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+  Renders a volume mount for TLS key, cert and CA.
+
+  Dictionary Parameters:
+    enabled: boolean check if you want to conditional disable this snippet (optional)
+    name: name that of the volume and should match the volume name (required)
+    path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required)
+    certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}.
+          the default is the full set. (optional)
+
+values: |
+  manifests:
+    certificates: true
+
+usage: |
+  {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/tls.crt
+    subPath: tls.crt
+    readOnly: true
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/tls.key
+    subPath: tls.key
+    readOnly: true
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/ca.crt
+    subPath: ca.crt
+    readOnly: true
+
+abstract: |
+  This mounts a specific issuing CA only for service validation
+
+usage: |
+  {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+  - name: glance-tls-api
+    mountPath: /etc/ssl/certs/openstack-helm.crt
+    subPath: ca.crt
+    readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume_mount" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $path := index . "path" | default "" -}}
+{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }}
+{{- if $enabled }}
+{{- if and (eq $path "") (ne $name "") }}
+- name: {{ $name }}
+  mountPath: "/etc/ssl/certs/openstack-helm.crt"
+  subPath: ca.crt
+  readOnly: true
+{{- else }}
+{{- if ne $name "" }}
+{{- range $key, $value := $certs }}
+- name: {{ $name }}
+  mountPath: {{ printf "%s/%s" $path $value }}
+  subPath: {{ $value }}
+  readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
new file mode 100644
index 0000000..6e9d5a1
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
@@ -0,0 +1,87 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders out configuration sections into a format suitable for incorporation
+  into a config-map. Allowing various forms of input to be rendered out as
+  appropriate.
+values: |
+  conf:
+    inputs:
+      - foo
+      - bar
+    some:
+      config_to_render: |
+        #We can use all of gotpl here: eg macros, ranges etc.
+        {{ include "helm-toolkit.utils.joinListWithComma" .Values.conf.inputs }}
+      config_to_complete:
+        #here we can fill out params, but things need to be valid yaml as input
+        '{{ .Release.Name }}': '{{ printf "%s-%s" .Release.Namespace "namespace" }}'
+      static_config:
+        #this is just passed though as yaml to the configmap
+        foo: bar
+usage: |
+  {{- $envAll := . }}
+  ---
+  apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: application-etc
+  data:
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_render "key" "config_to_render.conf") | indent 2 }}
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_complete "key" "config_to_complete.yaml") | indent 2 }}
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.static_config "key" "static_config.yaml") | indent 2 }}
+return: |
+  ---
+  apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: application-etc
+  data:
+    config_to_render.conf: |
+      #We can use all of gotpl here: eg macros, ranges etc.
+      foo,bar
+
+    config_to_complete.yaml: |
+      'RELEASE-NAME': 'default-namespace'
+
+    static_config.yaml: |
+      foo: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.values_template_renderer" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $template := index . "template" -}}
+{{- $key := index . "key" -}}
+{{- $format := index . "format" | default "configMap" -}}
+{{- with $envAll -}}
+{{- $templateRendered := tpl ( $template | toYaml ) . }}
+{{- if eq $format "Secret" }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: {{ regexReplaceAllLiteral "\n  " ( $templateRendered | trimPrefix "|\n" | trimPrefix "  " ) "\n" | b64enc }}
+{{- else }}
+{{ $key }}: {{ $templateRendered | b64enc }}
+{{- end -}}
+{{- else }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: |
+{{ regexReplaceAllLiteral "\n  " ( $templateRendered | trimPrefix "|\n" | trimPrefix "  " ) "\n" | indent 2 }}
+{{- else }}
+{{ $key }}: |
+{{ $templateRendered | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl b/charts/magnum/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
new file mode 100644
index 0000000..6d617a1
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
@@ -0,0 +1,94 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Produces a certificate from a certificate authority. If the "encode" parameter
+  is true, base64 encode the values for inclusion in a Kubernetes secret.
+values: |
+  test:
+    hosts:
+      names:
+        - barbican.openstackhelm.example
+        - barbican.openstack.svc.cluster.local
+      ips:
+        - 127.0.0.1
+        - 192.168.0.1
+    life: 3
+    # Use ca.crt and ca.key to build a customized ca, if they are provided.
+    # Use hosts.names[0] and life to auto-generate a ca, if ca is not provided.
+    ca:
+      crt: |
+        <CA CRT>
+      key: |
+        <CA PRIVATE KEY>
+usage: |
+  {{ include "helm-toolkit.utils.tls_generate_certs" (dict "params" .Values.test) }}
+return: |
+  ca: |
+    <CA CRT>
+  crt: |
+    <CRT>
+  exp: 2018-09-01T10:56:07.895392915-00:00
+  key: |
+    <CRT PRIVATE KEY>
+*/}}
+
+{{- define "helm-toolkit.utils.tls_generate_certs" -}}
+{{- $params := index . "params" -}}
+{{- $encode := index . "encode" | default false -}}
+{{- $local := dict -}}
+
+{{- $_hosts := $params.hosts.names | default list }}
+{{- if kindIs "string" $params.hosts.names }}
+{{- $_ := set $local "certHosts" (list $params.hosts.names) }}
+{{- else }}
+{{- $_ := set $local "certHosts" $_hosts }}
+{{- end }}
+
+{{- $_ips := $params.hosts.ips | default list }}
+{{- if kindIs "string" $params.hosts.ips }}
+{{- $_ := set $local "certIps" (list $params.hosts.ips) }}
+{{- else }}
+{{- $_ := set $local "certIps" $_ips }}
+{{- end }}
+
+{{- if hasKey $params "ca" }}
+{{- if and (hasKey $params.ca "crt") (hasKey $params.ca "key") }}
+{{- $ca := buildCustomCert ($params.ca.crt | b64enc ) ($params.ca.key | b64enc ) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+{{- else }}
+{{- $ca := genCA (first $local.certHosts) (int $params.life) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+
+{{- $expDate := date_in_zone "2006-01-02T15:04:05Z07:00" ( date_modify (printf "+%sh" (mul $params.life 24 |toString)) now ) "UTC" }}
+{{- $rawCert := genSignedCert (first $local.certHosts) ($local.certIps) ($local.certHosts) (int $params.life) $local.ca }}
+{{- $certificate := dict -}}
+{{- if $encode -}}
+{{- $_ := b64enc $rawCert.Cert | set $certificate "crt" -}}
+{{- $_ := b64enc $rawCert.Key | set $certificate "key" -}}
+{{- $_ := b64enc $local.ca.Cert | set $certificate "ca" -}}
+{{- $_ := b64enc $local.ca.Key | set $certificate "caKey" -}}
+{{- $_ := b64enc $expDate | set $certificate "exp" -}}
+{{- else -}}
+{{- $_ := set $certificate "crt" $rawCert.Cert -}}
+{{- $_ := set $certificate "key" $rawCert.Key -}}
+{{- $_ := set $certificate "ca" $local.ca.Cert -}}
+{{- $_ := set $certificate "caKey" $local.ca.Key -}}
+{{- $_ := set $certificate "exp" $expDate -}}
+{{- end -}}
+{{- $certificate | toYaml }}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl b/charts/magnum/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
new file mode 100644
index 0000000..e26501f
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a comma separated list of namespace:service pairs.
+values: |
+  dependencies:
+    static:
+      api:
+        services:
+          - endpoint: internal
+            service: oslo_cache
+          - endpoint: internal
+            service: oslo_db
+  endpoints:
+    oslo_db:
+      namespace: foo
+      hosts:
+        default: mariadb
+    oslo_cache:
+      namespace: bar
+      hosts:
+        default: memcache
+usage: |
+  {{ tuple .Values.dependencies.static.api.services . | include "helm-toolkit.utils.comma_joined_service_list" }}
+return: |
+  bar:memcache,foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.utils.comma_joined_service_list" -}}
+{{- $deps := index . 0 -}}
+{{- $envAll := index . 1 -}}
+{{- range $k, $v := $deps -}}{{- if $k -}},{{- end -}}{{ tuple $v.service $v.endpoint $envAll | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/utils/_configmap_templater.tpl b/charts/magnum/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
new file mode 100644
index 0000000..7095c19
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
@@ -0,0 +1,30 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.configmap_templater" }}
+{{- $keyRoot := index . 0 -}}
+{{- $configTemplate := index . 1 -}}
+{{- $context := index . 2 -}}
+{{ if $keyRoot.override -}}
+{{ $keyRoot.override | indent 4 }}
+{{- else -}}
+{{- if $keyRoot.prefix -}}
+{{ $keyRoot.prefix | indent 4 }}
+{{- end }}
+{{ tuple $configTemplate $context | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if $keyRoot.append -}}
+{{ $keyRoot.append | indent 4 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl b/charts/magnum/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
new file mode 100644
index 0000000..40359f0
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
@@ -0,0 +1,269 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.daemonset_overrides" }}
+  {{- $daemonset := index . 0 }}
+  {{- $daemonset_yaml := index . 1 }}
+  {{- $configmap_include := index . 2 }}
+  {{- $configmap_name := index . 3 }}
+  {{- $context := index . 4 }}
+  {{- $_ := unset $context ".Files" }}
+  {{- $daemonset_root_name := printf (print $context.Chart.Name "_" $daemonset) }}
+  {{- $_ := set $context.Values "__daemonset_list" list }}
+  {{- $_ := set $context.Values "__default" dict }}
+  {{- if hasKey $context.Values.conf "overrides" }}
+    {{- range $key, $val := $context.Values.conf.overrides }}
+
+      {{- if eq $key $daemonset_root_name }}
+        {{- range $type, $type_data := . }}
+
+          {{- if eq $type "hosts" }}
+            {{- range $host_data := . }}
+              {{/* dictionary that will contain all info needed to generate this
+              iteration of the daemonset */}}
+              {{- $current_dict := dict }}
+
+              {{/* set daemonset name */}}
+              {{/* Note: long hostnames can cause the 63 char name limit to be
+              exceeded. Truncate the hostname if hostname > 20 char */}}
+              {{- if gt (len $host_data.name) 20 }}
+                {{- $_ := set $current_dict "name" (substr 0 20 $host_data.name) }}
+              {{- else }}
+                {{- $_ := set $current_dict "name" $host_data.name }}
+              {{- end }}
+
+              {{/* apply overrides */}}
+              {{- $override_conf_copy := $host_data.conf }}
+              {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+              {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+              {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+              {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+              {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+              {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+              {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+              {{- $_ := set $current_dict "nodeData" $root_conf_copy4 }}
+
+              {{/* Schedule to this host explicitly. */}}
+              {{- $nodeSelector_dict := dict }}
+
+              {{- $_ := set $nodeSelector_dict "key" "kubernetes.io/hostname" }}
+              {{- $_ := set $nodeSelector_dict "operator" "In" }}
+
+              {{- $values_list := list $host_data.name }}
+              {{- $_ := set $nodeSelector_dict "values" $values_list }}
+
+              {{- $list_aggregate := list $nodeSelector_dict }}
+              {{- $_ := set $current_dict "matchExpressions" $list_aggregate }}
+
+              {{/* store completed daemonset entry/info into global list */}}
+              {{- $list_aggregate := append $context.Values.__daemonset_list $current_dict }}
+              {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+            {{- end }}
+          {{- end }}
+
+          {{- if eq $type "labels" }}
+            {{- $_ := set $context.Values "__label_list" . }}
+            {{- range $label_data := . }}
+              {{/* dictionary that will contain all info needed to generate this
+              iteration of the daemonset. */}}
+              {{- $_ := set $context.Values "__current_label" dict }}
+
+              {{/* set daemonset name */}}
+              {{- $_ := set $context.Values.__current_label "name" $label_data.label.key }}
+
+              {{/* apply overrides */}}
+              {{- $override_conf_copy := $label_data.conf }}
+              {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+              {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+              {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+              {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+              {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+              {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+              {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+              {{- $_ := set $context.Values.__current_label "nodeData" $root_conf_copy4 }}
+
+              {{/* Schedule to the provided label value(s) */}}
+              {{- $label_dict := omit $label_data.label "NULL" }}
+              {{- $_ := set $label_dict "operator" "In" }}
+              {{- $list_aggregate := list $label_dict }}
+              {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+
+              {{/* Do not schedule to other specified labels, with higher
+              precedence as the list position increases. Last defined label
+              is highest priority. */}}
+              {{- $other_labels := without $context.Values.__label_list $label_data }}
+              {{- range $label_data2 := $other_labels }}
+                {{- $label_dict := omit $label_data2.label "NULL" }}
+
+                {{- $_ := set $label_dict "operator" "NotIn" }}
+
+                {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+                {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+              {{- end }}
+              {{- $_ := set $context.Values "__label_list" $other_labels }}
+
+              {{/* Do not schedule to any other specified hosts */}}
+              {{- range $type, $type_data := $val }}
+                {{- if eq $type "hosts" }}
+                  {{- range $host_data := . }}
+                    {{- $label_dict := dict }}
+
+                    {{- $_ := set $label_dict "key" "kubernetes.io/hostname" }}
+                    {{- $_ := set $label_dict "operator" "NotIn" }}
+
+                    {{- $values_list := list $host_data.name }}
+                    {{- $_ := set $label_dict "values" $values_list }}
+
+                    {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+                    {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+                  {{- end }}
+                {{- end }}
+              {{- end }}
+
+              {{/* store completed daemonset entry/info into global list */}}
+              {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__current_label }}
+              {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+              {{- $_ := unset $context.Values "__current_label" }}
+
+            {{- end }}
+          {{- end }}
+        {{- end }}
+
+        {{/* scheduler exceptions for the default daemonset */}}
+        {{- $_ := set $context.Values.__default "matchExpressions" list }}
+
+        {{- range $type, $type_data := . }}
+          {{/* Do not schedule to other specified labels */}}
+          {{- if eq $type "labels" }}
+            {{- range $label_data := . }}
+              {{- $default_dict := omit $label_data.label "NULL" }}
+
+              {{- $_ := set $default_dict "operator" "NotIn" }}
+
+              {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+              {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+            {{- end }}
+          {{- end }}
+          {{/* Do not schedule to other specified hosts */}}
+          {{- if eq $type "hosts" }}
+            {{- range $host_data := . }}
+              {{- $default_dict := dict }}
+
+              {{- $_ := set $default_dict "key" "kubernetes.io/hostname" }}
+              {{- $_ := set $default_dict "operator" "NotIn" }}
+
+              {{- $values_list := list $host_data.name }}
+              {{- $_ := set $default_dict "values" $values_list }}
+
+              {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+              {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+            {{- end }}
+          {{- end }}
+        {{- end }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+
+  {{/* generate the default daemonset */}}
+
+  {{/* set name */}}
+  {{- $_ := set $context.Values.__default "name" "default" }}
+
+  {{/* no overrides apply, so copy as-is */}}
+  {{- $root_conf_copy1 := omit $context.Values.conf "overrides" }}
+  {{- $root_conf_copy2 := dict "conf" $root_conf_copy1 }}
+  {{- $context_values := omit $context.Values "conf" }}
+  {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+  {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+  {{- $_ := set $context.Values.__default "nodeData" $root_conf_copy4 }}
+
+  {{/* add to global list */}}
+  {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__default }}
+  {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+  {{- range $current_dict := $context.Values.__daemonset_list }}
+
+    {{- $context_novalues := omit $context "Values" }}
+    {{- $merged_dict := mergeOverwrite $context_novalues $current_dict.nodeData }}
+    {{- $_ := set $current_dict "nodeData" $merged_dict }}
+    {{/* Deep copy original daemonset_yaml */}}
+    {{- $_ := set $context.Values "__daemonset_yaml" ($daemonset_yaml | toYaml | fromYaml) }}
+
+    {{/* name needs to be a DNS-1123 compliant name. Ensure lower case */}}
+    {{- $name_format1 := printf (print $daemonset_root_name "-" $current_dict.name) | lower }}
+    {{/* labels may contain underscores which would be invalid here, so we replace them with dashes
+    there may be other valid label names which would make for an invalid DNS-1123 name
+    but these will be easier to handle in future with sprig regex* functions
+    (not availabile in helm 2.5.1) */}}
+    {{- $name_format2 := $name_format1 | replace "_" "-" }}
+    {{/* To account for the case where the same label is defined multiple times in overrides
+    (but with different label values), we add a sha of the scheduling data to ensure
+    name uniqueness */}}
+    {{- $_ := set $current_dict "dns_1123_name" dict }}
+    {{- if hasKey $current_dict "matchExpressions" }}
+      {{- $_ := set $current_dict "dns_1123_name" (printf (print $name_format2 "-" ($current_dict.matchExpressions | quote | sha256sum | trunc 8))) }}
+    {{- else }}
+      {{- $_ := set $current_dict "dns_1123_name" $name_format2 }}
+    {{- end }}
+
+    {{/* set daemonset metadata name */}}
+    {{- if not $context.Values.__daemonset_yaml.metadata }}{{- $_ := set $context.Values.__daemonset_yaml "metadata" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }}
+    {{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }}
+
+    {{/* cross-reference configmap name to container volume definitions */}}
+    {{- $_ := set $context.Values "__volume_list" list }}
+    {{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }}
+      {{- $_ := set $context.Values "__volume" $current_volume }}
+      {{- if hasKey $context.Values.__volume "secret" }}
+        {{- if eq $context.Values.__volume.secret.secretName $configmap_name }}
+          {{- $_ := set $context.Values.__volume.secret "secretName" $current_dict.dns_1123_name }}
+        {{- end }}
+      {{- end }}
+      {{- $updated_list := append $context.Values.__volume_list $context.Values.__volume }}
+      {{- $_ := set $context.Values "__volume_list" $updated_list }}
+    {{- end }}
+    {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "volumes" $context.Values.__volume_list }}
+
+
+    {{/* populate scheduling restrictions */}}
+    {{- if hasKey $current_dict "matchExpressions" }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "spec" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "affinity" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity "nodeAffinity" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity "requiredDuringSchedulingIgnoredDuringExecution" dict }}{{- end }}
+      {{- $match_exprs := dict }}
+      {{- $_ := set $match_exprs "matchExpressions" $current_dict.matchExpressions }}
+      {{- $appended_match_expr := list $match_exprs }}
+      {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution "nodeSelectorTerms" $appended_match_expr }}
+    {{- end }}
+
+    {{/* input value hash for current set of values overrides */}}
+    {{- if not $context.Values.__daemonset_yaml.spec }}{{- $_ := set $context.Values.__daemonset_yaml "spec" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template }}{{- $_ := set $context.Values.__daemonset_yaml.spec "template" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template.metadata }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "metadata" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template.metadata.annotations }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata "annotations" dict }}{{- end }}
+    {{- $cmap := list $current_dict.dns_1123_name $current_dict.nodeData | include $configmap_include }}
+    {{- $values_hash := $cmap | quote | sha256sum }}
+    {{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata.annotations "configmap-etc-hash" $values_hash }}
+
+    {{/* generate configmap */}}
+---
+{{ $cmap }}
+    {{/* generate daemonset yaml */}}
+---
+{{ $context.Values.__daemonset_yaml | toYaml }}
+  {{- end }}
+{{- end }}
diff --git a/charts/magnum/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl b/charts/magnum/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
new file mode 100644
index 0000000..b99c00d
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.dependency_resolver" }}
+{{- $envAll := index . "envAll" -}}
+{{- $dependencyMixinParam := index . "dependencyMixinParam" -}}
+{{- $dependencyKey := index . "dependencyKey" -}}
+{{- if $dependencyMixinParam -}}
+{{- $_ := set $envAll.Values "pod_dependency" dict -}}
+{{- if kindIs "string" $dependencyMixinParam }}
+{{- if ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam ) }}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency ( index $envAll.Values.dependencies.static $dependencyKey ) ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam $dependencyKey ) ) -}}
+{{- else }}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- end }}
+{{- else if kindIs "slice" $dependencyMixinParam }}
+{{- $_ := set $envAll.Values "__deps" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- range $k, $v := $dependencyMixinParam -}}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency $envAll.Values.__deps ( index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey ) ) -}}
+{{- $_ := set $envAll.Values "__deps" $envAll.Values.pod_dependency -}}
+{{- end }}
+{{- end }}
+{{- else -}}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) -}}
+{{- end -}}
+{{ $envAll.Values.pod_dependency | toYaml }}
+{{- end }}
diff --git a/charts/magnum/charts/helm-toolkit/templates/utils/_hash.tpl b/charts/magnum/charts/helm-toolkit/templates/utils/_hash.tpl
new file mode 100644
index 0000000..d871b62
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/utils/_hash.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.hash" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{- include $wtf $context | sha256sum | quote -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/utils/_host_list.tpl b/charts/magnum/charts/helm-toolkit/templates/utils/_host_list.tpl
new file mode 100644
index 0000000..0c32136
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/utils/_host_list.tpl
@@ -0,0 +1,44 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a list of unique hosts for an endpoint, in yaml.
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: mariadb
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.utils.host_list" }}
+return: |
+  hosts:
+  - mariadb
+  - mariadb.default
+*/}}
+
+{{- define "helm-toolkit.utils.host_list" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $host_fqdn := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $host_namespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $host_short := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{/* It is important that the FQDN host is 1st in this list, to ensure other function can use the 1st element for cert gen CN etc */}}
+{{- $host_list := list $host_fqdn $host_namespaced $host_short | uniq }}
+{{- dict "hosts" $host_list | toYaml }}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/utils/_image_sync_list.tpl b/charts/magnum/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
new file mode 100644
index 0000000..51923b6
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.image_sync_list" -}}
+{{- $imageExcludeList := .Values.images.local_registry.exclude -}}
+{{- $imageDict := .Values.images.tags -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := $imageDict -}}
+{{- if not $local.first -}},{{- end -}}
+{{- if (not (has $k $imageExcludeList )) -}}
+{{- index $imageDict $k -}}
+{{- $_ := set $local "first" false -}}
+{{- end -}}{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl b/charts/magnum/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
new file mode 100644
index 0000000..5eb5785
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a comma separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithComma" .Values.test }}
+return: |
+  foo,bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithComma" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl b/charts/magnum/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
new file mode 100644
index 0000000..3bc6819
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a comma seperated string with single quotes
+  around each value.
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.test }}
+return: |
+  'foo','bar'
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}'{{- $v -}}'{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl b/charts/magnum/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
new file mode 100644
index 0000000..40ebb15
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
@@ -0,0 +1,32 @@
+{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of prefixed values into a space separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ tuple "prefix" .Values.test | include "helm-toolkit.utils.joinListWithPrefix" }}
+return: |
+  prefixfoo prefixbar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithPrefix" -}}
+{{- $prefix := index . 0 -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := index . 1 -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $prefix -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl b/charts/magnum/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
new file mode 100644
index 0000000..5912280
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a space separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithSpace" .Values.test }}
+return: |
+  foo bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithSpace" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/utils/_merge.tpl b/charts/magnum/charts/helm-toolkit/templates/utils/_merge.tpl
new file mode 100644
index 0000000..ea80546
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/utils/_merge.tpl
@@ -0,0 +1,135 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Takes a tuple of values and merges into the first (target) one each subsequent
+(source) one in order. If all values to merge are maps, then the tuple can be
+passed as is and the target will be the result, otherwise pass a map with a
+"values" key containing the tuple of values to merge, and the merge result will
+be assigned to the "result" key of the passed map.
+
+When merging maps, for each key in the source, if the target does not define
+that key, the source value is assigned. If both define the key, then the key
+values are merged using this algorithm (recursively) and the result is assigned
+to the target key. Slices are merged by appending them and removing any
+duplicates, and when passing a map to this function and including a
+"merge_same_named" key set to true, then map items from the slices with the same
+value for the "name" key will be merged with each other. Any other values are
+merged by simply keeping the source, and throwing away the target.
+*/}}
+
+{{- define "helm-toolkit.utils.merge" -}}
+  {{- $local := dict -}}
+  {{- $_ := set $local "merge_same_named" false -}}
+  {{- if kindIs "map" $ -}}
+    {{- $_ := set $local "values" $.values -}}
+    {{- if hasKey $ "merge_same_named" -}}
+      {{- $_ := set $local "merge_same_named" $.merge_same_named -}}
+    {{- end -}}
+  {{- else -}}
+    {{- $_ := set $local "values" $ -}}
+  {{- end -}}
+
+  {{- $target := first $local.values -}}
+  {{- range $item := rest $local.values -}}
+    {{- $call := dict "target" $target "source" . "merge_same_named" $local.merge_same_named -}}
+    {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+    {{- $_ := set $local "result" $call.result -}}
+  {{- end -}}
+
+  {{- if kindIs "map" $ -}}
+    {{- $_ := set $ "result" $local.result -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge" -}}
+  {{- $local := dict -}}
+
+  {{- $_ := set $ "result" $.source -}}
+
+  {{/*
+  TODO: Should we `fail` when trying to merge a collection (map or slice) with
+  either a different kind of collection or a scalar?
+  */}}
+
+  {{- if and (kindIs "map" $.target) (kindIs "map" $.source) -}}
+    {{- range $key, $sourceValue := $.source -}}
+      {{- if not (hasKey $.target $key) -}}
+        {{- $_ := set $local "newTargetValue" $sourceValue -}}
+        {{- if kindIs "map" $sourceValue -}}
+          {{- $copy := dict -}}
+          {{- $call := dict "target" $copy "source" $sourceValue -}}
+          {{- $_ := include "helm-toolkit.utils._merge.shallow" $call -}}
+          {{- $_ := set $local "newTargetValue" $copy -}}
+        {{- end -}}
+      {{- else -}}
+        {{- $targetValue := index $.target $key -}}
+        {{- $call := dict "target" $targetValue "source" $sourceValue "merge_same_named" $.merge_same_named -}}
+        {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+        {{- $_ := set $local "newTargetValue" $call.result -}}
+      {{- end -}}
+      {{- $_ := set $.target $key $local.newTargetValue -}}
+    {{- end -}}
+    {{- $_ := set $ "result" $.target -}}
+  {{- else if and (kindIs "slice" $.target) (kindIs "slice" $.source) -}}
+    {{- $call := dict "target" $.target "source" $.source -}}
+    {{- $_ := include "helm-toolkit.utils._merge.append_slice" $call -}}
+    {{- if $.merge_same_named -}}
+      {{- $_ := set $local "result" list -}}
+      {{- $_ := set $local "named_items" dict -}}
+      {{- range $item := $call.result -}}
+      {{- $_ := set $local "has_name_key" false -}}
+        {{- if kindIs "map" $item -}}
+          {{- if hasKey $item "name" -}}
+            {{- $_ := set $local "has_name_key" true -}}
+          {{- end -}}
+        {{- end -}}
+
+        {{- if $local.has_name_key -}}
+          {{- if hasKey $local.named_items $item.name -}}
+            {{- $named_item := index $local.named_items $item.name -}}
+            {{- $call := dict "target" $named_item "source" $item "merge_same_named" $.merge_same_named -}}
+            {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+          {{- else -}}
+            {{- $copy := dict -}}
+            {{- $copy_call := dict "target" $copy "source" $item -}}
+            {{- $_ := include "helm-toolkit.utils._merge.shallow" $copy_call -}}
+            {{- $_ := set $local.named_items $item.name $copy -}}
+            {{- $_ := set $local "result" (append $local.result $copy) -}}
+          {{- end -}}
+        {{- else -}}
+          {{- $_ := set $local "result" (append $local.result $item) -}}
+        {{- end -}}
+      {{- end -}}
+    {{- else -}}
+      {{- $_ := set $local "result" $call.result -}}
+    {{- end -}}
+    {{- $_ := set $ "result" (uniq $local.result) -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.shallow" -}}
+  {{- range $key, $value := $.source -}}
+    {{- $_ := set $.target $key $value -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.append_slice" -}}
+  {{- $local := dict -}}
+  {{- $_ := set $local "result" $.target -}}
+  {{- range $value := $.source -}}
+    {{- $_ := set $local "result" (append $local.result $value) -}}
+  {{- end -}}
+  {{- $_ := set $ "result" $local.result -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/utils/_template.tpl b/charts/magnum/charts/helm-toolkit/templates/utils/_template.tpl
new file mode 100644
index 0000000..da56aa0
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/utils/_template.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.template" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{ include $wtf $context }}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/utils/_to_ini.tpl b/charts/magnum/charts/helm-toolkit/templates/utils/_to_ini.tpl
new file mode 100644
index 0000000..a159364
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/utils/_to_ini.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns INI formatted output from yaml input
+values: |
+  conf:
+    paste:
+      filter:debug:
+        use: egg:oslo.middleware#debug
+      filter:request_id:
+        use: egg:oslo.middleware#request_id
+      filter:build_auth_context:
+        use: egg:keystone#build_auth_context
+usage: |
+  {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste }}
+return: |
+  [filter:build_auth_context]
+  use = egg:keystone#build_auth_context
+  [filter:debug]
+  use = egg:oslo.middleware#debug
+  [filter:request_id]
+  use = egg:oslo.middleware#request_id
+*/}}
+
+{{- define "helm-toolkit.utils.to_ini" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{else -}}
+{{ $key }} = {{ $value }}
+{{end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl b/charts/magnum/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
new file mode 100644
index 0000000..885a86c
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns yaml formatted to be used in k8s templates as container
+  env vars injected via secrets. This requires a secret-<chartname> template to
+  be defined in the chart that can be used to house the desired secret
+  variables. For reference, see the fluentd chart.
+values: |
+  test:
+    secrets:
+      foo: bar
+
+usage: |
+  {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+  - name: foo
+    valueFrom:
+      secretKeyRef:
+        name: "my-release-name-env-secret"
+        key: foo
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_secret_vars" -}}
+{{- $context := index . 0 -}}
+{{- $secrets := index . 1 -}}
+{{ range $key, $config := $secrets -}}
+- name: {{ $key }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ printf "%s-%s" $context.Release.Name "env-secret" | quote }}
+      key: {{ $key }}
+{{ end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl b/charts/magnum/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
new file mode 100644
index 0000000..829dca6
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
@@ -0,0 +1,39 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns key value pair formatted to be used in k8s templates as container
+  env vars.
+values: |
+  test:
+    foo: bar
+usage: |
+  {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+  - name: foo
+    value: "bar"
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_vars" -}}
+{{range $key, $value := . -}}
+{{- if kindIs "slice" $value -}}
+- name: {{ $key }}
+  value: {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{else -}}
+- name: {{ $key }}
+  value: {{ $value | quote }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/utils/_to_kv_list.tpl b/charts/magnum/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
new file mode 100644
index 0000000..91bdeb6
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
@@ -0,0 +1,42 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns key value pair in INI format (key = value)
+values: |
+  conf:
+    libvirt:
+      log_level: 3
+usage: |
+  {{ include "helm-toolkit.utils.to_kv_list" .Values.conf.libvirt }}
+return: |
+  log_level = 3
+*/}}
+
+{{- define "helm-toolkit.utils.to_kv_list" -}}
+{{- range $key, $value :=  . -}}
+{{- if kindIs "slice" $value }}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{- else if kindIs "string" $value }}
+{{- if regexMatch "^[0-9]+$" $value }}
+{{ $key }} = {{ $value }}
+{{- else }}
+{{ $key }} = {{ $value | quote }}
+{{- end }}
+{{- else }}
+{{ $key }} = {{ $value }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl b/charts/magnum/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
new file mode 100644
index 0000000..622a862
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns OSLO.conf formatted output from yaml input
+values: |
+  conf:
+    keystone:
+      DEFAULT: # Keys at this level are used for section headings
+        max_token_size: 255
+      oslo_messaging_notifications:
+        driver: # An example of a multistring option's syntax
+          type: multistring
+          values:
+            - messagingv2
+            - log
+      oslo_messaging_notifications_stein:
+        driver: # An example of a csv option's syntax
+          type: csv
+          values:
+            - messagingv2
+            - log
+      security_compliance:
+        password_expires_ignore_user_ids:
+        # Values in a list will be converted to a comma separated key
+          - "123"
+          - "456"
+usage: |
+  {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.keystone }}
+return: |
+  [DEFAULT]
+  max_token_size = 255
+  [oslo_messaging_notifications]
+  driver = messagingv2
+  driver = log
+  [oslo_messaging_notifications_stein]
+  driver = messagingv2,log
+  [security_compliance]
+  password_expires_ignore_user_ids = 123,456
+*/}}
+
+{{- define "helm-toolkit.utils.to_oslo_conf" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{ range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{ else if kindIs "map" $value -}}
+{{- if eq $value.type "multistring" }}
+{{- range $k, $multistringValue := $value.values -}}
+{{ $key }} = {{ $multistringValue }}
+{{ end -}}
+{{ else if eq $value.type "csv" -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value.values }}
+{{ end -}}
+{{- else -}}
+{{ $key }} = {{ $value }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/values.yaml b/charts/magnum/charts/helm-toolkit/values.yaml
new file mode 100644
index 0000000..681a92b
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/values.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for utils.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
diff --git a/charts/magnum/requirements.lock b/charts/magnum/requirements.lock
new file mode 100644
index 0000000..7769810
--- /dev/null
+++ b/charts/magnum/requirements.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: helm-toolkit
+  repository: file://../../openstack-helm-infra/helm-toolkit
+  version: 0.2.50
+digest: sha256:67fc0fd70898d60cddd5c634b632205a7716bfeb21e57adaeda464efbcfa2ce3
+generated: "2023-01-13T22:23:23.269657087Z"
diff --git a/charts/magnum/requirements.yaml b/charts/magnum/requirements.yaml
new file mode 100644
index 0000000..4124d01
--- /dev/null
+++ b/charts/magnum/requirements.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+  - name: helm-toolkit
+    repository: file://../../openstack-helm-infra/helm-toolkit
+    version: ">= 0.1.0"
diff --git a/charts/magnum/templates/bin/_bootstrap.sh.tpl b/charts/magnum/templates/bin/_bootstrap.sh.tpl
new file mode 100644
index 0000000..6452d0a
--- /dev/null
+++ b/charts/magnum/templates/bin/_bootstrap.sh.tpl
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+{{ .Values.bootstrap.script | default "echo 'Not Enabled'" }}
diff --git a/charts/magnum/templates/bin/_db-sync.sh.tpl b/charts/magnum/templates/bin/_db-sync.sh.tpl
new file mode 100644
index 0000000..4669fb3
--- /dev/null
+++ b/charts/magnum/templates/bin/_db-sync.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+magnum-db-manage upgrade
diff --git a/charts/magnum/templates/bin/_magnum-api.sh.tpl b/charts/magnum/templates/bin/_magnum-api.sh.tpl
new file mode 100644
index 0000000..5786cea
--- /dev/null
+++ b/charts/magnum/templates/bin/_magnum-api.sh.tpl
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+  exec magnum-api \
+        --config-file /etc/magnum/magnum.conf
+}
+
+function stop () {
+  kill -TERM 1
+}
+
+$COMMAND
diff --git a/charts/magnum/templates/bin/_magnum-conductor-init.sh.tpl b/charts/magnum/templates/bin/_magnum-conductor-init.sh.tpl
new file mode 100644
index 0000000..5b4b414
--- /dev/null
+++ b/charts/magnum/templates/bin/_magnum-conductor-init.sh.tpl
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+tee /tmp/pod-shared/magnum.conf <<EOF
+[DEFAULT]
+host = ${POD_NAME}
+EOF
diff --git a/charts/magnum/templates/bin/_magnum-conductor.sh.tpl b/charts/magnum/templates/bin/_magnum-conductor.sh.tpl
new file mode 100644
index 0000000..9374f5e
--- /dev/null
+++ b/charts/magnum/templates/bin/_magnum-conductor.sh.tpl
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+exec magnum-conductor \
+      --config-file /etc/magnum/magnum.conf \
+      --config-file /tmp/pod-shared/magnum.conf
diff --git a/charts/magnum/templates/configmap-bin.yaml b/charts/magnum/templates/configmap-bin.yaml
new file mode 100644
index 0000000..bb526d5
--- /dev/null
+++ b/charts/magnum/templates/configmap-bin.yaml
@@ -0,0 +1,53 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: magnum-bin
+data:
+{{- if .Values.images.local_registry.active }}
+  image-repo-sync.sh: |
+{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
+{{- end }}
+{{- if .Values.bootstrap.enabled }}
+  bootstrap.sh: |
+{{ tuple "bin/_bootstrap.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+  db-init.py: |
+{{- include "helm-toolkit.scripts.db_init" . | indent 4 }}
+  db-sync.sh: |
+{{ tuple "bin/_db-sync.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  db-drop.py: |
+{{- include "helm-toolkit.scripts.db_drop" . | indent 4 }}
+  ks-service.sh: |
+{{- include "helm-toolkit.scripts.keystone_service" . | indent 4 }}
+  ks-endpoints.sh: |
+{{- include "helm-toolkit.scripts.keystone_endpoints" . | indent 4 }}
+  ks-user.sh: |
+{{- include "helm-toolkit.scripts.keystone_user" . | indent 4 }}
+  ks-domain-user.sh: |
+{{- include "helm-toolkit.scripts.keystone_domain_user" . | indent 4 }}
+  magnum-api.sh: |
+{{ tuple "bin/_magnum-api.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  magnum-conductor.sh: |
+{{ tuple "bin/_magnum-conductor.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  magnum-conductor-init.sh: |
+{{ tuple "bin/_magnum-conductor-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  rabbit-init.sh: |
+{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }}
+{{- end }}
diff --git a/charts/magnum/templates/configmap-etc.yaml b/charts/magnum/templates/configmap-etc.yaml
new file mode 100644
index 0000000..466e2ae
--- /dev/null
+++ b/charts/magnum/templates/configmap-etc.yaml
@@ -0,0 +1,97 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_etc }}
+{{- $envAll := . }}
+
+{{- if empty .Values.conf.magnum.keystone_authtoken.auth_uri -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.magnum.keystone_authtoken "auth_uri" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.magnum.keystone_authtoken.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.magnum.keystone_authtoken "auth_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.magnum.keystone_authtoken.region_name -}}
+{{- $_ := set .Values.conf.magnum.keystone_authtoken "region_name" .Values.endpoints.identity.auth.magnum.region_name -}}
+{{- end -}}
+{{- if empty .Values.conf.magnum.keystone_authtoken.project_name -}}
+{{- $_ := set .Values.conf.magnum.keystone_authtoken "project_name" .Values.endpoints.identity.auth.magnum.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.magnum.keystone_authtoken.project_domain_name -}}
+{{- $_ := set .Values.conf.magnum.keystone_authtoken "project_domain_name" .Values.endpoints.identity.auth.magnum.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.magnum.keystone_authtoken.user_domain_name -}}
+{{- $_ := set .Values.conf.magnum.keystone_authtoken "user_domain_name" .Values.endpoints.identity.auth.magnum.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.magnum.keystone_authtoken.username -}}
+{{- $_ := set .Values.conf.magnum.keystone_authtoken "username" .Values.endpoints.identity.auth.magnum.username -}}
+{{- end -}}
+{{- if empty .Values.conf.magnum.keystone_authtoken.password -}}
+{{- $_ := set .Values.conf.magnum.keystone_authtoken "password" .Values.endpoints.identity.auth.magnum.password -}}
+{{- end -}}
+
+{{- if empty .Values.conf.magnum.keystone_authtoken.memcached_servers -}}
+{{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.magnum.keystone_authtoken "memcached_servers" -}}
+{{- end -}}
+{{- if empty .Values.conf.magnum.keystone_authtoken.memcache_secret_key -}}
+{{- $_ := set .Values.conf.magnum.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
+{{- end -}}
+
+{{- if empty .Values.conf.magnum.database.connection -}}
+{{- $_ := tuple "oslo_db" "internal" "magnum" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.magnum.database "connection" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.magnum.DEFAULT.transport_url -}}
+{{- $_ := tuple "oslo_messaging" "internal" "magnum" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" | set .Values.conf.magnum.DEFAULT "transport_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.magnum.api.port -}}
+{{- $_ := tuple "container-infra" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.magnum.api "port" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.magnum.trust.trustee_domain_name -}}
+{{- $_ := set .Values.conf.magnum.trust "trustee_domain_name" .Values.endpoints.identity.auth.magnum_stack_user.domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.magnum.trust.trustee_domain_admin_name -}}
+{{- $_ := set .Values.conf.magnum.trust "trustee_domain_admin_name" .Values.endpoints.identity.auth.magnum_stack_user.username -}}
+{{- end -}}
+{{- if empty .Values.conf.magnum.trust.trustee_domain_admin_password -}}
+{{- $_ := set .Values.conf.magnum.trust "trustee_domain_admin_password" .Values.endpoints.identity.auth.magnum_stack_user.password -}}
+{{- end -}}
+
+{{- if and (empty .Values.conf.logging.handler_fluent) (has "fluent" .Values.conf.logging.handlers.keys) -}}
+{{- $fluentd_host := tuple "fluentd" "internal" $envAll | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $fluentd_port := tuple "fluentd" "internal" "service" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .Release.Name $fluentd_host $fluentd_port }}
+{{- $handler_fluent := dict "class" "fluent.handler.FluentHandler" "formatter" "fluent" "args" $fluent_args -}}
+{{- $_ := set .Values.conf.logging "handler_fluent" $handler_fluent -}}
+{{- end -}}
+
+{{- if and (empty .Values.conf.logging.formatter_fluent) (has "fluent" .Values.conf.logging.formatters.keys) -}}
+{{- $formatter_fluent := dict "class" "oslo_log.formatters.FluentFormatter" -}}
+{{- $_ := set .Values.conf.logging "formatter_fluent" $formatter_fluent -}}
+{{- end -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: magnum-etc
+type: Opaque
+data:
+  magnum.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.magnum | b64enc }}
+  logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
+  api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
+  policy.yaml: {{ toYaml .Values.conf.policy | b64enc }}
+{{- end }}
diff --git a/charts/magnum/templates/deployment-api.yaml b/charts/magnum/templates/deployment-api.yaml
new file mode 100644
index 0000000..fbb43d2
--- /dev/null
+++ b/charts/magnum/templates/deployment-api.yaml
@@ -0,0 +1,130 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment_api }}
+{{- $envAll := . }}
+
+{{- $mounts_magnum_api := .Values.pod.mounts.magnum_api.magnum_api }}
+{{- $mounts_magnum_api_init := .Values.pod.mounts.magnum_api.init_container }}
+
+{{- $serviceAccountName := "magnum-api" }}
+{{ tuple $envAll "api" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: magnum-api
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "magnum" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.api }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "magnum" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "magnum" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      affinity:
+{{ tuple $envAll "magnum" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+      nodeSelector:
+        {{ .Values.labels.api.node_selector_key }}: {{ .Values.labels.api.node_selector_value }}
+      terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.api.timeout | default "30" }}
+      initContainers:
+{{ tuple $envAll "api" $mounts_magnum_api_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: magnum-api
+{{ tuple $envAll "magnum_api" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          securityContext:
+            runAsUser: {{ .Values.pod.user.magnum.uid }}
+          command:
+            - /tmp/magnum-api.sh
+            - start
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - /tmp/magnum-api.sh
+                  - stop
+          ports:
+            - name: m-api
+              containerPort: {{ tuple "container-infra" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+          readinessProbe:
+            httpGet:
+              scheme: HTTP
+              path: /
+              port: {{ tuple "container-infra" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+            initialDelaySeconds: 15
+            periodSeconds: 10
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: magnum-bin
+              mountPath: /tmp/magnum-api.sh
+              subPath: magnum-api.sh
+              readOnly: true
+            - name: pod-etc-magnum
+              mountPath: /etc/magnum
+            - name: pod-var-cache-magnum
+              mountPath: /var/cache/magnum
+            - name: magnum-etc
+              mountPath: /etc/magnum/magnum.conf
+              subPath: magnum.conf
+              readOnly: true
+            {{- if .Values.conf.magnum.DEFAULT.log_config_append }}
+            - name: magnum-etc
+              mountPath: {{ .Values.conf.magnum.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.magnum.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+            - name: magnum-etc
+              mountPath: /etc/magnum/api-paste.ini
+              subPath: api-paste.ini
+              readOnly: true
+            - name: magnum-etc
+              mountPath: /etc/magnum/policy.yaml
+              subPath: policy.yaml
+              readOnly: true
+            - name: magnum-lock-path
+              mountPath: {{ .Values.conf.magnum.oslo_concurrency.lock_path }}
+{{ if $mounts_magnum_api.volumeMounts }}{{ toYaml $mounts_magnum_api.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: pod-etc-magnum
+          emptyDir: {}
+        - name: pod-var-cache-magnum
+          emptyDir: {}
+        - name: magnum-bin
+          configMap:
+            name: magnum-bin
+            defaultMode: 0555
+        - name: magnum-etc
+          secret:
+            secretName: magnum-etc
+            defaultMode: 0444
+        - name: magnum-lock-path
+          emptyDir: {}
+{{ if $mounts_magnum_api.volumes }}{{ toYaml $mounts_magnum_api.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/magnum/templates/ingress-api.yaml b/charts/magnum/templates/ingress-api.yaml
new file mode 100644
index 0000000..3bd1e40
--- /dev/null
+++ b/charts/magnum/templates/ingress-api.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
+{{- $ingressOpts := dict "envAll" . "backendServiceType" "container-infra" "backendPort" "m-api" -}}
+{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+{{- end }}
diff --git a/charts/magnum/templates/job-bootstrap.yaml b/charts/magnum/templates/job-bootstrap.yaml
new file mode 100644
index 0000000..83ecd2e
--- /dev/null
+++ b/charts/magnum/templates/job-bootstrap.yaml
@@ -0,0 +1,23 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.bootstrap" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "5"
+{{- end }}
+
+{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
+{{- $bootstrapJob := dict "envAll" . "serviceName" "magnum" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.magnum.DEFAULT.log_config_append "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) -}}
+{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
+{{- end }}
diff --git a/charts/magnum/templates/job-db-drop.yaml b/charts/magnum/templates/job-db-drop.yaml
new file mode 100644
index 0000000..3d8c3ad
--- /dev/null
+++ b/charts/magnum/templates/job-db-drop.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_db_drop }}
+{{- $dbDropJob := dict "envAll" . "serviceName" "magnum" -}}
+{{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
+{{- end }}
diff --git a/charts/magnum/templates/job-db-init.yaml b/charts/magnum/templates/job-db-init.yaml
new file mode 100644
index 0000000..130e57c
--- /dev/null
+++ b/charts/magnum/templates/job-db-init.yaml
@@ -0,0 +1,23 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_init" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-5"
+{{- end }}
+
+{{- if .Values.manifests.job_db_init }}
+{{- $dbInitJob := dict "envAll" . "serviceName" "magnum" "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml) -}}
+{{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
+{{- end }}
diff --git a/charts/magnum/templates/job-db-sync.yaml b/charts/magnum/templates/job-db-sync.yaml
new file mode 100644
index 0000000..2b5baa3
--- /dev/null
+++ b/charts/magnum/templates/job-db-sync.yaml
@@ -0,0 +1,23 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_sync" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end }}
+
+{{- if .Values.manifests.job_db_sync }}
+{{- $dbSyncJob := dict "envAll" . "serviceName" "magnum" "podVolMounts" .Values.pod.mounts.magnum_db_sync.magnum_db_sync.volumeMounts "podVols" .Values.pod.mounts.magnum_db_sync.magnum_db_sync.volumes "jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml) -}}
+{{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
+{{- end }}
diff --git a/charts/magnum/templates/job-image-repo-sync.yaml b/charts/magnum/templates/job-image-repo-sync.yaml
new file mode 100644
index 0000000..4cb0670
--- /dev/null
+++ b/charts/magnum/templates/job-image-repo-sync.yaml
@@ -0,0 +1,22 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.repo_sync" }}
+helm.sh/hook: post-install,post-upgrade
+{{- end }}
+
+{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
+{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "magnum" "jobAnnotations" (include "metadata.annotations.job.repo_sync" . | fromYaml) -}}
+{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
+{{- end }}
diff --git a/charts/magnum/templates/job-ks-endpoints.yaml b/charts/magnum/templates/job-ks-endpoints.yaml
new file mode 100644
index 0000000..179aeaa
--- /dev/null
+++ b/charts/magnum/templates/job-ks-endpoints.yaml
@@ -0,0 +1,23 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_endpoints" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-2"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_endpoints }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "magnum" "serviceTypes" ( tuple "container-infra" ) "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) -}}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
+{{- end }}
diff --git a/charts/magnum/templates/job-ks-service.yaml b/charts/magnum/templates/job-ks-service.yaml
new file mode 100644
index 0000000..5e7944b
--- /dev/null
+++ b/charts/magnum/templates/job-ks-service.yaml
@@ -0,0 +1,23 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_service" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-3"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_service }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "magnum" "serviceTypes" ( tuple "container-infra" ) "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) -}}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
+{{- end }}
diff --git a/charts/magnum/templates/job-ks-user-domain.yaml b/charts/magnum/templates/job-ks-user-domain.yaml
new file mode 100644
index 0000000..4521148
--- /dev/null
+++ b/charts/magnum/templates/job-ks-user-domain.yaml
@@ -0,0 +1,88 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_ks_user_domain }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := "magnum-ks-user-domain" }}
+{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: magnum-domain-ks-user
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "magnum" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      nodeSelector:
+        {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+      initContainers:
+{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: magnum-ks-domain-user
+{{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.image" | indent 10 }}
+          command:
+            - /tmp/ks-domain-user.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-user-sh
+              mountPath: /tmp/ks-domain-user.sh
+              subPath: ks-domain-user.sh
+              readOnly: true
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: SERVICE_OS_SERVICE_NAME
+              value: "magnum"
+            - name: SERVICE_OS_REGION_NAME
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.secrets.identity.magnum_stack_user }}
+                  key: OS_REGION_NAME
+            - name: SERVICE_OS_DOMAIN_NAME
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.secrets.identity.magnum_stack_user }}
+                  key: OS_DOMAIN_NAME
+            - name: SERVICE_OS_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.secrets.identity.magnum_stack_user }}
+                  key: OS_USERNAME
+            - name: SERVICE_OS_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.secrets.identity.magnum_stack_user }}
+                  key: OS_PASSWORD
+            - name: SERVICE_OS_ROLE
+              value: {{ .Values.endpoints.identity.auth.magnum_stack_user.role | quote }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-user-sh
+          configMap:
+            name: magnum-bin
+            defaultMode: 0555
+{{- end }}
diff --git a/charts/magnum/templates/job-ks-user.yaml b/charts/magnum/templates/job-ks-user.yaml
new file mode 100644
index 0000000..cf34873
--- /dev/null
+++ b/charts/magnum/templates/job-ks-user.yaml
@@ -0,0 +1,23 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_user" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-1"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_user }}
+{{- $ksUserJob := dict "envAll" . "serviceName" "magnum" "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) -}}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
+{{- end }}
diff --git a/charts/magnum/templates/job-rabbit-init.yaml b/charts/magnum/templates/job-rabbit-init.yaml
new file mode 100644
index 0000000..399a32e
--- /dev/null
+++ b/charts/magnum/templates/job-rabbit-init.yaml
@@ -0,0 +1,23 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.rabbit_init" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end }}
+
+{{- if .Values.manifests.job_rabbit_init }}
+{{- $rmqUserJob := dict "envAll" . "serviceName" "magnum" "jobAnnotations" (include "metadata.annotations.job.rabbit_init" . | fromYaml) -}}
+{{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }}
+{{- end }}
diff --git a/charts/magnum/templates/network_policy.yaml b/charts/magnum/templates/network_policy.yaml
new file mode 100644
index 0000000..51076aa
--- /dev/null
+++ b/charts/magnum/templates/network_policy.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "magnum" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/charts/magnum/templates/pdb-api.yaml b/charts/magnum/templates/pdb-api.yaml
new file mode 100644
index 0000000..db5cf71
--- /dev/null
+++ b/charts/magnum/templates/pdb-api.yaml
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pdb_api }}
+{{- $envAll := . }}
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: magnum-api
+spec:
+  minAvailable: {{ .Values.pod.lifecycle.disruption_budget.api.min_available }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "magnum" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{- end }}
diff --git a/charts/magnum/templates/secret-db.yaml b/charts/magnum/templates/secret-db.yaml
new file mode 100644
index 0000000..bb8ef38
--- /dev/null
+++ b/charts/magnum/templates/secret-db.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_db }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "magnum" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+  DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
+{{- end }}
+{{- end }}
diff --git a/charts/magnum/templates/secret-keystone.yaml b/charts/magnum/templates/secret-keystone.yaml
new file mode 100644
index 0000000..3bbc5e6
--- /dev/null
+++ b/charts/magnum/templates/secret-keystone.yaml
@@ -0,0 +1,40 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_keystone }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "magnum" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $envAll.Values.secrets.identity.magnum_stack_user }}
+type: Opaque
+data:
+  OS_AUTH_URL: {{ tuple "identity" "internal" "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
+  OS_REGION_NAME: {{ .Values.endpoints.identity.auth.magnum_stack_user.region_name | b64enc }}
+  OS_DOMAIN_NAME: {{ .Values.endpoints.identity.auth.magnum_stack_user.domain_name | b64enc }}
+  OS_USERNAME: {{ .Values.endpoints.identity.auth.magnum_stack_user.username | b64enc }}
+  OS_PASSWORD: {{ .Values.endpoints.identity.auth.magnum_stack_user.password | b64enc }}
+{{- end }}
diff --git a/charts/magnum/templates/secret-rabbitmq.yaml b/charts/magnum/templates/secret-rabbitmq.yaml
new file mode 100644
index 0000000..2f267be
--- /dev/null
+++ b/charts/magnum/templates/secret-rabbitmq.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_rabbitmq }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "magnum" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+  RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/magnum/templates/secret-registry.yaml b/charts/magnum/templates/secret-registry.yaml
new file mode 100644
index 0000000..da979b3
--- /dev/null
+++ b/charts/magnum/templates/secret-registry.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
diff --git a/charts/magnum/templates/service-api.yaml b/charts/magnum/templates/service-api.yaml
new file mode 100644
index 0000000..7c6a0d0
--- /dev/null
+++ b/charts/magnum/templates/service-api.yaml
@@ -0,0 +1,37 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service_api }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tuple "container-infra" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+  ports:
+    - name: m-api
+      port: {{ tuple "container-infra" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+    {{ if .Values.network.api.node_port.enabled }}
+      nodePort: {{ .Values.network.api.node_port.port }}
+    {{ end }}
+  selector:
+{{ tuple $envAll "magnum" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  {{ if .Values.network.api.node_port.enabled }}
+  type: NodePort
+  {{ if .Values.network.api.external_policy_local }}
+  externalTrafficPolicy: Local
+  {{ end }}
+  {{ end }}
+{{- end }}
diff --git a/charts/magnum/templates/service-ingress-api.yaml b/charts/magnum/templates/service-ingress-api.yaml
new file mode 100644
index 0000000..5c9513d
--- /dev/null
+++ b/charts/magnum/templates/service-ingress-api.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_ingress_api .Values.network.api.ingress.public }}
+{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "container-infra" -}}
+{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
+{{- end }}
diff --git a/charts/magnum/templates/statefulset-conductor.yaml b/charts/magnum/templates/statefulset-conductor.yaml
new file mode 100644
index 0000000..44d8b02
--- /dev/null
+++ b/charts/magnum/templates/statefulset-conductor.yaml
@@ -0,0 +1,134 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.statefulset_conductor }}
+{{- $envAll := . }}
+
+{{- $mounts_magnum_conductor := .Values.pod.mounts.magnum_conductor.magnum_conductor }}
+{{- $mounts_magnum_conductor_init := .Values.pod.mounts.magnum_conductor.init_container }}
+
+{{- $serviceAccountName := "magnum-conductor" }}
+{{ tuple $envAll "conductor" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: magnum-conductor
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "magnum" "conductor" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  serviceName: magnum-conductor
+  podManagementPolicy: "Parallel"
+  replicas: {{ .Values.pod.replicas.conductor }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "magnum" "conductor" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "magnum" "conductor" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      affinity:
+{{ tuple $envAll "magnum" "conductor" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+      nodeSelector:
+        {{ .Values.labels.conductor.node_selector_key }}: {{ .Values.labels.conductor.node_selector_value }}
+      initContainers:
+{{ tuple $envAll "conductor" $mounts_magnum_conductor_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: magnum-conductor-init
+{{ tuple $envAll "magnum_conductor" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.conductor | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          securityContext:
+            runAsUser: {{ .Values.pod.user.magnum.uid }}
+          env:
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+          command:
+            - /tmp/magnum-conductor-init.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: magnum-bin
+              mountPath: /tmp/magnum-conductor-init.sh
+              subPath: magnum-conductor-init.sh
+              readOnly: true
+            - name: pod-shared
+              mountPath: /tmp/pod-shared
+      containers:
+        - name: magnum-conductor
+{{ tuple $envAll "magnum_conductor" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.conductor | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          securityContext:
+            runAsUser: {{ .Values.pod.user.magnum.uid }}
+          command:
+            - /tmp/magnum-conductor.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: magnum-bin
+              mountPath: /tmp/magnum-conductor.sh
+              subPath: magnum-conductor.sh
+              readOnly: true
+            - name: pod-etc-magnum
+              mountPath: /etc/magnum
+            - name: magnum-etc
+              mountPath: /etc/magnum/magnum.conf
+              subPath: magnum.conf
+              readOnly: true
+            {{- if .Values.conf.magnum.DEFAULT.log_config_append }}
+            - name: magnum-etc
+              mountPath: {{ .Values.conf.magnum.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.magnum.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+            - name: magnum-etc
+              mountPath: /etc/magnum/policy.yaml
+              subPath: policy.yaml
+              readOnly: true
+            - name: pod-shared
+              mountPath: /tmp/pod-shared
+            - name: magnum-lock-path
+              mountPath: {{ .Values.conf.magnum.oslo_concurrency.lock_path }}
+            - name: magnum-certificate-cache
+              mountPath: {{ .Values.conf.magnum.cluster.temp_cache_dir }}
+{{ if $mounts_magnum_conductor.volumeMounts }}{{ toYaml $mounts_magnum_conductor.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: pod-etc-magnum
+          emptyDir: {}
+        - name: pod-shared
+          emptyDir: {}
+        - name: magnum-bin
+          configMap:
+            name: magnum-bin
+            defaultMode: 0555
+        - name: magnum-etc
+          secret:
+            secretName: magnum-etc
+            defaultMode: 0444
+        - name: magnum-lock-path
+          emptyDir: {}
+        - name: magnum-certificate-cache
+          emptyDir: {}
+{{ if $mounts_magnum_conductor.volumes }}{{ toYaml $mounts_magnum_conductor.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/magnum/values.yaml b/charts/magnum/values.yaml
new file mode 100644
index 0000000..4280f0b
--- /dev/null
+++ b/charts/magnum/values.yaml
@@ -0,0 +1,631 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for magnum.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+---
+release_group: null
+
+labels:
+  api:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  conductor:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  job:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+
+images:
+  tags:
+    bootstrap: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    db_init: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    magnum_db_sync: docker.io/openstackhelm/magnum:wallaby-ubuntu_focal
+    db_drop: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    rabbit_init: docker.io/rabbitmq:3.7-management
+    ks_user: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    ks_service: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    ks_endpoints: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    magnum_api: docker.io/openstackhelm/magnum:wallaby-ubuntu_focal
+    magnum_conductor: docker.io/openstackhelm/magnum:wallaby-ubuntu_focal
+    dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    image_repo_sync: docker.io/docker:17.07.0
+  pull_policy: "IfNotPresent"
+  local_registry:
+    active: false
+    exclude:
+      - dep_check
+      - image_repo_sync
+
+conf:
+  paste:
+    pipeline:main:
+      pipeline: cors healthcheck request_id authtoken api_v1
+    app:api_v1:
+      paste.app_factory: magnum.api.app:app_factory
+    filter:authtoken:
+      acl_public_routes: /, /v1
+      paste.filter_factory: magnum.api.middleware.auth_token:AuthTokenMiddleware.factory
+    filter:request_id:
+      paste.filter_factory: oslo_middleware:RequestId.factory
+    filter:cors:
+      paste.filter_factory: oslo_middleware.cors:filter_factory
+      oslo_config_project: magnum
+    filter:healthcheck:
+      paste.filter_factory: oslo_middleware:Healthcheck.factory
+      backends: disable_by_file
+      disable_by_file_path: /etc/magnum/healthcheck_disable
+  policy: {}
+  magnum:
+    DEFAULT:
+      log_config_append: /etc/magnum/logging.conf
+      transport_url: null
+    cluster:
+      temp_cache_dir: /var/lib/magnum/certificate-cache
+    oslo_messaging_notifications:
+      driver: messaging
+    oslo_concurrency:
+      lock_path: /var/lib/magnum/tmp
+    oslo_policy:
+      policy_file: /etc/magnum/policy.yaml
+    certificates:
+      cert_manager_type: barbican
+    database:
+      max_retries: -1
+    trust:
+      trustee_domain_name: null
+    keystone_authtoken:
+      auth_type: password
+      auth_version: v3
+      memcache_security_strategy: ENCRYPT
+    api:
+      # NOTE(portdirect): the bind port should not be defined, and is manipulated
+      # via the endpoints section.
+      port: null
+      host: 0.0.0.0
+  logging:
+    loggers:
+      keys:
+        - root
+        - magnum
+    handlers:
+      keys:
+        - stdout
+        - stderr
+        - "null"
+    formatters:
+      keys:
+        - context
+        - default
+    logger_root:
+      level: WARNING
+      handlers: 'null'
+    logger_magnum:
+      level: INFO
+      handlers:
+        - stdout
+      qualname: magnum
+    logger_amqp:
+      level: WARNING
+      handlers: stderr
+      qualname: amqp
+    logger_amqplib:
+      level: WARNING
+      handlers: stderr
+      qualname: amqplib
+    logger_eventletwsgi:
+      level: WARNING
+      handlers: stderr
+      qualname: eventlet.wsgi.server
+    logger_sqlalchemy:
+      level: WARNING
+      handlers: stderr
+      qualname: sqlalchemy
+    logger_boto:
+      level: WARNING
+      handlers: stderr
+      qualname: boto
+    handler_null:
+      class: logging.NullHandler
+      formatter: default
+      args: ()
+    handler_stdout:
+      class: StreamHandler
+      args: (sys.stdout,)
+      formatter: context
+    handler_stderr:
+      class: StreamHandler
+      args: (sys.stderr,)
+      formatter: context
+    formatter_context:
+      class: oslo_log.formatters.ContextFormatter
+      datefmt: "%Y-%m-%d %H:%M:%S"
+    formatter_default:
+      format: "%(message)s"
+      datefmt: "%Y-%m-%d %H:%M:%S"
+
+network:
+  api:
+    ingress:
+      public: true
+      classes:
+        namespace: "nginx"
+        cluster: "nginx-cluster"
+      annotations:
+        nginx.ingress.kubernetes.io/rewrite-target: /
+    external_policy_local: false
+    node_port:
+      enabled: false
+      port: 30511
+
+bootstrap:
+  enabled: false
+  ks_user: magnum
+  script: |
+    openstack token issue
+
+dependencies:
+  dynamic:
+    common:
+      local_image_registry:
+        jobs:
+          - magnum-image-repo-sync
+        services:
+          - endpoint: node
+            service: local_image_registry
+  static:
+    api:
+      jobs:
+        - magnum-db-sync
+        - magnum-ks-user
+        - magnum-domain-ks-user
+        - magnum-ks-endpoints
+        - magnum-rabbit-init
+      services:
+        - endpoint: internal
+          service: oslo_db
+        - endpoint: internal
+          service: identity
+        - endpoint: internal
+          service: oslo_messaging
+        - endpoint: internal
+          service: key_manager
+        - endpoint: internal
+          service: orchestration
+    conductor:
+      jobs:
+        - magnum-db-sync
+        - magnum-ks-user
+        - magnum-domain-ks-user
+        - magnum-ks-endpoints
+        - magnum-rabbit-init
+      services:
+        - endpoint: internal
+          service: oslo_db
+        - endpoint: internal
+          service: identity
+        - endpoint: internal
+          service: oslo_messaging
+        - endpoint: internal
+          service: key_manager
+        - endpoint: internal
+          service: orchestration
+    db_drop:
+      services:
+        - endpoint: internal
+          service: oslo_db
+    db_init:
+      services:
+        - endpoint: internal
+          service: oslo_db
+    db_sync:
+      jobs:
+        - magnum-db-init
+      services:
+        - endpoint: internal
+          service: oslo_db
+    ks_endpoints:
+      jobs:
+        - magnum-ks-service
+      services:
+        - endpoint: internal
+          service: identity
+    ks_service:
+      services:
+        - endpoint: internal
+          service: identity
+    ks_user:
+      services:
+        - endpoint: internal
+          service: identity
+    rabbit_init:
+      services:
+        - endpoint: internal
+          service: oslo_messaging
+    image_repo_sync:
+      services:
+        - endpoint: internal
+          service: local_image_registry
+
+# Names of secrets used by bootstrap and environmental checks
+secrets:
+  identity:
+    admin: magnum-keystone-admin
+    magnum: magnum-keystone-user
+    magnum_stack_user: magnum-keystone-stack-user
+  oslo_db:
+    admin: magnum-db-admin
+    magnum: magnum-db-user
+  oslo_messaging:
+    admin: magnum-rabbitmq-admin
+    magnum: magnum-rabbitmq-user
+  oci_image_registry:
+    magnum: magnum-oci-image-registry
+
+# typically overridden by environmental
+# values, but should include all endpoints
+# required by this chart
+endpoints:
+  cluster_domain_suffix: cluster.local
+  local_image_registry:
+    name: docker-registry
+    namespace: docker-registry
+    hosts:
+      default: localhost
+      internal: docker-registry
+      node: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      magnum:
+        username: magnum
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
+  identity:
+    name: keystone
+    auth:
+      admin:
+        region_name: RegionOne
+        username: admin
+        password: password
+        project_name: admin
+        user_domain_name: default
+        project_domain_name: default
+      magnum:
+        role: admin
+        region_name: RegionOne
+        username: magnum
+        password: password
+        project_name: service
+        user_domain_name: service
+        project_domain_name: service
+      magnum_stack_user:
+        role: admin
+        region_name: RegionOne
+        username: magnum-domain
+        password: password
+        domain_name: magnum
+    hosts:
+      default: keystone
+      internal: keystone-api
+    host_fqdn_override:
+      default: null
+    path:
+      default: /v3
+    scheme:
+      default: http
+    port:
+      api:
+        default: 80
+        internal: 5000
+  container_infra:
+    name: magnum
+    hosts:
+      default: magnum-api
+      public: magnum
+    host_fqdn_override:
+      default: null
+    path:
+      default: /v1
+    scheme:
+      default: http
+    port:
+      api:
+        default: 9511
+        public: 80
+  key_manager:
+    name: barbican
+    hosts:
+      default: barbican-api
+      public: barbican
+    host_fqdn_override:
+      default: null
+    path:
+      default: /v1
+    scheme:
+      default: http
+    port:
+      api:
+        default: 9311
+        public: 80
+  orchestration:
+    name: heat
+    hosts:
+      default: heat-api
+      public: heat
+    host_fqdn_override:
+      default: null
+    path:
+      default: '/v1/%(project_id)s'
+    scheme:
+      default: 'http'
+    port:
+      api:
+        default: 8004
+        public: 80
+  oslo_db:
+    auth:
+      admin:
+        username: root
+        password: password
+      magnum:
+        username: magnum
+        password: password
+    hosts:
+      default: mariadb
+    host_fqdn_override:
+      default: null
+    path: /magnum
+    scheme: mysql+pymysql
+    port:
+      mysql:
+        default: 3306
+  oslo_cache:
+    auth:
+      # NOTE(portdirect): this is used to define the value for keystone
+      # authtoken cache encryption key, if not set it will be populated
+      # automatically with a random value, but to take advantage of
+      # this feature all services should be set to use the same key,
+      # and memcache service.
+      memcache_secret_key: null
+    hosts:
+      default: memcached
+    host_fqdn_override:
+      default: null
+    port:
+      memcache:
+        default: 11211
+  oslo_messaging:
+    auth:
+      admin:
+        username: rabbitmq
+        password: password
+      magnum:
+        username: magnum
+        password: password
+    statefulset:
+      replicas: 2
+      name: rabbitmq-rabbitmq
+    hosts:
+      default: rabbitmq
+    host_fqdn_override:
+      default: null
+    path: /magnum
+    scheme: rabbit
+    port:
+      amqp:
+        default: 5672
+      http:
+        default: 15672
+  fluentd:
+    namespace: null
+    name: fluentd
+    hosts:
+      default: fluentd-logging
+    host_fqdn_override:
+      default: null
+    path:
+      default: null
+    scheme: 'http'
+    port:
+      service:
+        default: 24224
+      metrics:
+        default: 24220
+
+pod:
+  user:
+    magnum:
+      uid: 42424
+  affinity:
+    anti:
+      type:
+        default: preferredDuringSchedulingIgnoredDuringExecution
+      topologyKey:
+        default: kubernetes.io/hostname
+      weight:
+        default: 10
+  mounts:
+    magnum_api:
+      init_container: null
+      magnum_api:
+        volumeMounts:
+        volumes:
+    magnum_conductor:
+      init_container: null
+      magnum_conductor:
+        volumeMounts:
+        volumes:
+    magnum_bootstrap:
+      init_container: null
+      magnum_bootstrap:
+        volumeMounts:
+        volumes:
+    magnum_db_sync:
+      magnum_db_sync:
+        volumeMounts:
+        volumes:
+  replicas:
+    api: 1
+    conductor: 1
+  lifecycle:
+    upgrades:
+      deployments:
+        revision_history: 3
+        pod_replacement_strategy: RollingUpdate
+        rolling_update:
+          max_unavailable: 1
+          max_surge: 3
+    disruption_budget:
+      api:
+        min_available: 0
+    termination_grace_period:
+      api:
+        timeout: 30
+  resources:
+    enabled: false
+    api:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+    conductor:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+    jobs:
+      bootstrap:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      db_init:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      db_sync:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      db_drop:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      ks_endpoints:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      ks_service:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      ks_user:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      rabbit_init:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      tests:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      image_repo_sync:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+
+
+network_policy:
+  magnum:
+    ingress:
+      - {}
+    egress:
+      - {}
+
+manifests:
+  configmap_bin: true
+  configmap_etc: true
+  deployment_api: true
+  ingress_api: true
+  job_bootstrap: true
+  job_db_init: true
+  job_db_sync: true
+  job_db_drop: false
+  job_image_repo_sync: true
+  job_ks_endpoints: true
+  job_ks_service: true
+  job_ks_user_domain: true
+  job_ks_user: true
+  job_rabbit_init: true
+  pdb_api: true
+  network_policy: false
+  secret_db: true
+  secret_keystone: true
+  secret_rabbitmq: true
+  secret_registry: true
+  service_api: true
+  service_ingress_api: true
+  statefulset_conductor: true
+...
diff --git a/charts/memcached/Chart.yaml b/charts/memcached/Chart.yaml
new file mode 100644
index 0000000..3dc1b9e
--- /dev/null
+++ b/charts/memcached/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+appVersion: v1.5.5
+description: OpenStack-Helm Memcached
+home: https://github.com/memcached/memcached
+name: memcached
+version: 0.1.12
diff --git a/charts/memcached/charts/helm-toolkit/Chart.yaml b/charts/memcached/charts/helm-toolkit/Chart.yaml
new file mode 100644
index 0000000..12e2dd2
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Helm-Toolkit
+home: https://docs.openstack.org/openstack-helm
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: helm-toolkit
+sources:
+- https://opendev.org/openstack/openstack-helm-infra
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.50
diff --git a/charts/memcached/charts/helm-toolkit/requirements.lock b/charts/memcached/charts/helm-toolkit/requirements.lock
new file mode 100644
index 0000000..08fae29
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/requirements.lock
@@ -0,0 +1,3 @@
+dependencies: []
+digest: sha256:643d5437104296e21d906ecb15b2c96ad278f20cfc4af53b12bb6069bd853726
+generated: "2023-01-13T19:09:10.042747731Z"
diff --git a/charts/memcached/charts/helm-toolkit/requirements.yaml b/charts/memcached/charts/helm-toolkit/requirements.yaml
new file mode 100644
index 0000000..27fb08a
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/requirements.yaml
@@ -0,0 +1,15 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies: []
+...
diff --git a/charts/memcached/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl b/charts/memcached/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..12b84de
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
@@ -0,0 +1,58 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves database, or basic auth, style endpoints
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      auth:
+        admin:
+          username: root
+          password: password
+        service_username:
+          username: username
+          password: password
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+      path: /dbname
+      scheme: mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "service_username" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+return: |
+  mysql+pymysql://serviceuser:password@mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s:%s@%s:%s%s" $endpointScheme $endpointUser $endpointPass $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl b/charts/memcached/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..b7cf287
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
@@ -0,0 +1,121 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves endpoint string suitible for use with oslo.messaging transport url
+  See: https://docs.openstack.org/oslo.messaging/latest/reference/transport.html#oslo_messaging.TransportURL
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset:
+            replicas: 2
+            name: rabbitmq-rabbitmq
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: null
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq-rabbitmq-0.rabbitmq.default.svc.cluster.local:5672,cinder:password@rabbitmq-rabbitmq-1.rabbitmq.default.svc.cluster.local:5672/cinder
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset: null
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: null
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq.default.svc.cluster.local:5672/cinder
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset:
+            replicas: 2
+            name: rabbitmq-rabbitmq
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: rabbitmq.openstackhelm.org
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq.openstackhelm.org:5672/cinder
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" -}}
+{{-   $type := index . 0 -}}
+{{-   $endpoint := index . 1 -}}
+{{-   $userclass := index . 2 -}}
+{{-   $port := index . 3 -}}
+{{-   $context := index . 4 -}}
+{{-   $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{-   $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{-   $ssMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "statefulset" | default false}}
+{{-   $hostFqdnOverride := index $context.Values.endpoints ( $type | replace "-" "_" ) "host_fqdn_override" }}
+{{-   $endpointUser := index $userMap "username" }}
+{{-   $endpointPass := index $userMap "password" }}
+{{-   $endpointHostSuffix := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{-   $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{-   $local := dict "endpointCredsAndHosts" list -}}
+{{-   if not (or (index $hostFqdnOverride $endpoint | default ( index $hostFqdnOverride "default" ) ) ( not $ssMap ) ) }}
+{{-     $endpointHostPrefix := $ssMap.name }}
+{{-     range $podInt := until ( atoi (print $ssMap.replicas ) ) }}
+{{-       $endpointCredAndHost := printf "%s:%s@%s-%d.%s:%s" $endpointUser $endpointPass $endpointHostPrefix $podInt $endpointHostSuffix $endpointPort }}
+{{-       $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{-     end }}
+{{-   else }}
+{{-     $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{-     $endpointCredAndHost := printf "%s:%s@%s:%s" $endpointUser $endpointPass $endpointHost $endpointPort }}
+{{-     $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{-   end }}
+{{-   $endpointCredsAndHosts := include "helm-toolkit.utils.joinListWithComma" $local.endpointCredsAndHosts }}
+{{-   $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{-   printf "%s://%s%s" $endpointScheme $endpointCredsAndHosts $endpointPath }}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl b/charts/memcached/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
new file mode 100644
index 0000000..fb8bbe7
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves either the fully qualified hostname, of if defined in the host field
+  IPv4 for an endpoint.
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default:
+             host: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: 127.0.0.1
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      127.0.0.1
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default:
+             host: 127.0.0.1
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      127.0.0.1
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_host_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl b/charts/memcached/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
new file mode 100644
index 0000000..447efe7
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
@@ -0,0 +1,41 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the port for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+return: |
+  3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_port_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- $endpointPortMAP := index $endpointMap.port $port }}
+{{- $endpointPort := index $endpointPortMAP $endpoint | default ( index $endpointPortMAP "default" ) }}
+{{- printf "%1.f" $endpointPort -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl b/charts/memcached/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
new file mode 100644
index 0000000..3a268c0
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
@@ -0,0 +1,36 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Gets the token for an endpoint
+values: |
+  endpoints:
+    keystone:
+      auth:
+        admin:
+          token: zh78JzXgw6YUKy2e
+usage: |
+  {{ tuple "keystone" "admin" . | include "helm-toolkit.endpoints.endpoint_token_lookup" }}
+return: |
+  zh78JzXgw6YUKy2e
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_token_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $userName := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" }}
+{{- printf "%s" $serviceToken -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl b/charts/memcached/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..6877b7b
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
@@ -0,0 +1,59 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves 'hostname:port' for an endpoint
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+          port:
+            mysql:
+              default: 3306
+    usage: |
+      {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local:3306
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: 127.0.0.1
+          host_fqdn_override:
+            default: null
+          port:
+            mysql:
+              default: 3306
+    usage: |
+      {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+    return: |
+      127.0.0.1:3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- printf "%s:%s" $endpointHostname $endpointPort -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl b/charts/memcached/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
new file mode 100644
index 0000000..26374e3
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the fully qualified hostname for an endpoint
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: mariadb.openstackhelm.openstack.org
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.openstackhelm.openstack.org
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default:
+              host: mariadb.openstackhelm.openstack.org
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.openstackhelm.openstack.org
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointHostNamespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.svc.%s" $endpointHostNamespaced $context.Values.endpoints.cluster_domain_suffix }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $endpointMap.host_fqdn_override "default" | default "" ) }}
+{{- if kindIs "map" $context.Values.__FQDNendpointHostDefault }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $context.Values.__FQDNendpointHostDefault "host" ) }}
+{{- end }}
+{{- if kindIs "map" (index $endpointMap.host_fqdn_override $endpoint) }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint "host" | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl b/charts/memcached/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
new file mode 100644
index 0000000..9d60393
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
@@ -0,0 +1,40 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the namespace scoped hostname for an endpoint
+values: |
+  endpoints:
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+return: |
+  mariadb.default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.%s" $endpointHost $namespace }}
+{{- printf "%s" $endpointClusterHostname -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl b/charts/memcached/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
new file mode 100644
index 0000000..cc4d4de
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the namespace scoped hostname for an endpoint
+values: |
+  endpoints:
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" }}
+return: |
+  default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- printf "%s" $namespace -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl b/charts/memcached/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
new file mode 100644
index 0000000..f23c624
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the short hostname for an endpoint
+examples:
+  - values: |
+      endpoints:
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+    return: |
+      mariadb
+  - values: |
+      endpoints:
+        oslo_db:
+          hosts:
+            default:
+              host: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+    return: |
+      mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- printf "%s" $type -}}
+{{- else }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl b/charts/memcached/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
new file mode 100644
index 0000000..e31c0eb
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the service name for an service type
+values: |
+  endpoints:
+    identity:
+      name: keystone
+usage: |
+  {{ tuple identity . | include "keystone_endpoint_name_lookup" }}
+return: |
+  "keystone"
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_name_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointName := index $endpointMap "name" }}
+{{- $endpointName | quote -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl b/charts/memcached/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
new file mode 100644
index 0000000..b2ec648
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+  Resolves the path for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      path:
+       default: /dbname
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+return: |
+  /dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_path_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.path }}
+{{- printf "%s" $endpointMap.path | default "/" -}}
+{{- else -}}
+{{- $endpointPath := index $endpointMap.path $endpoint | default $endpointMap.path.default | default "/" }}
+{{- printf "%s" $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl b/charts/memcached/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
new file mode 100644
index 0000000..b35cb0b
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+  Resolves the scheme for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      scheme:
+        default:
+          mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+return: |
+  mysql+pymysql
+*/}}
+
+# This function returns the scheme for a service, it takes an tuple
+# input in the form: service-type, endpoint-class, port-name. eg:
+# { tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_scheme_lookup" }
+# will return the scheme setting for this particular endpoint.  In other words, for most endpoints
+# it will return either 'http' or 'https'
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.scheme }}
+{{- printf "%s" $endpointMap.scheme | default "http" -}}
+{{- else -}}
+{{- $endpointScheme := index $endpointMap.scheme $endpoint | default $endpointMap.scheme.default | default "http" }}
+{{- printf "%s" $endpointScheme -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl b/charts/memcached/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..8d0819c
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
@@ -0,0 +1,52 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  This function helps resolve uri style endpoints. It will omit the port for
+  http when 80 is used, and 443 in the case of https.
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+      path: /dbname
+      scheme: mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+return: |
+  mysql+pymysql://mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- if or ( and ( eq $endpointScheme "http" ) ( eq $endpointPort "80" ) ) ( and ( eq $endpointScheme "https" ) ( eq $endpointPort "443" ) ) -}}
+{{- printf "%s://%s%s" $endpointScheme $endpointHost $endpointPath -}}
+{{- else -}}
+{{- printf "%s://%s:%s%s" $endpointScheme $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl b/charts/memcached/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
new file mode 100644
index 0000000..cf2ef38
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  This function returns endpoint "<namespace>:<name>" pair from an endpoint
+  definition. This is used in kubernetes-entrypoint to support dependencies
+  between different services in different namespaces.
+  returns: the endpoint namespace and the service name, delimited by a colon
+
+  Normally, the service name is constructed dynamically from the hostname
+  however when an ip address is used as the hostname, we default to
+  namespace:endpointCategoryName in order to construct a valid service name
+  however this can be overridden to a custom service name by defining
+  .service.name within the endpoint definition
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      namespace: foo
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple oslo_db internal . | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}
+return: |
+  foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- with $endpointMap -}}
+{{- $endpointName := index .hosts $endpoint | default .hosts.default }}
+{{- $endpointNamespace := .namespace | default $context.Release.Namespace }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointName }}
+{{- if .service.name }}
+{{- printf "%s:%s" $endpointNamespace .service.name -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $typeYamlSafe -}}
+{{- end -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $endpointName -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl b/charts/memcached/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
new file mode 100644
index 0000000..18453ee
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for kubernete ceph storageclass
+examples:
+  - values: |
+      manifests:
+        storageclass: true
+      storageclass:
+        rbd:
+          provision_storage_class: true
+          provisioner: "ceph.com/rbd"
+          metadata:
+            default_storage_class: true
+            name: general
+          parameters:
+            #We will grab the monitors value based on helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup
+            pool: rbd
+            admin_id: admin
+            ceph_configmap_name: "ceph-etc"
+            admin_secret_name: "pvc-ceph-conf-combined-storageclass"
+            admin_secret_namespace: ceph
+            user_id: admin
+            user_secret_name: "pvc-ceph-client-key"
+            image_format: "2"
+            image_features: layering
+        cephfs:
+          provision_storage_class: true
+          provisioner: "ceph.com/cephfs"
+          metadata:
+            name: cephfs
+          parameters:
+            admin_id: admin
+            admin_secret_name: "pvc-ceph-cephfs-client-key"
+            admin_secret_namespace: ceph
+    usage: |
+      {{- range $storageclass, $val := .Values.storageclass }}
+      {{ dict "storageclass_data" $val "envAll" $ | include "helm-toolkit.manifests.ceph-storageclass" }}
+      {{- end }}
+    return: |
+      ---
+      apiVersion: storage.k8s.io/v1
+      kind: StorageClass
+      metadata:
+        annotations:
+          storageclass.kubernetes.io/is-default-class: "true"
+        name: general
+      provisioner: ceph.com/rbd
+      parameters:
+        monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+        adminId: admin
+        adminSecretName: pvc-ceph-conf-combined-storageclass
+        adminSecretNamespace: ceph
+        pool: rbd
+        userId: admin
+        userSecretName: pvc-ceph-client-key
+        image_format: "2"
+        image_features: layering
+      ---
+      apiVersion: storage.k8s.io/v1
+      kind: StorageClass
+      metadata:
+        name: cephfs
+      provisioner: ceph.com/cephfs
+      parameters:
+        monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+        adminId: admin
+        adminSecretName: pvc-ceph-cephfs-client-key
+        adminSecretNamespace: ceph
+*/}}
+
+{{- define "helm-toolkit.manifests.ceph-storageclass" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $monHost := $envAll.Values.conf.ceph.global.mon_host -}}
+{{- if empty $monHost -}}
+{{- $monHost = tuple "ceph_mon" "internal" "mon" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- end -}}
+{{- $storageclassData := index . "storageclass_data" -}}
+---
+{{- if $storageclassData.provision_storage_class }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+{{- if $storageclassData.metadata.default_storage_class }}
+  annotations:
+    storageclass.kubernetes.io/is-default-class: "true"
+{{- end }}
+  name: {{ $storageclassData.metadata.name }}
+provisioner: {{ $storageclassData.provisioner }}
+parameters:
+  monitors: {{ $monHost }}
+{{- range $attr, $value := $storageclassData.parameters }}
+  {{ $attr }}: {{ $value | quote }}
+{{- end }}
+allowVolumeExpansion: true
+
+{{- end }}
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/manifests/_certificates.tpl b/charts/memcached/charts/helm-toolkit/templates/manifests/_certificates.tpl
new file mode 100644
index 0000000..8be771e
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/manifests/_certificates.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a certificate using jetstack
+examples:
+  - values: |
+      endpoints:
+        dashboard:
+          host_fqdn_override:
+            default:
+              host: null
+              tls:
+                secretName: keystone-tls-api
+                issuerRef:
+                  name: ca-issuer
+                  duration: 2160h
+                  organization:
+                    - ACME
+                  commonName: keystone-api.openstack.svc.cluster.local
+                  privateKey:
+                    size: 2048
+                  usages:
+                    - server auth
+                    - client auth
+                  dnsNames:
+                    - cluster.local
+                  issuerRef:
+                    name: ca-issuer
+    usage: |
+      {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
+      {{ $opts | include "helm-toolkit.manifests.certificates" }}
+    return: |
+      ---
+      apiVersion: cert-manager.io/v1
+      kind: Certificate
+      metadata:
+        name: keystone-tls-api
+        namespace: NAMESPACE
+      spec:
+        commonName: keystone-api.openstack.svc.cluster.local
+        dnsNames:
+        - cluster.local
+        duration: 2160h
+        issuerRef:
+          name: ca-issuer
+        privateKey:
+          size: 2048
+        organization:
+        - ACME
+        secretName: keystone-tls-api
+        usages:
+        - server auth
+        - client auth
+*/}}
+
+{{- define "helm-toolkit.manifests.certificates" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $service := index . "service" -}}
+{{- $type := index . "type" | default "" -}}
+{{- $slice := index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" -}}
+{{/* Put in some sensible default value if one is not provided by values.yaml */}}
+{{/* If a dnsNames list is not in the values.yaml, it can be overridden by a passed-in parameter.
+  This allows user to use other HTK method to determine the URI and pass that into this method.*/}}
+{{- if not (hasKey $slice "dnsNames") -}}
+{{- $hostName := tuple $service $type $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
+{{- $_ := $dnsNames | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "dnsNames" -}}
+{{- end -}}
+{{/* Default privateKey size to 4096. This can be overridden. */}}
+{{- if not (hasKey $slice "privateKey") -}}
+{{- $_ := dict "size" ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "privateKey" -}}
+{{- else if empty (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey" "size") -}}
+{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey") "size" -}}
+{{- end -}}
+{{/* Default duration to 3 months. Note the min is 720h. This can be overridden. */}}
+{{- if not (hasKey $slice "duration") -}}
+{{- $_ := printf "%s" "2190h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "duration" -}}
+{{- end -}}
+{{/* Default renewBefore to 15 days. This can be overridden. */}}
+{{- if not (hasKey $slice "renewBefore") -}}
+{{- $_ := printf "%s" "360h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "renewBefore" -}}
+{{- end -}}
+{{/* Default the usage to server auth and client auth. This can be overridden. */}}
+{{- if not (hasKey $slice "usages") -}}
+{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}}
+{{- end -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }}
+  namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{ $slice | toYaml | indent 2 }}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/memcached/charts/helm-toolkit/templates/manifests/_ingress.tpl
new file mode 100644
index 0000000..4c476b2
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -0,0 +1,727 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a services ingress rules.
+examples:
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public: barbican
+          host_fqdn_override:
+            default: null
+            public:
+              host: barbican.openstackhelm.example
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican-namespace-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican.openstackhelm.example
+        rules:
+          - host: barbican.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican-cluster-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx-cluster"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican.openstackhelm.example
+        rules:
+          - host: barbican.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  - values: |
+      cert_issuer_type: issuer
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/secure-backends: "true"
+              nginx.ingress.kubernetes.io/backend-protocol: "https"
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+              internal: barbican-tls-api
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+          certs:
+            barbican_tls_api:
+              secretName: barbican-tls-api
+              issuerRef:
+                name: ca-issuer
+                kind: Issuer
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          cert-manager.io/issuer: ca-issuer
+          certmanager.k8s.io/issuer: ca-issuer
+          nginx.ingress.kubernetes.io/backend-protocol: https
+          nginx.ingress.kubernetes.io/secure-backends: "true"
+      spec:
+        tls:
+          - secretName: barbican-tls-public-certmanager
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/secure-backends: "true"
+              nginx.ingress.kubernetes.io/backend-protocol: "https"
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+              internal: barbican-tls-api
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+          certs:
+            barbican_tls_api:
+              secretName: barbican-tls-api
+              issuerRef:
+                name: ca-issuer
+                kind: ClusterIssuer
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer") -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          cert-manager.io/cluster-issuer: ca-issuer
+          certmanager.k8s.io/cluster-issuer: ca-issuer
+          nginx.ingress.kubernetes.io/backend-protocol: https
+          nginx.ingress.kubernetes.io/secure-backends: "true"
+      spec:
+        tls:
+          - secretName: barbican-tls-public-certmanager
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  # Sample usage for multiple DNS names associated with the same public
+  # endpoint and certificate
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        grafana:
+          name: grafana
+          hosts:
+            default: grafana-dashboard
+            public: grafana
+          host_fqdn_override:
+            public:
+              host: grafana.openstackhelm.example
+              tls:
+                dnsNames:
+                  - grafana-alt.openstackhelm.example
+                crt: "BASE64 ENCODED CERT"
+                key: "BASE64 ENCODED KEY"
+      network:
+        grafana:
+          ingress:
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          grafana:
+            grafana:
+              public: grafana-tls-public
+    usage: |
+      {{- $ingressOpts := dict "envAll" . "backendService" "grafana" "backendServiceType" "grafana" "backendPort" "dashboard" -}}
+      {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        rules:
+          - host: grafana
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana-namespace-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: grafana-tls-public
+            hosts:
+              - grafana.openstackhelm.example
+              - grafana-alt.openstackhelm.example
+        rules:
+          - host: grafana.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana-alt.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana-cluster-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx-cluster"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: grafana-tls-public
+            hosts:
+              - grafana.openstackhelm.example
+              - grafana-alt.openstackhelm.example
+        rules:
+          - host: grafana.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana-alt.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+
+*/}}
+
+{{- define "helm-toolkit.manifests.ingress._host_rules" -}}
+{{- $vHost := index . "vHost" -}}
+{{- $backendName := index . "backendName" -}}
+{{- $backendPort := index . "backendPort" -}}
+- host: {{ $vHost }}
+  http:
+    paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: {{ $backendName }}
+            port:
+{{- if or (kindIs "int" $backendPort) (regexMatch "^[0-9]{1,5}$" $backendPort) }}
+              number: {{ $backendPort | int }}
+{{- else }}
+              name: {{ $backendPort | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "helm-toolkit.manifests.ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendService := index . "backendService" | default "api" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+{{- $backendPort := index . "backendPort" -}}
+{{- $endpoint := index . "endpoint" | default "public" -}}
+{{- $certIssuer := index . "certIssuer" | default "" -}}
+{{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostNameFull := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $certIssuerType := "cluster-issuer" -}}
+{{- if $envAll.Values.cert_issuer_type }}
+{{- $certIssuerType = $envAll.Values.cert_issuer_type }}
+{{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $ingressName }}
+  annotations:
+    kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" "namespace" | quote }}
+{{- if $certIssuer }}
+    cert-manager.io/{{ $certIssuerType }}: {{ $certIssuer }}
+    certmanager.k8s.io/{{ $certIssuerType }}: {{ $certIssuer }}
+{{- $slice := index $envAll.Values.endpoints $backendServiceType "host_fqdn_override" "default" "tls" -}}
+{{- if (hasKey $slice "duration") }}
+    cert-manager.io/duration: {{ index $slice "duration" }}
+{{- end }}
+{{- end }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "hosts" }}
+{{- if $certIssuer }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ printf "%s-ing" $secretName }}
+      hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+        - {{ $vHost }}
+{{- end }}
+{{- else }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ $secretName }}
+      hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+        - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+  rules:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+{{- $hostRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
+{{- $ingressConf := $envAll.Values.network -}}
+{{- $ingressClasses := ternary (tuple "namespace") (tuple "namespace" "cluster") (and (hasKey $ingressConf "use_external_ingress_controller") $ingressConf.use_external_ingress_controller) }}
+{{- range $key2, $ingressController := $ingressClasses }}
+{{- $vHosts := list $hostNameFull }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ printf "%s-%s-%s" $ingressName $ingressController "fqdn" }}
+  annotations:
+    kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" $ingressController | quote }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
+{{- $vHosts = append $vHosts $v }}
+{{- end }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ $secretName }}
+      hosts:
+{{- range $vHost := $vHosts }}
+        - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+  rules:
+{{- range $vHost := $vHosts }}
+{{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/charts/memcached/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
new file mode 100644
index 0000000..5d98c8b
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
@@ -0,0 +1,141 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $bootstrapJob := dict "envAll" . "serviceName" "senlin" -}
+# { $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }
+
+{{- define "helm-toolkit.manifests.job_bootstrap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}}
+{{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $keystoneUser := index . "keystoneUser" | default $serviceName -}}
+{{- $openrc := index . "openrc" | default "true" -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "bootstrap" }}
+{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "bootstrap" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+      containers:
+        - name: bootstrap
+          image: {{ $envAll.Values.images.tags.bootstrap }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if eq $openrc "true" }}
+          env:
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+{{- end }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/bootstrap.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: bootstrap-sh
+              mountPath: /tmp/bootstrap.sh
+              subPath: bootstrap.sh
+              readOnly: true
+            - name: etc-service
+              mountPath: {{ dir $configFile | quote }}
+            - name: bootstrap-conf
+              mountPath: {{ $configFile | quote }}
+              subPath: {{ base $configFile | quote }}
+              readOnly: true
+            - name: bootstrap-conf
+              mountPath: {{ $logConfigFile | quote }}
+              subPath: {{ base $logConfigFile | quote }}
+              readOnly: true
+{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: bootstrap-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etc-service
+          emptyDir: {}
+        - name: bootstrap-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/charts/memcached/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
new file mode 100644
index 0000000..62ed119
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
@@ -0,0 +1,170 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToDropJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_drop_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToDrop := index . "dbToDrop" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToDrop := default (list $dbToDrop) (index . "dbsToDrop") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
+{{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-drop" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": hook-succeeded
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_drop" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_drop" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{ $dbToDropType := default "oslo" $dbToDrop.inputType }}
+        - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-drop" $key1 | quote }}
+          image: {{ $envAll.Values.images.tags.db_drop }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_drop | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: ROOT_DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToDrop.adminSecret | quote }}
+                  key: DB_CONNECTION
+{{- if eq $dbToDropType "oslo" }}
+            - name: OPENSTACK_CONFIG_FILE
+              value: {{ $dbToDrop.configFile | quote }}
+            - name: OPENSTACK_CONFIG_DB_SECTION
+              value: {{ $dbToDrop.configDbSection | quote }}
+            - name: OPENSTACK_CONFIG_DB_KEY
+              value: {{ $dbToDrop.configDbKey | quote }}
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+            - name: MARIADB_X509
+              value: "REQUIRE X509"
+{{- end }}
+{{- if eq $dbToDropType "secret" }}
+            - name: DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToDrop.userSecret | quote }}
+                  key: DB_CONNECTION
+{{- end }}
+          command:
+            - /tmp/db-drop.py
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-drop-sh
+              mountPath: /tmp/db-drop.py
+              subPath: db-drop.py
+              readOnly: true
+
+{{- if eq $dbToDropType "oslo" }}
+            - name: etc-service
+              mountPath: {{ dir $dbToDrop.configFile | quote }}
+            - name: db-drop-conf
+              mountPath: {{ $dbToDrop.configFile | quote }}
+              subPath: {{ base $dbToDrop.configFile | quote }}
+              readOnly: true
+            - name: db-drop-conf
+              mountPath: {{ $dbToDrop.logConfigFile | quote }}
+              subPath: {{ base $dbToDrop.logConfigFile | quote }}
+              readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-drop-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{- $dbToDropType := default "oslo" $dbToDrop.inputType }}
+{{- if and (eq $dbToDropType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-drop-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/charts/memcached/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
new file mode 100644
index 0000000..745e8da
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
@@ -0,0 +1,169 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToInitJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_init_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToInit := index . "dbToInit" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToInit := default (list $dbToInit) (index . "dbsToInit") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
+{{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-init" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{ $dbToInitType := default "oslo" $dbToInit.inputType }}
+        - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-init" $key1 | quote }}
+          image: {{ $envAll.Values.images.tags.db_init }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: ROOT_DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToInit.adminSecret | quote }}
+                  key: DB_CONNECTION
+{{- if eq $dbToInitType "oslo" }}
+            - name: OPENSTACK_CONFIG_FILE
+              value: {{ $dbToInit.configFile | quote }}
+            - name: OPENSTACK_CONFIG_DB_SECTION
+              value: {{ $dbToInit.configDbSection | quote }}
+            - name: OPENSTACK_CONFIG_DB_KEY
+              value: {{ $dbToInit.configDbKey | quote }}
+{{- end }}
+{{- if eq $dbToInitType "secret" }}
+            - name: DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToInit.userSecret | quote }}
+                  key: DB_CONNECTION
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+            - name: MARIADB_X509
+              value: "REQUIRE X509"
+{{- end }}
+          command:
+            - /tmp/db-init.py
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-init-sh
+              mountPath: /tmp/db-init.py
+              subPath: db-init.py
+              readOnly: true
+{{- if eq $dbToInitType "oslo" }}
+            - name: etc-service
+              mountPath: {{ dir $dbToInit.configFile | quote }}
+            - name: db-init-conf
+              mountPath: {{ $dbToInit.configFile | quote }}
+              subPath: {{ base $dbToInit.configFile | quote }}
+              readOnly: true
+            - name: db-init-conf
+              mountPath: {{ $dbToInit.logConfigFile | quote }}
+              subPath: {{ base $dbToInit.logConfigFile | quote }}
+              readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-init-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{- $dbToInitType := default "oslo" $dbToInit.inputType }}
+{{- if and (eq $dbToInitType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-init-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl b/charts/memcached/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
new file mode 100644
index 0000000..24d2496
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
@@ -0,0 +1,137 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db migration and management.
+# It can be used in charts dict created similar to the following:
+# {- $dbSyncJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }
+
+{{- define "helm-toolkit.manifests.job_db_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $podEnvVars := index . "podEnvVars" | default false -}}
+{{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "image" ( index $envAll.Values.images.tags ( printf "%s_db_sync" $serviceName )) ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
+{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+          image: {{ $dbToSync.image | quote }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if $podEnvVars }}
+          env:
+{{ $podEnvVars | toYaml | indent 12 }}
+{{- end }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/db-sync.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-sync-sh
+              mountPath: /tmp/db-sync.sh
+              subPath: db-sync.sh
+              readOnly: true
+            - name: etc-service
+              mountPath: {{ dir $dbToSync.configFile | quote }}
+            - name: db-sync-conf
+              mountPath: {{ $dbToSync.configFile | quote }}
+              subPath: {{ base $dbToSync.configFile | quote }}
+              readOnly: true
+            - name: db-sync-conf
+              mountPath: {{ $dbToSync.logConfigFile | quote }}
+              subPath: {{ base $dbToSync.logConfigFile | quote }}
+              readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-sync-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-sync-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/charts/memcached/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
new file mode 100644
index 0000000..3a7df7f
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
@@ -0,0 +1,130 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksEndpointJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksEndpointJob | include "helm-toolkit.manifests.job_ks_endpoints" }
+
+{{- define "helm-toolkit.manifests.job_ks_endpoints" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_endpoints" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_endpoints.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-endpoints" }}
+{{ tuple $envAll "ks_endpoints" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "ks-endpoints" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_endpoints" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_endpoints" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+        - name: {{ printf "%s-%s-%s" $osServiceType "ks-endpoints" $osServiceEndPoint | quote }}
+          image: {{ $envAll.Values.images.tags.ks_endpoints }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-endpoints.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-endpoints-sh
+              mountPath: /tmp/ks-endpoints.sh
+              subPath: ks-endpoints.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: OS_SVC_ENDPOINT
+              value: {{ $osServiceEndPoint | quote }}
+            - name: OS_SERVICE_NAME
+              value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+            - name: OS_SERVICE_TYPE
+              value: {{ $osServiceType | quote }}
+            - name: OS_SERVICE_ENDPOINT
+              value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-endpoints-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl b/charts/memcached/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
new file mode 100644
index 0000000..a109e3c
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
@@ -0,0 +1,124 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksServiceJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }
+
+{{- define "helm-toolkit.manifests.job_ks_service" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_service" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_service.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-service" }}
+{{ tuple $envAll "ks_service" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "ks-service" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_service" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_service" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+        - name: {{ printf "%s-%s" $osServiceType "ks-service-registration" | quote }}
+          image: {{ $envAll.Values.images.tags.ks_service }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-service.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-service-sh
+              mountPath: /tmp/ks-service.sh
+              subPath: ks-service.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: OS_SERVICE_NAME
+              value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+            - name: OS_SERVICE_TYPE
+              value: {{ $osServiceType | quote }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-service-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/charts/memcached/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
new file mode 100644
index 0000000..905eb71
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone user management.
+# It can be used in charts dict created similar to the following:
+# {- $ksUserJob := dict "envAll" . "serviceName" "senlin" }
+# { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }
+
+{{/*
+  # To enable PodSecuritycontext (PodSecurityContext/v1) define the below in values.yaml:
+  # example:
+  #  values: |
+  #    pod:
+  #      security_context:
+  #        ks_user:
+  #          pod:
+  #            runAsUser: 65534
+  # To enable Container SecurityContext(SecurityContext/v1) for ks-user container define the values:
+  # example:
+  #   values: |
+  #     pod:
+  #       security_context:
+  #         ks_user:
+  #           container:
+  #             ks-user:
+  #               runAsUser: 65534
+  #               readOnlyRootFilesystem: true
+  #               allowPrivilegeEscalation: false
+*/}}
+
+{{- define "helm-toolkit.manifests.job_ks_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_user" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_user.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "ks-user" }}
+{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceUserPretty "ks-user" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+{{ dict "envAll" $envAll "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: ks-user
+          image: {{ $envAll.Values.images.tags.ks_user }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ks_user" "container" "ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-user.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-user-sh
+              mountPath: /tmp/ks-user.sh
+              subPath: ks-user.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: SERVICE_OS_SERVICE_NAME
+              value: {{ $serviceName | quote }}
+{{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: SERVICE_OS_ROLES
+            {{- $serviceOsRoles := index $envAll.Values.endpoints.identity.auth $serviceUser "role" }}
+            {{- if kindIs "slice" $serviceOsRoles }}
+              value: {{ include "helm-toolkit.utils.joinListWithComma" $serviceOsRoles | quote }}
+            {{- else }}
+              value: {{ $serviceOsRoles | quote }}
+            {{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-user-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/charts/memcached/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
new file mode 100644
index 0000000..6982064
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
@@ -0,0 +1,129 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.manifests.job_rabbit_init" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
+{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceUserPretty "rabbit-init" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "rabbit_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "rabbit_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: rabbit-init
+          image: {{ $envAll.Values.images.tags.rabbit_init | quote }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.rabbit_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/rabbit-init.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: rabbit-init-sh
+              mountPath: /tmp/rabbit-init.sh
+              subPath: rabbit-init.sh
+              readOnly: true
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+          env:
+          - name: RABBITMQ_ADMIN_CONNECTION
+            valueFrom:
+              secretKeyRef:
+                name: {{ $envAll.Values.secrets.oslo_messaging.admin }}
+                key: RABBITMQ_CONNECTION
+          - name: RABBITMQ_USER_CONNECTION
+            valueFrom:
+              secretKeyRef:
+                name: {{ index $envAll.Values.secrets.oslo_messaging $serviceName }}
+                key: RABBITMQ_CONNECTION
+{{- if $envAll.Values.conf.rabbitmq }}
+          - name: RABBITMQ_AUXILIARY_CONFIGURATION
+            value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates (ne $tlsSecret "") }}
+          - name: RABBITMQ_X509
+            value: "REQUIRE X509"
+          - name: USER_CERT_PATH
+            value: {{ $tlsPath | quote }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: rabbit-init-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl b/charts/memcached/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
new file mode 100644
index 0000000..29cb993
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
@@ -0,0 +1,147 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for linking an s3 bucket to an s3 user.
+# It can be used in charts dict created similar to the following:
+# {- $s3BucketJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3BucketJob | include "helm-toolkit.manifests.job_s3_bucket" }
+
+{{- define "helm-toolkit.manifests.job_s3_bucket" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+{{- $s3Bucket := index . "s3Bucket" | default $serviceName }}
+{{- $tlsCertificateSecret := index . "tlsCertificateSecret" -}}
+{{- $tlsCertificatePath := index . "tlsCertificatePath" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-bucket" }}
+{{ tuple $envAll "s3_bucket" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "s3-bucket" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "s3_bucket" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "s3_bucket" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: s3-bucket
+          image: {{ $envAll.Values.images.tags.s3_bucket }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_bucket | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/create-s3-bucket.sh
+          env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: s3-bucket-sh
+              mountPath: /tmp/create-s3-bucket.sh
+              subPath: create-s3-bucket.sh
+              readOnly: true
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: ceph.conf
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+            - name: {{ $tlsCertificateSecret }}
+              mountPath: {{ $tlsCertificatePath }}
+              subPath: ca.crt
+              readOnly: true
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: s3-bucket-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etcceph
+          emptyDir: {}
+        - name: ceph-etc
+          configMap:
+            name: {{ $configMapCeph | quote }}
+            defaultMode: 0444
+        {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+        - name: ceph-keyring
+          secret:
+            secretName: pvc-ceph-client-key
+        {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+        - name: {{ $tlsCertificateSecret }}
+          secret:
+            secretName: {{ $tlsCertificateSecret }}
+            defaultMode: 292
+{{- end }}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl b/charts/memcached/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
new file mode 100644
index 0000000..50d9af5
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
@@ -0,0 +1,159 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for s3 user management.
+# It can be used in charts dict created similar to the following:
+# {- $s3UserJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3UserJob | include "helm-toolkit.manifests.job_s3_user" }
+
+{{- define "helm-toolkit.manifests.job_s3_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-user" }}
+{{ tuple $envAll "s3_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "s3-user" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook-delete-policy": before-hook-creation
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "s3_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "s3_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: ceph-keyring-placement
+          image: {{ $envAll.Values.images.tags.ceph_key_placement }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+          command:
+            - /tmp/ceph-admin-keyring.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-keyring-sh
+              mountPath: /tmp/ceph-admin-keyring.sh
+              subPath: ceph-admin-keyring.sh
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+      containers:
+        - name: s3-user
+          image: {{ $envAll.Values.images.tags.s3_user }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/create-s3-user.sh
+          env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+            - name: RGW_HOST
+              value: {{ tuple "ceph_object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: create-s3-user-sh
+              mountPath: /tmp/create-s3-user.sh
+              subPath: create-s3-user.sh
+              readOnly: true
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: ceph.conf
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: create-s3-user-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: ceph-keyring-sh
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+        - name: etcceph
+          emptyDir: {}
+        - name: ceph-etc
+          configMap:
+            name: {{ $configMapCeph | quote }}
+            defaultMode: 0444
+        {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+        - name: ceph-keyring
+          secret:
+            secretName: pvc-ceph-client-key
+        {{ end }}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl b/charts/memcached/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
new file mode 100644
index 0000000..0906df4
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
@@ -0,0 +1,119 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for the image repo sync jobs.
+# It can be used in charts dict created similar to the following:
+# {- $imageRepoSyncJob := dict "envAll" . "serviceName" "prometheus" -}
+# { $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }
+
+{{- define "helm-toolkit.manifests.job_image_repo_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "image-repo-sync" }}
+{{ tuple $envAll "image_repo_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "image-repo-sync" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook-delete-policy": before-hook-creation
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "image_repo_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+      containers:
+        - name: image-repo-sync
+{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: LOCAL_REPO
+              value: "{{ tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+            - name: IMAGE_SYNC_LIST
+              value: "{{ include "helm-toolkit.utils.image_sync_list" $envAll }}"
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/image-repo-sync.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: bootstrap-sh
+              mountPath: /tmp/image-repo-sync.sh
+              subPath: image-repo-sync.sh
+              readOnly: true
+            - name: docker-socket
+              mountPath: /var/run/docker.sock
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: bootstrap-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: docker-socket
+          hostPath:
+            path: /var/run/docker.sock
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/manifests/_network_policy.tpl b/charts/memcached/charts/helm-toolkit/templates/manifests/_network_policy.tpl
new file mode 100644
index 0000000..405197a
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/manifests/_network_policy.tpl
@@ -0,0 +1,238 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a network policy manifest for services.
+values: |
+  endpoints:
+    kube_dns:
+      namespace: kube-system
+      name: kubernetes-dns
+      hosts:
+        default: kube-dns
+      host_fqdn_override:
+        default: null
+      path:
+        default: null
+      scheme: http
+      port:
+        dns_tcp:
+          default: 53
+        dns:
+          default: 53
+          protocol: UDP
+  network_policy:
+    myLabel:
+      podSelector:
+        matchLabels:
+          component: api
+      ingress:
+      - from:
+        - podSelector:
+            matchLabels:
+              application: keystone
+        ports:
+        - protocol: TCP
+          port: 80
+      egress:
+      - to:
+        - namespaceSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+usage: |
+  {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+  {{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}
+return: |
+  ---
+  apiVersion: networking.k8s.io/v1
+  kind: NetworkPolicy
+  metadata:
+    name: RELEASE-NAME
+    namespace: NAMESPACE
+  spec:
+    policyTypes:
+      - Ingress
+      - Egress
+    podSelector:
+      matchLabels:
+        application: myLabel
+        component: api
+    ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            application: keystone
+      ports:
+      - protocol: TCP
+        port: 80
+    egress:
+      - to:
+        - podSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+  ---
+  apiVersion: networking.k8s.io/v1
+  kind: NetworkPolicy
+  metadata:
+    name: RELEASE-NAME
+    namespace: NAMESPACE
+  spec:
+    policyTypes:
+      - Ingress
+      - Egress
+    podSelector:
+      matchLabels:
+        application: myApp
+        component: myComp
+    ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            application: keystone
+      ports:
+      - protocol: TCP
+        port: 80
+    egress:
+      - to:
+        - podSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+*/}}
+
+{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $name := index . "name" -}}
+{{- $labels := index . "labels" | default nil -}}
+{{- $label := index . "key" | default (index . "label") -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ $label | replace "_" "-" }}-netpol
+  namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+  policyTypes:
+{{- $is_egress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_egress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
+    - Egress
+{{ end -}}
+{{- $is_ingress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_ingress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
+    - Ingress
+{{ end -}}
+{{- end }}
+  podSelector:
+    matchLabels:
+{{- if empty $labels }}
+      {{ $name }}: {{ $label }}
+{{- else }}
+{{ range $k, $v := $labels }}
+      {{ $k }}: {{ $v }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
+{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
+{{ index $envAll.Values.network_policy $label "podSelector" "matchLabels" | toYaml | indent 6 }}
+{{ end }}
+{{ end }}
+{{ end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+  egress:
+{{- range $key, $value := $envAll.Values.endpoints }}
+{{- if kindIs "map" $value }}
+{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }}
+    - to:
+{{- if index $value "namespace" }}
+      - namespaceSelector:
+          matchLabels:
+            name: {{ index $value "namespace" }}
+{{- else if index $value "hosts" }}
+{{- $defaultValue := index $value "hosts" "internal" }}
+{{- if hasKey (index $value "hosts") "internal" }}
+{{- $a := split "-" $defaultValue }}
+      - podSelector:
+          matchLabels:
+            application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- else }}
+{{- $defaultValue := index $value "hosts" "default" }}
+{{- $a := split "-" $defaultValue }}
+      - podSelector:
+          matchLabels:
+            application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- end }}
+{{- end }}
+{{- if index $value "port" }}
+      ports:
+{{- range $k, $v := index $value "port" }}
+{{- if $k }}
+{{- range $pk, $pv := $v }}
+{{- if and $pv (ne $pk "protocol") }}
+      - port: {{ $pv }}
+        protocol: {{ $v.protocol | default "TCP" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if index $envAll.Values.network_policy $label "egress" }}
+{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if index $envAll.Values.network_policy $label "ingress" }}
+  ingress:
+{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl b/charts/memcached/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
new file mode 100644
index 0000000..4854bb1
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
@@ -0,0 +1,93 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a authenticating a registry with a secret
+examples:
+  - values: |
+      secrets:
+        oci_image_registry:
+          {{ $serviceName }}: {{ $keyName }}
+      endpoints:
+        oci_image_registry:
+          name: oci-image-registry
+          auth:
+            enabled: true
+             {{ $serviceName }}:
+                name: {{ $userName }}
+                password: {{ $password }}
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: {{ $secretName }}
+    type: kubernetes.io/dockerconfigjson
+    data:
+      dockerconfigjson: {{ $dockerAuth }}
+
+  - values: |
+      secrets:
+        oci_image_registry:
+          {{ $serviceName }}: {{ $keyName }}
+      endpoints:
+        oci_image_registry:
+          name: oci-image-registry
+          auth:
+            enabled: true
+             {{ $serviceName }}:
+                name: {{ $userName }}
+                password: {{ $password }}
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: {{ $secretName }}
+    type: kubernetes.io/dockerconfigjson
+    data:
+      dockerconfigjson: {{ $dockerAuth }}
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_registry" }}
+{{- $envAll := index . "envAll" }}
+{{- $registryUser := index . "registryUser" }}
+{{- $secretName := index $envAll.Values.secrets.oci_image_registry $registryUser }}
+{{- $registryHost := tuple "oci_image_registry" "internal" $envAll | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{/*
+We only use "host:port" when port is non-null, else just use "host"
+*/}}
+{{- $registryPort := "" }}
+{{- $port := $envAll.Values.endpoints.oci_image_registry.port.registry.default }}
+{{- if $port }}
+{{- $port = tuple "oci_image_registry" "internal" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $registryPort = printf ":%s" $port }}
+{{- end }}
+{{- $imageCredentials := index $envAll.Values.endpoints.oci_image_registry.auth $registryUser }}
+{{- $dockerAuthToken := printf "%s:%s" $imageCredentials.username $imageCredentials.password | b64enc }}
+{{- $dockerAuth := printf "{\"auths\": {\"%s%s\": {\"auth\": \"%s\"}}}" $registryHost $registryPort $dockerAuthToken | b64enc }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ $dockerAuth }}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl b/charts/memcached/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
new file mode 100644
index 0000000..24a7045
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a services public tls secret
+examples:
+  - values: |
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        key_manager:
+          host_fqdn_override:
+            public:
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: barbican-tls-public
+    type: kubernetes.io/tls
+    data:
+      tls.key: Rk9PLUtFWQo=
+      tls.crt: Rk9PLUNSVAoKRk9PLUNBX0NSVAo=
+
+  - values: |
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        key_manager:
+          host_fqdn_override:
+            public:
+              tls:
+                crt: |
+                  FOO-CRT
+                  FOO-INTERMEDIATE_CRT
+                  FOO-CA_CRT
+                key: |
+                  FOO-KEY
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: barbican-tls-public
+    type: kubernetes.io/tls
+    data:
+      tls.key: Rk9PLUtFWQo=
+      tls.crt: Rk9PLUNSVApGT08tSU5URVJNRURJQVRFX0NSVApGT08tQ0FfQ1JUCg==
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_ingress_tls" }}
+{{- $envAll := index . "envAll" }}
+{{- $endpoint := index . "endpoint" | default "public" }}
+{{- $backendServiceType := index . "backendServiceType" }}
+{{- $backendService := index . "backendService" | default "api" }}
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and $endpointHost.tls.key $endpointHost.tls.crt }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ index $envAll.Values.secrets.tls ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+type: kubernetes.io/tls
+data:
+  tls.key: {{ $endpointHost.tls.key | b64enc }}
+{{- if $endpointHost.tls.ca }}
+  tls.crt: {{ list $endpointHost.tls.crt $endpointHost.tls.ca | join "\n" | b64enc }}
+{{- else }}
+  tls.crt: {{ $endpointHost.tls.crt | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/manifests/_service-ingress.tpl b/charts/memcached/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
new file mode 100644
index 0000000..d2e7c0e
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
@@ -0,0 +1,43 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for a services ingress rules.
+# It can be used in charts dict created similar to the following:
+# {- $serviceIngressOpts := dict "envAll" . "backendServiceType" "key-manager" -}
+# { $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }
+
+{{- define "helm-toolkit.manifests.service_ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+  ports:
+    - name: http
+      port: 80
+    - name: https
+      port: 443
+  selector:
+    app: ingress-api
+{{- if index $envAll.Values.endpoints $backendServiceType }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" "ingress" }}
+  clusterIP: {{ (index $envAll.Values.endpoints $backendServiceType "ip" "ingress") }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl b/charts/memcached/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
new file mode 100644
index 0000000..bf1465b
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_bucket" }}
+#!/bin/bash
+set -e
+CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST"
+if [ "$RGW_PROTO" = "http" ]; then
+  CONNECTION_ARGS+=" --no-ssl"
+else
+  CONNECTION_ARGS+=" --no-check-certificate"
+fi
+ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
+USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY"
+function check_rgw_s3_bucket () {
+  s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS ls s3://$S3_BUCKET
+}
+function create_rgw_s3_bucket () {
+  s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS mb s3://$S3_BUCKET
+}
+function modify_bucket_acl () {
+  s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME
+}
+check_rgw_s3_bucket || ( create_rgw_s3_bucket && modify_bucket_acl )
+{{- end }}
\ No newline at end of file
diff --git a/charts/memcached/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl b/charts/memcached/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
new file mode 100644
index 0000000..08796d2
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
@@ -0,0 +1,65 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_user" }}
+#!/bin/bash
+set -e
+function create_s3_user () {
+  echo "Creating s3 user and key pair"
+  radosgw-admin user create \
+    --uid=${S3_USERNAME} \
+    --display-name=${S3_USERNAME} \
+    --key-type=s3 \
+    --access-key ${S3_ACCESS_KEY} \
+    --secret-key ${S3_SECRET_KEY}
+}
+function update_s3_user () {
+  # Retrieve old access keys, if they exist
+  old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \
+    | jq -r '.keys[].access_key' || true)
+
+  if [[ ! -z ${old_access_keys} ]]; then
+    for access_key in $old_access_keys; do
+      # If current access key is the same as the key supplied, do nothing.
+      if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then
+        echo "Current user and key pair exists."
+        continue
+      else
+        # If keys differ, remove previous key
+        radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key
+      fi
+    done
+  fi
+
+  # Perform one more additional check to account for scenarios where multiple
+  # key pairs existed previously, but one existing key was the supplied key
+  current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \
+    | jq -r '.keys[].access_key' || true)
+
+  # If the supplied key does not exist, modify the user
+  if [[ -z ${current_access_key} ]]; then
+    # Modify user with new access and secret keys
+    echo "Updating existing user's key pair"
+    radosgw-admin user modify \
+      --uid=${S3_USERNAME}\
+      --access-key ${S3_ACCESS_KEY} \
+      --secret-key ${S3_SECRET_KEY}
+  fi
+}
+user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true)
+if [[ -z ${user_exists} ]]; then
+  create_s3_user
+else
+  update_s3_user
+fi
+{{- end }}
\ No newline at end of file
diff --git a/charts/memcached/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl b/charts/memcached/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
new file mode 100644
index 0000000..03884fa
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_drop" }}
+#!/usr/bin/env python
+
+# Drops db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+    import ConfigParser
+    PARSER_OPTS = {}
+except ImportError:
+    import configparser as ConfigParser
+    PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Drop')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+    db_connection = os.environ['ROOT_DB_CONNECTION']
+    logger.info('Got DB root connection')
+else:
+    logger.critical('environment variable ROOT_DB_CONNECTION not set')
+    sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+    ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+                        'key': '/etc/mysql/certs/tls.key',
+                        'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+    os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+    if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+        os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+        sys.exit(1)
+    if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+        os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+        sys.exit(1)
+    try:
+        config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+        logger.info("Using {0} as db config source".format(os_conf))
+        config.read(os_conf)
+        logger.info("Trying to load db config from {0}:{1}".format(
+            os_conf_section, os_conf_key))
+        user_db_conn = config.get(os_conf_section, os_conf_key)
+        logger.info("Got config from {0}".format(os_conf))
+    except:
+        logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+        raise
+elif "DB_CONNECTION" in os.environ:
+    user_db_conn = os.environ['DB_CONNECTION']
+    logger.info('Got config from DB_CONNECTION env var')
+else:
+    logger.critical('Could not get db config, either from config file or env var')
+    sys.exit(1)
+
+# Root DB engine
+try:
+    root_engine_full = create_engine(db_connection)
+    root_user = root_engine_full.url.username
+    root_password = root_engine_full.url.password
+    drivername = root_engine_full.url.drivername
+    host = root_engine_full.url.host
+    port = root_engine_full.url.port
+    root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+    root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+    connection = root_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+        host, port, root_user))
+except:
+    logger.critical('Could not connect to database as root user')
+    raise
+
+# User DB engine
+try:
+    user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+    # Get our user data out of the user_engine
+    database = user_engine.url.database
+    user = user_engine.url.username
+    password = user_engine.url.password
+    logger.info('Got user db config')
+except:
+    logger.critical('Could not get user database config')
+    raise
+
+# Delete DB
+try:
+    root_engine.execute("DROP DATABASE IF EXISTS {0}".format(database))
+    logger.info("Deleted database {0}".format(database))
+except:
+    logger.critical("Could not drop database {0}".format(database))
+    raise
+
+# Delete DB User
+try:
+    root_engine.execute("DROP USER IF EXISTS {0}".format(user))
+    logger.info("Deleted user {0}".format(user))
+except:
+    logger.critical("Could not delete user {0}".format(user))
+    raise
+
+logger.info('Finished DB Management')
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/scripts/_db-init.py.tpl b/charts/memcached/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
new file mode 100644
index 0000000..4294d40
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_init" }}
+#!/usr/bin/env python
+
+# Creates db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+    import ConfigParser
+    PARSER_OPTS = {}
+except ImportError:
+    import configparser as ConfigParser
+    PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Init')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+    db_connection = os.environ['ROOT_DB_CONNECTION']
+    logger.info('Got DB root connection')
+else:
+    logger.critical('environment variable ROOT_DB_CONNECTION not set')
+    sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+    ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+                'key': '/etc/mysql/certs/tls.key',
+                'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+    os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+    if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+        os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+        sys.exit(1)
+    if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+        os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+        sys.exit(1)
+    try:
+        config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+        logger.info("Using {0} as db config source".format(os_conf))
+        config.read(os_conf)
+        logger.info("Trying to load db config from {0}:{1}".format(
+            os_conf_section, os_conf_key))
+        user_db_conn = config.get(os_conf_section, os_conf_key)
+        logger.info("Got config from {0}".format(os_conf))
+    except:
+        logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+        raise
+elif "DB_CONNECTION" in os.environ:
+    user_db_conn = os.environ['DB_CONNECTION']
+    logger.info('Got config from DB_CONNECTION env var')
+else:
+    logger.critical('Could not get db config, either from config file or env var')
+    sys.exit(1)
+
+# Root DB engine
+try:
+    root_engine_full = create_engine(db_connection)
+    root_user = root_engine_full.url.username
+    root_password = root_engine_full.url.password
+    drivername = root_engine_full.url.drivername
+    host = root_engine_full.url.host
+    port = root_engine_full.url.port
+    root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+    root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+    connection = root_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+        host, port, root_user))
+except:
+    logger.critical('Could not connect to database as root user')
+    raise
+
+# User DB engine
+try:
+    user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+    # Get our user data out of the user_engine
+    database = user_engine.url.database
+    user = user_engine.url.username
+    password = user_engine.url.password
+    logger.info('Got user db config')
+except:
+    logger.critical('Could not get user database config')
+    raise
+
+# Create DB
+try:
+    root_engine.execute("CREATE DATABASE IF NOT EXISTS {0}".format(database))
+    logger.info("Created database {0}".format(database))
+except:
+    logger.critical("Could not create database {0}".format(database))
+    raise
+
+# Create DB User
+try:
+    root_engine.execute(
+        "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\' {3}".format(
+            database, user, password, mysql_x509))
+    logger.info("Created user {0} for {1}".format(user, database))
+except:
+    logger.critical("Could not create user {0} for {1}".format(user, database))
+    raise
+
+# Test connection
+try:
+    connection = user_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1}/{2} as {3}".format(
+        host, port, database, user))
+except:
+    logger.critical('Could not connect to database as user')
+    raise
+
+logger.info('Finished DB Management')
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl b/charts/memcached/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
new file mode 100644
index 0000000..4d7dfaa
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
@@ -0,0 +1,69 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "helm-toolkit.scripts.pg_db_init" }}
+#!/bin/bash
+set -ex
+
+if [[ ! -v DB_HOST ]]; then
+    echo "environment variable DB_HOST not set"
+    exit 1
+elif [[ ! -v DB_ADMIN_USER ]]; then
+    echo "environment variable DB_ADMIN_USER not set"
+    exit 1
+elif [[ ! -v PGPASSWORD ]]; then
+    echo "environment variable PGPASSWORD not set"
+    exit 1
+elif [[ ! -v DB_PORT ]]; then
+    echo "environment variable DB_PORT not set"
+    exit 1
+elif [[ ! -v USER_DB_USER ]]; then
+    echo "environment variable USER_DB_USER not set"
+    exit 1
+elif [[ ! -v USER_DB_PASS ]]; then
+    echo "environment variable USER_DB_PASS not set"
+    exit 1
+elif [[ ! -v USER_DB_NAME ]]; then
+    echo "environment variable USER_DB_NAME not set"
+    exit 1
+else
+    echo "Got DB connection info"
+fi
+
+pgsql_superuser_cmd () {
+  DB_COMMAND="$1"
+  if [[ ! -z $2 ]]; then
+      EXPORT PGDATABASE=$2
+  fi
+  /usr/bin/psql \
+  -h ${DB_HOST} \
+  -p ${DB_PORT} \
+  -U ${DB_ADMIN_USER} \
+  --command="${DB_COMMAND}"
+}
+
+#create db
+pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q "(1 row)" || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME"
+
+#create db user
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | grep -q "(1 row)" || \
+    pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';"
+
+#Set password everytime. This is required for cases when we would want password rotation to take effect and set the updated password for a user.
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} with password '$USER_DB_PASS'"
+
+#give permissions to user
+pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;"
+
+#revoke all privileges from PUBLIC role
+pgsql_superuser_cmd "REVOKE ALL ON DATABASE $USER_DB_NAME FROM PUBLIC;"
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl b/charts/memcached/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
new file mode 100644
index 0000000..e41abe3
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
@@ -0,0 +1,24 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.image_repo_sync" }}
+#!/bin/sh
+set -ex
+
+IFS=','; for IMAGE in ${IMAGE_SYNC_LIST}; do
+  docker pull ${IMAGE}
+  docker tag ${IMAGE} ${LOCAL_REPO}/${IMAGE}
+  docker push ${LOCAL_REPO}/${IMAGE}
+done
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl b/charts/memcached/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
new file mode 100644
index 0000000..8755cd5
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
@@ -0,0 +1,72 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_domain_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Manage domain
+SERVICE_OS_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Service Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+    "${SERVICE_OS_DOMAIN_NAME}")
+
+# Display domain
+openstack domain show "${SERVICE_OS_DOMAIN_ID}"
+
+# Manage user
+SERVICE_OS_USERID=$(openstack user create --or-show --enable -f value -c id \
+    --domain="${SERVICE_OS_DOMAIN_ID}" \
+    --description "Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+    --password="${SERVICE_OS_PASSWORD}" \
+    "${SERVICE_OS_USERNAME}")
+
+# Manage user password (we do this to ensure the password is updated if required)
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${SERVICE_OS_USERID}"
+
+# Display user
+openstack user show "${SERVICE_OS_USERID}"
+
+# Manage role
+SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \
+    "${SERVICE_OS_ROLE}" || openstack role create -f value -c id \
+    "${SERVICE_OS_ROLE}" )
+
+# Manage user role assignment
+openstack role add \
+          --domain="${SERVICE_OS_DOMAIN_ID}" \
+          --user="${SERVICE_OS_USERID}" \
+          --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+          "${SERVICE_OS_ROLE_ID}"
+
+# Display user role assignment
+openstack role assignment list \
+          --role="${SERVICE_OS_ROLE_ID}" \
+          --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+          --user="${SERVICE_OS_USERID}"
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl b/charts/memcached/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
new file mode 100644
index 0000000..e400bcd
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
@@ -0,0 +1,79 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_endpoints" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Get Service ID
+OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+                  grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+                    sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+# Get Endpoint ID if it exists
+OS_ENDPOINT_ID=$( openstack endpoint list  -f csv --quote none | \
+                  grep "^[a-z0-9]*,${OS_REGION_NAME},${OS_SERVICE_NAME},${OS_SERVICE_TYPE},True,${OS_SVC_ENDPOINT}," | \
+                  awk -F ',' '{ print $1 }' )
+
+# Making sure only a single endpoint exists for a service within a region
+if [ "$(echo $OS_ENDPOINT_ID | wc -w)" -gt "1" ]; then
+  echo "More than one endpoint found, cleaning up"
+  for ENDPOINT_ID in $OS_ENDPOINT_ID; do
+    openstack endpoint delete ${ENDPOINT_ID}
+  done
+  unset OS_ENDPOINT_ID
+fi
+
+# Determine if Endpoint needs updated
+if [[ ${OS_ENDPOINT_ID} ]]; then
+  OS_ENDPOINT_URL_CURRENT=$(openstack endpoint show ${OS_ENDPOINT_ID} -f value -c url)
+  if [ "${OS_ENDPOINT_URL_CURRENT}" == "${OS_SERVICE_ENDPOINT}" ]; then
+    echo "Endpoints Match: no action required"
+    OS_ENDPOINT_UPDATE="False"
+  else
+    echo "Endpoints Dont Match: removing existing entries"
+    openstack endpoint delete ${OS_ENDPOINT_ID}
+    OS_ENDPOINT_UPDATE="True"
+  fi
+else
+  OS_ENDPOINT_UPDATE="True"
+fi
+
+# Update Endpoint if required
+if [[ "${OS_ENDPOINT_UPDATE}" == "True" ]]; then
+  OS_ENDPOINT_ID=$( openstack endpoint create -f value -c id \
+    --region="${OS_REGION_NAME}" \
+    "${OS_SERVICE_ID}" \
+    ${OS_SVC_ENDPOINT} \
+    "${OS_SERVICE_ENDPOINT}" )
+fi
+
+# Display the Endpoint
+openstack endpoint show ${OS_ENDPOINT_ID}
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl b/charts/memcached/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
new file mode 100644
index 0000000..8356b36
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_service" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Service boilerplate description
+OS_SERVICE_DESC="${OS_REGION_NAME}: ${OS_SERVICE_NAME} (${OS_SERVICE_TYPE}) service"
+
+# Get Service ID if it exists
+unset OS_SERVICE_ID
+
+# FIXME - There seems to be an issue once in a while where the
+# openstack service list fails and encounters an error message such as:
+#   Unable to establish connection to
+#   https://keystone-api.openstack.svc.cluster.local:5000/v3/auth/tokens:
+#   ('Connection aborted.', OSError("(104, 'ECONNRESET')",))
+# During an upgrade scenario, this would cause the OS_SERVICE_ID to be blank
+# and it would attempt to create a new service when it was not needed.
+# This duplciate service would sometimes be used by other services such as
+# Horizon and would give an 'Invalid Service Catalog' error.
+# This loop allows for a 'retry' of the openstack service list in an
+# attempt to get the service list as expected if it does ecounter an error.
+# This loop and recheck can be reverted once the underlying issue is addressed.
+
+# If OS_SERVICE_ID is blank then wait a few seconds to give it
+# additional time and try again
+for i in $(seq 3)
+do
+  OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+                   grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+                   sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+  # If the service was found, go ahead and exit successfully.
+  if [[ -n "${OS_SERVICE_ID}" ]]; then
+    exit 0
+  fi
+
+  sleep 2
+done
+
+# If we've reached this point and a Service ID was not found,
+# then create the service
+OS_SERVICE_ID=$(openstack service create -f value -c id \
+                --name="${OS_SERVICE_NAME}" \
+                --description "${OS_SERVICE_DESC}" \
+                --enable \
+                "${OS_SERVICE_TYPE}")
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl b/charts/memcached/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
new file mode 100644
index 0000000..b45f798
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+shopt -s nocasematch
+
+if [[ "${SERVICE_OS_PROJECT_DOMAIN_NAME}" == "Default" ]]
+then
+  PROJECT_DOMAIN_ID="default"
+else
+  # Manage project domain
+  PROJECT_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
+    "${SERVICE_OS_PROJECT_DOMAIN_NAME}")
+fi
+
+if [[ "${SERVICE_OS_USER_DOMAIN_NAME}" == "Default" ]]
+then
+  USER_DOMAIN_ID="default"
+else
+  # Manage user domain
+  USER_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}" \
+    "${SERVICE_OS_USER_DOMAIN_NAME}")
+fi
+
+shopt -u nocasematch
+
+# Manage user project
+USER_PROJECT_DESC="Service Project for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+USER_PROJECT_ID=$(openstack project create --or-show --enable -f value -c id \
+    --domain="${PROJECT_DOMAIN_ID}" \
+    --description="${USER_PROJECT_DESC}" \
+    "${SERVICE_OS_PROJECT_NAME}");
+
+# Manage user
+USER_DESC="Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}/${SERVICE_OS_SERVICE_NAME}"
+USER_ID=$(openstack user create --or-show --enable -f value -c id \
+    --domain="${USER_DOMAIN_ID}" \
+    --project-domain="${PROJECT_DOMAIN_ID}" \
+    --project="${USER_PROJECT_ID}" \
+    --description="${USER_DESC}" \
+    "${SERVICE_OS_USERNAME}");
+
+# Manage user password (we do this in a seperate step to ensure the password is updated if required)
+set +x
+echo "Setting user password via: openstack user set --password=xxxxxxx ${USER_ID}"
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${USER_ID}"
+set -x
+
+function ks_assign_user_role () {
+  if [[ "$SERVICE_OS_ROLE" == "admin" ]]
+  then
+    USER_ROLE_ID="$SERVICE_OS_ROLE"
+  else
+    USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${SERVICE_OS_ROLE}");
+  fi
+
+  # Manage user role assignment
+  openstack role add \
+      --user="${USER_ID}" \
+      --user-domain="${USER_DOMAIN_ID}" \
+      --project-domain="${PROJECT_DOMAIN_ID}" \
+      --project="${USER_PROJECT_ID}" \
+      "${USER_ROLE_ID}"
+}
+
+# Manage user service role
+IFS=','
+for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
+  ks_assign_user_role
+done
+
+# Manage user member role
+: ${MEMBER_OS_ROLE:="member"}
+export USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
+    "${MEMBER_OS_ROLE}");
+ks_assign_user_role
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/memcached/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
new file mode 100644
index 0000000..3739f95
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rabbit_init" }}
+#!/bin/bash
+set -e
+# Extract connection details
+RABBIT_HOSTNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $1}')
+RABBIT_PORT=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $2}')
+
+# Extract Admin User creadential
+RABBITMQ_ADMIN_USERNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $4}')
+RABBITMQ_ADMIN_PASSWORD=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $5}')
+
+# Extract User creadential
+RABBITMQ_USERNAME=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $4}')
+RABBITMQ_PASSWORD=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $5}')
+
+# Extract User vHost
+RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $3}')
+# Resolve vHost to / if no value is set
+RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
+
+function rabbitmqadmin_cli () {
+  if [ -n "$RABBITMQ_X509" ]
+  then
+    rabbitmqadmin \
+      --ssl \
+      --ssl-disable-hostname-verification \
+      --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
+      --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
+      --ssl-key-file="${USER_CERT_PATH}/tls.key" \
+      --host="${RABBIT_HOSTNAME}" \
+      --port="${RABBIT_PORT}" \
+      --username="${RABBITMQ_ADMIN_USERNAME}" \
+      --password="${RABBITMQ_ADMIN_PASSWORD}" \
+      ${@}
+  else
+    rabbitmqadmin \
+      --host="${RABBIT_HOSTNAME}" \
+      --port="${RABBIT_PORT}" \
+      --username="${RABBITMQ_ADMIN_USERNAME}" \
+      --password="${RABBITMQ_ADMIN_PASSWORD}" \
+      ${@}
+  fi
+}
+
+echo "Managing: User: ${RABBITMQ_USERNAME}"
+rabbitmqadmin_cli \
+  declare user \
+  name="${RABBITMQ_USERNAME}" \
+  password="${RABBITMQ_PASSWORD}" \
+  tags="user"
+
+echo "Deleting Guest User"
+rabbitmqadmin_cli \
+  delete user \
+  name="guest" || true
+
+if [ "${RABBITMQ_VHOST}" != "/" ]
+then
+  echo "Managing: vHost: ${RABBITMQ_VHOST}"
+  rabbitmqadmin_cli \
+    declare vhost \
+    name="${RABBITMQ_VHOST}"
+else
+  echo "Skipping root vHost declaration: vHost: ${RABBITMQ_VHOST}"
+fi
+
+echo "Managing: Permissions: ${RABBITMQ_USERNAME} on ${RABBITMQ_VHOST}"
+rabbitmqadmin_cli \
+  declare permission \
+  vhost="${RABBITMQ_VHOST}" \
+  user="${RABBITMQ_USERNAME}" \
+  configure=".*" \
+  write=".*" \
+  read=".*"
+
+if [ ! -z "$RABBITMQ_AUXILIARY_CONFIGURATION" ]
+then
+  echo "Applying additional configuration"
+  echo "${RABBITMQ_AUXILIARY_CONFIGURATION}" > /tmp/rmq_definitions.json
+  rabbitmqadmin_cli import /tmp/rmq_definitions.json
+fi
+
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/charts/memcached/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
new file mode 100644
index 0000000..c08d320
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
@@ -0,0 +1,88 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rally_test" -}}
+#!/bin/bash
+set -ex
+{{- $rallyTests := index . 0 }}
+
+: "${RALLY_ENV_NAME:="openstack-helm"}"
+: "${OS_INTERFACE:="public"}"
+: "${RALLY_CLEANUP:="true"}"
+
+if [ "x$RALLY_CLEANUP" == "xtrue" ]; then
+  function rally_cleanup {
+    openstack user delete \
+        --domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
+        "${SERVICE_OS_USERNAME}"
+{{ $rallyTests.clean_up | default "" | indent 4 }}
+  }
+  trap rally_cleanup EXIT
+fi
+
+function create_or_update_db () {
+  revisionResults=$(rally db revision)
+  if [ $revisionResults = "None"  ]
+  then
+    rally db create
+  else
+    rally db upgrade
+  fi
+}
+
+create_or_update_db
+
+cat > /tmp/rally-config.json << EOF
+{
+    "openstack": {
+        "auth_url": "${OS_AUTH_URL}",
+        "region_name": "${OS_REGION_NAME}",
+        "endpoint_type": "${OS_INTERFACE}",
+        "admin": {
+            "username": "${OS_USERNAME}",
+            "password": "${OS_PASSWORD}",
+            "user_domain_name": "${OS_USER_DOMAIN_NAME}",
+            "project_name": "${OS_PROJECT_NAME}",
+            "project_domain_name": "${OS_PROJECT_DOMAIN_NAME}"
+        },
+        "users": [
+            {
+                "username": "${SERVICE_OS_USERNAME}",
+                "password": "${SERVICE_OS_PASSWORD}",
+                "project_name": "${SERVICE_OS_PROJECT_NAME}",
+                "user_domain_name": "${SERVICE_OS_USER_DOMAIN_NAME}",
+                "project_domain_name": "${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+            }
+        ],
+        "https_insecure": false,
+        "https_cacert": "${OS_CACERT}"
+    }
+}
+EOF
+rally deployment create --file /tmp/rally-config.json --name "${RALLY_ENV_NAME}"
+rm -f /tmp/rally-config.json
+rally deployment use "${RALLY_ENV_NAME}"
+rally deployment check
+{{- if $rallyTests.run_tempest }}
+rally verify create-verifier --name "${RALLY_ENV_NAME}-tempest" --type tempest
+SERVICE_TYPE="$(rally deployment check | grep "${RALLY_ENV_NAME}" | awk -F \| '{print $3}' | tr -d ' ' | tr -d '\n')"
+rally verify start --pattern "tempest.api.${SERVICE_TYPE}*"
+rally verify delete-verifier --id "${RALLY_ENV_NAME}-tempest" --force
+{{- end }}
+rally task validate /etc/rally/rally_tests.yaml
+rally task start /etc/rally/rally_tests.yaml
+rally task sla-check
+rally env cleanup
+rally deployment destroy --deployment "${RALLY_ENV_NAME}"
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/memcached/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
new file mode 100644
index 0000000..687851e
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -0,0 +1,571 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.backup_main" }}
+#!/bin/bash
+
+# This file contains a database backup framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+#   source /tmp/backup_main.sh
+#
+# Then the script should call the main backup function (backup_databases):
+#   backup_databases [scope]
+#       [scope] is an optional parameter, defaulted to "all". If only one specific
+#               database is required to be backed up then this parameter will
+#               contain the name of the database; otherwise all are backed up.
+#
+#       The framework will require the following variables to be exported:
+#
+#         export DB_NAMESPACE          Namespace where the database(s) reside
+#         export DB_NAME               Name of the database system
+#         export LOCAL_DAYS_TO_KEEP    Number of days to keep the local backups
+#         export REMOTE_DAYS_TO_KEEP   Number of days to keep the remote backups
+#         export ARCHIVE_DIR           Local location where the backup tarballs should
+#                                      be stored. (full directory path)
+#         export BACK_UP_MODE          Determines the mode of backup taken.
+#         export REMOTE_BACKUP_ENABLED "true" if remote backup enabled; false
+#                                      otherwise
+#         export CONTAINER_NAME        Name of the container on the RGW to store
+#                                      the backup tarball.
+#         export STORAGE_POLICY        Name of the storage policy defined on the
+#                                      RGW which is intended to store backups.
+#         RGW access variables:
+#           export OS_REGION_NAME          Name of the region the RGW resides in
+#           export OS_AUTH_URL             Keystone URL associated with the RGW
+#           export OS_PROJECT_NAME         Name of the project associated with the
+#                                          keystone user
+#           export OS_USERNAME             Name of the keystone user
+#           export OS_PASSWORD             Password of the keystone user
+#           export OS_USER_DOMAIN_NAME     Keystone domain the project belongs to
+#           export OS_PROJECT_DOMAIN_NAME  Keystone domain the user belongs to
+#           export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+#           export REMOTE_BACKUP_RETRIES   Number of retries to send backup to remote
+#                                          in case of any temporary failures.
+#           export MIN_DELAY_SEND_REMOTE   Minimum seconds to delay before sending backup
+#                                          to remote to stagger backups being sent to RGW
+#           export MAX_DELAY_SEND_REMOTE   Maximum seconds to delay before sending backup
+#                                          to remote to stagger backups being sent to RGW.
+#                                          A random number between min and max delay is generated
+#                                          to set the delay.
+#
+# The database-specific functions that need to be implemented are:
+#   dump_databases_to_directory <directory> <err_logfile> [scope]
+#       where:
+#         <directory>   is the full directory path to dump the database files
+#                       into. This is a temporary directory for this backup only.
+#         <err_logfile> is the full directory path where error logs are to be
+#                       written by the application.
+#         [scope]       set to "all" if all databases are to be backed up; or
+#                       set to the name of a specific database to be backed up.
+#                       This optional parameter is defaulted to "all".
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to dump the database file(s) to the specified
+#       directory path. If this function completes successfully (returns 0), the
+#       framework will automatically tar/zip the files in that directory and
+#       name the tarball appropriately according to the proper conventions.
+#
+#   verify_databases_backup_archives [scope]
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to verify the database backup archives. If this function
+#        completes successfully (returns 0), the
+#       framework will automatically starts remote backup upload.
+#
+#
+# The functions in this file will take care of:
+#   1) Calling "dump_databases_to_directory" and then compressing the files,
+#      naming the tarball properly, and then storing it locally at the specified
+#      local directory.
+#   2) Sending the tarball built to the remote gateway, to be stored in the
+#      container configured to store database backups.
+#   3) Removing local backup tarballs which are older than the number of days
+#      specified by the "LOCAL_DAYS_TO_KEEP" variable.
+#   4) Removing remote backup tarballs (from the remote gateway) which are older
+#      than the number of days specified by the "REMOTE_DAYS_TO_KEEP" variable.
+#
+
+# Note: not using set -e in this script because more elaborate error handling
+# is needed.
+
+log_backup_error_exit() {
+  MSG=$1
+  ERRCODE=${2:-0}
+  log ERROR "${DB_NAME}_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+  rm -f $ERR_LOG_FILE
+  rm -rf $TMP_DIR
+  exit $ERRCODE
+}
+
+log_verify_backup_exit() {
+  MSG=$1
+  ERRCODE=${2:-0}
+  log ERROR "${DB_NAME}_verify_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+  rm -f $ERR_LOG_FILE
+  # rm -rf $TMP_DIR
+  exit $ERRCODE
+}
+
+
+log() {
+  #Log message to a file or stdout
+  #TODO: This can be convert into mail alert of alert send to a monitoring system
+  #Params: $1 log level
+  #Params: $2 service
+  #Params: $3 message
+  #Params: $4 Destination
+  LEVEL=$1
+  SERVICE=$2
+  MSG=$3
+  DEST=$4
+  DATE=$(date +"%m-%d-%y %H:%M:%S")
+  if [[ -z "$DEST" ]]; then
+    echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}"
+  else
+    echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}" >>$DEST
+  fi
+}
+
+# Generate a random number between MIN_DELAY_SEND_REMOTE and
+# MAX_DELAY_SEND_REMOTE
+random_number() {
+  diff=$((${MAX_DELAY_SEND_REMOTE} - ${MIN_DELAY_SEND_REMOTE} + 1))
+  echo $(($(( ${RANDOM} % ${diff} )) + ${MIN_DELAY_SEND_REMOTE} ))
+}
+
+#Get the day delta since the archive file backup
+seconds_difference() {
+  ARCHIVE_DATE=$( date --date="$1" +%s )
+  if [[ $? -ne 0 ]]; then
+    SECOND_DELTA=0
+  fi
+  CURRENT_DATE=$( date +%s )
+  SECOND_DELTA=$(($CURRENT_DATE-$ARCHIVE_DATE))
+  if [[ "$SECOND_DELTA" -lt 0 ]]; then
+    SECOND_DELTA=0
+  fi
+  echo $SECOND_DELTA
+}
+
+# Send the specified tarball file at the specified filepath to the
+# remote gateway.
+send_to_remote_server() {
+  FILEPATH=$1
+  FILE=$2
+
+  # Grab the list of containers on the remote site
+  RESULT=$(openstack container list 2>&1)
+
+  if [[ $? -eq 0 ]]; then
+    echo $RESULT | grep $CONTAINER_NAME
+    if [[ $? -ne 0 ]]; then
+      # Find the swift URL from the keystone endpoint list
+      SWIFT_URL=$(openstack catalog show object-store -c endpoints | grep public | awk '{print $4}')
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to get object-store enpoints from keystone catalog."
+        return 2
+      fi
+
+      # Get a token from keystone
+      TOKEN=$(openstack token issue -f value -c id)
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to get  keystone token."
+        return 2
+      fi
+
+      # Create the container
+      RES_FILE=$(mktemp -p /tmp)
+      curl -g -i -X PUT ${SWIFT_URL}/${CONTAINER_NAME} \
+           -H "X-Auth-Token: ${TOKEN}" \
+           -H "X-Storage-Policy: ${STORAGE_POLICY}" 2>&1 > $RES_FILE
+
+      if [[ $? -ne 0 || $(grep "HTTP" $RES_FILE | awk '{print $2}') -ge 400 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to create container ${CONTAINER_NAME}"
+        cat $RES_FILE
+        rm -f $RES_FILE
+        return 2
+      fi
+      rm -f $RES_FILE
+
+      swift stat $CONTAINER_NAME
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to retrieve container ${CONTAINER_NAME} details after creation."
+        return 2
+      fi
+    fi
+  else
+    echo $RESULT | grep -E "HTTP 401|HTTP 403"
+    if [[ $? -eq 0 ]]; then
+      log ERROR "${DB_NAME}_backup" "Access denied by keystone: ${RESULT}"
+      return 1
+    else
+      echo $RESULT | grep -E "ConnectionError|Failed to discover available identity versions|Service Unavailable|HTTP 50"
+      if [[ $? -eq 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Could not reach the RGW: ${RESULT}"
+        # In this case, keystone or the site/node may be temporarily down.
+        # Return slightly different error code so the calling code can retry
+        return 2
+      else
+        log ERROR "${DB_NAME}_backup" "Could not get container list: ${RESULT}"
+        return 1
+      fi
+    fi
+  fi
+
+  # Create an object to store the file
+  openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
+    return 2
+  fi
+
+  openstack object show $CONTAINER_NAME $FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
+    return 2
+  fi
+
+  # Calculation remote file SHA256 hash
+  REMOTE_FILE=$(mktemp -p /tmp)
+  openstack object save --file ${REMOTE_FILE} $CONTAINER_NAME $FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Unable to save container object $FILE for SHA256 hash verification."
+    rm -rf ${REMOTE_FILE}
+    return 1
+  fi
+
+  # Remote backup verification
+  SHA256_REMOTE=$(cat ${REMOTE_FILE} | sha256sum | awk '{print $1}')
+  SHA256_LOCAL=$(cat ${FILEPATH}/${FILE} | sha256sum | awk '{print $1}')
+  log INFO "${DB_NAME}_backup" "Calculated SHA256 hashes for the file $FILE in container $CONTAINER_NAME."
+  log INFO "${DB_NAME}_backup" "Local SHA256 hash is ${SHA256_LOCAL}."
+  log INFO "${DB_NAME}_backup" "Remote SHA256 hash is ${SHA256_REMOTE}."
+  if [[ "${SHA256_LOCAL}" == "${SHA256_REMOTE}" ]]; then
+      log INFO "${DB_NAME}_backup" "The local backup & remote backup SHA256 hash values are matching for file $FILE in container $CONTAINER_NAME."
+  else
+      log ERROR "${DB_NAME}_backup" "Mismatch between the local backup & remote backup sha256 hash values"
+      return 1
+  fi
+  rm -rf ${REMOTE_FILE}
+
+  log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
+  return 0
+}
+
+# This function attempts to store the built tarball to the remote gateway,
+# with built-in logic to handle error cases like:
+#   1) Network connectivity issues - retries for a specific amount of time
+#   2) Authorization errors - immediately logs an ERROR and returns
+store_backup_remotely() {
+  FILEPATH=$1
+  FILE=$2
+
+  count=1
+  while [[ ${count} -le ${REMOTE_BACKUP_RETRIES} ]]; do
+    # Store the new archive to the remote backup storage facility.
+    send_to_remote_server $FILEPATH $FILE
+    SEND_RESULT="$?"
+
+    # Check if successful
+    if [[ $SEND_RESULT -eq 0 ]]; then
+      log INFO "${DB_NAME}_backup" "Backup file ${FILE} successfully sent to RGW."
+      return 0
+    elif [[ $SEND_RESULT -eq 2 ]]; then
+      if [[ ${count} -ge ${REMOTE_BACKUP_RETRIES} ]]; then
+        log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW in " \
+        "${REMOTE_BACKUP_RETRIES} retries. Errors encountered. Exiting."
+        break
+      fi
+      # Temporary failure occurred. We need to retry
+      log WARN "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to RGW due to connection issue."
+      sleep_time=$(random_number)
+      log INFO "${DB_NAME}_backup" "Sleeping ${sleep_time} seconds waiting for RGW to become available..."
+      sleep ${sleep_time}
+      log INFO "${DB_NAME}_backup" "Retrying..."
+    else
+      log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW. Errors encountered. Exiting."
+      break
+    fi
+
+    # Increment the counter
+    count=$((count+1))
+  done
+
+  return 1
+}
+
+
+function get_archive_date(){
+# get_archive_date function returns correct archive date
+# for different formats of archives' names
+# the old one: <database name>.<namespace>.<table name | all>.<date-time>.tar.gz
+# the new one: <database name>.<namespace>.<table name | all>.<backup mode>.<date-time>.tar.gz
+  local A_FILE="$1"
+  awk -F. '{print $(NF-2)}' <<< ${A_FILE} | tr -d "Z"
+}
+
+# This function takes a list of archives' names as an input
+# and creates a hash table where keys are number of seconds
+# between current date and archive date (see seconds_difference),
+# and values are space separated archives' names
+#
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 1265342678 | "tmp/mysql.backup.auto.2022-02-14T10:13:13Z.tar.gz"                                                     |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 2346254257 | "tmp/mysql.backup.auto.2022-02-11T10:13:13Z.tar.gz tmp/mysql.backup.manual.2022-02-11T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# <...>
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 6253434567 | "tmp/mysql.backup.manual.2022-02-01T10:13:13Z.tar.gz"                                                   |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# We will use the explained above data stracture to cover rare, but still
+# possible case, when we have several backups of the same date. E.g.
+# one manual, and one automatic.
+
+declare -A fileTable
+create_hash_table() {
+unset fileTable
+fileList=$@
+  for ARCHIVE_FILE in ${fileList}; do
+    # Creating index, we will round given ARCHIVE_DATE to the midnight (00:00:00)
+    # to take in account a possibility, that we can have more than one scheduled
+    # backup per day.
+    ARCHIVE_DATE=$(get_archive_date ${ARCHIVE_FILE})
+    ARCHIVE_DATE=$(date --date=${ARCHIVE_DATE} +%D)
+    log INFO "${DB_NAME}_backup" "Archive date to build index: ${ARCHIVE_DATE}"
+    INDEX=$(seconds_difference ${ARCHIVE_DATE})
+    if [[ -z fileTable[${INDEX}] ]]; then
+      fileTable[${INDEX}]=${ARCHIVE_FILE}
+    else
+      fileTable[${INDEX}]="${fileTable[${INDEX}]} ${ARCHIVE_FILE}"
+    fi
+    echo "INDEX: ${INDEX} VALUE:  ${fileTable[${INDEX}]}"
+ done
+}
+
+function get_backup_prefix() {
+# Create list of all possible prefixes in a format:
+# <db_name>.<namespace> to cover a possible situation
+# when different backups of different databases and/or
+# namespaces share the same local or remote storage.
+  ALL_FILES=($@)
+  PREFIXES=()
+  for fname in ${ALL_FILES[@]}; do
+    prefix=$(basename ${fname} | cut -d'.' -f1,2 )
+    for ((i=0; i<${#PREFIXES[@]}; i++)) do
+      if [[ ${PREFIXES[${i}]} == ${prefix} ]]; then
+        prefix=""
+        break
+      fi
+    done
+    if [[ ! -z ${prefix} ]]; then
+        PREFIXES+=(${prefix})
+    fi
+  done
+}
+
+remove_old_local_archives() {
+  SECONDS_TO_KEEP=$(( $((${LOCAL_DAYS_TO_KEEP}))*86400))
+  log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+  if [[ -d $ARCHIVE_DIR ]]; then
+    count=0
+    # We iterate over the hash table, checking the delta in seconds (hash keys),
+    # and minimum number of backups we must have in place. List of keys has to be sorted.
+    for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+      ARCHIVE_FILE=${fileTable[${INDEX}]}
+      if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
+        ((count++))
+        log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
+      else
+        log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
+          rm -f ${ARCHIVE_FILE}
+          if [[ $? -ne 0 ]]; then
+            # Log error but don't exit so we can finish the script
+            # because at this point we haven't sent backup to RGW yet
+            log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
+          fi
+      fi
+    done
+  else
+    log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
+  fi
+}
+
+prepare_list_of_remote_backups() {
+  BACKUP_FILES=$(mktemp -p /tmp)
+  DB_BACKUP_FILES=$(mktemp -p /tmp)
+  openstack object list $CONTAINER_NAME > $BACKUP_FILES
+  if [[ $? -ne 0 ]]; then
+    log_backup_error_exit \
+      "Failed to cleanup remote backup. Could not obtain a list of current backup files in the RGW"
+  fi
+  # Filter out other types of backup files
+  cat $BACKUP_FILES | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $DB_BACKUP_FILES
+}
+
+# The logic implemented with this function is absolutely similar
+# to the function remove_old_local_archives (see above)
+remove_old_remote_archives() {
+  count=0
+  SECONDS_TO_KEEP=$((${REMOTE_DAYS_TO_KEEP}*86400))
+  log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+  for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+    ARCHIVE_FILE=${fileTable[${INDEX}]}
+    if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then
+      ((count++))
+      log INFO "${DB_NAME}_backup" "Keeping remote backup(s) ${ARCHIVE_FILE}."
+    else
+      log INFO "${DB_NAME}_backup" "Deleting remote backup(s) ${ARCHIVE_FILE} from the RGW"
+      openstack object delete ${CONTAINER_NAME} ${ARCHIVE_FILE} ||  log WARN "${DB_NAME}_backup" \
+        "Failed to cleanup remote backup. Cannot delete container object ${ARCHIVE_FILE}"
+    fi
+  done
+
+  # Cleanup now that we're done.
+  for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
+    if [[ -f ${fd} ]]; then
+      rm -f ${fd}
+    else
+      log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+    fi
+  done
+}
+
+# Main function to backup the databases. Calling functions need to supply:
+#  1) The directory where the final backup will be kept after it is compressed.
+#  2) A temporary directory to use for placing database files to be compressed.
+#     Note: this temp directory will be deleted after backup is done.
+#  3) Optional "scope" parameter indicating what database to back up. Defaults
+#     to "all".
+backup_databases() {
+  SCOPE=${1:-"all"}
+
+  # Create necessary directories if they do not exist.
+  mkdir -p $ARCHIVE_DIR || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create directory ${ARCHIVE_DIR}!"
+  export TMP_DIR=$(mktemp -d) || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create temp directory!"
+
+  # Create temporary log file
+  export ERR_LOG_FILE=$(mktemp -p /tmp) || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create log file!"
+
+  # It is expected that this function will dump the database files to the $TMP_DIR
+  dump_databases_to_directory $TMP_DIR $ERR_LOG_FILE $SCOPE
+
+  # If successful, there should be at least one file in the TMP_DIR
+  if [[ $? -ne 0 || $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+    cat $ERR_LOG_FILE
+    log_backup_error_exit "Backup of the ${DB_NAME} database failed and needs attention."
+  fi
+
+  log INFO "${DB_NAME}_backup" "Databases dumped successfully. Creating tarball..."
+
+  NOW=$(date +"%Y-%m-%dT%H:%M:%SZ")
+  if [[ -z "${BACK_UP_MODE}" ]]; then
+    TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${NOW}.tar.gz"
+  else
+    TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${BACK_UP_MODE}.${NOW}.tar.gz"
+  fi
+
+  cd $TMP_DIR || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot change to directory $TMP_DIR"
+
+  #Archive the current database files
+  tar zcvf $ARCHIVE_DIR/$TARBALL_FILE *
+  if [[ $? -ne 0 ]]; then
+    log_backup_error_exit \
+      "Backup ${DB_NAME} to local file system failed. Backup tarball could not be created."
+  fi
+
+  # Get the size of the file
+  ARCHIVE_SIZE=$(ls -l $ARCHIVE_DIR/$TARBALL_FILE | awk '{print $5}')
+
+  log INFO "${DB_NAME}_backup" "Tarball $TARBALL_FILE created successfully."
+
+  cd $ARCHIVE_DIR
+
+  #Only delete the old archive after a successful archive
+  export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
+  if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
+    get_backup_prefix $(ls -1 ${ARCHIVE_DIR}/*.gz)
+    for ((i=0; i<${#PREFIXES[@]}; i++)); do
+      echo "Working with prefix: ${PREFIXES[i]}"
+      create_hash_table $(ls -1 ${ARCHIVE_DIR}/${PREFIXES[i]}*.gz)
+      remove_old_local_archives
+    done
+  fi
+
+  # Local backup verification process
+
+  # It is expected that this function will verify the database backup files
+  if verify_databases_backup_archives ${SCOPE}; then
+    log INFO "${DB_NAME}_backup_verify" "Databases backup verified successfully. Uploading verified backups to remote location..."
+  else
+    # If successful, there should be at least one file in the TMP_DIR
+    if [[ $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+      cat $ERR_LOG_FILE
+    fi
+    log_verify_backup_exit "Verify of the ${DB_NAME} database backup failed and needs attention."
+    exit 1
+  fi
+
+  # Remove the temporary directory and files as they are no longer needed.
+  rm -rf $TMP_DIR
+  rm -f $ERR_LOG_FILE
+
+  # Remote backup
+  REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
+  if $REMOTE_BACKUP; then
+    # Remove Quotes from the constants which were added due to reading
+    # from secret.
+    export REMOTE_BACKUP_RETRIES=$(echo $REMOTE_BACKUP_RETRIES | sed 's/"//g')
+    export MIN_DELAY_SEND_REMOTE=$(echo $MIN_DELAY_SEND_REMOTE | sed 's/"//g')
+    export MAX_DELAY_SEND_REMOTE=$(echo $MAX_DELAY_SEND_REMOTE | sed 's/"//g')
+    export REMOTE_DAYS_TO_KEEP=$(echo $REMOTE_DAYS_TO_KEEP | sed 's/"//g')
+
+    store_backup_remotely $ARCHIVE_DIR $TARBALL_FILE
+    if [[ $? -ne 0 ]]; then
+      # This error should print first, then print the summary as the last
+      # thing that the user sees in the output.
+      log ERROR "${DB_NAME}_backup" "Backup ${TARBALL_FILE} could not be sent to remote RGW."
+      echo "=================================================================="
+      echo "Local backup successful, but could not send to remote RGW."
+      echo "Backup archive name: $TARBALL_FILE"
+      echo "Backup archive size: $ARCHIVE_SIZE"
+      echo "=================================================================="
+      # Because the local backup was successful, exit with 0 so the pod will not
+      # continue to restart and fill the disk with more backups. The ERRORs are
+      # logged and alerting system should catch those errors and flag the operator.
+      exit 0
+    fi
+
+    #Only delete the old archive after a successful archive
+    if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then
+      prepare_list_of_remote_backups
+      get_backup_prefix $(cat $DB_BACKUP_FILES)
+      for ((i=0; i<${#PREFIXES[@]}; i++)); do
+        echo "Working with prefix: ${PREFIXES[i]}"
+        create_hash_table $(cat ${DB_BACKUP_FILES} | grep ${PREFIXES[i]})
+        remove_old_remote_archives
+      done
+    fi
+
+    echo "=================================================================="
+    echo "Local backup and backup to remote RGW successful!"
+    echo "Backup archive name: $TARBALL_FILE"
+    echo "Backup archive size: $ARCHIVE_SIZE"
+    echo "=================================================================="
+  else
+    # Remote backup is not enabled. This is ok; at least we have a local backup.
+    log INFO "${DB_NAME}_backup" "Skipping remote backup, as it is not enabled."
+
+    echo "=================================================================="
+    echo "Local backup successful!"
+    echo "Backup archive name: $TARBALL_FILE"
+    echo "Backup archive size: $ARCHIVE_SIZE"
+    echo "=================================================================="
+  fi
+}
+{{- end }}
\ No newline at end of file
diff --git a/charts/memcached/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl b/charts/memcached/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
new file mode 100644
index 0000000..093dd2c
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
@@ -0,0 +1,616 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.restore_main" }}
+#!/bin/bash
+
+# This file contains a database restore framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+#   source /tmp/restore_main.sh
+#
+# Then the script should call the main CLI function (cli_main):
+#   cli_main <arg_list>
+#       where:
+#         <arg_list>    is the list of arguments given by the user
+#
+#       The framework will require the following variables to be exported:
+#
+#         export DB_NAMESPACE        Namespace where the database(s) reside
+#         export DB_NAME             Name of the database system
+#         export ARCHIVE_DIR         Location where the backup tarballs should
+#                                    be stored. (full directory path which
+#                                    should already exist)
+#         export CONTAINER_NAME      Name of the container on the RGW where
+#                                    the backups are stored.
+#         RGW access variables:
+#           export OS_REGION_NAME          Name of the region the RGW resides in
+#           export OS_AUTH_URL             Keystone URL associated with the RGW
+#           export OS_PROJECT_NAME         Name of the project associated with the
+#                                          keystone user
+#           export OS_USERNAME             Name of the keystone user
+#           export OS_PASSWORD             Password of the keystone user
+#           export OS_USER_DOMAIN_NAME     Keystone domain the project belongs to
+#           export OS_PROJECT_DOMAIN_NAME  Keystone domain the user belongs to
+#           export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# The database-specific functions that need to be implemented are:
+#   get_databases
+#       where:
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <db_file>     is the full path of the file to write the database
+#                       names into, one database per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the database names from the
+#       uncompressed database files found in the given "tmp_dir", which is
+#       the staging directory for database restore. The database names
+#       should be written to the given "db_file", one database name per
+#       line.
+#
+#   get_tables
+#         <db_name>     is the name of the database to get the tables from
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <table_file>  is the full path of the file to write the table
+#                       names into, one table per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the table names from the given
+#       database, found in the uncompressed database files located in the
+#       given "tmp_dir", which is the staging directory for database restore.
+#       The table names should be written to the given "table_file", one
+#       table name per line.
+#
+#   get_rows
+#         <table_name>  is the name of the table to get the rows from
+#         <db_name>     is the name of the database the table resides in
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <rows_file>   is the full path of the file to write the table
+#                       row data into, one row (INSERT statement) per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the rows from the given table
+#       in the given database, found in the uncompressed database files
+#       located in the given "tmp_dir", which is the staging directory for
+#       database restore. The table rows should be written to the given
+#       "rows_file", one row (INSERT statement) per line.
+#
+#   get_schema
+#         <table_name>  is the name of the table to get the schema from
+#         <db_name>     is the name of the database the table resides in
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <schema_file> is the full path of the file to write the table
+#                       schema data into
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the schema from the given table
+#       in the given database, found in the uncompressed database files
+#       located in the given "tmp_dir", which is the staging directory for
+#       database restore. The table schema and related alterations and
+#       grant information should be written to the given "schema_file".
+#
+#   restore_single_db
+#       where:
+#         <db_name>     is the name of the database to be restored
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to restore the database given as "db_name"
+#       using the database files located in the "tmp_dir". The framework
+#       will delete the "tmp_dir" and the files in it after the restore is
+#       complete.
+#
+#   restore_all_dbs
+#       where:
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to restore all of the databases which
+#       are backed up in the database files located in the "tmp_dir". The
+#       framework will delete the "tmp_dir" and the files in it after the
+#       restore is complete.
+#
+# The functions in this file will take care of:
+#   1) The CLI parameter parsing for the arguments passed in by the user.
+#   2) The listing of either local or remote archive files at the request
+#      of the user.
+#   3) The retrieval/download of an archive file located either in the local
+#      file system or remotely stored on an RGW.
+#   4) Calling either "restore_single_db" or "restore_all_dbs" when the user
+#      chooses to restore a database or all databases.
+#   5) The framework will call "get_databases" when it needs a list of
+#      databases when the user requests a database list or when the user
+#      requests to restore a single database (to ensure it exists in the
+#      archive). Similarly, the framework will call "get_tables", "get_rows",
+#      or "get_schema" when it needs that data requested by the user.
+#
+
+usage() {
+  ret_val=$1
+  echo "Usage:"
+  echo "Restore command options"
+  echo "============================="
+  echo "help"
+  echo "list_archives [remote]"
+  echo "list_databases <archive_filename> [remote]"
+  echo "list_tables <archive_filename> <dbname> [remote]"
+  echo "list_rows <archive_filename> <dbname> <table_name> [remote]"
+  echo "list_schema <archive_filename> <dbname> <table_name> [remote]"
+  echo "restore <archive_filename> <db_specifier> [remote]"
+  echo "        where <db_specifier> = <dbname> | ALL"
+  echo "delete_archive <archive_filename> [remote]"
+  clean_and_exit $ret_val ""
+}
+
+#Exit cleanly with some message and return code
+clean_and_exit() {
+  RETCODE=$1
+  MSG=$2
+
+  # Clean/remove temporary directories/files
+  rm -rf $TMP_DIR
+  rm -f $RESULT_FILE
+
+  if [[ "x${MSG}" != "x" ]]; then
+    echo $MSG
+  fi
+  exit $RETCODE
+}
+
+determine_resulting_error_code() {
+  RESULT="$1"
+
+  echo ${RESULT} | grep "HTTP 404"
+  if [[ $? -eq 0 ]]; then
+    echo "Could not find the archive: ${RESULT}"
+    return 1
+  else
+    echo ${RESULT} | grep "HTTP 401"
+    if [[ $? -eq 0 ]]; then
+      echo "Could not access the archive: ${RESULT}"
+      return 1
+    else
+      echo ${RESULT} | grep "HTTP 503"
+      if [[ $? -eq 0 ]]; then
+        echo "RGW service is unavailable. ${RESULT}"
+        # In this case, the RGW may be temporarily down.
+        # Return slightly different error code so the calling code can retry
+        return 2
+      else
+        echo ${RESULT} | grep "ConnectionError"
+        if [[ $? -eq 0 ]]; then
+          echo "Could not reach the RGW: ${RESULT}"
+          # In this case, keystone or the site/node may be temporarily down.
+          # Return slightly different error code so the calling code can retry
+          return 2
+        else
+          echo "Archive ${ARCHIVE} could not be retrieved: ${RESULT}"
+          return 1
+        fi
+      fi
+    fi
+  fi
+  return 0
+}
+
+# Retrieve a list of archives from the RGW.
+retrieve_remote_listing() {
+  RESULT=$(openstack container show $CONTAINER_NAME 2>&1)
+  if [[ $? -eq 0 ]]; then
+    # Get the list, ensureing that we only pick up the right kind of backups from the
+    # requested namespace
+    openstack object list $CONTAINER_NAME | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $TMP_DIR/archive_list
+    if [[ $? -ne 0 ]]; then
+      echo "Container object listing could not be obtained."
+      return 1
+    else
+      echo "Archive listing successfully retrieved."
+    fi
+  else
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  fi
+  return 0
+}
+
+# Retrieve a single archive from the RGW.
+retrieve_remote_archive() {
+  ARCHIVE=$1
+
+  RESULT=$(openstack object save --file $TMP_DIR/$ARCHIVE $CONTAINER_NAME $ARCHIVE 2>&1)
+  if [[ $? -ne 0 ]]; then
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  else
+    echo "Archive $ARCHIVE successfully retrieved."
+  fi
+  return 0
+}
+
+# Delete an archive from the RGW.
+delete_remote_archive() {
+  ARCHIVE=$1
+
+  RESULT=$(openstack object delete ${CONTAINER_NAME} ${ARCHIVE} 2>&1)
+  if [[ $? -ne 0 ]]; then
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  else
+    echo "Archive ${ARCHIVE} successfully deleted."
+  fi
+  return 0
+}
+
+# Display all archives
+list_archives() {
+  REMOTE=$1
+
+  if [[ "x${REMOTE^^}" == "xREMOTE" ]]; then
+    retrieve_remote_listing
+    if [[ $? -eq 0 && -e $TMP_DIR/archive_list ]]; then
+      echo
+      echo "All Archives from RGW Data Store"
+      echo "=============================================="
+      cat $TMP_DIR/archive_list | sort
+      clean_and_exit 0 ""
+    else
+      clean_and_exit 1 "ERROR: Archives could not be retrieved from the RGW."
+    fi
+  elif [[ "x${REMOTE}" == "x" ]]; then
+    if [[ -d $ARCHIVE_DIR ]]; then
+      archives=$(find $ARCHIVE_DIR/ -iname "*.gz" -print | sort)
+      echo
+      echo "All Local Archives"
+      echo "=============================================="
+      for archive in $archives
+      do
+        echo $archive | cut -d '/' -f8-
+      done
+      clean_and_exit 0 ""
+    else
+      clean_and_exit 1 "ERROR: Local archive directory is not available."
+    fi
+  else
+    usage 1
+  fi
+}
+
+# Retrieve the archive from the desired location and decompress it into
+# the restore directory
+get_archive() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+
+  if [[ "x$REMOTE" == "xremote" ]]; then
+    echo "Retrieving archive ${ARCHIVE_FILE} from the remote RGW..."
+    retrieve_remote_archive $ARCHIVE_FILE
+    if [[ $? -ne 0 ]]; then
+      clean_and_exit 1 "ERROR: Could not retrieve remote archive: $ARCHIVE_FILE"
+    fi
+  elif [[ "x$REMOTE" == "x" ]]; then
+    if [[ -e $ARCHIVE_DIR/$ARCHIVE_FILE ]]; then
+      cp $ARCHIVE_DIR/$ARCHIVE_FILE $TMP_DIR/$ARCHIVE_FILE
+      if [[ $? -ne 0 ]]; then
+        clean_and_exit 1 "ERROR: Could not copy local archive to restore directory."
+      fi
+    else
+      clean_and_exit 1 "ERROR: Local archive file could not be found."
+    fi
+  else
+    usage 1
+  fi
+
+  echo "Decompressing archive $ARCHIVE_FILE..."
+  cd $TMP_DIR
+  tar zxvf - < $TMP_DIR/$ARCHIVE_FILE 1>/dev/null
+  if [[ $? -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Archive decompression failed."
+  fi
+}
+
+# Display all databases from an archive
+list_databases() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one database per line
+  get_databases $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve databases from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Databases in the $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Databases file missing. Could not list databases from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display all tables of a database from an archive
+list_tables() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  REMOTE=$3
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one table per line
+  get_tables $DATABASE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve tables for database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Tables in database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Tables file missing. Could not list tables of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display all rows of the given database table from an archive
+list_rows() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  TABLE=$3
+  REMOTE=$4
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one table per line
+  get_rows $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Rows in table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Rows file missing. Could not list rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display the schema information of the given database table from an archive
+list_schema() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  TABLE=$3
+  REMOTE=$4
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the schema information will be placed into
+  # the given schema file.
+  get_schema $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Schema for table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Schema file missing. Could not list schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Delete an archive
+delete_archive() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  if [[ "${WHERE}" == "remote" ]]; then
+    delete_remote_archive ${ARCHIVE_FILE}
+    if [[ $? -ne 0 ]]; then
+      clean_and_exit 1 "ERROR: Could not delete remote archive: ${ARCHIVE_FILE}"
+    fi
+  else # Local
+    if [[ -e ${ARCHIVE_DIR}/${ARCHIVE_FILE} ]]; then
+      rm -f ${ARCHIVE_DIR}/${ARCHIVE_FILE}
+      if [[ $? -ne 0 ]]; then
+        clean_and_exit 1 "ERROR: Could not delete local archive."
+      fi
+    else
+      clean_and_exit 1 "ERROR: Local archive file could not be found."
+    fi
+  fi
+
+  echo "Successfully deleted archive ${ARCHIVE_FILE} from ${WHERE} storage."
+}
+
+
+# Return 1 if the given database exists in the database file. 0 otherwise.
+database_exists() {
+  DB=$1
+
+  grep "${DB}" ${RESULT_FILE}
+  if [[ $? -eq 0 ]]; then
+    return 1
+  fi
+  return 0
+}
+
+# This is the main CLI interpreter function
+cli_main() {
+  ARGS=("$@")
+
+  # Create the ARCHIVE DIR if it's not already there.
+  mkdir -p $ARCHIVE_DIR
+
+  # Create temp directory for a staging area to decompress files into
+  export TMP_DIR=$(mktemp -d)
+
+  # Create a temp file for storing list of databases (if needed)
+  export RESULT_FILE=$(mktemp -p /tmp)
+
+  case "${ARGS[0]}" in
+    "help")
+      usage 0
+      ;;
+
+    "list_archives")
+      if [[ ${#ARGS[@]} -gt 2 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 1 ]]; then
+        list_archives
+      else
+        list_archives ${ARGS[1]}
+      fi
+      clean_and_exit 0
+      ;;
+
+    "list_databases")
+      if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 2 ]]; then
+        list_databases ${ARGS[1]}
+      else
+        list_databases ${ARGS[1]} ${ARGS[2]}
+      fi
+      ;;
+
+    "list_tables")
+      if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 3 ]]; then
+        list_tables ${ARGS[1]} ${ARGS[2]}
+      else
+        list_tables ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      fi
+      ;;
+
+    "list_rows")
+      if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      else
+        list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+      fi
+      ;;
+
+    "list_schema")
+      if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      else
+        list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+      fi
+      ;;
+
+    "restore")
+      REMOTE=""
+      if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        REMOTE=${ARGS[3]}
+      fi
+
+      ARCHIVE=${ARGS[1]}
+      DB_SPEC=${ARGS[2]}
+
+      #Get all the databases in that archive
+      get_archive $ARCHIVE $REMOTE
+
+      if [[ "$( echo $DB_SPEC | tr '[a-z]' '[A-Z]')" != "ALL" ]]; then
+        # Expectation is that the database listing will be put into
+        # the given file one database per line
+        get_databases $TMP_DIR $RESULT_FILE
+        if [[ "$?" -ne 0 ]]; then
+          clean_and_exit 1 "ERROR: Could not get the list of databases to restore."
+        fi
+
+        if [[ ! $DB_NAMESPACE == "kube-system" ]]; then
+          #check if the requested database is available in the archive
+          database_exists $DB_SPEC
+          if [[ $? -ne 1 ]]; then
+            clean_and_exit 1 "ERROR: Database ${DB_SPEC} does not exist."
+          fi
+        fi
+
+        echo "Restoring Database $DB_SPEC And Grants"
+        restore_single_db $DB_SPEC $TMP_DIR
+        if [[ "$?" -eq 0 ]]; then
+          echo "Single database restored successfully."
+        else
+          clean_and_exit 1 "ERROR: Single database restore failed."
+        fi
+        clean_and_exit 0 ""
+      else
+        echo "Restoring All The Databases. This could take a few minutes..."
+        restore_all_dbs $TMP_DIR
+        if [[ "$?" -eq 0 ]]; then
+          echo "All databases restored successfully."
+        else
+          clean_and_exit 1 "ERROR: Database restore failed."
+        fi
+        clean_and_exit 0 ""
+      fi
+      ;;
+    "delete_archive")
+      if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 2 ]]; then
+        delete_archive ${ARGS[1]}
+      else
+        delete_archive ${ARGS[1]} ${ARGS[2]}
+      fi
+      ;;
+    *)
+      usage 1
+      ;;
+  esac
+
+  clean_and_exit 0 ""
+}
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_image.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_image.tpl
new file mode 100644
index 0000000..029c93d
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_image.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves an image reference to a string, and its pull policy
+values: |
+  images:
+    tags:
+      test_image: docker.io/port/test:version-foo
+      image_foo: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    pull_policy: IfNotPresent
+    local_registry:
+      active: true
+      exclude:
+        - image_foo
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    local_image_registry:
+      name: docker-registry
+      namespace: docker-registry
+      hosts:
+        default: localhost
+        internal: docker-registry
+        node: localhost
+      host_fqdn_override:
+        default: null
+      port:
+        registry:
+          node: 5000
+usage: |
+  {{ tuple . "test_image" | include "helm-toolkit.snippets.image" }}
+return: |
+  image: "localhost:5000/docker.io/port/test:version-foo"
+  imagePullPolicy: IfNotPresent
+*/}}
+
+{{- define "helm-toolkit.snippets.image" -}}
+{{- $envAll := index . 0 -}}
+{{- $image := index . 1 -}}
+{{- $imageTag := index $envAll.Values.images.tags $image -}}
+{{- if and ($envAll.Values.images.local_registry.active) (not (has $image $envAll.Values.images.local_registry.exclude )) -}}
+{{- $registryPrefix := printf "%s:%s" (tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup") (tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup") -}}
+image: {{ printf "%s/%s" $registryPrefix $imageTag | quote }}
+{{- else -}}
+image: {{ $imageTag | quote }}
+{{- end }}
+imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
new file mode 100644
index 0000000..2f209fe
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a set of container enviorment variables, equivlant to an openrc for
+  use with keystone based command line clients.
+values: |
+  secrets:
+    identity:
+      admin: example-keystone-admin
+usage: |
+  {{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin ) }}
+return: |
+  - name: OS_IDENTITY_API_VERSION
+    value: "3"
+  - name: OS_AUTH_URL
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_AUTH_URL
+  - name: OS_REGION_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_REGION_NAME
+  - name: OS_INTERFACE
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_INTERFACE
+  - name: OS_ENDPOINT_TYPE
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_INTERFACE
+  - name: OS_PROJECT_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PROJECT_DOMAIN_NAME
+  - name: OS_PROJECT_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PROJECT_NAME
+  - name: OS_USER_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_USER_DOMAIN_NAME
+  - name: OS_USERNAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_USERNAME
+  - name: OS_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PASSWORD
+  - name: OS_CACERT
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_CACERT
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }}
+{{- $useCA := .useCA -}}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: OS_IDENTITY_API_VERSION
+  value: "3"
+- name: OS_AUTH_URL
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_AUTH_URL
+- name: OS_REGION_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_REGION_NAME
+- name: OS_INTERFACE
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_INTERFACE
+- name: OS_ENDPOINT_TYPE
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_INTERFACE
+- name: OS_PROJECT_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_DOMAIN_NAME
+- name: OS_PROJECT_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_NAME
+- name: OS_USER_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USER_DOMAIN_NAME
+- name: OS_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USERNAME
+- name: OS_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PASSWORD
+- name: OS_DEFAULT_DOMAIN
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_DEFAULT_DOMAIN
+{{- if $useCA }}
+- name: OS_CACERT
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_CACERT
+{{- end }}
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
new file mode 100644
index 0000000..f627657
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_secret_openrc" }}
+{{- $userClass := index . 0 -}}
+{{- $identityEndpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $userContext := index $context.Values.endpoints.identity.auth $userClass }}
+OS_AUTH_URL: {{ tuple "identity" $identityEndpoint "api" $context | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
+OS_REGION_NAME: {{ $userContext.region_name | b64enc }}
+OS_INTERFACE: {{ $userContext.interface | default "internal" | b64enc }}
+OS_PROJECT_DOMAIN_NAME: {{ $userContext.project_domain_name | b64enc }}
+OS_PROJECT_NAME: {{ $userContext.project_name | b64enc }}
+OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }}
+OS_USERNAME: {{ $userContext.username | b64enc }}
+OS_PASSWORD: {{ $userContext.password | b64enc }}
+OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }}
+{{- if $userContext.cacert }}
+OS_CACERT: {{ $userContext.cacert | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
new file mode 100644
index 0000000..648711b
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a set of container enviorment variables, for use with the keystone
+  user management jobs.
+values: |
+  secrets:
+    identity:
+      service_user: example-keystone-user
+usage: |
+  {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }}
+return: |
+  - name: SERVICE_OS_REGION_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_REGION_NAME
+  - name: SERVICE_OS_PROJECT_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PROJECT_DOMAIN_NAME
+  - name: SERVICE_OS_PROJECT_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PROJECT_NAME
+  - name: SERVICE_OS_USER_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_USER_DOMAIN_NAME
+  - name: SERVICE_OS_USERNAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_USERNAME
+  - name: SERVICE_OS_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PASSWORD
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_user_create_env_vars" }}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: SERVICE_OS_REGION_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_REGION_NAME
+- name: SERVICE_OS_PROJECT_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_DOMAIN_NAME
+- name: SERVICE_OS_PROJECT_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_NAME
+- name: SERVICE_OS_USER_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USER_DOMAIN_NAME
+- name: SERVICE_OS_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USERNAME
+- name: SERVICE_OS_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PASSWORD
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
new file mode 100644
index 0000000..8ca1028
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders a configmap used for loading custom AppArmor profiles.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+      apparmor_profiles: |-
+        my_apparmor-v1.profile: |-
+          #include <tunables/global>
+          profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+            <profile_data>
+          }
+usage: |
+  {{ dict "envAll" . "component" "myComponent" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }}
+return: |
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: releaseName-myComponent-apparmor
+  namespace: myNamespace
+data:
+  my_apparmor-v1.profile: |-
+    #include <tunables/global>
+    profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+      <profile_data>
+    }
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_configmap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- $mapName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if $envAll.Values.conf.apparmor_profiles }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ $mapName }}
+  namespace: {{ $envAll.Release.Namespace }}
+data:
+{{ $envAll.Values.conf.apparmor_profiles | toYaml | indent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
new file mode 100644
index 0000000..f231fe6
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders the init container used for apparmor loading.
+values: |
+  images:
+    tags:
+      apparmor_loader: my-repo.io/apparmor-loader:1.0.0
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+      apparmor-loader: unconfined
+usage: |
+  {{ dict "envAll" . | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" }}
+return: |
+  - name: apparmor-loader
+    image: my-repo.io/apparmor-loader:1.0.0
+    args:
+      - /profiles
+    securityContext:
+      privileged: true
+    volumeMounts:
+      - name: sys
+        mountPath: /sys
+        readOnly: true
+      - name: includes
+        mountPath: /etc/apparmor.d
+        readOnly: true
+      - name: profiles
+        mountPath: /profiles
+        readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" -}}
+{{- $envAll := index . "envAll" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+- name: apparmor-loader
+  image: {{ $envAll.Values.images.tags.apparmor_loader }}
+  args:
+    - /profiles
+  securityContext:
+    privileged: true
+  volumeMounts:
+    - name: sys
+      mountPath: /sys
+      readOnly: true
+    - name: includes
+      mountPath: /etc/apparmor.d
+      readOnly: true
+    - name: profiles
+      mountPath: /profiles
+      readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
new file mode 100644
index 0000000..baebaa3
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders the volumes used by the apparmor loader.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+inputs: |
+  envAll: "Environment or Context."
+  component: "Name of the component used for the name of configMap."
+  requireSys: "Boolean. True if it needs the hostpath /sys in volumes."
+usage: |
+  {{ dict "envAll" . "component" "keystone" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" }}
+return: |
+- name: sys
+  hostPath:
+    path: /sys
+- name: includes
+  hostPath:
+    path: /etc/apparmor.d
+- name: profiles
+  configMap:
+    name: RELEASENAME-keystone-apparmor
+    defaultMode: 0555
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_volumes" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $requireSys := index . "requireSys" | default false -}}
+{{- $configName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- if $requireSys }}
+- name: sys
+  hostPath:
+    path: /sys
+{{- end }}
+- name: includes
+  hostPath:
+    path: /etc/apparmor.d
+- name: profiles
+  configMap:
+    name: {{ $configName | quote }}
+    defaultMode: 0555
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
new file mode 100644
index 0000000..4741497
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders securityContext for a Kubernetes container.
+  For container level, see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#securitycontext-v1-core
+examples:
+  - values: |
+      pod:
+        security_context:
+          myApp:
+            container:
+              foo:
+                runAsUser: 34356
+                readOnlyRootFilesystem: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" "container" "foo" | include "helm-toolkit.snippets.kubernetes_container_security_context" }}
+    return: |
+      securityContext:
+        readOnlyRootFilesystem: true
+        runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_container_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $container := index . "container" -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{- if hasKey ( index $envAll.Values.pod.security_context $application "container" ) $container }}
+securityContext:
+{{ toYaml ( index $envAll.Values.pod.security_context $application "container" $container ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
new file mode 100644
index 0000000..bed712e
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
@@ -0,0 +1,209 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a container definition for use with the kubernetes-entrypoint image
+  from stackanetes.
+values: |
+  images:
+    tags:
+      dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    pull_policy: IfNotPresent
+    local_registry:
+      active: true
+      exclude:
+        - dep_check
+  dependencies:
+    dynamic:
+      common:
+        local_image_registry:
+          jobs:
+            - calico-image-repo-sync
+          services:
+            - endpoint: node
+              service: local_image_registry
+    static:
+      calico_node:
+        services:
+          - endpoint: internal
+            service: etcd
+        custom_resources:
+          - apiVersion: argoproj.io/v1alpha1
+            kind: Workflow
+            name: wf-example
+            fields:
+              - key: "status.phase"
+                value: "Succeeded"
+  endpoints:
+    local_image_registry:
+      namespace: docker-registry
+      hosts:
+        default: localhost
+        node: localhost
+    etcd:
+      hosts:
+        default: etcd
+  # NOTE (portdirect): if the stanza, or a portion of it, under `pod` is not
+  # specififed then the following will be used as defaults:
+  #  pod:
+  #    security_context:
+  #      kubernetes_entrypoint:
+  #        container:
+  #          kubernetes_entrypoint:
+  #            runAsUser: 65534
+  #            readOnlyRootFilesystem: true
+  #            allowPrivilegeEscalation: false
+  pod:
+    security_context:
+      kubernetes_entrypoint:
+        container:
+          kubernetes_entrypoint:
+            runAsUser: 0
+            readOnlyRootFilesystem: false
+usage: |
+  {{ tuple . "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" }}
+return: |
+  - name: init
+    image: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+    imagePullPolicy: IfNotPresent
+    securityContext:
+      allowPrivilegeEscalation: false
+      readOnlyRootFilesystem: false
+      runAsUser: 0
+
+    env:
+      - name: POD_NAME
+        valueFrom:
+          fieldRef:
+            apiVersion: v1
+            fieldPath: metadata.name
+      - name: NAMESPACE
+        valueFrom:
+          fieldRef:
+            apiVersion: v1
+            fieldPath: metadata.namespace
+      - name: INTERFACE_NAME
+        value: eth0
+      - name: PATH
+        value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+      - name: DEPENDENCY_SERVICE
+        value: "default:etcd,docker-registry:localhost"
+      - name: DEPENDENCY_JOBS
+        value: "calico-image-repo-sync"
+      - name: DEPENDENCY_DAEMONSET
+        value: ""
+      - name: DEPENDENCY_CONTAINER
+        value: ""
+      - name: DEPENDENCY_POD_JSON
+        value: ""
+      - name: DEPENDENCY_CUSTOM_RESOURCE
+        value: "[{\"apiVersion\":\"argoproj.io/v1alpha1\",\"kind\":\"Workflow\",\"namespace\":\"default\",\"name\":\"wf-example\",\"fields\":[{\"key\":\"status.phase\",\"value\":\"Succeeded\"}]}]"
+    command:
+      - kubernetes-entrypoint
+    volumeMounts:
+      []
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" -}}
+Values:
+  pod:
+    security_context:
+      kubernetes_entrypoint:
+        container:
+          kubernetes_entrypoint:
+            runAsUser: 65534
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $mounts := index . 2 -}}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+
+{{- if and ($envAll.Values.manifests.job_rabbit_init) (hasKey $envAll.Values.dependencies "dynamic") -}}
+{{- if $envAll.Values.dependencies.dynamic.job_rabbit_init -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component) ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component)) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+{{- range $deps.custom_resources }}
+{{- $_ := set . "namespace" $envAll.Release.Namespace -}}
+{{- end -}}
+{{- $default_security_context := include "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" . | fromYaml }}
+{{- $patchedEnvAll := mergeOverwrite $default_security_context $envAll }}
+- name: init
+{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
+{{- dict "envAll" $patchedEnvAll "application" "kubernetes_entrypoint" "container" "kubernetes_entrypoint" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 2 }}
+  env:
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          apiVersion: v1
+          fieldPath: metadata.name
+    - name: NAMESPACE
+      valueFrom:
+        fieldRef:
+          apiVersion: v1
+          fieldPath: metadata.namespace
+    - name: INTERFACE_NAME
+      value: eth0
+    - name: PATH
+      value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+    - name: DEPENDENCY_SERVICE
+      value: "{{ tuple $deps.services $envAll | include "helm-toolkit.utils.comma_joined_service_list" }}"
+{{- if $deps.jobs -}}
+  {{- if kindIs "string" (index $deps.jobs 0) }}
+    - name: DEPENDENCY_JOBS
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.jobs }}"
+  {{- else }}
+    - name: DEPENDENCY_JOBS_JSON
+      value: {{- toJson $deps.jobs | quote -}}
+  {{- end -}}
+{{- end }}
+    - name: DEPENDENCY_DAEMONSET
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.daemonset }}"
+    - name: DEPENDENCY_CONTAINER
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.container }}"
+    - name: DEPENDENCY_POD_JSON
+      value: {{ if $deps.pod }}{{ toJson $deps.pod | quote }}{{ else }}""{{ end }}
+    - name: DEPENDENCY_CUSTOM_RESOURCE
+      value: {{ if $deps.custom_resources }}{{ toJson $deps.custom_resources | quote }}{{ else }}""{{ end }}
+  command:
+    - kubernetes-entrypoint
+  volumeMounts:
+{{ toYaml $mounts | indent 4 }}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
new file mode 100644
index 0000000..34a7da3
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
@@ -0,0 +1,20 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_kubectl_params" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{ print "-l application=" $application " -l component=" $component }}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
new file mode 100644
index 0000000..92d3ea5
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders mandatory access control annotations for a list of containers
+  driven by values.yaml. As of now, it can only generate an apparmor
+  annotation, but in the future could generate others.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      myPodName:
+        myContainerName: localhost/myAppArmor
+        mySecondContainerName: localhost/secondProfile # optional
+        myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+  {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" }}
+return: |
+  container.apparmor.security.beta.kubernetes.io/myContainerName: localhost/myAppArmor
+  container.apparmor.security.beta.kubernetes.io/mySecondContainerName: localhost/secondProfile
+  container.apparmor.security.beta.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+  The number of container underneath is a variable arguments. It loops through
+  all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- $macType := $envAll.Values.pod.mandatory_access_control.type -}}
+{{- if $macType -}}
+{{- if eq $macType "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control $podName -}}
+{{- range $name := $containerNames -}}
+{{- $apparmorProfile := index $envAll.Values.pod.mandatory_access_control $podName $name -}}
+{{- if $apparmorProfile }}
+container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
new file mode 100644
index 0000000..48b53fa
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders a set of standardised labels
+values: |
+  release_group: null
+  pod:
+    labels:
+      default:
+        label1.example.com: value
+      bar:
+        label2.example.com: bar
+usage: |
+  {{ tuple . "foo" "bar" | include "helm-toolkit.snippets.kubernetes_metadata_labels" }}
+return: |
+  release_group: RELEASE-NAME
+  application: foo
+  component: bar
+  label1.example.com: value
+  label2.example.com: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+release_group: {{ $envAll.Values.release_group | default $envAll.Release.Name }}
+application: {{ $application }}
+component: {{ $component }}
+{{- if ($envAll.Values.pod).labels }}
+{{- if hasKey $envAll.Values.pod.labels $component }}
+{{ index $envAll.Values.pod "labels" $component | toYaml }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.labels "default" }}
+{{ $envAll.Values.pod.labels.default | toYaml }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
new file mode 100644
index 0000000..fabbcf8
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
@@ -0,0 +1,89 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes anti affinity rules, this function supports both hard
+  'requiredDuringSchedulingIgnoredDuringExecution' and soft
+  'preferredDuringSchedulingIgnoredDuringExecution' types.
+values: |
+  pod:
+    affinity:
+      anti:
+        topologyKey:
+          default: kubernetes.io/hostname
+        type:
+          default: requiredDuringSchedulingIgnoredDuringExecution
+        weight:
+          default: 10
+usage: |
+  {{ tuple . "appliction_x" "component_y" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" }}
+return: |
+  podAntiAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+    - labelSelector:
+        matchExpressions:
+          - key: release_group
+            operator: In
+            values:
+            - RELEASE-NAME
+          - key: application
+            operator: In
+            values:
+            - appliction_x
+          - key: component
+            operator: In
+            values:
+            - component_y
+          topologyKey: kubernetes.io/hostname
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $component := index . "component" -}}
+{{- $expressionRelease := dict "key" "release_group" "operator" "In"  "values" ( list ( $envAll.Values.release_group | default $envAll.Release.Name ) ) -}}
+{{- $expressionApplication := dict "key" "application" "operator" "In"  "values" ( list $application ) -}}
+{{- $expressionComponent := dict "key" "component" "operator" "In"  "values" ( list $component ) -}}
+{{- list $expressionRelease $expressionApplication $expressionComponent | toYaml }}
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{- $antiAffinityType := index $envAll.Values.pod.affinity.anti.type $component | default $envAll.Values.pod.affinity.anti.type.default }}
+{{- $antiAffinityKey := index $envAll.Values.pod.affinity.anti.topologyKey $component | default $envAll.Values.pod.affinity.anti.topologyKey.default }}
+podAntiAffinity:
+{{- $matchExpressions := include "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" ( dict "envAll" $envAll "application" $application "component" $component ) -}}
+{{- if eq $antiAffinityType "preferredDuringSchedulingIgnoredDuringExecution" }}
+  {{ $antiAffinityType }}:
+  - podAffinityTerm:
+      labelSelector:
+        matchExpressions:
+{{ $matchExpressions | indent 10 }}
+      topologyKey: {{ $antiAffinityKey }}
+{{- if  $envAll.Values.pod.affinity.anti.weight }}
+    weight: {{ index $envAll.Values.pod.affinity.anti.weight $component | default $envAll.Values.pod.affinity.anti.weight.default }}
+{{- else }}
+    weight: 10
+{{- end -}}
+{{- else if eq $antiAffinityType "requiredDuringSchedulingIgnoredDuringExecution" }}
+  {{ $antiAffinityType }}:
+  - labelSelector:
+      matchExpressions:
+{{ $matchExpressions | indent 8 }}
+    topologyKey: {{ $antiAffinityKey }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
new file mode 100644
index 0000000..74173dc
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders image pull secrets for a pod
+values: |
+  pod:
+    image_pull_secrets:
+      default:
+        - name: some-pull-secret
+      bar:
+        - name: another-pull-secret
+usage: |
+  {{ tuple . "bar" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" }}
+return: |
+  imagePullSecrets:
+    - name: some-pull-secret
+    - name: another-pull-secret
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_image_pull_secrets" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- if ($envAll.Values.pod).image_pull_secrets }}
+imagePullSecrets:
+{{- if hasKey $envAll.Values.pod.image_pull_secrets $application }}
+{{ index $envAll.Values.pod "image_pull_secrets" $application | toYaml | indent 2 }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.image_pull_secrets "default" }}
+{{ $envAll.Values.pod.image_pull_secrets.default | toYaml | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
new file mode 100644
index 0000000..90a7a65
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{{- $saName := index . 2 | replace "_" "-" }}
+{{- $saNamespace := index . 3 -}}
+{{- $releaseName := $envAll.Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $releaseName }}-{{ $saName }}
+  namespace: {{ $saNamespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $saName }}
+    namespace: {{ $saNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+  namespace: {{ $saNamespace }}
+rules:
+  - apiGroups:
+      - ""
+      - extensions
+      - batch
+      - apps
+    verbs:
+      - get
+      - list
+    resources:
+      {{- range $k, $v := $deps -}}
+      {{ if eq $v "daemonsets" }}
+      - daemonsets
+      {{- end -}}
+      {{ if eq $v "jobs" }}
+      - jobs
+      {{- end -}}
+      {{ if or (eq $v "pods") (eq $v "daemonsets") (eq $v "jobs") }}
+      - pods
+      {{- end -}}
+      {{ if eq $v "services" }}
+      - services
+      - endpoints
+      {{- end -}}
+      {{ if eq $v "secrets" }}
+      - secrets
+      {{- end -}}
+      {{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
new file mode 100644
index 0000000..bc2045e
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $saName := index . 2 -}}
+{{- $saNamespace := $envAll.Release.Namespace }}
+{{- $randomKey := randAlphaNum 32 }}
+{{- $allNamespace := dict $randomKey "" }}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $saName }}
+  namespace: {{ $saNamespace }}
+{{- if $envAll.Values.manifests.secret_registry }}
+{{- if $envAll.Values.endpoints.oci_image_registry.auth.enabled }}
+imagePullSecrets:
+  - name: {{ index $envAll.Values.secrets.oci_image_registry $envAll.Chart.Name }}
+{{- end -}}
+{{- end -}}
+{{- range $k, $v := $deps -}}
+{{- if eq $k "services" }}
+{{- range $serv := $v }}
+{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
+{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
+{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
+{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- else if and (eq $k "jobs") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "daemonset") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "pod") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "pods," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "secret") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "secrets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- $_ := unset $allNamespace $randomKey }}
+{{- range $ns, $vv := $allNamespace }}
+{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
+{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
new file mode 100644
index 0000000..3a4fbaa
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
@@ -0,0 +1,67 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders securityContext for a Kubernetes pod.
+  For pod level, seurity context see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#podsecuritycontext-v1-core
+examples:
+  - values: |
+      pod:
+        # NOTE: The 'user' key is deprecated, and will be removed shortly.
+        user:
+          myApp:
+            uid: 34356
+        security_context:
+          myApp:
+            pod:
+              runAsNonRoot: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+    return: |
+      securityContext:
+        runAsUser: 34356
+        runAsNonRoot: true
+  - values: |
+      pod:
+        security_context:
+          myApp:
+            pod:
+              runAsUser: 34356
+              runAsNonRoot: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+    return: |
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+securityContext:
+{{- if hasKey $envAll.Values.pod "user" }}
+{{- if hasKey $envAll.Values.pod.user $application }}
+{{- if hasKey ( index $envAll.Values.pod.user $application ) "uid" }}
+  runAsUser: {{ index $envAll.Values.pod.user $application "uid" }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{ toYaml ( index $envAll.Values.pod.security_context $application "pod" ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
new file mode 100644
index 0000000..7470760
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes liveness and readiness probes for containers
+values: |
+  pod:
+    probes:
+      api:
+        default:
+          readiness:
+            enabled: true
+            params:
+              initialDelaySeconds: 30
+              timeoutSeconds: 30
+usage: |
+  {{- define "probeTemplate" }}
+  httpGet:
+    path: /status
+    port: 9090
+  {{- end }}
+  {{ dict "envAll" . "component" "api" "container" "default" "type" "readiness" "probeTemplate" (include "probeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" }}
+return: |
+  readinessProbe:
+    httpGet:
+      path: /status
+      port: 9090
+    initialDelaySeconds: 30
+    timeoutSeconds: 30
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_probe" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $container := index . "container" -}}
+{{- $type := index . "type" -}}
+{{- $probeTemplate := index . "probeTemplate" -}}
+{{- $probeOpts := index $envAll.Values.pod.probes $component $container $type -}}
+{{- if $probeOpts.enabled -}}
+{{- $probeOverides := index $probeOpts "params" | default dict -}}
+{{ dict ( printf "%sProbe" $type ) (mergeOverwrite $probeTemplate $probeOverides ) | toYaml }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
new file mode 100644
index 0000000..24d30cf
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
@@ -0,0 +1,53 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Note: This function is deprecated and will be removed in the future.
+
+abstract: |
+  Renders kubernetes resource limits for pods
+values: |
+  pod:
+    resources:
+      enabled: true
+      api:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+          hugepages-1Gi: "1Gi"
+
+usage: |
+  {{ include "helm-toolkit.snippets.kubernetes_resources" ( tuple . .Values.pod.resources.api ) }}
+return: |
+  resources:
+    limits:
+      cpu: "2000m"
+      memory: "1024Mi"
+      hugepages-1Gi: "1Gi"
+    requests:
+      cpu: "100m"
+      memory: "128Mi
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_resources" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- if $envAll.Values.pod.resources.enabled -}}
+resources:
+{{ toYaml $component | trim | indent 2 }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
new file mode 100644
index 0000000..555ffb0
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders seccomp annotations for a list of containers driven by values.yaml.
+values: |
+  pod:
+    seccomp:
+      myPodName:
+        myContainerName: localhost/mySeccomp
+        mySecondContainerName: localhost/secondProfile # optional
+        myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+  {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_seccomp_annotation" }}
+return: |
+  container.seccomp.security.alpha.kubernetes.io/myContainerName: localhost/mySeccomp
+  container.seccomp.security.alpha.kubernetes.io/mySecondContainerName: localhost/secondProfile
+  container.seccomp.security.alpha.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+  The number of container underneath is a variable arguments. It loops through
+  all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_seccomp_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey (index $envAll.Values.pod "seccomp") $podName -}}
+{{- range $name := $containerNames -}}
+{{- $seccompProfile := index $envAll.Values.pod.seccomp $podName $name -}}
+{{- if $seccompProfile }}
+container.seccomp.security.alpha.kubernetes.io/{{ $name }}: {{ $seccompProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
new file mode 100644
index 0000000..e4af6a6
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes tolerations for pods
+values: |
+  pod:
+    tolerations:
+      api:
+        enabled: true
+        tolerations:
+        - key: node-role.kubernetes.io/master
+          operator: Exists
+        - key: node-role.kubernetes.io/node
+          operator: Exists
+
+usage: |
+  {{ include "helm-toolkit.snippets.kubernetes_tolerations" ( tuple . .Values.pod.tolerations.api ) }}
+return: |
+  tolerations:
+  - key: node-role.kubernetes.io/master
+    operator: Exists
+  - key: node-role.kubernetes.io/node
+    operator: Exists
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_tolerations" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $pod := index $envAll.Values.pod.tolerations $component }}
+tolerations:
+{{ toYaml $pod.tolerations }}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
new file mode 100644
index 0000000..69cee47
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_daemonset" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $upgradeMap := index $envAll.Values.pod.lifecycle.upgrades.daemonsets $component -}}
+{{- $pod_replacement_strategy := $envAll.Values.pod.lifecycle.upgrades.daemonsets.pod_replacement_strategy -}}
+{{- with $upgradeMap -}}
+{{- if .enabled }}
+minReadySeconds: {{ .min_ready_seconds }}
+updateStrategy:
+  type: {{ $pod_replacement_strategy }}
+  {{- if $pod_replacement_strategy }}
+  {{- if eq $pod_replacement_strategy "RollingUpdate" }}
+  rollingUpdate:
+    maxUnavailable: {{ .max_unavailable }}
+  {{- end }}
+  {{- end }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
new file mode 100644
index 0000000..be28cdb
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_deployment" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.deployments -}}
+revisionHistoryLimit: {{ .revision_history }}
+strategy:
+  type: {{ .pod_replacement_strategy }}
+  {{- if eq .pod_replacement_strategy "RollingUpdate" }}
+  rollingUpdate:
+    maxUnavailable: {{ .rolling_update.max_unavailable }}
+    maxSurge: {{ .rolling_update.max_surge }}
+  {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
new file mode 100644
index 0000000..f897023
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders upgradeStrategy configuration for Kubernetes statefulsets.
+  See: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+  Types:
+    - RollingUpdate (default)
+    - OnDelete
+  Partitions:
+    - Stage updates to a statefulset by keeping pods at current version while
+      allowing mutations to statefulset's .spec.template
+values: |
+  pod:
+    lifecycle:
+      upgrades:
+        statefulsets:
+          pod_replacement_strategy: RollingUpdate
+          partition: 2
+usage: |
+  {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_statefulset" | indent 2 }}
+return: |
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      partition: 2
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_statefulset" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.statefulsets -}}
+updateStrategy:
+  type: {{ .pod_replacement_strategy }}
+  {{ if .partition -}}
+  rollingUpdate:
+    partition: {{ .partition }}
+  {{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
new file mode 100644
index 0000000..fc74c6f
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
@@ -0,0 +1,68 @@
+{{- define "helm-toolkit.snippets.mon_host_from_k8s_ep" -}}
+{{/*
+
+Inserts a bash function definition mon_host_from_k8s_ep() which can be used
+to construct a mon_hosts value from the given namespaced endpoint.
+
+Usage (e.g. in _script.sh.tpl):
+    #!/bin/bash
+
+    : "${NS:=ceph}"
+    : "${EP:=ceph-mon-discovery}"
+
+    {{ include "helm-toolkit.snippets.mon_host_from_k8s_ep" . }}
+
+    MON_HOST=$(mon_host_from_k8s_ep "$NS" "$EP")
+
+    if [ -z "$MON_HOST" ]; then
+        # deal with failure
+    else
+        sed -i -e "s/^mon_host = /mon_host = $MON_HOST/" /etc/ceph/ceph.conf
+    fi
+*/}}
+{{`
+# Construct a mon_hosts value from the given namespaced endpoint
+# IP x.x.x.x with port p named "mon-msgr2" will appear as [v2:x.x.x.x/p/0]
+# IP x.x.x.x with port q named "mon" will appear as [v1:x.x.x.x/q/0]
+# IP x.x.x.x with ports p and q will appear as [v2:x.x.x.x/p/0,v1:x.x.x.x/q/0]
+# The entries for all IPs will be joined with commas
+mon_host_from_k8s_ep() {
+  local ns=$1
+  local ep=$2
+
+  if [ -z "$ns" ] || [ -z "$ep" ]; then
+    return 1
+  fi
+
+  # We don't want shell expansion for the go-template expression
+  # shellcheck disable=SC2016
+  kubectl get endpoints -n "$ns" "$ep" -o go-template='
+    {{- $sep := "" }}
+    {{- range $_,$s := .subsets }}
+      {{- $v2port := 0 }}
+      {{- $v1port := 0 }}
+      {{- range $_,$port := index $s "ports" }}
+        {{- if (eq $port.name "mon-msgr2") }}
+          {{- $v2port = $port.port }}
+        {{- else if (eq $port.name "mon") }}
+          {{- $v1port = $port.port }}
+        {{- end }}
+      {{- end }}
+      {{- range $_,$address := index $s "addresses" }}
+        {{- $v2endpoint := printf "v2:%s:%d/0" $address.ip $v2port }}
+        {{- $v1endpoint := printf "v1:%s:%d/0" $address.ip $v1port }}
+        {{- if (and $v2port $v1port) }}
+          {{- printf "%s[%s,%s]" $sep $v2endpoint $v1endpoint }}
+          {{- $sep = "," }}
+        {{- else if $v2port }}
+          {{- printf "%s[%s]" $sep $v2endpoint }}
+          {{- $sep = "," }}
+        {{- else if $v1port }}
+          {{- printf "%s[%s]" $sep $v1endpoint }}
+          {{- $sep = "," }}
+        {{- end }}
+      {{- end }}
+    {{- end }}'
+}
+`}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
new file mode 100644
index 0000000..fec41f8
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape jobs via pod
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape pods that have a value of `true`
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: Scrape the pod on the indicated port instead of the
+# pod's declared ports (default is a port-free target if none are declared).
+
+{{- define "helm-toolkit.snippets.prometheus_pod_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
new file mode 100644
index 0000000..a827c4b
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
@@ -0,0 +1,35 @@
+{{/*
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+   http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape endpoints via
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape services that have a value of `true`
+# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
+# to set this to `https` & most likely set the `tls_config` of the scrape config.
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: If the metrics are exposed on a different port to the
+# service then set this appropriately.
+
+{{- define "helm-toolkit.snippets.prometheus_service_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.scheme }}
+prometheus.io/scheme: {{ $config.scheme | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_release_uuid.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
new file mode 100644
index 0000000..253920b
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Reneders an attonation key and value for a release
+values: |
+  release_uuid: null
+usage: |
+  {{ tuple . | include "helm-toolkit.snippets.release_uuid" }}
+return: |
+  "openstackhelm.openstack.org/release_uuid": ""
+*/}}
+
+{{- define "helm-toolkit.snippets.release_uuid" -}}
+{{- $envAll := index . 0 -}}
+"openstackhelm.openstack.org/release_uuid": {{ $envAll.Values.release_uuid | default "" | quote }}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
new file mode 100644
index 0000000..a3169ce
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_admin_env_vars" }}
+{{- $s3AdminSecret := .s3AdminSecret }}
+- name: S3_ADMIN_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_USERNAME
+- name: S3_ADMIN_ACCESS_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_ACCESS_KEY
+- name: S3_ADMIN_SECRET_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_SECRET_KEY
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
new file mode 100644
index 0000000..a611a5e
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_secret_creds" }}
+{{- range $client, $config := .Values.storage.s3.clients -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+type: Opaque
+data:
+{{- range $key, $value := $config.auth }}
+  {{ $key | upper }}: {{ $value | toString | b64enc}}
+{{- end }}
+
+{{ end }}
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
new file mode 100644
index 0000000..a3dd431
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_user_env_vars" }}
+{{- range $client, $user := .Values.storage.s3.clients }}
+{{- $s3secret := printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+- name: {{ printf "%s_S3_USERNAME" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: USERNAME
+- name: {{ printf "%s_S3_ACCESS_KEY" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: ACCESS_KEY
+- name: {{ printf "%s_S3_SECRET_KEY" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: SECRET_KEY
+{{- end }}
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_tls_volume.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
new file mode 100644
index 0000000..41fe3d9
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+  Renders a secret volume for tls.
+
+  Dictionary Parameters:
+    enabled: boolean check if you want to conditional disable this snippet (optional)
+    name: name of the volume (required)
+    secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional)
+
+values: |
+  manifests:
+    certificates: true
+
+usage: |
+  {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume" -}}
+
+return: |
+  - name: glance-tls-api
+    secret:
+      secretName: glance-tls-api
+      defaultMode: 292
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $secretName := index . "secretName" | default $name -}}
+{{- if and $enabled (ne $name "") }}
+- name: {{ $name }}
+  secret:
+    secretName: {{ $secretName }}
+    defaultMode: 292
+{{- end }}
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
new file mode 100644
index 0000000..9cfa819
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
@@ -0,0 +1,82 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+  Renders a volume mount for TLS key, cert and CA.
+
+  Dictionary Parameters:
+    enabled: boolean check if you want to conditional disable this snippet (optional)
+    name: name that of the volume and should match the volume name (required)
+    path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required)
+    certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}.
+          the default is the full set. (optional)
+
+values: |
+  manifests:
+    certificates: true
+
+usage: |
+  {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/tls.crt
+    subPath: tls.crt
+    readOnly: true
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/tls.key
+    subPath: tls.key
+    readOnly: true
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/ca.crt
+    subPath: ca.crt
+    readOnly: true
+
+abstract: |
+  This mounts a specific issuing CA only for service validation
+
+usage: |
+  {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+  - name: glance-tls-api
+    mountPath: /etc/ssl/certs/openstack-helm.crt
+    subPath: ca.crt
+    readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume_mount" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $path := index . "path" | default "" -}}
+{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }}
+{{- if $enabled }}
+{{- if and (eq $path "") (ne $name "") }}
+- name: {{ $name }}
+  mountPath: "/etc/ssl/certs/openstack-helm.crt"
+  subPath: ca.crt
+  readOnly: true
+{{- else }}
+{{- if ne $name "" }}
+{{- range $key, $value := $certs }}
+- name: {{ $name }}
+  mountPath: {{ printf "%s/%s" $path $value }}
+  subPath: {{ $value }}
+  readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
new file mode 100644
index 0000000..6e9d5a1
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
@@ -0,0 +1,87 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders out configuration sections into a format suitable for incorporation
+  into a config-map. Allowing various forms of input to be rendered out as
+  appropriate.
+values: |
+  conf:
+    inputs:
+      - foo
+      - bar
+    some:
+      config_to_render: |
+        #We can use all of gotpl here: eg macros, ranges etc.
+        {{ include "helm-toolkit.utils.joinListWithComma" .Values.conf.inputs }}
+      config_to_complete:
+        #here we can fill out params, but things need to be valid yaml as input
+        '{{ .Release.Name }}': '{{ printf "%s-%s" .Release.Namespace "namespace" }}'
+      static_config:
+        #this is just passed though as yaml to the configmap
+        foo: bar
+usage: |
+  {{- $envAll := . }}
+  ---
+  apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: application-etc
+  data:
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_render "key" "config_to_render.conf") | indent 2 }}
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_complete "key" "config_to_complete.yaml") | indent 2 }}
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.static_config "key" "static_config.yaml") | indent 2 }}
+return: |
+  ---
+  apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: application-etc
+  data:
+    config_to_render.conf: |
+      #We can use all of gotpl here: eg macros, ranges etc.
+      foo,bar
+
+    config_to_complete.yaml: |
+      'RELEASE-NAME': 'default-namespace'
+
+    static_config.yaml: |
+      foo: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.values_template_renderer" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $template := index . "template" -}}
+{{- $key := index . "key" -}}
+{{- $format := index . "format" | default "configMap" -}}
+{{- with $envAll -}}
+{{- $templateRendered := tpl ( $template | toYaml ) . }}
+{{- if eq $format "Secret" }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: {{ regexReplaceAllLiteral "\n  " ( $templateRendered | trimPrefix "|\n" | trimPrefix "  " ) "\n" | b64enc }}
+{{- else }}
+{{ $key }}: {{ $templateRendered | b64enc }}
+{{- end -}}
+{{- else }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: |
+{{ regexReplaceAllLiteral "\n  " ( $templateRendered | trimPrefix "|\n" | trimPrefix "  " ) "\n" | indent 2 }}
+{{- else }}
+{{ $key }}: |
+{{ $templateRendered | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl b/charts/memcached/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
new file mode 100644
index 0000000..6d617a1
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
@@ -0,0 +1,94 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Produces a certificate from a certificate authority. If the "encode" parameter
+  is true, base64 encode the values for inclusion in a Kubernetes secret.
+values: |
+  test:
+    hosts:
+      names:
+        - barbican.openstackhelm.example
+        - barbican.openstack.svc.cluster.local
+      ips:
+        - 127.0.0.1
+        - 192.168.0.1
+    life: 3
+    # Use ca.crt and ca.key to build a customized ca, if they are provided.
+    # Use hosts.names[0] and life to auto-generate a ca, if ca is not provided.
+    ca:
+      crt: |
+        <CA CRT>
+      key: |
+        <CA PRIVATE KEY>
+usage: |
+  {{ include "helm-toolkit.utils.tls_generate_certs" (dict "params" .Values.test) }}
+return: |
+  ca: |
+    <CA CRT>
+  crt: |
+    <CRT>
+  exp: 2018-09-01T10:56:07.895392915-00:00
+  key: |
+    <CRT PRIVATE KEY>
+*/}}
+
+{{- define "helm-toolkit.utils.tls_generate_certs" -}}
+{{- $params := index . "params" -}}
+{{- $encode := index . "encode" | default false -}}
+{{- $local := dict -}}
+
+{{- $_hosts := $params.hosts.names | default list }}
+{{- if kindIs "string" $params.hosts.names }}
+{{- $_ := set $local "certHosts" (list $params.hosts.names) }}
+{{- else }}
+{{- $_ := set $local "certHosts" $_hosts }}
+{{- end }}
+
+{{- $_ips := $params.hosts.ips | default list }}
+{{- if kindIs "string" $params.hosts.ips }}
+{{- $_ := set $local "certIps" (list $params.hosts.ips) }}
+{{- else }}
+{{- $_ := set $local "certIps" $_ips }}
+{{- end }}
+
+{{- if hasKey $params "ca" }}
+{{- if and (hasKey $params.ca "crt") (hasKey $params.ca "key") }}
+{{- $ca := buildCustomCert ($params.ca.crt | b64enc ) ($params.ca.key | b64enc ) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+{{- else }}
+{{- $ca := genCA (first $local.certHosts) (int $params.life) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+
+{{- $expDate := date_in_zone "2006-01-02T15:04:05Z07:00" ( date_modify (printf "+%sh" (mul $params.life 24 |toString)) now ) "UTC" }}
+{{- $rawCert := genSignedCert (first $local.certHosts) ($local.certIps) ($local.certHosts) (int $params.life) $local.ca }}
+{{- $certificate := dict -}}
+{{- if $encode -}}
+{{- $_ := b64enc $rawCert.Cert | set $certificate "crt" -}}
+{{- $_ := b64enc $rawCert.Key | set $certificate "key" -}}
+{{- $_ := b64enc $local.ca.Cert | set $certificate "ca" -}}
+{{- $_ := b64enc $local.ca.Key | set $certificate "caKey" -}}
+{{- $_ := b64enc $expDate | set $certificate "exp" -}}
+{{- else -}}
+{{- $_ := set $certificate "crt" $rawCert.Cert -}}
+{{- $_ := set $certificate "key" $rawCert.Key -}}
+{{- $_ := set $certificate "ca" $local.ca.Cert -}}
+{{- $_ := set $certificate "caKey" $local.ca.Key -}}
+{{- $_ := set $certificate "exp" $expDate -}}
+{{- end -}}
+{{- $certificate | toYaml }}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl b/charts/memcached/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
new file mode 100644
index 0000000..e26501f
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a comma separated list of namespace:service pairs.
+values: |
+  dependencies:
+    static:
+      api:
+        services:
+          - endpoint: internal
+            service: oslo_cache
+          - endpoint: internal
+            service: oslo_db
+  endpoints:
+    oslo_db:
+      namespace: foo
+      hosts:
+        default: mariadb
+    oslo_cache:
+      namespace: bar
+      hosts:
+        default: memcache
+usage: |
+  {{ tuple .Values.dependencies.static.api.services . | include "helm-toolkit.utils.comma_joined_service_list" }}
+return: |
+  bar:memcache,foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.utils.comma_joined_service_list" -}}
+{{- $deps := index . 0 -}}
+{{- $envAll := index . 1 -}}
+{{- range $k, $v := $deps -}}{{- if $k -}},{{- end -}}{{ tuple $v.service $v.endpoint $envAll | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/utils/_configmap_templater.tpl b/charts/memcached/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
new file mode 100644
index 0000000..7095c19
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
@@ -0,0 +1,30 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.configmap_templater" }}
+{{- $keyRoot := index . 0 -}}
+{{- $configTemplate := index . 1 -}}
+{{- $context := index . 2 -}}
+{{ if $keyRoot.override -}}
+{{ $keyRoot.override | indent 4 }}
+{{- else -}}
+{{- if $keyRoot.prefix -}}
+{{ $keyRoot.prefix | indent 4 }}
+{{- end }}
+{{ tuple $configTemplate $context | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if $keyRoot.append -}}
+{{ $keyRoot.append | indent 4 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl b/charts/memcached/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
new file mode 100644
index 0000000..40359f0
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
@@ -0,0 +1,269 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.daemonset_overrides" }}
+  {{- $daemonset := index . 0 }}
+  {{- $daemonset_yaml := index . 1 }}
+  {{- $configmap_include := index . 2 }}
+  {{- $configmap_name := index . 3 }}
+  {{- $context := index . 4 }}
+  {{- $_ := unset $context ".Files" }}
+  {{- $daemonset_root_name := printf (print $context.Chart.Name "_" $daemonset) }}
+  {{- $_ := set $context.Values "__daemonset_list" list }}
+  {{- $_ := set $context.Values "__default" dict }}
+  {{- if hasKey $context.Values.conf "overrides" }}
+    {{- range $key, $val := $context.Values.conf.overrides }}
+
+      {{- if eq $key $daemonset_root_name }}
+        {{- range $type, $type_data := . }}
+
+          {{- if eq $type "hosts" }}
+            {{- range $host_data := . }}
+              {{/* dictionary that will contain all info needed to generate this
+              iteration of the daemonset */}}
+              {{- $current_dict := dict }}
+
+              {{/* set daemonset name */}}
+              {{/* Note: long hostnames can cause the 63 char name limit to be
+              exceeded. Truncate the hostname if hostname > 20 char */}}
+              {{- if gt (len $host_data.name) 20 }}
+                {{- $_ := set $current_dict "name" (substr 0 20 $host_data.name) }}
+              {{- else }}
+                {{- $_ := set $current_dict "name" $host_data.name }}
+              {{- end }}
+
+              {{/* apply overrides */}}
+              {{- $override_conf_copy := $host_data.conf }}
+              {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+              {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+              {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+              {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+              {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+              {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+              {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+              {{- $_ := set $current_dict "nodeData" $root_conf_copy4 }}
+
+              {{/* Schedule to this host explicitly. */}}
+              {{- $nodeSelector_dict := dict }}
+
+              {{- $_ := set $nodeSelector_dict "key" "kubernetes.io/hostname" }}
+              {{- $_ := set $nodeSelector_dict "operator" "In" }}
+
+              {{- $values_list := list $host_data.name }}
+              {{- $_ := set $nodeSelector_dict "values" $values_list }}
+
+              {{- $list_aggregate := list $nodeSelector_dict }}
+              {{- $_ := set $current_dict "matchExpressions" $list_aggregate }}
+
+              {{/* store completed daemonset entry/info into global list */}}
+              {{- $list_aggregate := append $context.Values.__daemonset_list $current_dict }}
+              {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+            {{- end }}
+          {{- end }}
+
+          {{- if eq $type "labels" }}
+            {{- $_ := set $context.Values "__label_list" . }}
+            {{- range $label_data := . }}
+              {{/* dictionary that will contain all info needed to generate this
+              iteration of the daemonset. */}}
+              {{- $_ := set $context.Values "__current_label" dict }}
+
+              {{/* set daemonset name */}}
+              {{- $_ := set $context.Values.__current_label "name" $label_data.label.key }}
+
+              {{/* apply overrides */}}
+              {{- $override_conf_copy := $label_data.conf }}
+              {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+              {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+              {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+              {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+              {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+              {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+              {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+              {{- $_ := set $context.Values.__current_label "nodeData" $root_conf_copy4 }}
+
+              {{/* Schedule to the provided label value(s) */}}
+              {{- $label_dict := omit $label_data.label "NULL" }}
+              {{- $_ := set $label_dict "operator" "In" }}
+              {{- $list_aggregate := list $label_dict }}
+              {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+
+              {{/* Do not schedule to other specified labels, with higher
+              precedence as the list position increases. Last defined label
+              is highest priority. */}}
+              {{- $other_labels := without $context.Values.__label_list $label_data }}
+              {{- range $label_data2 := $other_labels }}
+                {{- $label_dict := omit $label_data2.label "NULL" }}
+
+                {{- $_ := set $label_dict "operator" "NotIn" }}
+
+                {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+                {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+              {{- end }}
+              {{- $_ := set $context.Values "__label_list" $other_labels }}
+
+              {{/* Do not schedule to any other specified hosts */}}
+              {{- range $type, $type_data := $val }}
+                {{- if eq $type "hosts" }}
+                  {{- range $host_data := . }}
+                    {{- $label_dict := dict }}
+
+                    {{- $_ := set $label_dict "key" "kubernetes.io/hostname" }}
+                    {{- $_ := set $label_dict "operator" "NotIn" }}
+
+                    {{- $values_list := list $host_data.name }}
+                    {{- $_ := set $label_dict "values" $values_list }}
+
+                    {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+                    {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+                  {{- end }}
+                {{- end }}
+              {{- end }}
+
+              {{/* store completed daemonset entry/info into global list */}}
+              {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__current_label }}
+              {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+              {{- $_ := unset $context.Values "__current_label" }}
+
+            {{- end }}
+          {{- end }}
+        {{- end }}
+
+        {{/* scheduler exceptions for the default daemonset */}}
+        {{- $_ := set $context.Values.__default "matchExpressions" list }}
+
+        {{- range $type, $type_data := . }}
+          {{/* Do not schedule to other specified labels */}}
+          {{- if eq $type "labels" }}
+            {{- range $label_data := . }}
+              {{- $default_dict := omit $label_data.label "NULL" }}
+
+              {{- $_ := set $default_dict "operator" "NotIn" }}
+
+              {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+              {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+            {{- end }}
+          {{- end }}
+          {{/* Do not schedule to other specified hosts */}}
+          {{- if eq $type "hosts" }}
+            {{- range $host_data := . }}
+              {{- $default_dict := dict }}
+
+              {{- $_ := set $default_dict "key" "kubernetes.io/hostname" }}
+              {{- $_ := set $default_dict "operator" "NotIn" }}
+
+              {{- $values_list := list $host_data.name }}
+              {{- $_ := set $default_dict "values" $values_list }}
+
+              {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+              {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+            {{- end }}
+          {{- end }}
+        {{- end }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+
+  {{/* generate the default daemonset */}}
+
+  {{/* set name */}}
+  {{- $_ := set $context.Values.__default "name" "default" }}
+
+  {{/* no overrides apply, so copy as-is */}}
+  {{- $root_conf_copy1 := omit $context.Values.conf "overrides" }}
+  {{- $root_conf_copy2 := dict "conf" $root_conf_copy1 }}
+  {{- $context_values := omit $context.Values "conf" }}
+  {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+  {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+  {{- $_ := set $context.Values.__default "nodeData" $root_conf_copy4 }}
+
+  {{/* add to global list */}}
+  {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__default }}
+  {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+  {{- range $current_dict := $context.Values.__daemonset_list }}
+
+    {{- $context_novalues := omit $context "Values" }}
+    {{- $merged_dict := mergeOverwrite $context_novalues $current_dict.nodeData }}
+    {{- $_ := set $current_dict "nodeData" $merged_dict }}
+    {{/* Deep copy original daemonset_yaml */}}
+    {{- $_ := set $context.Values "__daemonset_yaml" ($daemonset_yaml | toYaml | fromYaml) }}
+
+    {{/* name needs to be a DNS-1123 compliant name. Ensure lower case */}}
+    {{- $name_format1 := printf (print $daemonset_root_name "-" $current_dict.name) | lower }}
+    {{/* labels may contain underscores which would be invalid here, so we replace them with dashes
+    there may be other valid label names which would make for an invalid DNS-1123 name
+    but these will be easier to handle in future with sprig regex* functions
+    (not availabile in helm 2.5.1) */}}
+    {{- $name_format2 := $name_format1 | replace "_" "-" }}
+    {{/* To account for the case where the same label is defined multiple times in overrides
+    (but with different label values), we add a sha of the scheduling data to ensure
+    name uniqueness */}}
+    {{- $_ := set $current_dict "dns_1123_name" dict }}
+    {{- if hasKey $current_dict "matchExpressions" }}
+      {{- $_ := set $current_dict "dns_1123_name" (printf (print $name_format2 "-" ($current_dict.matchExpressions | quote | sha256sum | trunc 8))) }}
+    {{- else }}
+      {{- $_ := set $current_dict "dns_1123_name" $name_format2 }}
+    {{- end }}
+
+    {{/* set daemonset metadata name */}}
+    {{- if not $context.Values.__daemonset_yaml.metadata }}{{- $_ := set $context.Values.__daemonset_yaml "metadata" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }}
+    {{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }}
+
+    {{/* cross-reference configmap name to container volume definitions */}}
+    {{- $_ := set $context.Values "__volume_list" list }}
+    {{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }}
+      {{- $_ := set $context.Values "__volume" $current_volume }}
+      {{- if hasKey $context.Values.__volume "secret" }}
+        {{- if eq $context.Values.__volume.secret.secretName $configmap_name }}
+          {{- $_ := set $context.Values.__volume.secret "secretName" $current_dict.dns_1123_name }}
+        {{- end }}
+      {{- end }}
+      {{- $updated_list := append $context.Values.__volume_list $context.Values.__volume }}
+      {{- $_ := set $context.Values "__volume_list" $updated_list }}
+    {{- end }}
+    {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "volumes" $context.Values.__volume_list }}
+
+
+    {{/* populate scheduling restrictions */}}
+    {{- if hasKey $current_dict "matchExpressions" }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "spec" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "affinity" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity "nodeAffinity" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity "requiredDuringSchedulingIgnoredDuringExecution" dict }}{{- end }}
+      {{- $match_exprs := dict }}
+      {{- $_ := set $match_exprs "matchExpressions" $current_dict.matchExpressions }}
+      {{- $appended_match_expr := list $match_exprs }}
+      {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution "nodeSelectorTerms" $appended_match_expr }}
+    {{- end }}
+
+    {{/* input value hash for current set of values overrides */}}
+    {{- if not $context.Values.__daemonset_yaml.spec }}{{- $_ := set $context.Values.__daemonset_yaml "spec" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template }}{{- $_ := set $context.Values.__daemonset_yaml.spec "template" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template.metadata }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "metadata" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template.metadata.annotations }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata "annotations" dict }}{{- end }}
+    {{- $cmap := list $current_dict.dns_1123_name $current_dict.nodeData | include $configmap_include }}
+    {{- $values_hash := $cmap | quote | sha256sum }}
+    {{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata.annotations "configmap-etc-hash" $values_hash }}
+
+    {{/* generate configmap */}}
+---
+{{ $cmap }}
+    {{/* generate daemonset yaml */}}
+---
+{{ $context.Values.__daemonset_yaml | toYaml }}
+  {{- end }}
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl b/charts/memcached/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
new file mode 100644
index 0000000..b99c00d
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.dependency_resolver" }}
+{{- $envAll := index . "envAll" -}}
+{{- $dependencyMixinParam := index . "dependencyMixinParam" -}}
+{{- $dependencyKey := index . "dependencyKey" -}}
+{{- if $dependencyMixinParam -}}
+{{- $_ := set $envAll.Values "pod_dependency" dict -}}
+{{- if kindIs "string" $dependencyMixinParam }}
+{{- if ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam ) }}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency ( index $envAll.Values.dependencies.static $dependencyKey ) ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam $dependencyKey ) ) -}}
+{{- else }}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- end }}
+{{- else if kindIs "slice" $dependencyMixinParam }}
+{{- $_ := set $envAll.Values "__deps" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- range $k, $v := $dependencyMixinParam -}}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency $envAll.Values.__deps ( index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey ) ) -}}
+{{- $_ := set $envAll.Values "__deps" $envAll.Values.pod_dependency -}}
+{{- end }}
+{{- end }}
+{{- else -}}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) -}}
+{{- end -}}
+{{ $envAll.Values.pod_dependency | toYaml }}
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/utils/_hash.tpl b/charts/memcached/charts/helm-toolkit/templates/utils/_hash.tpl
new file mode 100644
index 0000000..d871b62
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/utils/_hash.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.hash" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{- include $wtf $context | sha256sum | quote -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/utils/_host_list.tpl b/charts/memcached/charts/helm-toolkit/templates/utils/_host_list.tpl
new file mode 100644
index 0000000..0c32136
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/utils/_host_list.tpl
@@ -0,0 +1,44 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a list of unique hosts for an endpoint, in yaml.
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: mariadb
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.utils.host_list" }}
+return: |
+  hosts:
+  - mariadb
+  - mariadb.default
+*/}}
+
+{{- define "helm-toolkit.utils.host_list" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $host_fqdn := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $host_namespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $host_short := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{/* It is important that the FQDN host is 1st in this list, to ensure other function can use the 1st element for cert gen CN etc */}}
+{{- $host_list := list $host_fqdn $host_namespaced $host_short | uniq }}
+{{- dict "hosts" $host_list | toYaml }}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/utils/_image_sync_list.tpl b/charts/memcached/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
new file mode 100644
index 0000000..51923b6
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.image_sync_list" -}}
+{{- $imageExcludeList := .Values.images.local_registry.exclude -}}
+{{- $imageDict := .Values.images.tags -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := $imageDict -}}
+{{- if not $local.first -}},{{- end -}}
+{{- if (not (has $k $imageExcludeList )) -}}
+{{- index $imageDict $k -}}
+{{- $_ := set $local "first" false -}}
+{{- end -}}{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl b/charts/memcached/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
new file mode 100644
index 0000000..5eb5785
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a comma separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithComma" .Values.test }}
+return: |
+  foo,bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithComma" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl b/charts/memcached/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
new file mode 100644
index 0000000..3bc6819
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a comma seperated string with single quotes
+  around each value.
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.test }}
+return: |
+  'foo','bar'
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}'{{- $v -}}'{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl b/charts/memcached/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
new file mode 100644
index 0000000..40ebb15
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
@@ -0,0 +1,32 @@
+{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of prefixed values into a space separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ tuple "prefix" .Values.test | include "helm-toolkit.utils.joinListWithPrefix" }}
+return: |
+  prefixfoo prefixbar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithPrefix" -}}
+{{- $prefix := index . 0 -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := index . 1 -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $prefix -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl b/charts/memcached/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
new file mode 100644
index 0000000..5912280
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a space separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithSpace" .Values.test }}
+return: |
+  foo bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithSpace" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/utils/_merge.tpl b/charts/memcached/charts/helm-toolkit/templates/utils/_merge.tpl
new file mode 100644
index 0000000..ea80546
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/utils/_merge.tpl
@@ -0,0 +1,135 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Takes a tuple of values and merges into the first (target) one each subsequent
+(source) one in order. If all values to merge are maps, then the tuple can be
+passed as is and the target will be the result, otherwise pass a map with a
+"values" key containing the tuple of values to merge, and the merge result will
+be assigned to the "result" key of the passed map.
+
+When merging maps, for each key in the source, if the target does not define
+that key, the source value is assigned. If both define the key, then the key
+values are merged using this algorithm (recursively) and the result is assigned
+to the target key. Slices are merged by appending them and removing any
+duplicates, and when passing a map to this function and including a
+"merge_same_named" key set to true, then map items from the slices with the same
+value for the "name" key will be merged with each other. Any other values are
+merged by simply keeping the source, and throwing away the target.
+*/}}
+
+{{- define "helm-toolkit.utils.merge" -}}
+  {{- $local := dict -}}
+  {{- $_ := set $local "merge_same_named" false -}}
+  {{- if kindIs "map" $ -}}
+    {{- $_ := set $local "values" $.values -}}
+    {{- if hasKey $ "merge_same_named" -}}
+      {{- $_ := set $local "merge_same_named" $.merge_same_named -}}
+    {{- end -}}
+  {{- else -}}
+    {{- $_ := set $local "values" $ -}}
+  {{- end -}}
+
+  {{- $target := first $local.values -}}
+  {{- range $item := rest $local.values -}}
+    {{- $call := dict "target" $target "source" . "merge_same_named" $local.merge_same_named -}}
+    {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+    {{- $_ := set $local "result" $call.result -}}
+  {{- end -}}
+
+  {{- if kindIs "map" $ -}}
+    {{- $_ := set $ "result" $local.result -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge" -}}
+  {{- $local := dict -}}
+
+  {{- $_ := set $ "result" $.source -}}
+
+  {{/*
+  TODO: Should we `fail` when trying to merge a collection (map or slice) with
+  either a different kind of collection or a scalar?
+  */}}
+
+  {{- if and (kindIs "map" $.target) (kindIs "map" $.source) -}}
+    {{- range $key, $sourceValue := $.source -}}
+      {{- if not (hasKey $.target $key) -}}
+        {{- $_ := set $local "newTargetValue" $sourceValue -}}
+        {{- if kindIs "map" $sourceValue -}}
+          {{- $copy := dict -}}
+          {{- $call := dict "target" $copy "source" $sourceValue -}}
+          {{- $_ := include "helm-toolkit.utils._merge.shallow" $call -}}
+          {{- $_ := set $local "newTargetValue" $copy -}}
+        {{- end -}}
+      {{- else -}}
+        {{- $targetValue := index $.target $key -}}
+        {{- $call := dict "target" $targetValue "source" $sourceValue "merge_same_named" $.merge_same_named -}}
+        {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+        {{- $_ := set $local "newTargetValue" $call.result -}}
+      {{- end -}}
+      {{- $_ := set $.target $key $local.newTargetValue -}}
+    {{- end -}}
+    {{- $_ := set $ "result" $.target -}}
+  {{- else if and (kindIs "slice" $.target) (kindIs "slice" $.source) -}}
+    {{- $call := dict "target" $.target "source" $.source -}}
+    {{- $_ := include "helm-toolkit.utils._merge.append_slice" $call -}}
+    {{- if $.merge_same_named -}}
+      {{- $_ := set $local "result" list -}}
+      {{- $_ := set $local "named_items" dict -}}
+      {{- range $item := $call.result -}}
+      {{- $_ := set $local "has_name_key" false -}}
+        {{- if kindIs "map" $item -}}
+          {{- if hasKey $item "name" -}}
+            {{- $_ := set $local "has_name_key" true -}}
+          {{- end -}}
+        {{- end -}}
+
+        {{- if $local.has_name_key -}}
+          {{- if hasKey $local.named_items $item.name -}}
+            {{- $named_item := index $local.named_items $item.name -}}
+            {{- $call := dict "target" $named_item "source" $item "merge_same_named" $.merge_same_named -}}
+            {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+          {{- else -}}
+            {{- $copy := dict -}}
+            {{- $copy_call := dict "target" $copy "source" $item -}}
+            {{- $_ := include "helm-toolkit.utils._merge.shallow" $copy_call -}}
+            {{- $_ := set $local.named_items $item.name $copy -}}
+            {{- $_ := set $local "result" (append $local.result $copy) -}}
+          {{- end -}}
+        {{- else -}}
+          {{- $_ := set $local "result" (append $local.result $item) -}}
+        {{- end -}}
+      {{- end -}}
+    {{- else -}}
+      {{- $_ := set $local "result" $call.result -}}
+    {{- end -}}
+    {{- $_ := set $ "result" (uniq $local.result) -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.shallow" -}}
+  {{- range $key, $value := $.source -}}
+    {{- $_ := set $.target $key $value -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.append_slice" -}}
+  {{- $local := dict -}}
+  {{- $_ := set $local "result" $.target -}}
+  {{- range $value := $.source -}}
+    {{- $_ := set $local "result" (append $local.result $value) -}}
+  {{- end -}}
+  {{- $_ := set $ "result" $local.result -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/utils/_template.tpl b/charts/memcached/charts/helm-toolkit/templates/utils/_template.tpl
new file mode 100644
index 0000000..da56aa0
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/utils/_template.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.template" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{ include $wtf $context }}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/utils/_to_ini.tpl b/charts/memcached/charts/helm-toolkit/templates/utils/_to_ini.tpl
new file mode 100644
index 0000000..a159364
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/utils/_to_ini.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns INI formatted output from yaml input
+values: |
+  conf:
+    paste:
+      filter:debug:
+        use: egg:oslo.middleware#debug
+      filter:request_id:
+        use: egg:oslo.middleware#request_id
+      filter:build_auth_context:
+        use: egg:keystone#build_auth_context
+usage: |
+  {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste }}
+return: |
+  [filter:build_auth_context]
+  use = egg:keystone#build_auth_context
+  [filter:debug]
+  use = egg:oslo.middleware#debug
+  [filter:request_id]
+  use = egg:oslo.middleware#request_id
+*/}}
+
+{{- define "helm-toolkit.utils.to_ini" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{else -}}
+{{ $key }} = {{ $value }}
+{{end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl b/charts/memcached/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
new file mode 100644
index 0000000..885a86c
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns yaml formatted to be used in k8s templates as container
+  env vars injected via secrets. This requires a secret-<chartname> template to
+  be defined in the chart that can be used to house the desired secret
+  variables. For reference, see the fluentd chart.
+values: |
+  test:
+    secrets:
+      foo: bar
+
+usage: |
+  {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+  - name: foo
+    valueFrom:
+      secretKeyRef:
+        name: "my-release-name-env-secret"
+        key: foo
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_secret_vars" -}}
+{{- $context := index . 0 -}}
+{{- $secrets := index . 1 -}}
+{{ range $key, $config := $secrets -}}
+- name: {{ $key }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ printf "%s-%s" $context.Release.Name "env-secret" | quote }}
+      key: {{ $key }}
+{{ end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl b/charts/memcached/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
new file mode 100644
index 0000000..829dca6
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
@@ -0,0 +1,39 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns key value pair formatted to be used in k8s templates as container
+  env vars.
+values: |
+  test:
+    foo: bar
+usage: |
+  {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+  - name: foo
+    value: "bar"
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_vars" -}}
+{{range $key, $value := . -}}
+{{- if kindIs "slice" $value -}}
+- name: {{ $key }}
+  value: {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{else -}}
+- name: {{ $key }}
+  value: {{ $value | quote }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/utils/_to_kv_list.tpl b/charts/memcached/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
new file mode 100644
index 0000000..91bdeb6
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
@@ -0,0 +1,42 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns key value pair in INI format (key = value)
+values: |
+  conf:
+    libvirt:
+      log_level: 3
+usage: |
+  {{ include "helm-toolkit.utils.to_kv_list" .Values.conf.libvirt }}
+return: |
+  log_level = 3
+*/}}
+
+{{- define "helm-toolkit.utils.to_kv_list" -}}
+{{- range $key, $value :=  . -}}
+{{- if kindIs "slice" $value }}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{- else if kindIs "string" $value }}
+{{- if regexMatch "^[0-9]+$" $value }}
+{{ $key }} = {{ $value }}
+{{- else }}
+{{ $key }} = {{ $value | quote }}
+{{- end }}
+{{- else }}
+{{ $key }} = {{ $value }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl b/charts/memcached/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
new file mode 100644
index 0000000..622a862
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns OSLO.conf formatted output from yaml input
+values: |
+  conf:
+    keystone:
+      DEFAULT: # Keys at this level are used for section headings
+        max_token_size: 255
+      oslo_messaging_notifications:
+        driver: # An example of a multistring option's syntax
+          type: multistring
+          values:
+            - messagingv2
+            - log
+      oslo_messaging_notifications_stein:
+        driver: # An example of a csv option's syntax
+          type: csv
+          values:
+            - messagingv2
+            - log
+      security_compliance:
+        password_expires_ignore_user_ids:
+        # Values in a list will be converted to a comma separated key
+          - "123"
+          - "456"
+usage: |
+  {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.keystone }}
+return: |
+  [DEFAULT]
+  max_token_size = 255
+  [oslo_messaging_notifications]
+  driver = messagingv2
+  driver = log
+  [oslo_messaging_notifications_stein]
+  driver = messagingv2,log
+  [security_compliance]
+  password_expires_ignore_user_ids = 123,456
+*/}}
+
+{{- define "helm-toolkit.utils.to_oslo_conf" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{ range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{ else if kindIs "map" $value -}}
+{{- if eq $value.type "multistring" }}
+{{- range $k, $multistringValue := $value.values -}}
+{{ $key }} = {{ $multistringValue }}
+{{ end -}}
+{{ else if eq $value.type "csv" -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value.values }}
+{{ end -}}
+{{- else -}}
+{{ $key }} = {{ $value }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/values.yaml b/charts/memcached/charts/helm-toolkit/values.yaml
new file mode 100644
index 0000000..681a92b
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/values.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for utils.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
diff --git a/charts/memcached/requirements.lock b/charts/memcached/requirements.lock
new file mode 100644
index 0000000..79d0964
--- /dev/null
+++ b/charts/memcached/requirements.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: helm-toolkit
+  repository: file://../helm-toolkit
+  version: 0.2.50
+digest: sha256:7bb7761d375d7b44849ba551843e572bf8ee2208775d55d4b742e799d0e81799
+generated: "2023-01-13T19:09:24.258595766Z"
diff --git a/charts/memcached/requirements.yaml b/charts/memcached/requirements.yaml
new file mode 100644
index 0000000..84f0aff
--- /dev/null
+++ b/charts/memcached/requirements.yaml
@@ -0,0 +1,18 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies:
+  - name: helm-toolkit
+    repository: file://../helm-toolkit
+    version: ">= 0.1.0"
+...
diff --git a/charts/memcached/templates/bin/_memcached-exporter.sh.tpl b/charts/memcached/templates/bin/_memcached-exporter.sh.tpl
new file mode 100644
index 0000000..d10e6b7
--- /dev/null
+++ b/charts/memcached/templates/bin/_memcached-exporter.sh.tpl
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+  exec /bin/memcached_exporter
+}
+
+function stop () {
+  kill -TERM 1
+}
+
+$COMMAND
diff --git a/charts/memcached/templates/bin/_memcached.sh.tpl b/charts/memcached/templates/bin/_memcached.sh.tpl
new file mode 100644
index 0000000..c727c28
--- /dev/null
+++ b/charts/memcached/templates/bin/_memcached.sh.tpl
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+memcached --version
+exec memcached -v \
+  -p ${MEMCACHED_PORT} \
+  -U 0 \
+{{- if not .Values.conf.memcached.stats_cachedump.enabled }}
+  -X \
+{{- end }}
+  -c ${MEMCACHED_MAX_CONNECTIONS} \
+  -m ${MEMCACHED_MEMORY}
diff --git a/charts/memcached/templates/configmap-apparmor.yaml b/charts/memcached/templates/configmap-apparmor.yaml
new file mode 100644
index 0000000..0a06bf7
--- /dev/null
+++ b/charts/memcached/templates/configmap-apparmor.yaml
@@ -0,0 +1,15 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- dict "envAll" . "component" "memcached" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }}
diff --git a/charts/memcached/templates/configmap-bin.yaml b/charts/memcached/templates/configmap-bin.yaml
new file mode 100644
index 0000000..f14bd24
--- /dev/null
+++ b/charts/memcached/templates/configmap-bin.yaml
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if (.Values.global).subchart_release_name }}
+{{- $_ := set . "deployment_name" .Chart.Name }}
+{{- else }}
+{{- $_ := set . "deployment_name" .Release.Name }}
+{{- end }}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+{{- $configMapBinName := printf "%s-%s" $envAll.deployment_name "memcached-bin"  }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ $configMapBinName }}
+data:
+{{- if .Values.images.local_registry.active }}
+  image-repo-sync.sh: |
+{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
+{{- end }}
+  memcached.sh: |
+{{ tuple "bin/_memcached.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  memcached-exporter.sh: |
+{{ tuple "bin/_memcached-exporter.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
diff --git a/charts/memcached/templates/deployment.yaml b/charts/memcached/templates/deployment.yaml
new file mode 100644
index 0000000..b3d12ea
--- /dev/null
+++ b/charts/memcached/templates/deployment.yaml
@@ -0,0 +1,123 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if (.Values.global).subchart_release_name }}
+{{- $_ := set . "deployment_name" .Chart.Name }}
+{{- else }}
+{{- $_ := set . "deployment_name" .Release.Name }}
+{{- end }}
+
+{{- if .Values.manifests.deployment }}
+{{- $envAll := . }}
+
+{{- $rcControllerName := printf "%s-%s" $envAll.deployment_name "memcached" }}
+{{- $configMapBinName := printf "%s-%s" $envAll.deployment_name "memcached-bin" }}
+
+{{ tuple $envAll "memcached" $rcControllerName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ $rcControllerName | quote }}
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "memcached" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.server }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "memcached" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      annotations:
+{{ dict "envAll" $envAll "podName" "memcached" "containerNames" (list "init" "memcached") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+      labels:
+{{ tuple $envAll "memcached" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+    spec:
+{{ dict "envAll" $envAll "application" "server" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      shareProcessNamespace: true
+      serviceAccountName: {{ $rcControllerName | quote }}
+      affinity:
+{{ tuple $envAll "memcached" "server" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+      nodeSelector:
+        {{ .Values.labels.server.node_selector_key }}: {{ .Values.labels.server.node_selector_value | quote }}
+{{ if $envAll.Values.pod.tolerations.memcached.enabled }}
+{{ tuple $envAll "memcached" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+      terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.memcached.timeout | default "30" }}
+      initContainers:
+{{ tuple $envAll "memcached" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+{{ dict "envAll" $envAll | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" | indent 8 }}
+      containers:
+        - name: memcached
+{{ tuple $envAll "memcached" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "server" "container" "memcached" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          env:
+            - name: MEMCACHED_PORT
+              value: {{ tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
+            - name: MEMCACHED_MAX_CONNECTIONS
+              value: {{ .Values.conf.memcached.max_connections | quote }}
+            - name: MEMCACHED_MEMORY
+              value: {{ .Values.conf.memcached.memory | quote }}
+          command:
+            - /tmp/memcached.sh
+          ports:
+            - containerPort: {{ tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+          readinessProbe:
+            tcpSocket:
+              port: {{ tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: memcached-bin
+              mountPath: /tmp/memcached.sh
+              subPath: memcached.sh
+              readOnly: true
+{{- if .Values.monitoring.prometheus.enabled }}
+        - name: memcached-exporter
+          image: {{ .Values.images.tags.prometheus_memcached_exporter }}
+          imagePullPolicy: {{ .Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.prometheus_memcached_exporter | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "server" "container" "memcached_exporter" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/memcached-exporter.sh
+            - start
+          ports:
+            - name: metrics
+              containerPort: {{ tuple "oslo_cache" "internal" "metrics" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+          readinessProbe:
+            tcpSocket:
+              port: {{ tuple "oslo_cache" "internal" "metrics" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: memcached-bin
+              mountPath: /tmp/memcached-exporter.sh
+              subPath: memcached-exporter.sh
+              readOnly: true
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: memcached-bin
+          configMap:
+            name: {{ $configMapBinName | quote }}
+            defaultMode: 0555
+{{ dict "envAll" $envAll "component" "memcached" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" | indent 8 }}
+{{- end }}
diff --git a/charts/memcached/templates/job-image-repo-sync.yaml b/charts/memcached/templates/job-image-repo-sync.yaml
new file mode 100644
index 0000000..ae519ff
--- /dev/null
+++ b/charts/memcached/templates/job-image-repo-sync.yaml
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
+{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "memcached" -}}
+{{- if .Values.pod.tolerations.memcached.enabled -}}
+{{- $_ := set $imageRepoSyncJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
+{{- end }}
diff --git a/charts/memcached/templates/network_policy.yaml b/charts/memcached/templates/network_policy.yaml
new file mode 100644
index 0000000..9beab0d
--- /dev/null
+++ b/charts/memcached/templates/network_policy.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "memcached" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/charts/memcached/templates/secret-registry.yaml b/charts/memcached/templates/secret-registry.yaml
new file mode 100644
index 0000000..da979b3
--- /dev/null
+++ b/charts/memcached/templates/secret-registry.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
diff --git a/charts/memcached/templates/service.yaml b/charts/memcached/templates/service.yaml
new file mode 100644
index 0000000..0280d63
--- /dev/null
+++ b/charts/memcached/templates/service.yaml
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tuple "oslo_cache" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+  sessionAffinity: ClientIP
+  ports:
+    - name: memcache
+      port: {{ tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- if .Values.monitoring.prometheus.enabled }}
+    - name: metrics
+      port: {{ tuple "oslo_cache" "internal" "metrics" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- end }}
+  selector:
+{{ tuple $envAll "memcached" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- end }}
diff --git a/charts/memcached/values.yaml b/charts/memcached/values.yaml
new file mode 100644
index 0000000..b9e6339
--- /dev/null
+++ b/charts/memcached/values.yaml
@@ -0,0 +1,209 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for memcached.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+---
+conf:
+  memcached:
+    max_connections: 8192
+    # NOTE(pordirect): this should match the value in
+    # `pod.resources.memcached.memory`
+    memory: 1024
+    stats_cachedump:
+      enabled: true
+
+dependencies:
+  dynamic:
+    common:
+      local_image_registry:
+        jobs:
+          - memcached-image-repo-sync
+        services:
+          - endpoint: node
+            service: local_image_registry
+  static:
+    memcached:
+      jobs: null
+    image_repo_sync:
+      services:
+        - endpoint: internal
+          service: local_image_registry
+
+secrets:
+  oci_image_registry:
+    memcached: memcached-oci-image-registry-key
+
+endpoints:
+  cluster_domain_suffix: cluster.local
+  local_image_registry:
+    name: docker-registry
+    namespace: docker-registry
+    hosts:
+      default: localhost
+      internal: docker-registry
+      node: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      memcached:
+        username: memcached
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
+  oslo_cache:
+    namespace: null
+    host_fqdn_override:
+      default: null
+    hosts:
+      default: memcached
+    port:
+      memcache:
+        default: 11211
+      metrics:
+        default: 9150
+  kube_dns:
+    namespace: kube-system
+    name: kubernetes-dns
+    hosts:
+      default: kube-dns
+    host_fqdn_override:
+      default: null
+    path:
+      default: null
+    scheme: http
+    port:
+      dns_tcp:
+        default: 53
+      dns:
+        default: 53
+        protocol: UDP
+
+network_policy:
+  memcached:
+    ingress:
+      - {}
+    egress:
+      - {}
+
+monitoring:
+  prometheus:
+    enabled: false
+    memcached_exporter:
+      scrape: true
+
+images:
+  pull_policy: IfNotPresent
+  tags:
+    dep_check: 'quay.io/airshipit/kubernetes-entrypoint:v1.0.0'
+    memcached: 'docker.io/library/memcached:1.5.5'
+    prometheus_memcached_exporter: docker.io/prom/memcached-exporter:v0.4.1
+    image_repo_sync: docker.io/library/docker:17.07.0
+  local_registry:
+    active: false
+    exclude:
+      - dep_check
+      - image_repo_sync
+
+labels:
+  server:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+
+manifests:
+  configmap_bin: true
+  deployment: true
+  job_image_repo_sync: true
+  network_policy: false
+  service: true
+  secret_registry: true
+
+pod:
+  security_context:
+    server:
+      pod:
+        runAsUser: 65534
+      container:
+        memcached:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+        memcached_exporter:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+  affinity:
+    anti:
+      topologyKey:
+        default: kubernetes.io/hostname
+      type:
+        default: preferredDuringSchedulingIgnoredDuringExecution
+      weight:
+        default: 10
+  tolerations:
+    memcached:
+      enabled: false
+      tolerations:
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: NoSchedule
+  lifecycle:
+    upgrades:
+      deployments:
+        pod_replacement_strategy: RollingUpdate
+        revision_history: 3
+        rolling_update:
+          max_surge: 3
+          max_unavailable: 1
+    termination_grace_period:
+      memcached:
+        timeout: 30
+  replicas:
+    server: 1
+  resources:
+    enabled: false
+    memcached:
+      limits:
+        cpu: "2000m"
+        memory: "1024Mi"
+      requests:
+        cpu: "500m"
+        memory: "128Mi"
+    prometheus_memcached_exporter:
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+      requests:
+        cpu: 500m
+        memory: 128Mi
+    jobs:
+      image_repo_sync:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+...
diff --git a/charts/memcached/values_overrides/apparmor.yaml b/charts/memcached/values_overrides/apparmor.yaml
new file mode 100644
index 0000000..1d95222
--- /dev/null
+++ b/charts/memcached/values_overrides/apparmor.yaml
@@ -0,0 +1,15 @@
+---
+pod:
+  mandatory_access_control:
+    type: apparmor
+    prometheus_memcached_exporter:
+      init: runtime/default
+      memcached-exporter: runtime/default
+    memcached:
+      init: runtime/default
+      memcached: runtime/default
+
+monitoring:
+  prometheus:
+    enabled: false
+...
diff --git a/charts/memcached/values_overrides/netpol.yaml b/charts/memcached/values_overrides/netpol.yaml
new file mode 100644
index 0000000..c4d3079
--- /dev/null
+++ b/charts/memcached/values_overrides/netpol.yaml
@@ -0,0 +1,77 @@
+---
+manifests:
+  network_policy: true
+network_policy:
+  memcached:
+    ingress:
+      - from:
+        - podSelector:
+            matchLabels:
+              application: ingress
+        - podSelector:
+            matchLabels:
+              application: keystone
+        - podSelector:
+            matchLabels:
+              application: heat
+        - podSelector:
+            matchLabels:
+              application: glance
+        - podSelector:
+            matchLabels:
+              application: cinder
+        - podSelector:
+            matchLabels:
+              application: barbican
+        - podSelector:
+            matchLabels:
+              application: ceilometer
+        - podSelector:
+            matchLabels:
+              application: horizon
+        - podSelector:
+            matchLabels:
+              application: ironic
+        - podSelector:
+            matchLabels:
+              application: magnum
+        - podSelector:
+            matchLabels:
+              application: mistral
+        - podSelector:
+            matchLabels:
+              application: nova
+        - podSelector:
+            matchLabels:
+              application: neutron
+        - podSelector:
+            matchLabels:
+              application: senlin
+        - podSelector:
+            matchLabels:
+              application: placement
+        - podSelector:
+            matchLabels:
+              application: prometheus_memcached_exporter
+        - podSelector:
+            matchLabels:
+              application: aodh
+        - podSelector:
+            matchLabels:
+              application: rally
+        - podSelector:
+            matchLabels:
+              application: memcached
+        ports:
+        - port: 11211
+          protocol: TCP
+        - port: 9150
+          protocol: TCP
+    egress:
+      - to:
+        - ipBlock:
+            cidr: %%%REPLACE_API_ADDR%%%/32
+        ports:
+          - protocol: TCP
+            port: %%%REPLACE_API_PORT%%%
+...
diff --git a/charts/neutron/.helmignore b/charts/neutron/.helmignore
new file mode 100644
index 0000000..b54c347
--- /dev/null
+++ b/charts/neutron/.helmignore
@@ -0,0 +1 @@
+values_overrides
diff --git a/charts/neutron/Chart.yaml b/charts/neutron/Chart.yaml
new file mode 100644
index 0000000..4270928
--- /dev/null
+++ b/charts/neutron/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Neutron
+home: https://docs.openstack.org/neutron/latest/
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/Neutron/OpenStack_Project_Neutron_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: neutron
+sources:
+- https://opendev.org/openstack/neutron
+- https://opendev.org/openstack/openstack-helm
+version: 0.3.2
diff --git a/charts/neutron/charts/helm-toolkit/Chart.yaml b/charts/neutron/charts/helm-toolkit/Chart.yaml
new file mode 100644
index 0000000..12e2dd2
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Helm-Toolkit
+home: https://docs.openstack.org/openstack-helm
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: helm-toolkit
+sources:
+- https://opendev.org/openstack/openstack-helm-infra
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.50
diff --git a/charts/neutron/charts/helm-toolkit/requirements.yaml b/charts/neutron/charts/helm-toolkit/requirements.yaml
new file mode 100644
index 0000000..27fb08a
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/requirements.yaml
@@ -0,0 +1,15 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies: []
+...
diff --git a/charts/neutron/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl b/charts/neutron/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..12b84de
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
@@ -0,0 +1,58 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves database, or basic auth, style endpoints
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      auth:
+        admin:
+          username: root
+          password: password
+        service_username:
+          username: username
+          password: password
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+      path: /dbname
+      scheme: mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "service_username" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+return: |
+  mysql+pymysql://serviceuser:password@mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s:%s@%s:%s%s" $endpointScheme $endpointUser $endpointPass $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl b/charts/neutron/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..b7cf287
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
@@ -0,0 +1,121 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves endpoint string suitible for use with oslo.messaging transport url
+  See: https://docs.openstack.org/oslo.messaging/latest/reference/transport.html#oslo_messaging.TransportURL
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset:
+            replicas: 2
+            name: rabbitmq-rabbitmq
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: null
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq-rabbitmq-0.rabbitmq.default.svc.cluster.local:5672,cinder:password@rabbitmq-rabbitmq-1.rabbitmq.default.svc.cluster.local:5672/cinder
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset: null
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: null
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq.default.svc.cluster.local:5672/cinder
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset:
+            replicas: 2
+            name: rabbitmq-rabbitmq
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: rabbitmq.openstackhelm.org
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq.openstackhelm.org:5672/cinder
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" -}}
+{{-   $type := index . 0 -}}
+{{-   $endpoint := index . 1 -}}
+{{-   $userclass := index . 2 -}}
+{{-   $port := index . 3 -}}
+{{-   $context := index . 4 -}}
+{{-   $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{-   $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{-   $ssMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "statefulset" | default false}}
+{{-   $hostFqdnOverride := index $context.Values.endpoints ( $type | replace "-" "_" ) "host_fqdn_override" }}
+{{-   $endpointUser := index $userMap "username" }}
+{{-   $endpointPass := index $userMap "password" }}
+{{-   $endpointHostSuffix := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{-   $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{-   $local := dict "endpointCredsAndHosts" list -}}
+{{-   if not (or (index $hostFqdnOverride $endpoint | default ( index $hostFqdnOverride "default" ) ) ( not $ssMap ) ) }}
+{{-     $endpointHostPrefix := $ssMap.name }}
+{{-     range $podInt := until ( atoi (print $ssMap.replicas ) ) }}
+{{-       $endpointCredAndHost := printf "%s:%s@%s-%d.%s:%s" $endpointUser $endpointPass $endpointHostPrefix $podInt $endpointHostSuffix $endpointPort }}
+{{-       $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{-     end }}
+{{-   else }}
+{{-     $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{-     $endpointCredAndHost := printf "%s:%s@%s:%s" $endpointUser $endpointPass $endpointHost $endpointPort }}
+{{-     $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{-   end }}
+{{-   $endpointCredsAndHosts := include "helm-toolkit.utils.joinListWithComma" $local.endpointCredsAndHosts }}
+{{-   $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{-   printf "%s://%s%s" $endpointScheme $endpointCredsAndHosts $endpointPath }}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl b/charts/neutron/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
new file mode 100644
index 0000000..fb8bbe7
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves either the fully qualified hostname, of if defined in the host field
+  IPv4 for an endpoint.
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default:
+             host: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: 127.0.0.1
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      127.0.0.1
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default:
+             host: 127.0.0.1
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      127.0.0.1
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_host_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl b/charts/neutron/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
new file mode 100644
index 0000000..447efe7
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
@@ -0,0 +1,41 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the port for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+return: |
+  3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_port_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- $endpointPortMAP := index $endpointMap.port $port }}
+{{- $endpointPort := index $endpointPortMAP $endpoint | default ( index $endpointPortMAP "default" ) }}
+{{- printf "%1.f" $endpointPort -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl b/charts/neutron/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
new file mode 100644
index 0000000..3a268c0
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
@@ -0,0 +1,36 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Gets the token for an endpoint
+values: |
+  endpoints:
+    keystone:
+      auth:
+        admin:
+          token: zh78JzXgw6YUKy2e
+usage: |
+  {{ tuple "keystone" "admin" . | include "helm-toolkit.endpoints.endpoint_token_lookup" }}
+return: |
+  zh78JzXgw6YUKy2e
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_token_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $userName := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" }}
+{{- printf "%s" $serviceToken -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl b/charts/neutron/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..6877b7b
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
@@ -0,0 +1,59 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves 'hostname:port' for an endpoint
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+          port:
+            mysql:
+              default: 3306
+    usage: |
+      {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local:3306
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: 127.0.0.1
+          host_fqdn_override:
+            default: null
+          port:
+            mysql:
+              default: 3306
+    usage: |
+      {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+    return: |
+      127.0.0.1:3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- printf "%s:%s" $endpointHostname $endpointPort -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl b/charts/neutron/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
new file mode 100644
index 0000000..26374e3
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the fully qualified hostname for an endpoint
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: mariadb.openstackhelm.openstack.org
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.openstackhelm.openstack.org
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default:
+              host: mariadb.openstackhelm.openstack.org
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.openstackhelm.openstack.org
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointHostNamespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.svc.%s" $endpointHostNamespaced $context.Values.endpoints.cluster_domain_suffix }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $endpointMap.host_fqdn_override "default" | default "" ) }}
+{{- if kindIs "map" $context.Values.__FQDNendpointHostDefault }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $context.Values.__FQDNendpointHostDefault "host" ) }}
+{{- end }}
+{{- if kindIs "map" (index $endpointMap.host_fqdn_override $endpoint) }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint "host" | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl b/charts/neutron/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
new file mode 100644
index 0000000..9d60393
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
@@ -0,0 +1,40 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the namespace scoped hostname for an endpoint
+values: |
+  endpoints:
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+return: |
+  mariadb.default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.%s" $endpointHost $namespace }}
+{{- printf "%s" $endpointClusterHostname -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl b/charts/neutron/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
new file mode 100644
index 0000000..cc4d4de
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the namespace scoped hostname for an endpoint
+values: |
+  endpoints:
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" }}
+return: |
+  default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- printf "%s" $namespace -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl b/charts/neutron/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
new file mode 100644
index 0000000..f23c624
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the short hostname for an endpoint
+examples:
+  - values: |
+      endpoints:
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+    return: |
+      mariadb
+  - values: |
+      endpoints:
+        oslo_db:
+          hosts:
+            default:
+              host: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+    return: |
+      mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- printf "%s" $type -}}
+{{- else }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl b/charts/neutron/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
new file mode 100644
index 0000000..e31c0eb
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the service name for an service type
+values: |
+  endpoints:
+    identity:
+      name: keystone
+usage: |
+  {{ tuple identity . | include "keystone_endpoint_name_lookup" }}
+return: |
+  "keystone"
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_name_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointName := index $endpointMap "name" }}
+{{- $endpointName | quote -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl b/charts/neutron/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
new file mode 100644
index 0000000..b2ec648
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+  Resolves the path for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      path:
+       default: /dbname
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+return: |
+  /dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_path_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.path }}
+{{- printf "%s" $endpointMap.path | default "/" -}}
+{{- else -}}
+{{- $endpointPath := index $endpointMap.path $endpoint | default $endpointMap.path.default | default "/" }}
+{{- printf "%s" $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl b/charts/neutron/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
new file mode 100644
index 0000000..b35cb0b
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+  Resolves the scheme for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      scheme:
+        default:
+          mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+return: |
+  mysql+pymysql
+*/}}
+
+# This function returns the scheme for a service, it takes an tuple
+# input in the form: service-type, endpoint-class, port-name. eg:
+# { tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_scheme_lookup" }
+# will return the scheme setting for this particular endpoint.  In other words, for most endpoints
+# it will return either 'http' or 'https'
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.scheme }}
+{{- printf "%s" $endpointMap.scheme | default "http" -}}
+{{- else -}}
+{{- $endpointScheme := index $endpointMap.scheme $endpoint | default $endpointMap.scheme.default | default "http" }}
+{{- printf "%s" $endpointScheme -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl b/charts/neutron/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..8d0819c
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
@@ -0,0 +1,52 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  This function helps resolve uri style endpoints. It will omit the port for
+  http when 80 is used, and 443 in the case of https.
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+      path: /dbname
+      scheme: mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+return: |
+  mysql+pymysql://mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- if or ( and ( eq $endpointScheme "http" ) ( eq $endpointPort "80" ) ) ( and ( eq $endpointScheme "https" ) ( eq $endpointPort "443" ) ) -}}
+{{- printf "%s://%s%s" $endpointScheme $endpointHost $endpointPath -}}
+{{- else -}}
+{{- printf "%s://%s:%s%s" $endpointScheme $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl b/charts/neutron/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
new file mode 100644
index 0000000..cf2ef38
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  This function returns endpoint "<namespace>:<name>" pair from an endpoint
+  definition. This is used in kubernetes-entrypoint to support dependencies
+  between different services in different namespaces.
+  returns: the endpoint namespace and the service name, delimited by a colon
+
+  Normally, the service name is constructed dynamically from the hostname
+  however when an ip address is used as the hostname, we default to
+  namespace:endpointCategoryName in order to construct a valid service name
+  however this can be overridden to a custom service name by defining
+  .service.name within the endpoint definition
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      namespace: foo
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple oslo_db internal . | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}
+return: |
+  foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- with $endpointMap -}}
+{{- $endpointName := index .hosts $endpoint | default .hosts.default }}
+{{- $endpointNamespace := .namespace | default $context.Release.Namespace }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointName }}
+{{- if .service.name }}
+{{- printf "%s:%s" $endpointNamespace .service.name -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $typeYamlSafe -}}
+{{- end -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $endpointName -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl b/charts/neutron/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
new file mode 100644
index 0000000..18453ee
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for kubernete ceph storageclass
+examples:
+  - values: |
+      manifests:
+        storageclass: true
+      storageclass:
+        rbd:
+          provision_storage_class: true
+          provisioner: "ceph.com/rbd"
+          metadata:
+            default_storage_class: true
+            name: general
+          parameters:
+            #We will grab the monitors value based on helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup
+            pool: rbd
+            admin_id: admin
+            ceph_configmap_name: "ceph-etc"
+            admin_secret_name: "pvc-ceph-conf-combined-storageclass"
+            admin_secret_namespace: ceph
+            user_id: admin
+            user_secret_name: "pvc-ceph-client-key"
+            image_format: "2"
+            image_features: layering
+        cephfs:
+          provision_storage_class: true
+          provisioner: "ceph.com/cephfs"
+          metadata:
+            name: cephfs
+          parameters:
+            admin_id: admin
+            admin_secret_name: "pvc-ceph-cephfs-client-key"
+            admin_secret_namespace: ceph
+    usage: |
+      {{- range $storageclass, $val := .Values.storageclass }}
+      {{ dict "storageclass_data" $val "envAll" $ | include "helm-toolkit.manifests.ceph-storageclass" }}
+      {{- end }}
+    return: |
+      ---
+      apiVersion: storage.k8s.io/v1
+      kind: StorageClass
+      metadata:
+        annotations:
+          storageclass.kubernetes.io/is-default-class: "true"
+        name: general
+      provisioner: ceph.com/rbd
+      parameters:
+        monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+        adminId: admin
+        adminSecretName: pvc-ceph-conf-combined-storageclass
+        adminSecretNamespace: ceph
+        pool: rbd
+        userId: admin
+        userSecretName: pvc-ceph-client-key
+        image_format: "2"
+        image_features: layering
+      ---
+      apiVersion: storage.k8s.io/v1
+      kind: StorageClass
+      metadata:
+        name: cephfs
+      provisioner: ceph.com/cephfs
+      parameters:
+        monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+        adminId: admin
+        adminSecretName: pvc-ceph-cephfs-client-key
+        adminSecretNamespace: ceph
+*/}}
+
+{{- define "helm-toolkit.manifests.ceph-storageclass" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $monHost := $envAll.Values.conf.ceph.global.mon_host -}}
+{{- if empty $monHost -}}
+{{- $monHost = tuple "ceph_mon" "internal" "mon" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- end -}}
+{{- $storageclassData := index . "storageclass_data" -}}
+---
+{{- if $storageclassData.provision_storage_class }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+{{- if $storageclassData.metadata.default_storage_class }}
+  annotations:
+    storageclass.kubernetes.io/is-default-class: "true"
+{{- end }}
+  name: {{ $storageclassData.metadata.name }}
+provisioner: {{ $storageclassData.provisioner }}
+parameters:
+  monitors: {{ $monHost }}
+{{- range $attr, $value := $storageclassData.parameters }}
+  {{ $attr }}: {{ $value | quote }}
+{{- end }}
+allowVolumeExpansion: true
+
+{{- end }}
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/manifests/_certificates.tpl b/charts/neutron/charts/helm-toolkit/templates/manifests/_certificates.tpl
new file mode 100644
index 0000000..8be771e
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/manifests/_certificates.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a certificate using jetstack
+examples:
+  - values: |
+      endpoints:
+        dashboard:
+          host_fqdn_override:
+            default:
+              host: null
+              tls:
+                secretName: keystone-tls-api
+                issuerRef:
+                  name: ca-issuer
+                  duration: 2160h
+                  organization:
+                    - ACME
+                  commonName: keystone-api.openstack.svc.cluster.local
+                  privateKey:
+                    size: 2048
+                  usages:
+                    - server auth
+                    - client auth
+                  dnsNames:
+                    - cluster.local
+                  issuerRef:
+                    name: ca-issuer
+    usage: |
+      {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
+      {{ $opts | include "helm-toolkit.manifests.certificates" }}
+    return: |
+      ---
+      apiVersion: cert-manager.io/v1
+      kind: Certificate
+      metadata:
+        name: keystone-tls-api
+        namespace: NAMESPACE
+      spec:
+        commonName: keystone-api.openstack.svc.cluster.local
+        dnsNames:
+        - cluster.local
+        duration: 2160h
+        issuerRef:
+          name: ca-issuer
+        privateKey:
+          size: 2048
+        organization:
+        - ACME
+        secretName: keystone-tls-api
+        usages:
+        - server auth
+        - client auth
+*/}}
+
+{{- define "helm-toolkit.manifests.certificates" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $service := index . "service" -}}
+{{- $type := index . "type" | default "" -}}
+{{- $slice := index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" -}}
+{{/* Put in some sensible default value if one is not provided by values.yaml */}}
+{{/* If a dnsNames list is not in the values.yaml, it can be overridden by a passed-in parameter.
+  This allows user to use other HTK method to determine the URI and pass that into this method.*/}}
+{{- if not (hasKey $slice "dnsNames") -}}
+{{- $hostName := tuple $service $type $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
+{{- $_ := $dnsNames | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "dnsNames" -}}
+{{- end -}}
+{{/* Default privateKey size to 4096. This can be overridden. */}}
+{{- if not (hasKey $slice "privateKey") -}}
+{{- $_ := dict "size" ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "privateKey" -}}
+{{- else if empty (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey" "size") -}}
+{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey") "size" -}}
+{{- end -}}
+{{/* Default duration to 3 months. Note the min is 720h. This can be overridden. */}}
+{{- if not (hasKey $slice "duration") -}}
+{{- $_ := printf "%s" "2190h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "duration" -}}
+{{- end -}}
+{{/* Default renewBefore to 15 days. This can be overridden. */}}
+{{- if not (hasKey $slice "renewBefore") -}}
+{{- $_ := printf "%s" "360h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "renewBefore" -}}
+{{- end -}}
+{{/* Default the usage to server auth and client auth. This can be overridden. */}}
+{{- if not (hasKey $slice "usages") -}}
+{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}}
+{{- end -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }}
+  namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{ $slice | toYaml | indent 2 }}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/neutron/charts/helm-toolkit/templates/manifests/_ingress.tpl
new file mode 100644
index 0000000..4c476b2
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -0,0 +1,727 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a services ingress rules.
+examples:
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public: barbican
+          host_fqdn_override:
+            default: null
+            public:
+              host: barbican.openstackhelm.example
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican-namespace-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican.openstackhelm.example
+        rules:
+          - host: barbican.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican-cluster-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx-cluster"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican.openstackhelm.example
+        rules:
+          - host: barbican.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  - values: |
+      cert_issuer_type: issuer
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/secure-backends: "true"
+              nginx.ingress.kubernetes.io/backend-protocol: "https"
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+              internal: barbican-tls-api
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+          certs:
+            barbican_tls_api:
+              secretName: barbican-tls-api
+              issuerRef:
+                name: ca-issuer
+                kind: Issuer
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          cert-manager.io/issuer: ca-issuer
+          certmanager.k8s.io/issuer: ca-issuer
+          nginx.ingress.kubernetes.io/backend-protocol: https
+          nginx.ingress.kubernetes.io/secure-backends: "true"
+      spec:
+        tls:
+          - secretName: barbican-tls-public-certmanager
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/secure-backends: "true"
+              nginx.ingress.kubernetes.io/backend-protocol: "https"
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+              internal: barbican-tls-api
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+          certs:
+            barbican_tls_api:
+              secretName: barbican-tls-api
+              issuerRef:
+                name: ca-issuer
+                kind: ClusterIssuer
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer") -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          cert-manager.io/cluster-issuer: ca-issuer
+          certmanager.k8s.io/cluster-issuer: ca-issuer
+          nginx.ingress.kubernetes.io/backend-protocol: https
+          nginx.ingress.kubernetes.io/secure-backends: "true"
+      spec:
+        tls:
+          - secretName: barbican-tls-public-certmanager
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  # Sample usage for multiple DNS names associated with the same public
+  # endpoint and certificate
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        grafana:
+          name: grafana
+          hosts:
+            default: grafana-dashboard
+            public: grafana
+          host_fqdn_override:
+            public:
+              host: grafana.openstackhelm.example
+              tls:
+                dnsNames:
+                  - grafana-alt.openstackhelm.example
+                crt: "BASE64 ENCODED CERT"
+                key: "BASE64 ENCODED KEY"
+      network:
+        grafana:
+          ingress:
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          grafana:
+            grafana:
+              public: grafana-tls-public
+    usage: |
+      {{- $ingressOpts := dict "envAll" . "backendService" "grafana" "backendServiceType" "grafana" "backendPort" "dashboard" -}}
+      {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        rules:
+          - host: grafana
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana-namespace-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: grafana-tls-public
+            hosts:
+              - grafana.openstackhelm.example
+              - grafana-alt.openstackhelm.example
+        rules:
+          - host: grafana.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana-alt.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana-cluster-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx-cluster"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: grafana-tls-public
+            hosts:
+              - grafana.openstackhelm.example
+              - grafana-alt.openstackhelm.example
+        rules:
+          - host: grafana.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana-alt.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+
+*/}}
+
+{{- define "helm-toolkit.manifests.ingress._host_rules" -}}
+{{- $vHost := index . "vHost" -}}
+{{- $backendName := index . "backendName" -}}
+{{- $backendPort := index . "backendPort" -}}
+- host: {{ $vHost }}
+  http:
+    paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: {{ $backendName }}
+            port:
+{{- if or (kindIs "int" $backendPort) (regexMatch "^[0-9]{1,5}$" $backendPort) }}
+              number: {{ $backendPort | int }}
+{{- else }}
+              name: {{ $backendPort | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "helm-toolkit.manifests.ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendService := index . "backendService" | default "api" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+{{- $backendPort := index . "backendPort" -}}
+{{- $endpoint := index . "endpoint" | default "public" -}}
+{{- $certIssuer := index . "certIssuer" | default "" -}}
+{{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostNameFull := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $certIssuerType := "cluster-issuer" -}}
+{{- if $envAll.Values.cert_issuer_type }}
+{{- $certIssuerType = $envAll.Values.cert_issuer_type }}
+{{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $ingressName }}
+  annotations:
+    kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" "namespace" | quote }}
+{{- if $certIssuer }}
+    cert-manager.io/{{ $certIssuerType }}: {{ $certIssuer }}
+    certmanager.k8s.io/{{ $certIssuerType }}: {{ $certIssuer }}
+{{- $slice := index $envAll.Values.endpoints $backendServiceType "host_fqdn_override" "default" "tls" -}}
+{{- if (hasKey $slice "duration") }}
+    cert-manager.io/duration: {{ index $slice "duration" }}
+{{- end }}
+{{- end }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "hosts" }}
+{{- if $certIssuer }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ printf "%s-ing" $secretName }}
+      hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+        - {{ $vHost }}
+{{- end }}
+{{- else }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ $secretName }}
+      hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+        - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+  rules:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+{{- $hostRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
+{{- $ingressConf := $envAll.Values.network -}}
+{{- $ingressClasses := ternary (tuple "namespace") (tuple "namespace" "cluster") (and (hasKey $ingressConf "use_external_ingress_controller") $ingressConf.use_external_ingress_controller) }}
+{{- range $key2, $ingressController := $ingressClasses }}
+{{- $vHosts := list $hostNameFull }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ printf "%s-%s-%s" $ingressName $ingressController "fqdn" }}
+  annotations:
+    kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" $ingressController | quote }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
+{{- $vHosts = append $vHosts $v }}
+{{- end }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ $secretName }}
+      hosts:
+{{- range $vHost := $vHosts }}
+        - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+  rules:
+{{- range $vHost := $vHosts }}
+{{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/charts/neutron/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
new file mode 100644
index 0000000..5d98c8b
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
@@ -0,0 +1,141 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $bootstrapJob := dict "envAll" . "serviceName" "senlin" -}
+# { $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }
+
+{{- define "helm-toolkit.manifests.job_bootstrap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}}
+{{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $keystoneUser := index . "keystoneUser" | default $serviceName -}}
+{{- $openrc := index . "openrc" | default "true" -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "bootstrap" }}
+{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "bootstrap" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+      containers:
+        - name: bootstrap
+          image: {{ $envAll.Values.images.tags.bootstrap }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if eq $openrc "true" }}
+          env:
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+{{- end }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/bootstrap.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: bootstrap-sh
+              mountPath: /tmp/bootstrap.sh
+              subPath: bootstrap.sh
+              readOnly: true
+            - name: etc-service
+              mountPath: {{ dir $configFile | quote }}
+            - name: bootstrap-conf
+              mountPath: {{ $configFile | quote }}
+              subPath: {{ base $configFile | quote }}
+              readOnly: true
+            - name: bootstrap-conf
+              mountPath: {{ $logConfigFile | quote }}
+              subPath: {{ base $logConfigFile | quote }}
+              readOnly: true
+{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: bootstrap-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etc-service
+          emptyDir: {}
+        - name: bootstrap-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/charts/neutron/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
new file mode 100644
index 0000000..62ed119
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
@@ -0,0 +1,170 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToDropJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_drop_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToDrop := index . "dbToDrop" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToDrop := default (list $dbToDrop) (index . "dbsToDrop") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
+{{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-drop" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": hook-succeeded
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_drop" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_drop" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{ $dbToDropType := default "oslo" $dbToDrop.inputType }}
+        - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-drop" $key1 | quote }}
+          image: {{ $envAll.Values.images.tags.db_drop }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_drop | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: ROOT_DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToDrop.adminSecret | quote }}
+                  key: DB_CONNECTION
+{{- if eq $dbToDropType "oslo" }}
+            - name: OPENSTACK_CONFIG_FILE
+              value: {{ $dbToDrop.configFile | quote }}
+            - name: OPENSTACK_CONFIG_DB_SECTION
+              value: {{ $dbToDrop.configDbSection | quote }}
+            - name: OPENSTACK_CONFIG_DB_KEY
+              value: {{ $dbToDrop.configDbKey | quote }}
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+            - name: MARIADB_X509
+              value: "REQUIRE X509"
+{{- end }}
+{{- if eq $dbToDropType "secret" }}
+            - name: DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToDrop.userSecret | quote }}
+                  key: DB_CONNECTION
+{{- end }}
+          command:
+            - /tmp/db-drop.py
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-drop-sh
+              mountPath: /tmp/db-drop.py
+              subPath: db-drop.py
+              readOnly: true
+
+{{- if eq $dbToDropType "oslo" }}
+            - name: etc-service
+              mountPath: {{ dir $dbToDrop.configFile | quote }}
+            - name: db-drop-conf
+              mountPath: {{ $dbToDrop.configFile | quote }}
+              subPath: {{ base $dbToDrop.configFile | quote }}
+              readOnly: true
+            - name: db-drop-conf
+              mountPath: {{ $dbToDrop.logConfigFile | quote }}
+              subPath: {{ base $dbToDrop.logConfigFile | quote }}
+              readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-drop-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{- $dbToDropType := default "oslo" $dbToDrop.inputType }}
+{{- if and (eq $dbToDropType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-drop-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/charts/neutron/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
new file mode 100644
index 0000000..745e8da
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
@@ -0,0 +1,169 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToInitJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_init_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToInit := index . "dbToInit" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToInit := default (list $dbToInit) (index . "dbsToInit") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
+{{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-init" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{ $dbToInitType := default "oslo" $dbToInit.inputType }}
+        - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-init" $key1 | quote }}
+          image: {{ $envAll.Values.images.tags.db_init }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: ROOT_DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToInit.adminSecret | quote }}
+                  key: DB_CONNECTION
+{{- if eq $dbToInitType "oslo" }}
+            - name: OPENSTACK_CONFIG_FILE
+              value: {{ $dbToInit.configFile | quote }}
+            - name: OPENSTACK_CONFIG_DB_SECTION
+              value: {{ $dbToInit.configDbSection | quote }}
+            - name: OPENSTACK_CONFIG_DB_KEY
+              value: {{ $dbToInit.configDbKey | quote }}
+{{- end }}
+{{- if eq $dbToInitType "secret" }}
+            - name: DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToInit.userSecret | quote }}
+                  key: DB_CONNECTION
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+            - name: MARIADB_X509
+              value: "REQUIRE X509"
+{{- end }}
+          command:
+            - /tmp/db-init.py
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-init-sh
+              mountPath: /tmp/db-init.py
+              subPath: db-init.py
+              readOnly: true
+{{- if eq $dbToInitType "oslo" }}
+            - name: etc-service
+              mountPath: {{ dir $dbToInit.configFile | quote }}
+            - name: db-init-conf
+              mountPath: {{ $dbToInit.configFile | quote }}
+              subPath: {{ base $dbToInit.configFile | quote }}
+              readOnly: true
+            - name: db-init-conf
+              mountPath: {{ $dbToInit.logConfigFile | quote }}
+              subPath: {{ base $dbToInit.logConfigFile | quote }}
+              readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-init-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{- $dbToInitType := default "oslo" $dbToInit.inputType }}
+{{- if and (eq $dbToInitType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-init-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl b/charts/neutron/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
new file mode 100644
index 0000000..24d2496
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
@@ -0,0 +1,137 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db migration and management.
+# It can be used in charts dict created similar to the following:
+# {- $dbSyncJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }
+
+{{- define "helm-toolkit.manifests.job_db_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $podEnvVars := index . "podEnvVars" | default false -}}
+{{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "image" ( index $envAll.Values.images.tags ( printf "%s_db_sync" $serviceName )) ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
+{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+          image: {{ $dbToSync.image | quote }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if $podEnvVars }}
+          env:
+{{ $podEnvVars | toYaml | indent 12 }}
+{{- end }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/db-sync.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-sync-sh
+              mountPath: /tmp/db-sync.sh
+              subPath: db-sync.sh
+              readOnly: true
+            - name: etc-service
+              mountPath: {{ dir $dbToSync.configFile | quote }}
+            - name: db-sync-conf
+              mountPath: {{ $dbToSync.configFile | quote }}
+              subPath: {{ base $dbToSync.configFile | quote }}
+              readOnly: true
+            - name: db-sync-conf
+              mountPath: {{ $dbToSync.logConfigFile | quote }}
+              subPath: {{ base $dbToSync.logConfigFile | quote }}
+              readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-sync-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-sync-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/charts/neutron/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
new file mode 100644
index 0000000..3a7df7f
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
@@ -0,0 +1,130 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksEndpointJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksEndpointJob | include "helm-toolkit.manifests.job_ks_endpoints" }
+
+{{- define "helm-toolkit.manifests.job_ks_endpoints" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_endpoints" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_endpoints.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-endpoints" }}
+{{ tuple $envAll "ks_endpoints" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "ks-endpoints" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_endpoints" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_endpoints" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+        - name: {{ printf "%s-%s-%s" $osServiceType "ks-endpoints" $osServiceEndPoint | quote }}
+          image: {{ $envAll.Values.images.tags.ks_endpoints }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-endpoints.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-endpoints-sh
+              mountPath: /tmp/ks-endpoints.sh
+              subPath: ks-endpoints.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: OS_SVC_ENDPOINT
+              value: {{ $osServiceEndPoint | quote }}
+            - name: OS_SERVICE_NAME
+              value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+            - name: OS_SERVICE_TYPE
+              value: {{ $osServiceType | quote }}
+            - name: OS_SERVICE_ENDPOINT
+              value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-endpoints-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl b/charts/neutron/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
new file mode 100644
index 0000000..a109e3c
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
@@ -0,0 +1,124 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksServiceJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }
+
+{{- define "helm-toolkit.manifests.job_ks_service" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_service" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_service.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-service" }}
+{{ tuple $envAll "ks_service" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "ks-service" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_service" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_service" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+        - name: {{ printf "%s-%s" $osServiceType "ks-service-registration" | quote }}
+          image: {{ $envAll.Values.images.tags.ks_service }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-service.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-service-sh
+              mountPath: /tmp/ks-service.sh
+              subPath: ks-service.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: OS_SERVICE_NAME
+              value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+            - name: OS_SERVICE_TYPE
+              value: {{ $osServiceType | quote }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-service-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/charts/neutron/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
new file mode 100644
index 0000000..905eb71
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone user management.
+# It can be used in charts dict created similar to the following:
+# {- $ksUserJob := dict "envAll" . "serviceName" "senlin" }
+# { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }
+
+{{/*
+  # To enable PodSecuritycontext (PodSecurityContext/v1) define the below in values.yaml:
+  # example:
+  #  values: |
+  #    pod:
+  #      security_context:
+  #        ks_user:
+  #          pod:
+  #            runAsUser: 65534
+  # To enable Container SecurityContext(SecurityContext/v1) for ks-user container define the values:
+  # example:
+  #   values: |
+  #     pod:
+  #       security_context:
+  #         ks_user:
+  #           container:
+  #             ks-user:
+  #               runAsUser: 65534
+  #               readOnlyRootFilesystem: true
+  #               allowPrivilegeEscalation: false
+*/}}
+
+{{- define "helm-toolkit.manifests.job_ks_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_user" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_user.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "ks-user" }}
+{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceUserPretty "ks-user" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+{{ dict "envAll" $envAll "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: ks-user
+          image: {{ $envAll.Values.images.tags.ks_user }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ks_user" "container" "ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-user.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-user-sh
+              mountPath: /tmp/ks-user.sh
+              subPath: ks-user.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: SERVICE_OS_SERVICE_NAME
+              value: {{ $serviceName | quote }}
+{{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: SERVICE_OS_ROLES
+            {{- $serviceOsRoles := index $envAll.Values.endpoints.identity.auth $serviceUser "role" }}
+            {{- if kindIs "slice" $serviceOsRoles }}
+              value: {{ include "helm-toolkit.utils.joinListWithComma" $serviceOsRoles | quote }}
+            {{- else }}
+              value: {{ $serviceOsRoles | quote }}
+            {{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-user-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/charts/neutron/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
new file mode 100644
index 0000000..6982064
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
@@ -0,0 +1,129 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.manifests.job_rabbit_init" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
+{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceUserPretty "rabbit-init" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "rabbit_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "rabbit_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: rabbit-init
+          image: {{ $envAll.Values.images.tags.rabbit_init | quote }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.rabbit_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/rabbit-init.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: rabbit-init-sh
+              mountPath: /tmp/rabbit-init.sh
+              subPath: rabbit-init.sh
+              readOnly: true
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+          env:
+          - name: RABBITMQ_ADMIN_CONNECTION
+            valueFrom:
+              secretKeyRef:
+                name: {{ $envAll.Values.secrets.oslo_messaging.admin }}
+                key: RABBITMQ_CONNECTION
+          - name: RABBITMQ_USER_CONNECTION
+            valueFrom:
+              secretKeyRef:
+                name: {{ index $envAll.Values.secrets.oslo_messaging $serviceName }}
+                key: RABBITMQ_CONNECTION
+{{- if $envAll.Values.conf.rabbitmq }}
+          - name: RABBITMQ_AUXILIARY_CONFIGURATION
+            value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates (ne $tlsSecret "") }}
+          - name: RABBITMQ_X509
+            value: "REQUIRE X509"
+          - name: USER_CERT_PATH
+            value: {{ $tlsPath | quote }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: rabbit-init-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl b/charts/neutron/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
new file mode 100644
index 0000000..29cb993
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
@@ -0,0 +1,147 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for linking an s3 bucket to an s3 user.
+# It can be used in charts dict created similar to the following:
+# {- $s3BucketJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3BucketJob | include "helm-toolkit.manifests.job_s3_bucket" }
+
+{{- define "helm-toolkit.manifests.job_s3_bucket" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+{{- $s3Bucket := index . "s3Bucket" | default $serviceName }}
+{{- $tlsCertificateSecret := index . "tlsCertificateSecret" -}}
+{{- $tlsCertificatePath := index . "tlsCertificatePath" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-bucket" }}
+{{ tuple $envAll "s3_bucket" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "s3-bucket" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "s3_bucket" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "s3_bucket" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: s3-bucket
+          image: {{ $envAll.Values.images.tags.s3_bucket }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_bucket | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/create-s3-bucket.sh
+          env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: s3-bucket-sh
+              mountPath: /tmp/create-s3-bucket.sh
+              subPath: create-s3-bucket.sh
+              readOnly: true
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: ceph.conf
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+            - name: {{ $tlsCertificateSecret }}
+              mountPath: {{ $tlsCertificatePath }}
+              subPath: ca.crt
+              readOnly: true
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: s3-bucket-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etcceph
+          emptyDir: {}
+        - name: ceph-etc
+          configMap:
+            name: {{ $configMapCeph | quote }}
+            defaultMode: 0444
+        {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+        - name: ceph-keyring
+          secret:
+            secretName: pvc-ceph-client-key
+        {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+        - name: {{ $tlsCertificateSecret }}
+          secret:
+            secretName: {{ $tlsCertificateSecret }}
+            defaultMode: 292
+{{- end }}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl b/charts/neutron/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
new file mode 100644
index 0000000..50d9af5
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
@@ -0,0 +1,159 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for s3 user management.
+# It can be used in charts dict created similar to the following:
+# {- $s3UserJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3UserJob | include "helm-toolkit.manifests.job_s3_user" }
+
+{{- define "helm-toolkit.manifests.job_s3_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-user" }}
+{{ tuple $envAll "s3_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "s3-user" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook-delete-policy": before-hook-creation
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "s3_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "s3_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: ceph-keyring-placement
+          image: {{ $envAll.Values.images.tags.ceph_key_placement }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+          command:
+            - /tmp/ceph-admin-keyring.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-keyring-sh
+              mountPath: /tmp/ceph-admin-keyring.sh
+              subPath: ceph-admin-keyring.sh
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+      containers:
+        - name: s3-user
+          image: {{ $envAll.Values.images.tags.s3_user }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/create-s3-user.sh
+          env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+            - name: RGW_HOST
+              value: {{ tuple "ceph_object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: create-s3-user-sh
+              mountPath: /tmp/create-s3-user.sh
+              subPath: create-s3-user.sh
+              readOnly: true
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: ceph.conf
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: create-s3-user-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: ceph-keyring-sh
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+        - name: etcceph
+          emptyDir: {}
+        - name: ceph-etc
+          configMap:
+            name: {{ $configMapCeph | quote }}
+            defaultMode: 0444
+        {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+        - name: ceph-keyring
+          secret:
+            secretName: pvc-ceph-client-key
+        {{ end }}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl b/charts/neutron/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
new file mode 100644
index 0000000..0906df4
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
@@ -0,0 +1,119 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for the image repo sync jobs.
+# It can be used in charts dict created similar to the following:
+# {- $imageRepoSyncJob := dict "envAll" . "serviceName" "prometheus" -}
+# { $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }
+
+{{- define "helm-toolkit.manifests.job_image_repo_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "image-repo-sync" }}
+{{ tuple $envAll "image_repo_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "image-repo-sync" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook-delete-policy": before-hook-creation
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "image_repo_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+      containers:
+        - name: image-repo-sync
+{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: LOCAL_REPO
+              value: "{{ tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+            - name: IMAGE_SYNC_LIST
+              value: "{{ include "helm-toolkit.utils.image_sync_list" $envAll }}"
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/image-repo-sync.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: bootstrap-sh
+              mountPath: /tmp/image-repo-sync.sh
+              subPath: image-repo-sync.sh
+              readOnly: true
+            - name: docker-socket
+              mountPath: /var/run/docker.sock
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: bootstrap-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: docker-socket
+          hostPath:
+            path: /var/run/docker.sock
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/manifests/_network_policy.tpl b/charts/neutron/charts/helm-toolkit/templates/manifests/_network_policy.tpl
new file mode 100644
index 0000000..405197a
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/manifests/_network_policy.tpl
@@ -0,0 +1,238 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a network policy manifest for services.
+values: |
+  endpoints:
+    kube_dns:
+      namespace: kube-system
+      name: kubernetes-dns
+      hosts:
+        default: kube-dns
+      host_fqdn_override:
+        default: null
+      path:
+        default: null
+      scheme: http
+      port:
+        dns_tcp:
+          default: 53
+        dns:
+          default: 53
+          protocol: UDP
+  network_policy:
+    myLabel:
+      podSelector:
+        matchLabels:
+          component: api
+      ingress:
+      - from:
+        - podSelector:
+            matchLabels:
+              application: keystone
+        ports:
+        - protocol: TCP
+          port: 80
+      egress:
+      - to:
+        - namespaceSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+usage: |
+  {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+  {{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}
+return: |
+  ---
+  apiVersion: networking.k8s.io/v1
+  kind: NetworkPolicy
+  metadata:
+    name: RELEASE-NAME
+    namespace: NAMESPACE
+  spec:
+    policyTypes:
+      - Ingress
+      - Egress
+    podSelector:
+      matchLabels:
+        application: myLabel
+        component: api
+    ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            application: keystone
+      ports:
+      - protocol: TCP
+        port: 80
+    egress:
+      - to:
+        - podSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+  ---
+  apiVersion: networking.k8s.io/v1
+  kind: NetworkPolicy
+  metadata:
+    name: RELEASE-NAME
+    namespace: NAMESPACE
+  spec:
+    policyTypes:
+      - Ingress
+      - Egress
+    podSelector:
+      matchLabels:
+        application: myApp
+        component: myComp
+    ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            application: keystone
+      ports:
+      - protocol: TCP
+        port: 80
+    egress:
+      - to:
+        - podSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+*/}}
+
+{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $name := index . "name" -}}
+{{- $labels := index . "labels" | default nil -}}
+{{- $label := index . "key" | default (index . "label") -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ $label | replace "_" "-" }}-netpol
+  namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+  policyTypes:
+{{- $is_egress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_egress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
+    - Egress
+{{ end -}}
+{{- $is_ingress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_ingress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
+    - Ingress
+{{ end -}}
+{{- end }}
+  podSelector:
+    matchLabels:
+{{- if empty $labels }}
+      {{ $name }}: {{ $label }}
+{{- else }}
+{{ range $k, $v := $labels }}
+      {{ $k }}: {{ $v }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
+{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
+{{ index $envAll.Values.network_policy $label "podSelector" "matchLabels" | toYaml | indent 6 }}
+{{ end }}
+{{ end }}
+{{ end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+  egress:
+{{- range $key, $value := $envAll.Values.endpoints }}
+{{- if kindIs "map" $value }}
+{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }}
+    - to:
+{{- if index $value "namespace" }}
+      - namespaceSelector:
+          matchLabels:
+            name: {{ index $value "namespace" }}
+{{- else if index $value "hosts" }}
+{{- $defaultValue := index $value "hosts" "internal" }}
+{{- if hasKey (index $value "hosts") "internal" }}
+{{- $a := split "-" $defaultValue }}
+      - podSelector:
+          matchLabels:
+            application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- else }}
+{{- $defaultValue := index $value "hosts" "default" }}
+{{- $a := split "-" $defaultValue }}
+      - podSelector:
+          matchLabels:
+            application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- end }}
+{{- end }}
+{{- if index $value "port" }}
+      ports:
+{{- range $k, $v := index $value "port" }}
+{{- if $k }}
+{{- range $pk, $pv := $v }}
+{{- if and $pv (ne $pk "protocol") }}
+      - port: {{ $pv }}
+        protocol: {{ $v.protocol | default "TCP" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if index $envAll.Values.network_policy $label "egress" }}
+{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if index $envAll.Values.network_policy $label "ingress" }}
+  ingress:
+{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl b/charts/neutron/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
new file mode 100644
index 0000000..4854bb1
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
@@ -0,0 +1,93 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a authenticating a registry with a secret
+examples:
+  - values: |
+      secrets:
+        oci_image_registry:
+          {{ $serviceName }}: {{ $keyName }}
+      endpoints:
+        oci_image_registry:
+          name: oci-image-registry
+          auth:
+            enabled: true
+             {{ $serviceName }}:
+                name: {{ $userName }}
+                password: {{ $password }}
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: {{ $secretName }}
+    type: kubernetes.io/dockerconfigjson
+    data:
+      dockerconfigjson: {{ $dockerAuth }}
+
+  - values: |
+      secrets:
+        oci_image_registry:
+          {{ $serviceName }}: {{ $keyName }}
+      endpoints:
+        oci_image_registry:
+          name: oci-image-registry
+          auth:
+            enabled: true
+             {{ $serviceName }}:
+                name: {{ $userName }}
+                password: {{ $password }}
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: {{ $secretName }}
+    type: kubernetes.io/dockerconfigjson
+    data:
+      dockerconfigjson: {{ $dockerAuth }}
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_registry" }}
+{{- $envAll := index . "envAll" }}
+{{- $registryUser := index . "registryUser" }}
+{{- $secretName := index $envAll.Values.secrets.oci_image_registry $registryUser }}
+{{- $registryHost := tuple "oci_image_registry" "internal" $envAll | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{/*
+We only use "host:port" when port is non-null, else just use "host"
+*/}}
+{{- $registryPort := "" }}
+{{- $port := $envAll.Values.endpoints.oci_image_registry.port.registry.default }}
+{{- if $port }}
+{{- $port = tuple "oci_image_registry" "internal" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $registryPort = printf ":%s" $port }}
+{{- end }}
+{{- $imageCredentials := index $envAll.Values.endpoints.oci_image_registry.auth $registryUser }}
+{{- $dockerAuthToken := printf "%s:%s" $imageCredentials.username $imageCredentials.password | b64enc }}
+{{- $dockerAuth := printf "{\"auths\": {\"%s%s\": {\"auth\": \"%s\"}}}" $registryHost $registryPort $dockerAuthToken | b64enc }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ $dockerAuth }}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl b/charts/neutron/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
new file mode 100644
index 0000000..24a7045
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a services public tls secret
+examples:
+  - values: |
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        key_manager:
+          host_fqdn_override:
+            public:
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: barbican-tls-public
+    type: kubernetes.io/tls
+    data:
+      tls.key: Rk9PLUtFWQo=
+      tls.crt: Rk9PLUNSVAoKRk9PLUNBX0NSVAo=
+
+  - values: |
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        key_manager:
+          host_fqdn_override:
+            public:
+              tls:
+                crt: |
+                  FOO-CRT
+                  FOO-INTERMEDIATE_CRT
+                  FOO-CA_CRT
+                key: |
+                  FOO-KEY
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: barbican-tls-public
+    type: kubernetes.io/tls
+    data:
+      tls.key: Rk9PLUtFWQo=
+      tls.crt: Rk9PLUNSVApGT08tSU5URVJNRURJQVRFX0NSVApGT08tQ0FfQ1JUCg==
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_ingress_tls" }}
+{{- $envAll := index . "envAll" }}
+{{- $endpoint := index . "endpoint" | default "public" }}
+{{- $backendServiceType := index . "backendServiceType" }}
+{{- $backendService := index . "backendService" | default "api" }}
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and $endpointHost.tls.key $endpointHost.tls.crt }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ index $envAll.Values.secrets.tls ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+type: kubernetes.io/tls
+data:
+  tls.key: {{ $endpointHost.tls.key | b64enc }}
+{{- if $endpointHost.tls.ca }}
+  tls.crt: {{ list $endpointHost.tls.crt $endpointHost.tls.ca | join "\n" | b64enc }}
+{{- else }}
+  tls.crt: {{ $endpointHost.tls.crt | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/manifests/_service-ingress.tpl b/charts/neutron/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
new file mode 100644
index 0000000..d2e7c0e
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
@@ -0,0 +1,43 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for a services ingress rules.
+# It can be used in charts dict created similar to the following:
+# {- $serviceIngressOpts := dict "envAll" . "backendServiceType" "key-manager" -}
+# { $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }
+
+{{- define "helm-toolkit.manifests.service_ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+  ports:
+    - name: http
+      port: 80
+    - name: https
+      port: 443
+  selector:
+    app: ingress-api
+{{- if index $envAll.Values.endpoints $backendServiceType }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" "ingress" }}
+  clusterIP: {{ (index $envAll.Values.endpoints $backendServiceType "ip" "ingress") }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl b/charts/neutron/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
new file mode 100644
index 0000000..bf1465b
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_bucket" }}
+#!/bin/bash
+set -e
+CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST"
+if [ "$RGW_PROTO" = "http" ]; then
+  CONNECTION_ARGS+=" --no-ssl"
+else
+  CONNECTION_ARGS+=" --no-check-certificate"
+fi
+ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
+USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY"
+function check_rgw_s3_bucket () {
+  s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS ls s3://$S3_BUCKET
+}
+function create_rgw_s3_bucket () {
+  s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS mb s3://$S3_BUCKET
+}
+function modify_bucket_acl () {
+  s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME
+}
+check_rgw_s3_bucket || ( create_rgw_s3_bucket && modify_bucket_acl )
+{{- end }}
\ No newline at end of file
diff --git a/charts/neutron/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl b/charts/neutron/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
new file mode 100644
index 0000000..08796d2
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
@@ -0,0 +1,65 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_user" }}
+#!/bin/bash
+set -e
+function create_s3_user () {
+  echo "Creating s3 user and key pair"
+  radosgw-admin user create \
+    --uid=${S3_USERNAME} \
+    --display-name=${S3_USERNAME} \
+    --key-type=s3 \
+    --access-key ${S3_ACCESS_KEY} \
+    --secret-key ${S3_SECRET_KEY}
+}
+function update_s3_user () {
+  # Retrieve old access keys, if they exist
+  old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \
+    | jq -r '.keys[].access_key' || true)
+
+  if [[ ! -z ${old_access_keys} ]]; then
+    for access_key in $old_access_keys; do
+      # If current access key is the same as the key supplied, do nothing.
+      if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then
+        echo "Current user and key pair exists."
+        continue
+      else
+        # If keys differ, remove previous key
+        radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key
+      fi
+    done
+  fi
+
+  # Perform one more additional check to account for scenarios where multiple
+  # key pairs existed previously, but one existing key was the supplied key
+  current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \
+    | jq -r '.keys[].access_key' || true)
+
+  # If the supplied key does not exist, modify the user
+  if [[ -z ${current_access_key} ]]; then
+    # Modify user with new access and secret keys
+    echo "Updating existing user's key pair"
+    radosgw-admin user modify \
+      --uid=${S3_USERNAME}\
+      --access-key ${S3_ACCESS_KEY} \
+      --secret-key ${S3_SECRET_KEY}
+  fi
+}
+user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true)
+if [[ -z ${user_exists} ]]; then
+  create_s3_user
+else
+  update_s3_user
+fi
+{{- end }}
\ No newline at end of file
diff --git a/charts/neutron/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl b/charts/neutron/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
new file mode 100644
index 0000000..03884fa
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_drop" }}
+#!/usr/bin/env python
+
+# Drops db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+    import ConfigParser
+    PARSER_OPTS = {}
+except ImportError:
+    import configparser as ConfigParser
+    PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Drop')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+    db_connection = os.environ['ROOT_DB_CONNECTION']
+    logger.info('Got DB root connection')
+else:
+    logger.critical('environment variable ROOT_DB_CONNECTION not set')
+    sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+    ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+                        'key': '/etc/mysql/certs/tls.key',
+                        'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+    os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+    if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+        os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+        sys.exit(1)
+    if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+        os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+        sys.exit(1)
+    try:
+        config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+        logger.info("Using {0} as db config source".format(os_conf))
+        config.read(os_conf)
+        logger.info("Trying to load db config from {0}:{1}".format(
+            os_conf_section, os_conf_key))
+        user_db_conn = config.get(os_conf_section, os_conf_key)
+        logger.info("Got config from {0}".format(os_conf))
+    except:
+        logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+        raise
+elif "DB_CONNECTION" in os.environ:
+    user_db_conn = os.environ['DB_CONNECTION']
+    logger.info('Got config from DB_CONNECTION env var')
+else:
+    logger.critical('Could not get db config, either from config file or env var')
+    sys.exit(1)
+
+# Root DB engine
+try:
+    root_engine_full = create_engine(db_connection)
+    root_user = root_engine_full.url.username
+    root_password = root_engine_full.url.password
+    drivername = root_engine_full.url.drivername
+    host = root_engine_full.url.host
+    port = root_engine_full.url.port
+    root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+    root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+    connection = root_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+        host, port, root_user))
+except:
+    logger.critical('Could not connect to database as root user')
+    raise
+
+# User DB engine
+try:
+    user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+    # Get our user data out of the user_engine
+    database = user_engine.url.database
+    user = user_engine.url.username
+    password = user_engine.url.password
+    logger.info('Got user db config')
+except:
+    logger.critical('Could not get user database config')
+    raise
+
+# Delete DB
+try:
+    root_engine.execute("DROP DATABASE IF EXISTS {0}".format(database))
+    logger.info("Deleted database {0}".format(database))
+except:
+    logger.critical("Could not drop database {0}".format(database))
+    raise
+
+# Delete DB User
+try:
+    root_engine.execute("DROP USER IF EXISTS {0}".format(user))
+    logger.info("Deleted user {0}".format(user))
+except:
+    logger.critical("Could not delete user {0}".format(user))
+    raise
+
+logger.info('Finished DB Management')
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/scripts/_db-init.py.tpl b/charts/neutron/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
new file mode 100644
index 0000000..4294d40
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_init" }}
+#!/usr/bin/env python
+
+# Creates db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+    import ConfigParser
+    PARSER_OPTS = {}
+except ImportError:
+    import configparser as ConfigParser
+    PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Init')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+    db_connection = os.environ['ROOT_DB_CONNECTION']
+    logger.info('Got DB root connection')
+else:
+    logger.critical('environment variable ROOT_DB_CONNECTION not set')
+    sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+    ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+                'key': '/etc/mysql/certs/tls.key',
+                'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+    os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+    if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+        os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+        sys.exit(1)
+    if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+        os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+        sys.exit(1)
+    try:
+        config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+        logger.info("Using {0} as db config source".format(os_conf))
+        config.read(os_conf)
+        logger.info("Trying to load db config from {0}:{1}".format(
+            os_conf_section, os_conf_key))
+        user_db_conn = config.get(os_conf_section, os_conf_key)
+        logger.info("Got config from {0}".format(os_conf))
+    except:
+        logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+        raise
+elif "DB_CONNECTION" in os.environ:
+    user_db_conn = os.environ['DB_CONNECTION']
+    logger.info('Got config from DB_CONNECTION env var')
+else:
+    logger.critical('Could not get db config, either from config file or env var')
+    sys.exit(1)
+
+# Root DB engine
+try:
+    root_engine_full = create_engine(db_connection)
+    root_user = root_engine_full.url.username
+    root_password = root_engine_full.url.password
+    drivername = root_engine_full.url.drivername
+    host = root_engine_full.url.host
+    port = root_engine_full.url.port
+    root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+    root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+    connection = root_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+        host, port, root_user))
+except:
+    logger.critical('Could not connect to database as root user')
+    raise
+
+# User DB engine
+try:
+    user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+    # Get our user data out of the user_engine
+    database = user_engine.url.database
+    user = user_engine.url.username
+    password = user_engine.url.password
+    logger.info('Got user db config')
+except:
+    logger.critical('Could not get user database config')
+    raise
+
+# Create DB
+try:
+    root_engine.execute("CREATE DATABASE IF NOT EXISTS {0}".format(database))
+    logger.info("Created database {0}".format(database))
+except:
+    logger.critical("Could not create database {0}".format(database))
+    raise
+
+# Create DB User
+try:
+    root_engine.execute(
+        "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\' {3}".format(
+            database, user, password, mysql_x509))
+    logger.info("Created user {0} for {1}".format(user, database))
+except:
+    logger.critical("Could not create user {0} for {1}".format(user, database))
+    raise
+
+# Test connection
+try:
+    connection = user_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1}/{2} as {3}".format(
+        host, port, database, user))
+except:
+    logger.critical('Could not connect to database as user')
+    raise
+
+logger.info('Finished DB Management')
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl b/charts/neutron/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
new file mode 100644
index 0000000..4d7dfaa
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
@@ -0,0 +1,69 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "helm-toolkit.scripts.pg_db_init" }}
+#!/bin/bash
+set -ex
+
+if [[ ! -v DB_HOST ]]; then
+    echo "environment variable DB_HOST not set"
+    exit 1
+elif [[ ! -v DB_ADMIN_USER ]]; then
+    echo "environment variable DB_ADMIN_USER not set"
+    exit 1
+elif [[ ! -v PGPASSWORD ]]; then
+    echo "environment variable PGPASSWORD not set"
+    exit 1
+elif [[ ! -v DB_PORT ]]; then
+    echo "environment variable DB_PORT not set"
+    exit 1
+elif [[ ! -v USER_DB_USER ]]; then
+    echo "environment variable USER_DB_USER not set"
+    exit 1
+elif [[ ! -v USER_DB_PASS ]]; then
+    echo "environment variable USER_DB_PASS not set"
+    exit 1
+elif [[ ! -v USER_DB_NAME ]]; then
+    echo "environment variable USER_DB_NAME not set"
+    exit 1
+else
+    echo "Got DB connection info"
+fi
+
+pgsql_superuser_cmd () {
+  DB_COMMAND="$1"
+  if [[ ! -z $2 ]]; then
+      EXPORT PGDATABASE=$2
+  fi
+  /usr/bin/psql \
+  -h ${DB_HOST} \
+  -p ${DB_PORT} \
+  -U ${DB_ADMIN_USER} \
+  --command="${DB_COMMAND}"
+}
+
+#create db
+pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q "(1 row)" || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME"
+
+#create db user
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | grep -q "(1 row)" || \
+    pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';"
+
+#Set password everytime. This is required for cases when we would want password rotation to take effect and set the updated password for a user.
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} with password '$USER_DB_PASS'"
+
+#give permissions to user
+pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;"
+
+#revoke all privileges from PUBLIC role
+pgsql_superuser_cmd "REVOKE ALL ON DATABASE $USER_DB_NAME FROM PUBLIC;"
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl b/charts/neutron/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
new file mode 100644
index 0000000..e41abe3
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
@@ -0,0 +1,24 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.image_repo_sync" }}
+#!/bin/sh
+set -ex
+
+IFS=','; for IMAGE in ${IMAGE_SYNC_LIST}; do
+  docker pull ${IMAGE}
+  docker tag ${IMAGE} ${LOCAL_REPO}/${IMAGE}
+  docker push ${LOCAL_REPO}/${IMAGE}
+done
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl b/charts/neutron/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
new file mode 100644
index 0000000..8755cd5
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
@@ -0,0 +1,72 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_domain_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Manage domain
+SERVICE_OS_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Service Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+    "${SERVICE_OS_DOMAIN_NAME}")
+
+# Display domain
+openstack domain show "${SERVICE_OS_DOMAIN_ID}"
+
+# Manage user
+SERVICE_OS_USERID=$(openstack user create --or-show --enable -f value -c id \
+    --domain="${SERVICE_OS_DOMAIN_ID}" \
+    --description "Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+    --password="${SERVICE_OS_PASSWORD}" \
+    "${SERVICE_OS_USERNAME}")
+
+# Manage user password (we do this to ensure the password is updated if required)
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${SERVICE_OS_USERID}"
+
+# Display user
+openstack user show "${SERVICE_OS_USERID}"
+
+# Manage role
+SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \
+    "${SERVICE_OS_ROLE}" || openstack role create -f value -c id \
+    "${SERVICE_OS_ROLE}" )
+
+# Manage user role assignment
+openstack role add \
+          --domain="${SERVICE_OS_DOMAIN_ID}" \
+          --user="${SERVICE_OS_USERID}" \
+          --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+          "${SERVICE_OS_ROLE_ID}"
+
+# Display user role assignment
+openstack role assignment list \
+          --role="${SERVICE_OS_ROLE_ID}" \
+          --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+          --user="${SERVICE_OS_USERID}"
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl b/charts/neutron/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
new file mode 100644
index 0000000..e400bcd
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
@@ -0,0 +1,79 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_endpoints" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Get Service ID
+OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+                  grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+                    sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+# Get Endpoint ID if it exists
+OS_ENDPOINT_ID=$( openstack endpoint list  -f csv --quote none | \
+                  grep "^[a-z0-9]*,${OS_REGION_NAME},${OS_SERVICE_NAME},${OS_SERVICE_TYPE},True,${OS_SVC_ENDPOINT}," | \
+                  awk -F ',' '{ print $1 }' )
+
+# Making sure only a single endpoint exists for a service within a region
+if [ "$(echo $OS_ENDPOINT_ID | wc -w)" -gt "1" ]; then
+  echo "More than one endpoint found, cleaning up"
+  for ENDPOINT_ID in $OS_ENDPOINT_ID; do
+    openstack endpoint delete ${ENDPOINT_ID}
+  done
+  unset OS_ENDPOINT_ID
+fi
+
+# Determine if Endpoint needs updated
+if [[ ${OS_ENDPOINT_ID} ]]; then
+  OS_ENDPOINT_URL_CURRENT=$(openstack endpoint show ${OS_ENDPOINT_ID} -f value -c url)
+  if [ "${OS_ENDPOINT_URL_CURRENT}" == "${OS_SERVICE_ENDPOINT}" ]; then
+    echo "Endpoints Match: no action required"
+    OS_ENDPOINT_UPDATE="False"
+  else
+    echo "Endpoints Dont Match: removing existing entries"
+    openstack endpoint delete ${OS_ENDPOINT_ID}
+    OS_ENDPOINT_UPDATE="True"
+  fi
+else
+  OS_ENDPOINT_UPDATE="True"
+fi
+
+# Update Endpoint if required
+if [[ "${OS_ENDPOINT_UPDATE}" == "True" ]]; then
+  OS_ENDPOINT_ID=$( openstack endpoint create -f value -c id \
+    --region="${OS_REGION_NAME}" \
+    "${OS_SERVICE_ID}" \
+    ${OS_SVC_ENDPOINT} \
+    "${OS_SERVICE_ENDPOINT}" )
+fi
+
+# Display the Endpoint
+openstack endpoint show ${OS_ENDPOINT_ID}
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl b/charts/neutron/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
new file mode 100644
index 0000000..8356b36
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_service" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Service boilerplate description
+OS_SERVICE_DESC="${OS_REGION_NAME}: ${OS_SERVICE_NAME} (${OS_SERVICE_TYPE}) service"
+
+# Get Service ID if it exists
+unset OS_SERVICE_ID
+
+# FIXME - There seems to be an issue once in a while where the
+# openstack service list fails and encounters an error message such as:
+#   Unable to establish connection to
+#   https://keystone-api.openstack.svc.cluster.local:5000/v3/auth/tokens:
+#   ('Connection aborted.', OSError("(104, 'ECONNRESET')",))
+# During an upgrade scenario, this would cause the OS_SERVICE_ID to be blank
+# and it would attempt to create a new service when it was not needed.
+# This duplciate service would sometimes be used by other services such as
+# Horizon and would give an 'Invalid Service Catalog' error.
+# This loop allows for a 'retry' of the openstack service list in an
+# attempt to get the service list as expected if it does ecounter an error.
+# This loop and recheck can be reverted once the underlying issue is addressed.
+
+# If OS_SERVICE_ID is blank then wait a few seconds to give it
+# additional time and try again
+for i in $(seq 3)
+do
+  OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+                   grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+                   sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+  # If the service was found, go ahead and exit successfully.
+  if [[ -n "${OS_SERVICE_ID}" ]]; then
+    exit 0
+  fi
+
+  sleep 2
+done
+
+# If we've reached this point and a Service ID was not found,
+# then create the service
+OS_SERVICE_ID=$(openstack service create -f value -c id \
+                --name="${OS_SERVICE_NAME}" \
+                --description "${OS_SERVICE_DESC}" \
+                --enable \
+                "${OS_SERVICE_TYPE}")
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl b/charts/neutron/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
new file mode 100644
index 0000000..b45f798
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+shopt -s nocasematch
+
+if [[ "${SERVICE_OS_PROJECT_DOMAIN_NAME}" == "Default" ]]
+then
+  PROJECT_DOMAIN_ID="default"
+else
+  # Manage project domain
+  PROJECT_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
+    "${SERVICE_OS_PROJECT_DOMAIN_NAME}")
+fi
+
+if [[ "${SERVICE_OS_USER_DOMAIN_NAME}" == "Default" ]]
+then
+  USER_DOMAIN_ID="default"
+else
+  # Manage user domain
+  USER_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}" \
+    "${SERVICE_OS_USER_DOMAIN_NAME}")
+fi
+
+shopt -u nocasematch
+
+# Manage user project
+USER_PROJECT_DESC="Service Project for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+USER_PROJECT_ID=$(openstack project create --or-show --enable -f value -c id \
+    --domain="${PROJECT_DOMAIN_ID}" \
+    --description="${USER_PROJECT_DESC}" \
+    "${SERVICE_OS_PROJECT_NAME}");
+
+# Manage user
+USER_DESC="Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}/${SERVICE_OS_SERVICE_NAME}"
+USER_ID=$(openstack user create --or-show --enable -f value -c id \
+    --domain="${USER_DOMAIN_ID}" \
+    --project-domain="${PROJECT_DOMAIN_ID}" \
+    --project="${USER_PROJECT_ID}" \
+    --description="${USER_DESC}" \
+    "${SERVICE_OS_USERNAME}");
+
+# Manage user password (we do this in a seperate step to ensure the password is updated if required)
+set +x
+echo "Setting user password via: openstack user set --password=xxxxxxx ${USER_ID}"
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${USER_ID}"
+set -x
+
+function ks_assign_user_role () {
+  if [[ "$SERVICE_OS_ROLE" == "admin" ]]
+  then
+    USER_ROLE_ID="$SERVICE_OS_ROLE"
+  else
+    USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${SERVICE_OS_ROLE}");
+  fi
+
+  # Manage user role assignment
+  openstack role add \
+      --user="${USER_ID}" \
+      --user-domain="${USER_DOMAIN_ID}" \
+      --project-domain="${PROJECT_DOMAIN_ID}" \
+      --project="${USER_PROJECT_ID}" \
+      "${USER_ROLE_ID}"
+}
+
+# Manage user service role
+IFS=','
+for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
+  ks_assign_user_role
+done
+
+# Manage user member role
+: ${MEMBER_OS_ROLE:="member"}
+export USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
+    "${MEMBER_OS_ROLE}");
+ks_assign_user_role
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/neutron/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
new file mode 100644
index 0000000..3739f95
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rabbit_init" }}
+#!/bin/bash
+set -e
+# Extract connection details
+RABBIT_HOSTNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $1}')
+RABBIT_PORT=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $2}')
+
+# Extract Admin User creadential
+RABBITMQ_ADMIN_USERNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $4}')
+RABBITMQ_ADMIN_PASSWORD=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $5}')
+
+# Extract User creadential
+RABBITMQ_USERNAME=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $4}')
+RABBITMQ_PASSWORD=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $5}')
+
+# Extract User vHost
+RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $3}')
+# Resolve vHost to / if no value is set
+RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
+
+function rabbitmqadmin_cli () {
+  if [ -n "$RABBITMQ_X509" ]
+  then
+    rabbitmqadmin \
+      --ssl \
+      --ssl-disable-hostname-verification \
+      --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
+      --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
+      --ssl-key-file="${USER_CERT_PATH}/tls.key" \
+      --host="${RABBIT_HOSTNAME}" \
+      --port="${RABBIT_PORT}" \
+      --username="${RABBITMQ_ADMIN_USERNAME}" \
+      --password="${RABBITMQ_ADMIN_PASSWORD}" \
+      ${@}
+  else
+    rabbitmqadmin \
+      --host="${RABBIT_HOSTNAME}" \
+      --port="${RABBIT_PORT}" \
+      --username="${RABBITMQ_ADMIN_USERNAME}" \
+      --password="${RABBITMQ_ADMIN_PASSWORD}" \
+      ${@}
+  fi
+}
+
+echo "Managing: User: ${RABBITMQ_USERNAME}"
+rabbitmqadmin_cli \
+  declare user \
+  name="${RABBITMQ_USERNAME}" \
+  password="${RABBITMQ_PASSWORD}" \
+  tags="user"
+
+echo "Deleting Guest User"
+rabbitmqadmin_cli \
+  delete user \
+  name="guest" || true
+
+if [ "${RABBITMQ_VHOST}" != "/" ]
+then
+  echo "Managing: vHost: ${RABBITMQ_VHOST}"
+  rabbitmqadmin_cli \
+    declare vhost \
+    name="${RABBITMQ_VHOST}"
+else
+  echo "Skipping root vHost declaration: vHost: ${RABBITMQ_VHOST}"
+fi
+
+echo "Managing: Permissions: ${RABBITMQ_USERNAME} on ${RABBITMQ_VHOST}"
+rabbitmqadmin_cli \
+  declare permission \
+  vhost="${RABBITMQ_VHOST}" \
+  user="${RABBITMQ_USERNAME}" \
+  configure=".*" \
+  write=".*" \
+  read=".*"
+
+if [ ! -z "$RABBITMQ_AUXILIARY_CONFIGURATION" ]
+then
+  echo "Applying additional configuration"
+  echo "${RABBITMQ_AUXILIARY_CONFIGURATION}" > /tmp/rmq_definitions.json
+  rabbitmqadmin_cli import /tmp/rmq_definitions.json
+fi
+
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/charts/neutron/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
new file mode 100644
index 0000000..c08d320
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
@@ -0,0 +1,88 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rally_test" -}}
+#!/bin/bash
+set -ex
+{{- $rallyTests := index . 0 }}
+
+: "${RALLY_ENV_NAME:="openstack-helm"}"
+: "${OS_INTERFACE:="public"}"
+: "${RALLY_CLEANUP:="true"}"
+
+if [ "x$RALLY_CLEANUP" == "xtrue" ]; then
+  function rally_cleanup {
+    openstack user delete \
+        --domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
+        "${SERVICE_OS_USERNAME}"
+{{ $rallyTests.clean_up | default "" | indent 4 }}
+  }
+  trap rally_cleanup EXIT
+fi
+
+function create_or_update_db () {
+  revisionResults=$(rally db revision)
+  if [ $revisionResults = "None"  ]
+  then
+    rally db create
+  else
+    rally db upgrade
+  fi
+}
+
+create_or_update_db
+
+cat > /tmp/rally-config.json << EOF
+{
+    "openstack": {
+        "auth_url": "${OS_AUTH_URL}",
+        "region_name": "${OS_REGION_NAME}",
+        "endpoint_type": "${OS_INTERFACE}",
+        "admin": {
+            "username": "${OS_USERNAME}",
+            "password": "${OS_PASSWORD}",
+            "user_domain_name": "${OS_USER_DOMAIN_NAME}",
+            "project_name": "${OS_PROJECT_NAME}",
+            "project_domain_name": "${OS_PROJECT_DOMAIN_NAME}"
+        },
+        "users": [
+            {
+                "username": "${SERVICE_OS_USERNAME}",
+                "password": "${SERVICE_OS_PASSWORD}",
+                "project_name": "${SERVICE_OS_PROJECT_NAME}",
+                "user_domain_name": "${SERVICE_OS_USER_DOMAIN_NAME}",
+                "project_domain_name": "${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+            }
+        ],
+        "https_insecure": false,
+        "https_cacert": "${OS_CACERT}"
+    }
+}
+EOF
+rally deployment create --file /tmp/rally-config.json --name "${RALLY_ENV_NAME}"
+rm -f /tmp/rally-config.json
+rally deployment use "${RALLY_ENV_NAME}"
+rally deployment check
+{{- if $rallyTests.run_tempest }}
+rally verify create-verifier --name "${RALLY_ENV_NAME}-tempest" --type tempest
+SERVICE_TYPE="$(rally deployment check | grep "${RALLY_ENV_NAME}" | awk -F \| '{print $3}' | tr -d ' ' | tr -d '\n')"
+rally verify start --pattern "tempest.api.${SERVICE_TYPE}*"
+rally verify delete-verifier --id "${RALLY_ENV_NAME}-tempest" --force
+{{- end }}
+rally task validate /etc/rally/rally_tests.yaml
+rally task start /etc/rally/rally_tests.yaml
+rally task sla-check
+rally env cleanup
+rally deployment destroy --deployment "${RALLY_ENV_NAME}"
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/neutron/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
new file mode 100644
index 0000000..687851e
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -0,0 +1,571 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.backup_main" }}
+#!/bin/bash
+
+# This file contains a database backup framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+#   source /tmp/backup_main.sh
+#
+# Then the script should call the main backup function (backup_databases):
+#   backup_databases [scope]
+#       [scope] is an optional parameter, defaulted to "all". If only one specific
+#               database is required to be backed up then this parameter will
+#               contain the name of the database; otherwise all are backed up.
+#
+#       The framework will require the following variables to be exported:
+#
+#         export DB_NAMESPACE          Namespace where the database(s) reside
+#         export DB_NAME               Name of the database system
+#         export LOCAL_DAYS_TO_KEEP    Number of days to keep the local backups
+#         export REMOTE_DAYS_TO_KEEP   Number of days to keep the remote backups
+#         export ARCHIVE_DIR           Local location where the backup tarballs should
+#                                      be stored. (full directory path)
+#         export BACK_UP_MODE          Determines the mode of backup taken.
+#         export REMOTE_BACKUP_ENABLED "true" if remote backup enabled; false
+#                                      otherwise
+#         export CONTAINER_NAME        Name of the container on the RGW to store
+#                                      the backup tarball.
+#         export STORAGE_POLICY        Name of the storage policy defined on the
+#                                      RGW which is intended to store backups.
+#         RGW access variables:
+#           export OS_REGION_NAME          Name of the region the RGW resides in
+#           export OS_AUTH_URL             Keystone URL associated with the RGW
+#           export OS_PROJECT_NAME         Name of the project associated with the
+#                                          keystone user
+#           export OS_USERNAME             Name of the keystone user
+#           export OS_PASSWORD             Password of the keystone user
+#           export OS_USER_DOMAIN_NAME     Keystone domain the project belongs to
+#           export OS_PROJECT_DOMAIN_NAME  Keystone domain the user belongs to
+#           export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+#           export REMOTE_BACKUP_RETRIES   Number of retries to send backup to remote
+#                                          in case of any temporary failures.
+#           export MIN_DELAY_SEND_REMOTE   Minimum seconds to delay before sending backup
+#                                          to remote to stagger backups being sent to RGW
+#           export MAX_DELAY_SEND_REMOTE   Maximum seconds to delay before sending backup
+#                                          to remote to stagger backups being sent to RGW.
+#                                          A random number between min and max delay is generated
+#                                          to set the delay.
+#
+# The database-specific functions that need to be implemented are:
+#   dump_databases_to_directory <directory> <err_logfile> [scope]
+#       where:
+#         <directory>   is the full directory path to dump the database files
+#                       into. This is a temporary directory for this backup only.
+#         <err_logfile> is the full directory path where error logs are to be
+#                       written by the application.
+#         [scope]       set to "all" if all databases are to be backed up; or
+#                       set to the name of a specific database to be backed up.
+#                       This optional parameter is defaulted to "all".
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to dump the database file(s) to the specified
+#       directory path. If this function completes successfully (returns 0), the
+#       framework will automatically tar/zip the files in that directory and
+#       name the tarball appropriately according to the proper conventions.
+#
+#   verify_databases_backup_archives [scope]
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to verify the database backup archives. If this function
+#        completes successfully (returns 0), the
+#       framework will automatically starts remote backup upload.
+#
+#
+# The functions in this file will take care of:
+#   1) Calling "dump_databases_to_directory" and then compressing the files,
+#      naming the tarball properly, and then storing it locally at the specified
+#      local directory.
+#   2) Sending the tarball built to the remote gateway, to be stored in the
+#      container configured to store database backups.
+#   3) Removing local backup tarballs which are older than the number of days
+#      specified by the "LOCAL_DAYS_TO_KEEP" variable.
+#   4) Removing remote backup tarballs (from the remote gateway) which are older
+#      than the number of days specified by the "REMOTE_DAYS_TO_KEEP" variable.
+#
+
+# Note: not using set -e in this script because more elaborate error handling
+# is needed.
+
+log_backup_error_exit() {
+  MSG=$1
+  ERRCODE=${2:-0}
+  log ERROR "${DB_NAME}_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+  rm -f $ERR_LOG_FILE
+  rm -rf $TMP_DIR
+  exit $ERRCODE
+}
+
+log_verify_backup_exit() {
+  MSG=$1
+  ERRCODE=${2:-0}
+  log ERROR "${DB_NAME}_verify_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+  rm -f $ERR_LOG_FILE
+  # rm -rf $TMP_DIR
+  exit $ERRCODE
+}
+
+
+log() {
+  #Log message to a file or stdout
+  #TODO: This can be convert into mail alert of alert send to a monitoring system
+  #Params: $1 log level
+  #Params: $2 service
+  #Params: $3 message
+  #Params: $4 Destination
+  LEVEL=$1
+  SERVICE=$2
+  MSG=$3
+  DEST=$4
+  DATE=$(date +"%m-%d-%y %H:%M:%S")
+  if [[ -z "$DEST" ]]; then
+    echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}"
+  else
+    echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}" >>$DEST
+  fi
+}
+
+# Generate a random number between MIN_DELAY_SEND_REMOTE and
+# MAX_DELAY_SEND_REMOTE
+random_number() {
+  diff=$((${MAX_DELAY_SEND_REMOTE} - ${MIN_DELAY_SEND_REMOTE} + 1))
+  echo $(($(( ${RANDOM} % ${diff} )) + ${MIN_DELAY_SEND_REMOTE} ))
+}
+
+#Get the day delta since the archive file backup
+seconds_difference() {
+  ARCHIVE_DATE=$( date --date="$1" +%s )
+  if [[ $? -ne 0 ]]; then
+    SECOND_DELTA=0
+  fi
+  CURRENT_DATE=$( date +%s )
+  SECOND_DELTA=$(($CURRENT_DATE-$ARCHIVE_DATE))
+  if [[ "$SECOND_DELTA" -lt 0 ]]; then
+    SECOND_DELTA=0
+  fi
+  echo $SECOND_DELTA
+}
+
+# Send the specified tarball file at the specified filepath to the
+# remote gateway.
+send_to_remote_server() {
+  FILEPATH=$1
+  FILE=$2
+
+  # Grab the list of containers on the remote site
+  RESULT=$(openstack container list 2>&1)
+
+  if [[ $? -eq 0 ]]; then
+    echo $RESULT | grep $CONTAINER_NAME
+    if [[ $? -ne 0 ]]; then
+      # Find the swift URL from the keystone endpoint list
+      SWIFT_URL=$(openstack catalog show object-store -c endpoints | grep public | awk '{print $4}')
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to get object-store enpoints from keystone catalog."
+        return 2
+      fi
+
+      # Get a token from keystone
+      TOKEN=$(openstack token issue -f value -c id)
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to get  keystone token."
+        return 2
+      fi
+
+      # Create the container
+      RES_FILE=$(mktemp -p /tmp)
+      curl -g -i -X PUT ${SWIFT_URL}/${CONTAINER_NAME} \
+           -H "X-Auth-Token: ${TOKEN}" \
+           -H "X-Storage-Policy: ${STORAGE_POLICY}" 2>&1 > $RES_FILE
+
+      if [[ $? -ne 0 || $(grep "HTTP" $RES_FILE | awk '{print $2}') -ge 400 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to create container ${CONTAINER_NAME}"
+        cat $RES_FILE
+        rm -f $RES_FILE
+        return 2
+      fi
+      rm -f $RES_FILE
+
+      swift stat $CONTAINER_NAME
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to retrieve container ${CONTAINER_NAME} details after creation."
+        return 2
+      fi
+    fi
+  else
+    echo $RESULT | grep -E "HTTP 401|HTTP 403"
+    if [[ $? -eq 0 ]]; then
+      log ERROR "${DB_NAME}_backup" "Access denied by keystone: ${RESULT}"
+      return 1
+    else
+      echo $RESULT | grep -E "ConnectionError|Failed to discover available identity versions|Service Unavailable|HTTP 50"
+      if [[ $? -eq 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Could not reach the RGW: ${RESULT}"
+        # In this case, keystone or the site/node may be temporarily down.
+        # Return slightly different error code so the calling code can retry
+        return 2
+      else
+        log ERROR "${DB_NAME}_backup" "Could not get container list: ${RESULT}"
+        return 1
+      fi
+    fi
+  fi
+
+  # Create an object to store the file
+  openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
+    return 2
+  fi
+
+  openstack object show $CONTAINER_NAME $FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
+    return 2
+  fi
+
+  # Calculation remote file SHA256 hash
+  REMOTE_FILE=$(mktemp -p /tmp)
+  openstack object save --file ${REMOTE_FILE} $CONTAINER_NAME $FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Unable to save container object $FILE for SHA256 hash verification."
+    rm -rf ${REMOTE_FILE}
+    return 1
+  fi
+
+  # Remote backup verification
+  SHA256_REMOTE=$(cat ${REMOTE_FILE} | sha256sum | awk '{print $1}')
+  SHA256_LOCAL=$(cat ${FILEPATH}/${FILE} | sha256sum | awk '{print $1}')
+  log INFO "${DB_NAME}_backup" "Calculated SHA256 hashes for the file $FILE in container $CONTAINER_NAME."
+  log INFO "${DB_NAME}_backup" "Local SHA256 hash is ${SHA256_LOCAL}."
+  log INFO "${DB_NAME}_backup" "Remote SHA256 hash is ${SHA256_REMOTE}."
+  if [[ "${SHA256_LOCAL}" == "${SHA256_REMOTE}" ]]; then
+      log INFO "${DB_NAME}_backup" "The local backup & remote backup SHA256 hash values are matching for file $FILE in container $CONTAINER_NAME."
+  else
+      log ERROR "${DB_NAME}_backup" "Mismatch between the local backup & remote backup sha256 hash values"
+      return 1
+  fi
+  rm -rf ${REMOTE_FILE}
+
+  log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
+  return 0
+}
+
+# This function attempts to store the built tarball to the remote gateway,
+# with built-in logic to handle error cases like:
+#   1) Network connectivity issues - retries for a specific amount of time
+#   2) Authorization errors - immediately logs an ERROR and returns
+store_backup_remotely() {
+  FILEPATH=$1
+  FILE=$2
+
+  count=1
+  while [[ ${count} -le ${REMOTE_BACKUP_RETRIES} ]]; do
+    # Store the new archive to the remote backup storage facility.
+    send_to_remote_server $FILEPATH $FILE
+    SEND_RESULT="$?"
+
+    # Check if successful
+    if [[ $SEND_RESULT -eq 0 ]]; then
+      log INFO "${DB_NAME}_backup" "Backup file ${FILE} successfully sent to RGW."
+      return 0
+    elif [[ $SEND_RESULT -eq 2 ]]; then
+      if [[ ${count} -ge ${REMOTE_BACKUP_RETRIES} ]]; then
+        log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW in " \
+        "${REMOTE_BACKUP_RETRIES} retries. Errors encountered. Exiting."
+        break
+      fi
+      # Temporary failure occurred. We need to retry
+      log WARN "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to RGW due to connection issue."
+      sleep_time=$(random_number)
+      log INFO "${DB_NAME}_backup" "Sleeping ${sleep_time} seconds waiting for RGW to become available..."
+      sleep ${sleep_time}
+      log INFO "${DB_NAME}_backup" "Retrying..."
+    else
+      log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW. Errors encountered. Exiting."
+      break
+    fi
+
+    # Increment the counter
+    count=$((count+1))
+  done
+
+  return 1
+}
+
+
+function get_archive_date(){
+# get_archive_date function returns correct archive date
+# for different formats of archives' names
+# the old one: <database name>.<namespace>.<table name | all>.<date-time>.tar.gz
+# the new one: <database name>.<namespace>.<table name | all>.<backup mode>.<date-time>.tar.gz
+  local A_FILE="$1"
+  awk -F. '{print $(NF-2)}' <<< ${A_FILE} | tr -d "Z"
+}
+
+# This function takes a list of archives' names as an input
+# and creates a hash table where keys are number of seconds
+# between current date and archive date (see seconds_difference),
+# and values are space separated archives' names
+#
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 1265342678 | "tmp/mysql.backup.auto.2022-02-14T10:13:13Z.tar.gz"                                                     |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 2346254257 | "tmp/mysql.backup.auto.2022-02-11T10:13:13Z.tar.gz tmp/mysql.backup.manual.2022-02-11T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# <...>
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 6253434567 | "tmp/mysql.backup.manual.2022-02-01T10:13:13Z.tar.gz"                                                   |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# We will use the explained above data stracture to cover rare, but still
+# possible case, when we have several backups of the same date. E.g.
+# one manual, and one automatic.
+
+declare -A fileTable
+create_hash_table() {
+unset fileTable
+fileList=$@
+  for ARCHIVE_FILE in ${fileList}; do
+    # Creating index, we will round given ARCHIVE_DATE to the midnight (00:00:00)
+    # to take in account a possibility, that we can have more than one scheduled
+    # backup per day.
+    ARCHIVE_DATE=$(get_archive_date ${ARCHIVE_FILE})
+    ARCHIVE_DATE=$(date --date=${ARCHIVE_DATE} +%D)
+    log INFO "${DB_NAME}_backup" "Archive date to build index: ${ARCHIVE_DATE}"
+    INDEX=$(seconds_difference ${ARCHIVE_DATE})
+    if [[ -z fileTable[${INDEX}] ]]; then
+      fileTable[${INDEX}]=${ARCHIVE_FILE}
+    else
+      fileTable[${INDEX}]="${fileTable[${INDEX}]} ${ARCHIVE_FILE}"
+    fi
+    echo "INDEX: ${INDEX} VALUE:  ${fileTable[${INDEX}]}"
+ done
+}
+
+function get_backup_prefix() {
+# Create list of all possible prefixes in a format:
+# <db_name>.<namespace> to cover a possible situation
+# when different backups of different databases and/or
+# namespaces share the same local or remote storage.
+  ALL_FILES=($@)
+  PREFIXES=()
+  for fname in ${ALL_FILES[@]}; do
+    prefix=$(basename ${fname} | cut -d'.' -f1,2 )
+    for ((i=0; i<${#PREFIXES[@]}; i++)) do
+      if [[ ${PREFIXES[${i}]} == ${prefix} ]]; then
+        prefix=""
+        break
+      fi
+    done
+    if [[ ! -z ${prefix} ]]; then
+        PREFIXES+=(${prefix})
+    fi
+  done
+}
+
+remove_old_local_archives() {
+  SECONDS_TO_KEEP=$(( $((${LOCAL_DAYS_TO_KEEP}))*86400))
+  log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+  if [[ -d $ARCHIVE_DIR ]]; then
+    count=0
+    # We iterate over the hash table, checking the delta in seconds (hash keys),
+    # and minimum number of backups we must have in place. List of keys has to be sorted.
+    for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+      ARCHIVE_FILE=${fileTable[${INDEX}]}
+      if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
+        ((count++))
+        log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
+      else
+        log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
+          rm -f ${ARCHIVE_FILE}
+          if [[ $? -ne 0 ]]; then
+            # Log error but don't exit so we can finish the script
+            # because at this point we haven't sent backup to RGW yet
+            log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
+          fi
+      fi
+    done
+  else
+    log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
+  fi
+}
+
+prepare_list_of_remote_backups() {
+  BACKUP_FILES=$(mktemp -p /tmp)
+  DB_BACKUP_FILES=$(mktemp -p /tmp)
+  openstack object list $CONTAINER_NAME > $BACKUP_FILES
+  if [[ $? -ne 0 ]]; then
+    log_backup_error_exit \
+      "Failed to cleanup remote backup. Could not obtain a list of current backup files in the RGW"
+  fi
+  # Filter out other types of backup files
+  cat $BACKUP_FILES | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $DB_BACKUP_FILES
+}
+
+# The logic implemented with this function is absolutely similar
+# to the function remove_old_local_archives (see above)
+remove_old_remote_archives() {
+  count=0
+  SECONDS_TO_KEEP=$((${REMOTE_DAYS_TO_KEEP}*86400))
+  log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+  for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+    ARCHIVE_FILE=${fileTable[${INDEX}]}
+    if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then
+      ((count++))
+      log INFO "${DB_NAME}_backup" "Keeping remote backup(s) ${ARCHIVE_FILE}."
+    else
+      log INFO "${DB_NAME}_backup" "Deleting remote backup(s) ${ARCHIVE_FILE} from the RGW"
+      openstack object delete ${CONTAINER_NAME} ${ARCHIVE_FILE} ||  log WARN "${DB_NAME}_backup" \
+        "Failed to cleanup remote backup. Cannot delete container object ${ARCHIVE_FILE}"
+    fi
+  done
+
+  # Cleanup now that we're done.
+  for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
+    if [[ -f ${fd} ]]; then
+      rm -f ${fd}
+    else
+      log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+    fi
+  done
+}
+
+# Main function to backup the databases. Calling functions need to supply:
+#  1) The directory where the final backup will be kept after it is compressed.
+#  2) A temporary directory to use for placing database files to be compressed.
+#     Note: this temp directory will be deleted after backup is done.
+#  3) Optional "scope" parameter indicating what database to back up. Defaults
+#     to "all".
+backup_databases() {
+  SCOPE=${1:-"all"}
+
+  # Create necessary directories if they do not exist.
+  mkdir -p $ARCHIVE_DIR || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create directory ${ARCHIVE_DIR}!"
+  export TMP_DIR=$(mktemp -d) || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create temp directory!"
+
+  # Create temporary log file
+  export ERR_LOG_FILE=$(mktemp -p /tmp) || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create log file!"
+
+  # It is expected that this function will dump the database files to the $TMP_DIR
+  dump_databases_to_directory $TMP_DIR $ERR_LOG_FILE $SCOPE
+
+  # If successful, there should be at least one file in the TMP_DIR
+  if [[ $? -ne 0 || $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+    cat $ERR_LOG_FILE
+    log_backup_error_exit "Backup of the ${DB_NAME} database failed and needs attention."
+  fi
+
+  log INFO "${DB_NAME}_backup" "Databases dumped successfully. Creating tarball..."
+
+  NOW=$(date +"%Y-%m-%dT%H:%M:%SZ")
+  if [[ -z "${BACK_UP_MODE}" ]]; then
+    TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${NOW}.tar.gz"
+  else
+    TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${BACK_UP_MODE}.${NOW}.tar.gz"
+  fi
+
+  cd $TMP_DIR || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot change to directory $TMP_DIR"
+
+  #Archive the current database files
+  tar zcvf $ARCHIVE_DIR/$TARBALL_FILE *
+  if [[ $? -ne 0 ]]; then
+    log_backup_error_exit \
+      "Backup ${DB_NAME} to local file system failed. Backup tarball could not be created."
+  fi
+
+  # Get the size of the file
+  ARCHIVE_SIZE=$(ls -l $ARCHIVE_DIR/$TARBALL_FILE | awk '{print $5}')
+
+  log INFO "${DB_NAME}_backup" "Tarball $TARBALL_FILE created successfully."
+
+  cd $ARCHIVE_DIR
+
+  #Only delete the old archive after a successful archive
+  export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
+  if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
+    get_backup_prefix $(ls -1 ${ARCHIVE_DIR}/*.gz)
+    for ((i=0; i<${#PREFIXES[@]}; i++)); do
+      echo "Working with prefix: ${PREFIXES[i]}"
+      create_hash_table $(ls -1 ${ARCHIVE_DIR}/${PREFIXES[i]}*.gz)
+      remove_old_local_archives
+    done
+  fi
+
+  # Local backup verification process
+
+  # It is expected that this function will verify the database backup files
+  if verify_databases_backup_archives ${SCOPE}; then
+    log INFO "${DB_NAME}_backup_verify" "Databases backup verified successfully. Uploading verified backups to remote location..."
+  else
+    # If successful, there should be at least one file in the TMP_DIR
+    if [[ $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+      cat $ERR_LOG_FILE
+    fi
+    log_verify_backup_exit "Verify of the ${DB_NAME} database backup failed and needs attention."
+    exit 1
+  fi
+
+  # Remove the temporary directory and files as they are no longer needed.
+  rm -rf $TMP_DIR
+  rm -f $ERR_LOG_FILE
+
+  # Remote backup
+  REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
+  if $REMOTE_BACKUP; then
+    # Remove Quotes from the constants which were added due to reading
+    # from secret.
+    export REMOTE_BACKUP_RETRIES=$(echo $REMOTE_BACKUP_RETRIES | sed 's/"//g')
+    export MIN_DELAY_SEND_REMOTE=$(echo $MIN_DELAY_SEND_REMOTE | sed 's/"//g')
+    export MAX_DELAY_SEND_REMOTE=$(echo $MAX_DELAY_SEND_REMOTE | sed 's/"//g')
+    export REMOTE_DAYS_TO_KEEP=$(echo $REMOTE_DAYS_TO_KEEP | sed 's/"//g')
+
+    store_backup_remotely $ARCHIVE_DIR $TARBALL_FILE
+    if [[ $? -ne 0 ]]; then
+      # This error should print first, then print the summary as the last
+      # thing that the user sees in the output.
+      log ERROR "${DB_NAME}_backup" "Backup ${TARBALL_FILE} could not be sent to remote RGW."
+      echo "=================================================================="
+      echo "Local backup successful, but could not send to remote RGW."
+      echo "Backup archive name: $TARBALL_FILE"
+      echo "Backup archive size: $ARCHIVE_SIZE"
+      echo "=================================================================="
+      # Because the local backup was successful, exit with 0 so the pod will not
+      # continue to restart and fill the disk with more backups. The ERRORs are
+      # logged and alerting system should catch those errors and flag the operator.
+      exit 0
+    fi
+
+    #Only delete the old archive after a successful archive
+    if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then
+      prepare_list_of_remote_backups
+      get_backup_prefix $(cat $DB_BACKUP_FILES)
+      for ((i=0; i<${#PREFIXES[@]}; i++)); do
+        echo "Working with prefix: ${PREFIXES[i]}"
+        create_hash_table $(cat ${DB_BACKUP_FILES} | grep ${PREFIXES[i]})
+        remove_old_remote_archives
+      done
+    fi
+
+    echo "=================================================================="
+    echo "Local backup and backup to remote RGW successful!"
+    echo "Backup archive name: $TARBALL_FILE"
+    echo "Backup archive size: $ARCHIVE_SIZE"
+    echo "=================================================================="
+  else
+    # Remote backup is not enabled. This is ok; at least we have a local backup.
+    log INFO "${DB_NAME}_backup" "Skipping remote backup, as it is not enabled."
+
+    echo "=================================================================="
+    echo "Local backup successful!"
+    echo "Backup archive name: $TARBALL_FILE"
+    echo "Backup archive size: $ARCHIVE_SIZE"
+    echo "=================================================================="
+  fi
+}
+{{- end }}
\ No newline at end of file
diff --git a/charts/neutron/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl b/charts/neutron/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
new file mode 100644
index 0000000..093dd2c
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
@@ -0,0 +1,616 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.restore_main" }}
+#!/bin/bash
+
+# This file contains a database restore framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+#   source /tmp/restore_main.sh
+#
+# Then the script should call the main CLI function (cli_main):
+#   cli_main <arg_list>
+#       where:
+#         <arg_list>    is the list of arguments given by the user
+#
+#       The framework will require the following variables to be exported:
+#
+#         export DB_NAMESPACE        Namespace where the database(s) reside
+#         export DB_NAME             Name of the database system
+#         export ARCHIVE_DIR         Location where the backup tarballs should
+#                                    be stored. (full directory path which
+#                                    should already exist)
+#         export CONTAINER_NAME      Name of the container on the RGW where
+#                                    the backups are stored.
+#         RGW access variables:
+#           export OS_REGION_NAME          Name of the region the RGW resides in
+#           export OS_AUTH_URL             Keystone URL associated with the RGW
+#           export OS_PROJECT_NAME         Name of the project associated with the
+#                                          keystone user
+#           export OS_USERNAME             Name of the keystone user
+#           export OS_PASSWORD             Password of the keystone user
+#           export OS_USER_DOMAIN_NAME     Keystone domain the project belongs to
+#           export OS_PROJECT_DOMAIN_NAME  Keystone domain the user belongs to
+#           export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# The database-specific functions that need to be implemented are:
+#   get_databases
+#       where:
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <db_file>     is the full path of the file to write the database
+#                       names into, one database per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the database names from the
+#       uncompressed database files found in the given "tmp_dir", which is
+#       the staging directory for database restore. The database names
+#       should be written to the given "db_file", one database name per
+#       line.
+#
+#   get_tables
+#         <db_name>     is the name of the database to get the tables from
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <table_file>  is the full path of the file to write the table
+#                       names into, one table per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the table names from the given
+#       database, found in the uncompressed database files located in the
+#       given "tmp_dir", which is the staging directory for database restore.
+#       The table names should be written to the given "table_file", one
+#       table name per line.
+#
+#   get_rows
+#         <table_name>  is the name of the table to get the rows from
+#         <db_name>     is the name of the database the table resides in
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <rows_file>   is the full path of the file to write the table
+#                       row data into, one row (INSERT statement) per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the rows from the given table
+#       in the given database, found in the uncompressed database files
+#       located in the given "tmp_dir", which is the staging directory for
+#       database restore. The table rows should be written to the given
+#       "rows_file", one row (INSERT statement) per line.
+#
+#   get_schema
+#         <table_name>  is the name of the table to get the schema from
+#         <db_name>     is the name of the database the table resides in
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <schema_file> is the full path of the file to write the table
+#                       schema data into
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the schema from the given table
+#       in the given database, found in the uncompressed database files
+#       located in the given "tmp_dir", which is the staging directory for
+#       database restore. The table schema and related alterations and
+#       grant information should be written to the given "schema_file".
+#
+#   restore_single_db
+#       where:
+#         <db_name>     is the name of the database to be restored
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to restore the database given as "db_name"
+#       using the database files located in the "tmp_dir". The framework
+#       will delete the "tmp_dir" and the files in it after the restore is
+#       complete.
+#
+#   restore_all_dbs
+#       where:
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to restore all of the databases which
+#       are backed up in the database files located in the "tmp_dir". The
+#       framework will delete the "tmp_dir" and the files in it after the
+#       restore is complete.
+#
+# The functions in this file will take care of:
+#   1) The CLI parameter parsing for the arguments passed in by the user.
+#   2) The listing of either local or remote archive files at the request
+#      of the user.
+#   3) The retrieval/download of an archive file located either in the local
+#      file system or remotely stored on an RGW.
+#   4) Calling either "restore_single_db" or "restore_all_dbs" when the user
+#      chooses to restore a database or all databases.
+#   5) The framework will call "get_databases" when it needs a list of
+#      databases when the user requests a database list or when the user
+#      requests to restore a single database (to ensure it exists in the
+#      archive). Similarly, the framework will call "get_tables", "get_rows",
+#      or "get_schema" when it needs that data requested by the user.
+#
+
+usage() {
+  ret_val=$1
+  echo "Usage:"
+  echo "Restore command options"
+  echo "============================="
+  echo "help"
+  echo "list_archives [remote]"
+  echo "list_databases <archive_filename> [remote]"
+  echo "list_tables <archive_filename> <dbname> [remote]"
+  echo "list_rows <archive_filename> <dbname> <table_name> [remote]"
+  echo "list_schema <archive_filename> <dbname> <table_name> [remote]"
+  echo "restore <archive_filename> <db_specifier> [remote]"
+  echo "        where <db_specifier> = <dbname> | ALL"
+  echo "delete_archive <archive_filename> [remote]"
+  clean_and_exit $ret_val ""
+}
+
+#Exit cleanly with some message and return code
+clean_and_exit() {
+  RETCODE=$1
+  MSG=$2
+
+  # Clean/remove temporary directories/files
+  rm -rf $TMP_DIR
+  rm -f $RESULT_FILE
+
+  if [[ "x${MSG}" != "x" ]]; then
+    echo $MSG
+  fi
+  exit $RETCODE
+}
+
+determine_resulting_error_code() {
+  RESULT="$1"
+
+  echo ${RESULT} | grep "HTTP 404"
+  if [[ $? -eq 0 ]]; then
+    echo "Could not find the archive: ${RESULT}"
+    return 1
+  else
+    echo ${RESULT} | grep "HTTP 401"
+    if [[ $? -eq 0 ]]; then
+      echo "Could not access the archive: ${RESULT}"
+      return 1
+    else
+      echo ${RESULT} | grep "HTTP 503"
+      if [[ $? -eq 0 ]]; then
+        echo "RGW service is unavailable. ${RESULT}"
+        # In this case, the RGW may be temporarily down.
+        # Return slightly different error code so the calling code can retry
+        return 2
+      else
+        echo ${RESULT} | grep "ConnectionError"
+        if [[ $? -eq 0 ]]; then
+          echo "Could not reach the RGW: ${RESULT}"
+          # In this case, keystone or the site/node may be temporarily down.
+          # Return slightly different error code so the calling code can retry
+          return 2
+        else
+          echo "Archive ${ARCHIVE} could not be retrieved: ${RESULT}"
+          return 1
+        fi
+      fi
+    fi
+  fi
+  return 0
+}
+
+# Retrieve a list of archives from the RGW.
+retrieve_remote_listing() {
+  RESULT=$(openstack container show $CONTAINER_NAME 2>&1)
+  if [[ $? -eq 0 ]]; then
+    # Get the list, ensureing that we only pick up the right kind of backups from the
+    # requested namespace
+    openstack object list $CONTAINER_NAME | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $TMP_DIR/archive_list
+    if [[ $? -ne 0 ]]; then
+      echo "Container object listing could not be obtained."
+      return 1
+    else
+      echo "Archive listing successfully retrieved."
+    fi
+  else
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  fi
+  return 0
+}
+
+# Retrieve a single archive from the RGW.
+retrieve_remote_archive() {
+  ARCHIVE=$1
+
+  RESULT=$(openstack object save --file $TMP_DIR/$ARCHIVE $CONTAINER_NAME $ARCHIVE 2>&1)
+  if [[ $? -ne 0 ]]; then
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  else
+    echo "Archive $ARCHIVE successfully retrieved."
+  fi
+  return 0
+}
+
+# Delete an archive from the RGW.
+delete_remote_archive() {
+  ARCHIVE=$1
+
+  RESULT=$(openstack object delete ${CONTAINER_NAME} ${ARCHIVE} 2>&1)
+  if [[ $? -ne 0 ]]; then
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  else
+    echo "Archive ${ARCHIVE} successfully deleted."
+  fi
+  return 0
+}
+
+# Display all archives
+list_archives() {
+  REMOTE=$1
+
+  if [[ "x${REMOTE^^}" == "xREMOTE" ]]; then
+    retrieve_remote_listing
+    if [[ $? -eq 0 && -e $TMP_DIR/archive_list ]]; then
+      echo
+      echo "All Archives from RGW Data Store"
+      echo "=============================================="
+      cat $TMP_DIR/archive_list | sort
+      clean_and_exit 0 ""
+    else
+      clean_and_exit 1 "ERROR: Archives could not be retrieved from the RGW."
+    fi
+  elif [[ "x${REMOTE}" == "x" ]]; then
+    if [[ -d $ARCHIVE_DIR ]]; then
+      archives=$(find $ARCHIVE_DIR/ -iname "*.gz" -print | sort)
+      echo
+      echo "All Local Archives"
+      echo "=============================================="
+      for archive in $archives
+      do
+        echo $archive | cut -d '/' -f8-
+      done
+      clean_and_exit 0 ""
+    else
+      clean_and_exit 1 "ERROR: Local archive directory is not available."
+    fi
+  else
+    usage 1
+  fi
+}
+
+# Retrieve the archive from the desired location and decompress it into
+# the restore directory
+get_archive() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+
+  if [[ "x$REMOTE" == "xremote" ]]; then
+    echo "Retrieving archive ${ARCHIVE_FILE} from the remote RGW..."
+    retrieve_remote_archive $ARCHIVE_FILE
+    if [[ $? -ne 0 ]]; then
+      clean_and_exit 1 "ERROR: Could not retrieve remote archive: $ARCHIVE_FILE"
+    fi
+  elif [[ "x$REMOTE" == "x" ]]; then
+    if [[ -e $ARCHIVE_DIR/$ARCHIVE_FILE ]]; then
+      cp $ARCHIVE_DIR/$ARCHIVE_FILE $TMP_DIR/$ARCHIVE_FILE
+      if [[ $? -ne 0 ]]; then
+        clean_and_exit 1 "ERROR: Could not copy local archive to restore directory."
+      fi
+    else
+      clean_and_exit 1 "ERROR: Local archive file could not be found."
+    fi
+  else
+    usage 1
+  fi
+
+  echo "Decompressing archive $ARCHIVE_FILE..."
+  cd $TMP_DIR
+  tar zxvf - < $TMP_DIR/$ARCHIVE_FILE 1>/dev/null
+  if [[ $? -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Archive decompression failed."
+  fi
+}
+
+# Display all databases from an archive
+list_databases() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one database per line
+  get_databases $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve databases from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Databases in the $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Databases file missing. Could not list databases from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display all tables of a database from an archive
+list_tables() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  REMOTE=$3
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one table per line
+  get_tables $DATABASE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve tables for database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Tables in database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Tables file missing. Could not list tables of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display all rows of the given database table from an archive
+list_rows() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  TABLE=$3
+  REMOTE=$4
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one table per line
+  get_rows $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Rows in table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Rows file missing. Could not list rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display the schema information of the given database table from an archive
+list_schema() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  TABLE=$3
+  REMOTE=$4
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the schema information will be placed into
+  # the given schema file.
+  get_schema $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Schema for table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Schema file missing. Could not list schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Delete an archive
+delete_archive() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  if [[ "${WHERE}" == "remote" ]]; then
+    delete_remote_archive ${ARCHIVE_FILE}
+    if [[ $? -ne 0 ]]; then
+      clean_and_exit 1 "ERROR: Could not delete remote archive: ${ARCHIVE_FILE}"
+    fi
+  else # Local
+    if [[ -e ${ARCHIVE_DIR}/${ARCHIVE_FILE} ]]; then
+      rm -f ${ARCHIVE_DIR}/${ARCHIVE_FILE}
+      if [[ $? -ne 0 ]]; then
+        clean_and_exit 1 "ERROR: Could not delete local archive."
+      fi
+    else
+      clean_and_exit 1 "ERROR: Local archive file could not be found."
+    fi
+  fi
+
+  echo "Successfully deleted archive ${ARCHIVE_FILE} from ${WHERE} storage."
+}
+
+
+# Return 1 if the given database exists in the database file. 0 otherwise.
+database_exists() {
+  DB=$1
+
+  grep "${DB}" ${RESULT_FILE}
+  if [[ $? -eq 0 ]]; then
+    return 1
+  fi
+  return 0
+}
+
+# This is the main CLI interpreter function
+cli_main() {
+  ARGS=("$@")
+
+  # Create the ARCHIVE DIR if it's not already there.
+  mkdir -p $ARCHIVE_DIR
+
+  # Create temp directory for a staging area to decompress files into
+  export TMP_DIR=$(mktemp -d)
+
+  # Create a temp file for storing list of databases (if needed)
+  export RESULT_FILE=$(mktemp -p /tmp)
+
+  case "${ARGS[0]}" in
+    "help")
+      usage 0
+      ;;
+
+    "list_archives")
+      if [[ ${#ARGS[@]} -gt 2 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 1 ]]; then
+        list_archives
+      else
+        list_archives ${ARGS[1]}
+      fi
+      clean_and_exit 0
+      ;;
+
+    "list_databases")
+      if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 2 ]]; then
+        list_databases ${ARGS[1]}
+      else
+        list_databases ${ARGS[1]} ${ARGS[2]}
+      fi
+      ;;
+
+    "list_tables")
+      if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 3 ]]; then
+        list_tables ${ARGS[1]} ${ARGS[2]}
+      else
+        list_tables ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      fi
+      ;;
+
+    "list_rows")
+      if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      else
+        list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+      fi
+      ;;
+
+    "list_schema")
+      if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      else
+        list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+      fi
+      ;;
+
+    "restore")
+      REMOTE=""
+      if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        REMOTE=${ARGS[3]}
+      fi
+
+      ARCHIVE=${ARGS[1]}
+      DB_SPEC=${ARGS[2]}
+
+      #Get all the databases in that archive
+      get_archive $ARCHIVE $REMOTE
+
+      if [[ "$( echo $DB_SPEC | tr '[a-z]' '[A-Z]')" != "ALL" ]]; then
+        # Expectation is that the database listing will be put into
+        # the given file one database per line
+        get_databases $TMP_DIR $RESULT_FILE
+        if [[ "$?" -ne 0 ]]; then
+          clean_and_exit 1 "ERROR: Could not get the list of databases to restore."
+        fi
+
+        if [[ ! $DB_NAMESPACE == "kube-system" ]]; then
+          #check if the requested database is available in the archive
+          database_exists $DB_SPEC
+          if [[ $? -ne 1 ]]; then
+            clean_and_exit 1 "ERROR: Database ${DB_SPEC} does not exist."
+          fi
+        fi
+
+        echo "Restoring Database $DB_SPEC And Grants"
+        restore_single_db $DB_SPEC $TMP_DIR
+        if [[ "$?" -eq 0 ]]; then
+          echo "Single database restored successfully."
+        else
+          clean_and_exit 1 "ERROR: Single database restore failed."
+        fi
+        clean_and_exit 0 ""
+      else
+        echo "Restoring All The Databases. This could take a few minutes..."
+        restore_all_dbs $TMP_DIR
+        if [[ "$?" -eq 0 ]]; then
+          echo "All databases restored successfully."
+        else
+          clean_and_exit 1 "ERROR: Database restore failed."
+        fi
+        clean_and_exit 0 ""
+      fi
+      ;;
+    "delete_archive")
+      if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 2 ]]; then
+        delete_archive ${ARGS[1]}
+      else
+        delete_archive ${ARGS[1]} ${ARGS[2]}
+      fi
+      ;;
+    *)
+      usage 1
+      ;;
+  esac
+
+  clean_and_exit 0 ""
+}
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_image.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_image.tpl
new file mode 100644
index 0000000..029c93d
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_image.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves an image reference to a string, and its pull policy
+values: |
+  images:
+    tags:
+      test_image: docker.io/port/test:version-foo
+      image_foo: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    pull_policy: IfNotPresent
+    local_registry:
+      active: true
+      exclude:
+        - image_foo
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    local_image_registry:
+      name: docker-registry
+      namespace: docker-registry
+      hosts:
+        default: localhost
+        internal: docker-registry
+        node: localhost
+      host_fqdn_override:
+        default: null
+      port:
+        registry:
+          node: 5000
+usage: |
+  {{ tuple . "test_image" | include "helm-toolkit.snippets.image" }}
+return: |
+  image: "localhost:5000/docker.io/port/test:version-foo"
+  imagePullPolicy: IfNotPresent
+*/}}
+
+{{- define "helm-toolkit.snippets.image" -}}
+{{- $envAll := index . 0 -}}
+{{- $image := index . 1 -}}
+{{- $imageTag := index $envAll.Values.images.tags $image -}}
+{{- if and ($envAll.Values.images.local_registry.active) (not (has $image $envAll.Values.images.local_registry.exclude )) -}}
+{{- $registryPrefix := printf "%s:%s" (tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup") (tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup") -}}
+image: {{ printf "%s/%s" $registryPrefix $imageTag | quote }}
+{{- else -}}
+image: {{ $imageTag | quote }}
+{{- end }}
+imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
new file mode 100644
index 0000000..2f209fe
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a set of container enviorment variables, equivlant to an openrc for
+  use with keystone based command line clients.
+values: |
+  secrets:
+    identity:
+      admin: example-keystone-admin
+usage: |
+  {{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin ) }}
+return: |
+  - name: OS_IDENTITY_API_VERSION
+    value: "3"
+  - name: OS_AUTH_URL
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_AUTH_URL
+  - name: OS_REGION_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_REGION_NAME
+  - name: OS_INTERFACE
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_INTERFACE
+  - name: OS_ENDPOINT_TYPE
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_INTERFACE
+  - name: OS_PROJECT_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PROJECT_DOMAIN_NAME
+  - name: OS_PROJECT_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PROJECT_NAME
+  - name: OS_USER_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_USER_DOMAIN_NAME
+  - name: OS_USERNAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_USERNAME
+  - name: OS_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PASSWORD
+  - name: OS_CACERT
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_CACERT
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }}
+{{- $useCA := .useCA -}}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: OS_IDENTITY_API_VERSION
+  value: "3"
+- name: OS_AUTH_URL
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_AUTH_URL
+- name: OS_REGION_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_REGION_NAME
+- name: OS_INTERFACE
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_INTERFACE
+- name: OS_ENDPOINT_TYPE
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_INTERFACE
+- name: OS_PROJECT_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_DOMAIN_NAME
+- name: OS_PROJECT_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_NAME
+- name: OS_USER_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USER_DOMAIN_NAME
+- name: OS_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USERNAME
+- name: OS_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PASSWORD
+- name: OS_DEFAULT_DOMAIN
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_DEFAULT_DOMAIN
+{{- if $useCA }}
+- name: OS_CACERT
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_CACERT
+{{- end }}
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
new file mode 100644
index 0000000..f627657
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_secret_openrc" }}
+{{- $userClass := index . 0 -}}
+{{- $identityEndpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $userContext := index $context.Values.endpoints.identity.auth $userClass }}
+OS_AUTH_URL: {{ tuple "identity" $identityEndpoint "api" $context | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
+OS_REGION_NAME: {{ $userContext.region_name | b64enc }}
+OS_INTERFACE: {{ $userContext.interface | default "internal" | b64enc }}
+OS_PROJECT_DOMAIN_NAME: {{ $userContext.project_domain_name | b64enc }}
+OS_PROJECT_NAME: {{ $userContext.project_name | b64enc }}
+OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }}
+OS_USERNAME: {{ $userContext.username | b64enc }}
+OS_PASSWORD: {{ $userContext.password | b64enc }}
+OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }}
+{{- if $userContext.cacert }}
+OS_CACERT: {{ $userContext.cacert | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
new file mode 100644
index 0000000..648711b
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a set of container enviorment variables, for use with the keystone
+  user management jobs.
+values: |
+  secrets:
+    identity:
+      service_user: example-keystone-user
+usage: |
+  {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }}
+return: |
+  - name: SERVICE_OS_REGION_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_REGION_NAME
+  - name: SERVICE_OS_PROJECT_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PROJECT_DOMAIN_NAME
+  - name: SERVICE_OS_PROJECT_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PROJECT_NAME
+  - name: SERVICE_OS_USER_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_USER_DOMAIN_NAME
+  - name: SERVICE_OS_USERNAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_USERNAME
+  - name: SERVICE_OS_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PASSWORD
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_user_create_env_vars" }}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: SERVICE_OS_REGION_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_REGION_NAME
+- name: SERVICE_OS_PROJECT_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_DOMAIN_NAME
+- name: SERVICE_OS_PROJECT_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_NAME
+- name: SERVICE_OS_USER_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USER_DOMAIN_NAME
+- name: SERVICE_OS_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USERNAME
+- name: SERVICE_OS_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PASSWORD
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
new file mode 100644
index 0000000..8ca1028
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders a configmap used for loading custom AppArmor profiles.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+      apparmor_profiles: |-
+        my_apparmor-v1.profile: |-
+          #include <tunables/global>
+          profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+            <profile_data>
+          }
+usage: |
+  {{ dict "envAll" . "component" "myComponent" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }}
+return: |
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: releaseName-myComponent-apparmor
+  namespace: myNamespace
+data:
+  my_apparmor-v1.profile: |-
+    #include <tunables/global>
+    profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+      <profile_data>
+    }
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_configmap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- $mapName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if $envAll.Values.conf.apparmor_profiles }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ $mapName }}
+  namespace: {{ $envAll.Release.Namespace }}
+data:
+{{ $envAll.Values.conf.apparmor_profiles | toYaml | indent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
new file mode 100644
index 0000000..f231fe6
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders the init container used for apparmor loading.
+values: |
+  images:
+    tags:
+      apparmor_loader: my-repo.io/apparmor-loader:1.0.0
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+      apparmor-loader: unconfined
+usage: |
+  {{ dict "envAll" . | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" }}
+return: |
+  - name: apparmor-loader
+    image: my-repo.io/apparmor-loader:1.0.0
+    args:
+      - /profiles
+    securityContext:
+      privileged: true
+    volumeMounts:
+      - name: sys
+        mountPath: /sys
+        readOnly: true
+      - name: includes
+        mountPath: /etc/apparmor.d
+        readOnly: true
+      - name: profiles
+        mountPath: /profiles
+        readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" -}}
+{{- $envAll := index . "envAll" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+- name: apparmor-loader
+  image: {{ $envAll.Values.images.tags.apparmor_loader }}
+  args:
+    - /profiles
+  securityContext:
+    privileged: true
+  volumeMounts:
+    - name: sys
+      mountPath: /sys
+      readOnly: true
+    - name: includes
+      mountPath: /etc/apparmor.d
+      readOnly: true
+    - name: profiles
+      mountPath: /profiles
+      readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
new file mode 100644
index 0000000..baebaa3
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders the volumes used by the apparmor loader.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+inputs: |
+  envAll: "Environment or Context."
+  component: "Name of the component used for the name of configMap."
+  requireSys: "Boolean. True if it needs the hostpath /sys in volumes."
+usage: |
+  {{ dict "envAll" . "component" "keystone" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" }}
+return: |
+- name: sys
+  hostPath:
+    path: /sys
+- name: includes
+  hostPath:
+    path: /etc/apparmor.d
+- name: profiles
+  configMap:
+    name: RELEASENAME-keystone-apparmor
+    defaultMode: 0555
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_volumes" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $requireSys := index . "requireSys" | default false -}}
+{{- $configName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- if $requireSys }}
+- name: sys
+  hostPath:
+    path: /sys
+{{- end }}
+- name: includes
+  hostPath:
+    path: /etc/apparmor.d
+- name: profiles
+  configMap:
+    name: {{ $configName | quote }}
+    defaultMode: 0555
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
new file mode 100644
index 0000000..4741497
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders securityContext for a Kubernetes container.
+  For container level, see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#securitycontext-v1-core
+examples:
+  - values: |
+      pod:
+        security_context:
+          myApp:
+            container:
+              foo:
+                runAsUser: 34356
+                readOnlyRootFilesystem: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" "container" "foo" | include "helm-toolkit.snippets.kubernetes_container_security_context" }}
+    return: |
+      securityContext:
+        readOnlyRootFilesystem: true
+        runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_container_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $container := index . "container" -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{- if hasKey ( index $envAll.Values.pod.security_context $application "container" ) $container }}
+securityContext:
+{{ toYaml ( index $envAll.Values.pod.security_context $application "container" $container ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
new file mode 100644
index 0000000..bed712e
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
@@ -0,0 +1,209 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a container definition for use with the kubernetes-entrypoint image
+  from stackanetes.
+values: |
+  images:
+    tags:
+      dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    pull_policy: IfNotPresent
+    local_registry:
+      active: true
+      exclude:
+        - dep_check
+  dependencies:
+    dynamic:
+      common:
+        local_image_registry:
+          jobs:
+            - calico-image-repo-sync
+          services:
+            - endpoint: node
+              service: local_image_registry
+    static:
+      calico_node:
+        services:
+          - endpoint: internal
+            service: etcd
+        custom_resources:
+          - apiVersion: argoproj.io/v1alpha1
+            kind: Workflow
+            name: wf-example
+            fields:
+              - key: "status.phase"
+                value: "Succeeded"
+  endpoints:
+    local_image_registry:
+      namespace: docker-registry
+      hosts:
+        default: localhost
+        node: localhost
+    etcd:
+      hosts:
+        default: etcd
+  # NOTE (portdirect): if the stanza, or a portion of it, under `pod` is not
+  # specififed then the following will be used as defaults:
+  #  pod:
+  #    security_context:
+  #      kubernetes_entrypoint:
+  #        container:
+  #          kubernetes_entrypoint:
+  #            runAsUser: 65534
+  #            readOnlyRootFilesystem: true
+  #            allowPrivilegeEscalation: false
+  pod:
+    security_context:
+      kubernetes_entrypoint:
+        container:
+          kubernetes_entrypoint:
+            runAsUser: 0
+            readOnlyRootFilesystem: false
+usage: |
+  {{ tuple . "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" }}
+return: |
+  - name: init
+    image: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+    imagePullPolicy: IfNotPresent
+    securityContext:
+      allowPrivilegeEscalation: false
+      readOnlyRootFilesystem: false
+      runAsUser: 0
+
+    env:
+      - name: POD_NAME
+        valueFrom:
+          fieldRef:
+            apiVersion: v1
+            fieldPath: metadata.name
+      - name: NAMESPACE
+        valueFrom:
+          fieldRef:
+            apiVersion: v1
+            fieldPath: metadata.namespace
+      - name: INTERFACE_NAME
+        value: eth0
+      - name: PATH
+        value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+      - name: DEPENDENCY_SERVICE
+        value: "default:etcd,docker-registry:localhost"
+      - name: DEPENDENCY_JOBS
+        value: "calico-image-repo-sync"
+      - name: DEPENDENCY_DAEMONSET
+        value: ""
+      - name: DEPENDENCY_CONTAINER
+        value: ""
+      - name: DEPENDENCY_POD_JSON
+        value: ""
+      - name: DEPENDENCY_CUSTOM_RESOURCE
+        value: "[{\"apiVersion\":\"argoproj.io/v1alpha1\",\"kind\":\"Workflow\",\"namespace\":\"default\",\"name\":\"wf-example\",\"fields\":[{\"key\":\"status.phase\",\"value\":\"Succeeded\"}]}]"
+    command:
+      - kubernetes-entrypoint
+    volumeMounts:
+      []
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" -}}
+Values:
+  pod:
+    security_context:
+      kubernetes_entrypoint:
+        container:
+          kubernetes_entrypoint:
+            runAsUser: 65534
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $mounts := index . 2 -}}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+
+{{- if and ($envAll.Values.manifests.job_rabbit_init) (hasKey $envAll.Values.dependencies "dynamic") -}}
+{{- if $envAll.Values.dependencies.dynamic.job_rabbit_init -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component) ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component)) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+{{- range $deps.custom_resources }}
+{{- $_ := set . "namespace" $envAll.Release.Namespace -}}
+{{- end -}}
+{{- $default_security_context := include "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" . | fromYaml }}
+{{- $patchedEnvAll := mergeOverwrite $default_security_context $envAll }}
+- name: init
+{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
+{{- dict "envAll" $patchedEnvAll "application" "kubernetes_entrypoint" "container" "kubernetes_entrypoint" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 2 }}
+  env:
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          apiVersion: v1
+          fieldPath: metadata.name
+    - name: NAMESPACE
+      valueFrom:
+        fieldRef:
+          apiVersion: v1
+          fieldPath: metadata.namespace
+    - name: INTERFACE_NAME
+      value: eth0
+    - name: PATH
+      value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+    - name: DEPENDENCY_SERVICE
+      value: "{{ tuple $deps.services $envAll | include "helm-toolkit.utils.comma_joined_service_list" }}"
+{{- if $deps.jobs -}}
+  {{- if kindIs "string" (index $deps.jobs 0) }}
+    - name: DEPENDENCY_JOBS
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.jobs }}"
+  {{- else }}
+    - name: DEPENDENCY_JOBS_JSON
+      value: {{- toJson $deps.jobs | quote -}}
+  {{- end -}}
+{{- end }}
+    - name: DEPENDENCY_DAEMONSET
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.daemonset }}"
+    - name: DEPENDENCY_CONTAINER
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.container }}"
+    - name: DEPENDENCY_POD_JSON
+      value: {{ if $deps.pod }}{{ toJson $deps.pod | quote }}{{ else }}""{{ end }}
+    - name: DEPENDENCY_CUSTOM_RESOURCE
+      value: {{ if $deps.custom_resources }}{{ toJson $deps.custom_resources | quote }}{{ else }}""{{ end }}
+  command:
+    - kubernetes-entrypoint
+  volumeMounts:
+{{ toYaml $mounts | indent 4 }}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
new file mode 100644
index 0000000..34a7da3
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
@@ -0,0 +1,20 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_kubectl_params" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{ print "-l application=" $application " -l component=" $component }}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
new file mode 100644
index 0000000..92d3ea5
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders mandatory access control annotations for a list of containers
+  driven by values.yaml. As of now, it can only generate an apparmor
+  annotation, but in the future could generate others.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      myPodName:
+        myContainerName: localhost/myAppArmor
+        mySecondContainerName: localhost/secondProfile # optional
+        myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+  {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" }}
+return: |
+  container.apparmor.security.beta.kubernetes.io/myContainerName: localhost/myAppArmor
+  container.apparmor.security.beta.kubernetes.io/mySecondContainerName: localhost/secondProfile
+  container.apparmor.security.beta.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+  The number of container underneath is a variable arguments. It loops through
+  all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- $macType := $envAll.Values.pod.mandatory_access_control.type -}}
+{{- if $macType -}}
+{{- if eq $macType "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control $podName -}}
+{{- range $name := $containerNames -}}
+{{- $apparmorProfile := index $envAll.Values.pod.mandatory_access_control $podName $name -}}
+{{- if $apparmorProfile }}
+container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
new file mode 100644
index 0000000..48b53fa
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders a set of standardised labels
+values: |
+  release_group: null
+  pod:
+    labels:
+      default:
+        label1.example.com: value
+      bar:
+        label2.example.com: bar
+usage: |
+  {{ tuple . "foo" "bar" | include "helm-toolkit.snippets.kubernetes_metadata_labels" }}
+return: |
+  release_group: RELEASE-NAME
+  application: foo
+  component: bar
+  label1.example.com: value
+  label2.example.com: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+release_group: {{ $envAll.Values.release_group | default $envAll.Release.Name }}
+application: {{ $application }}
+component: {{ $component }}
+{{- if ($envAll.Values.pod).labels }}
+{{- if hasKey $envAll.Values.pod.labels $component }}
+{{ index $envAll.Values.pod "labels" $component | toYaml }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.labels "default" }}
+{{ $envAll.Values.pod.labels.default | toYaml }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
new file mode 100644
index 0000000..fabbcf8
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
@@ -0,0 +1,89 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes anti affinity rules, this function supports both hard
+  'requiredDuringSchedulingIgnoredDuringExecution' and soft
+  'preferredDuringSchedulingIgnoredDuringExecution' types.
+values: |
+  pod:
+    affinity:
+      anti:
+        topologyKey:
+          default: kubernetes.io/hostname
+        type:
+          default: requiredDuringSchedulingIgnoredDuringExecution
+        weight:
+          default: 10
+usage: |
+  {{ tuple . "appliction_x" "component_y" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" }}
+return: |
+  podAntiAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+    - labelSelector:
+        matchExpressions:
+          - key: release_group
+            operator: In
+            values:
+            - RELEASE-NAME
+          - key: application
+            operator: In
+            values:
+            - appliction_x
+          - key: component
+            operator: In
+            values:
+            - component_y
+          topologyKey: kubernetes.io/hostname
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $component := index . "component" -}}
+{{- $expressionRelease := dict "key" "release_group" "operator" "In"  "values" ( list ( $envAll.Values.release_group | default $envAll.Release.Name ) ) -}}
+{{- $expressionApplication := dict "key" "application" "operator" "In"  "values" ( list $application ) -}}
+{{- $expressionComponent := dict "key" "component" "operator" "In"  "values" ( list $component ) -}}
+{{- list $expressionRelease $expressionApplication $expressionComponent | toYaml }}
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{- $antiAffinityType := index $envAll.Values.pod.affinity.anti.type $component | default $envAll.Values.pod.affinity.anti.type.default }}
+{{- $antiAffinityKey := index $envAll.Values.pod.affinity.anti.topologyKey $component | default $envAll.Values.pod.affinity.anti.topologyKey.default }}
+podAntiAffinity:
+{{- $matchExpressions := include "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" ( dict "envAll" $envAll "application" $application "component" $component ) -}}
+{{- if eq $antiAffinityType "preferredDuringSchedulingIgnoredDuringExecution" }}
+  {{ $antiAffinityType }}:
+  - podAffinityTerm:
+      labelSelector:
+        matchExpressions:
+{{ $matchExpressions | indent 10 }}
+      topologyKey: {{ $antiAffinityKey }}
+{{- if  $envAll.Values.pod.affinity.anti.weight }}
+    weight: {{ index $envAll.Values.pod.affinity.anti.weight $component | default $envAll.Values.pod.affinity.anti.weight.default }}
+{{- else }}
+    weight: 10
+{{- end -}}
+{{- else if eq $antiAffinityType "requiredDuringSchedulingIgnoredDuringExecution" }}
+  {{ $antiAffinityType }}:
+  - labelSelector:
+      matchExpressions:
+{{ $matchExpressions | indent 8 }}
+    topologyKey: {{ $antiAffinityKey }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
new file mode 100644
index 0000000..74173dc
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders image pull secrets for a pod
+values: |
+  pod:
+    image_pull_secrets:
+      default:
+        - name: some-pull-secret
+      bar:
+        - name: another-pull-secret
+usage: |
+  {{ tuple . "bar" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" }}
+return: |
+  imagePullSecrets:
+    - name: some-pull-secret
+    - name: another-pull-secret
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_image_pull_secrets" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- if ($envAll.Values.pod).image_pull_secrets }}
+imagePullSecrets:
+{{- if hasKey $envAll.Values.pod.image_pull_secrets $application }}
+{{ index $envAll.Values.pod "image_pull_secrets" $application | toYaml | indent 2 }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.image_pull_secrets "default" }}
+{{ $envAll.Values.pod.image_pull_secrets.default | toYaml | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
new file mode 100644
index 0000000..90a7a65
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{{- $saName := index . 2 | replace "_" "-" }}
+{{- $saNamespace := index . 3 -}}
+{{- $releaseName := $envAll.Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $releaseName }}-{{ $saName }}
+  namespace: {{ $saNamespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $saName }}
+    namespace: {{ $saNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+  namespace: {{ $saNamespace }}
+rules:
+  - apiGroups:
+      - ""
+      - extensions
+      - batch
+      - apps
+    verbs:
+      - get
+      - list
+    resources:
+      {{- range $k, $v := $deps -}}
+      {{ if eq $v "daemonsets" }}
+      - daemonsets
+      {{- end -}}
+      {{ if eq $v "jobs" }}
+      - jobs
+      {{- end -}}
+      {{ if or (eq $v "pods") (eq $v "daemonsets") (eq $v "jobs") }}
+      - pods
+      {{- end -}}
+      {{ if eq $v "services" }}
+      - services
+      - endpoints
+      {{- end -}}
+      {{ if eq $v "secrets" }}
+      - secrets
+      {{- end -}}
+      {{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
new file mode 100644
index 0000000..bc2045e
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $saName := index . 2 -}}
+{{- $saNamespace := $envAll.Release.Namespace }}
+{{- $randomKey := randAlphaNum 32 }}
+{{- $allNamespace := dict $randomKey "" }}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $saName }}
+  namespace: {{ $saNamespace }}
+{{- if $envAll.Values.manifests.secret_registry }}
+{{- if $envAll.Values.endpoints.oci_image_registry.auth.enabled }}
+imagePullSecrets:
+  - name: {{ index $envAll.Values.secrets.oci_image_registry $envAll.Chart.Name }}
+{{- end -}}
+{{- end -}}
+{{- range $k, $v := $deps -}}
+{{- if eq $k "services" }}
+{{- range $serv := $v }}
+{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
+{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
+{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
+{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- else if and (eq $k "jobs") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "daemonset") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "pod") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "pods," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "secret") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "secrets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- $_ := unset $allNamespace $randomKey }}
+{{- range $ns, $vv := $allNamespace }}
+{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
+{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
new file mode 100644
index 0000000..3a4fbaa
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
@@ -0,0 +1,67 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders securityContext for a Kubernetes pod.
+  For pod level, seurity context see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#podsecuritycontext-v1-core
+examples:
+  - values: |
+      pod:
+        # NOTE: The 'user' key is deprecated, and will be removed shortly.
+        user:
+          myApp:
+            uid: 34356
+        security_context:
+          myApp:
+            pod:
+              runAsNonRoot: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+    return: |
+      securityContext:
+        runAsUser: 34356
+        runAsNonRoot: true
+  - values: |
+      pod:
+        security_context:
+          myApp:
+            pod:
+              runAsUser: 34356
+              runAsNonRoot: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+    return: |
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+securityContext:
+{{- if hasKey $envAll.Values.pod "user" }}
+{{- if hasKey $envAll.Values.pod.user $application }}
+{{- if hasKey ( index $envAll.Values.pod.user $application ) "uid" }}
+  runAsUser: {{ index $envAll.Values.pod.user $application "uid" }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{ toYaml ( index $envAll.Values.pod.security_context $application "pod" ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
new file mode 100644
index 0000000..7470760
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes liveness and readiness probes for containers
+values: |
+  pod:
+    probes:
+      api:
+        default:
+          readiness:
+            enabled: true
+            params:
+              initialDelaySeconds: 30
+              timeoutSeconds: 30
+usage: |
+  {{- define "probeTemplate" }}
+  httpGet:
+    path: /status
+    port: 9090
+  {{- end }}
+  {{ dict "envAll" . "component" "api" "container" "default" "type" "readiness" "probeTemplate" (include "probeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" }}
+return: |
+  readinessProbe:
+    httpGet:
+      path: /status
+      port: 9090
+    initialDelaySeconds: 30
+    timeoutSeconds: 30
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_probe" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $container := index . "container" -}}
+{{- $type := index . "type" -}}
+{{- $probeTemplate := index . "probeTemplate" -}}
+{{- $probeOpts := index $envAll.Values.pod.probes $component $container $type -}}
+{{- if $probeOpts.enabled -}}
+{{- $probeOverides := index $probeOpts "params" | default dict -}}
+{{ dict ( printf "%sProbe" $type ) (mergeOverwrite $probeTemplate $probeOverides ) | toYaml }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
new file mode 100644
index 0000000..24d30cf
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
@@ -0,0 +1,53 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Note: This function is deprecated and will be removed in the future.
+
+abstract: |
+  Renders kubernetes resource limits for pods
+values: |
+  pod:
+    resources:
+      enabled: true
+      api:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+          hugepages-1Gi: "1Gi"
+
+usage: |
+  {{ include "helm-toolkit.snippets.kubernetes_resources" ( tuple . .Values.pod.resources.api ) }}
+return: |
+  resources:
+    limits:
+      cpu: "2000m"
+      memory: "1024Mi"
+      hugepages-1Gi: "1Gi"
+    requests:
+      cpu: "100m"
+      memory: "128Mi
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_resources" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- if $envAll.Values.pod.resources.enabled -}}
+resources:
+{{ toYaml $component | trim | indent 2 }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
new file mode 100644
index 0000000..555ffb0
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders seccomp annotations for a list of containers driven by values.yaml.
+values: |
+  pod:
+    seccomp:
+      myPodName:
+        myContainerName: localhost/mySeccomp
+        mySecondContainerName: localhost/secondProfile # optional
+        myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+  {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_seccomp_annotation" }}
+return: |
+  container.seccomp.security.alpha.kubernetes.io/myContainerName: localhost/mySeccomp
+  container.seccomp.security.alpha.kubernetes.io/mySecondContainerName: localhost/secondProfile
+  container.seccomp.security.alpha.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+  The number of container underneath is a variable arguments. It loops through
+  all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_seccomp_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey (index $envAll.Values.pod "seccomp") $podName -}}
+{{- range $name := $containerNames -}}
+{{- $seccompProfile := index $envAll.Values.pod.seccomp $podName $name -}}
+{{- if $seccompProfile }}
+container.seccomp.security.alpha.kubernetes.io/{{ $name }}: {{ $seccompProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
new file mode 100644
index 0000000..e4af6a6
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes tolerations for pods
+values: |
+  pod:
+    tolerations:
+      api:
+        enabled: true
+        tolerations:
+        - key: node-role.kubernetes.io/master
+          operator: Exists
+        - key: node-role.kubernetes.io/node
+          operator: Exists
+
+usage: |
+  {{ include "helm-toolkit.snippets.kubernetes_tolerations" ( tuple . .Values.pod.tolerations.api ) }}
+return: |
+  tolerations:
+  - key: node-role.kubernetes.io/master
+    operator: Exists
+  - key: node-role.kubernetes.io/node
+    operator: Exists
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_tolerations" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $pod := index $envAll.Values.pod.tolerations $component }}
+tolerations:
+{{ toYaml $pod.tolerations }}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
new file mode 100644
index 0000000..69cee47
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_daemonset" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $upgradeMap := index $envAll.Values.pod.lifecycle.upgrades.daemonsets $component -}}
+{{- $pod_replacement_strategy := $envAll.Values.pod.lifecycle.upgrades.daemonsets.pod_replacement_strategy -}}
+{{- with $upgradeMap -}}
+{{- if .enabled }}
+minReadySeconds: {{ .min_ready_seconds }}
+updateStrategy:
+  type: {{ $pod_replacement_strategy }}
+  {{- if $pod_replacement_strategy }}
+  {{- if eq $pod_replacement_strategy "RollingUpdate" }}
+  rollingUpdate:
+    maxUnavailable: {{ .max_unavailable }}
+  {{- end }}
+  {{- end }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
new file mode 100644
index 0000000..be28cdb
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_deployment" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.deployments -}}
+revisionHistoryLimit: {{ .revision_history }}
+strategy:
+  type: {{ .pod_replacement_strategy }}
+  {{- if eq .pod_replacement_strategy "RollingUpdate" }}
+  rollingUpdate:
+    maxUnavailable: {{ .rolling_update.max_unavailable }}
+    maxSurge: {{ .rolling_update.max_surge }}
+  {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
new file mode 100644
index 0000000..f897023
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders upgradeStrategy configuration for Kubernetes statefulsets.
+  See: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+  Types:
+    - RollingUpdate (default)
+    - OnDelete
+  Partitions:
+    - Stage updates to a statefulset by keeping pods at current version while
+      allowing mutations to statefulset's .spec.template
+values: |
+  pod:
+    lifecycle:
+      upgrades:
+        statefulsets:
+          pod_replacement_strategy: RollingUpdate
+          partition: 2
+usage: |
+  {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_statefulset" | indent 2 }}
+return: |
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      partition: 2
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_statefulset" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.statefulsets -}}
+updateStrategy:
+  type: {{ .pod_replacement_strategy }}
+  {{ if .partition -}}
+  rollingUpdate:
+    partition: {{ .partition }}
+  {{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
new file mode 100644
index 0000000..fc74c6f
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
@@ -0,0 +1,68 @@
+{{- define "helm-toolkit.snippets.mon_host_from_k8s_ep" -}}
+{{/*
+
+Inserts a bash function definition mon_host_from_k8s_ep() which can be used
+to construct a mon_hosts value from the given namespaced endpoint.
+
+Usage (e.g. in _script.sh.tpl):
+    #!/bin/bash
+
+    : "${NS:=ceph}"
+    : "${EP:=ceph-mon-discovery}"
+
+    {{ include "helm-toolkit.snippets.mon_host_from_k8s_ep" . }}
+
+    MON_HOST=$(mon_host_from_k8s_ep "$NS" "$EP")
+
+    if [ -z "$MON_HOST" ]; then
+        # deal with failure
+    else
+        sed -i -e "s/^mon_host = /mon_host = $MON_HOST/" /etc/ceph/ceph.conf
+    fi
+*/}}
+{{`
+# Construct a mon_hosts value from the given namespaced endpoint
+# IP x.x.x.x with port p named "mon-msgr2" will appear as [v2:x.x.x.x/p/0]
+# IP x.x.x.x with port q named "mon" will appear as [v1:x.x.x.x/q/0]
+# IP x.x.x.x with ports p and q will appear as [v2:x.x.x.x/p/0,v1:x.x.x.x/q/0]
+# The entries for all IPs will be joined with commas
+mon_host_from_k8s_ep() {
+  local ns=$1
+  local ep=$2
+
+  if [ -z "$ns" ] || [ -z "$ep" ]; then
+    return 1
+  fi
+
+  # We don't want shell expansion for the go-template expression
+  # shellcheck disable=SC2016
+  kubectl get endpoints -n "$ns" "$ep" -o go-template='
+    {{- $sep := "" }}
+    {{- range $_,$s := .subsets }}
+      {{- $v2port := 0 }}
+      {{- $v1port := 0 }}
+      {{- range $_,$port := index $s "ports" }}
+        {{- if (eq $port.name "mon-msgr2") }}
+          {{- $v2port = $port.port }}
+        {{- else if (eq $port.name "mon") }}
+          {{- $v1port = $port.port }}
+        {{- end }}
+      {{- end }}
+      {{- range $_,$address := index $s "addresses" }}
+        {{- $v2endpoint := printf "v2:%s:%d/0" $address.ip $v2port }}
+        {{- $v1endpoint := printf "v1:%s:%d/0" $address.ip $v1port }}
+        {{- if (and $v2port $v1port) }}
+          {{- printf "%s[%s,%s]" $sep $v2endpoint $v1endpoint }}
+          {{- $sep = "," }}
+        {{- else if $v2port }}
+          {{- printf "%s[%s]" $sep $v2endpoint }}
+          {{- $sep = "," }}
+        {{- else if $v1port }}
+          {{- printf "%s[%s]" $sep $v1endpoint }}
+          {{- $sep = "," }}
+        {{- end }}
+      {{- end }}
+    {{- end }}'
+}
+`}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
new file mode 100644
index 0000000..fec41f8
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape jobs via pod
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape pods that have a value of `true`
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: Scrape the pod on the indicated port instead of the
+# pod's declared ports (default is a port-free target if none are declared).
+
+{{- define "helm-toolkit.snippets.prometheus_pod_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
new file mode 100644
index 0000000..a827c4b
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
@@ -0,0 +1,35 @@
+{{/*
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+   http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape endpoints via
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape services that have a value of `true`
+# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
+# to set this to `https` & most likely set the `tls_config` of the scrape config.
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: If the metrics are exposed on a different port to the
+# service then set this appropriately.
+
+{{- define "helm-toolkit.snippets.prometheus_service_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.scheme }}
+prometheus.io/scheme: {{ $config.scheme | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_release_uuid.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
new file mode 100644
index 0000000..253920b
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Reneders an attonation key and value for a release
+values: |
+  release_uuid: null
+usage: |
+  {{ tuple . | include "helm-toolkit.snippets.release_uuid" }}
+return: |
+  "openstackhelm.openstack.org/release_uuid": ""
+*/}}
+
+{{- define "helm-toolkit.snippets.release_uuid" -}}
+{{- $envAll := index . 0 -}}
+"openstackhelm.openstack.org/release_uuid": {{ $envAll.Values.release_uuid | default "" | quote }}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
new file mode 100644
index 0000000..a3169ce
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_admin_env_vars" }}
+{{- $s3AdminSecret := .s3AdminSecret }}
+- name: S3_ADMIN_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_USERNAME
+- name: S3_ADMIN_ACCESS_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_ACCESS_KEY
+- name: S3_ADMIN_SECRET_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_SECRET_KEY
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
new file mode 100644
index 0000000..a611a5e
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_secret_creds" }}
+{{- range $client, $config := .Values.storage.s3.clients -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+type: Opaque
+data:
+{{- range $key, $value := $config.auth }}
+  {{ $key | upper }}: {{ $value | toString | b64enc}}
+{{- end }}
+
+{{ end }}
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
new file mode 100644
index 0000000..a3dd431
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_user_env_vars" }}
+{{- range $client, $user := .Values.storage.s3.clients }}
+{{- $s3secret := printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+- name: {{ printf "%s_S3_USERNAME" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: USERNAME
+- name: {{ printf "%s_S3_ACCESS_KEY" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: ACCESS_KEY
+- name: {{ printf "%s_S3_SECRET_KEY" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: SECRET_KEY
+{{- end }}
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_tls_volume.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
new file mode 100644
index 0000000..41fe3d9
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+  Renders a secret volume for tls.
+
+  Dictionary Parameters:
+    enabled: boolean check if you want to conditional disable this snippet (optional)
+    name: name of the volume (required)
+    secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional)
+
+values: |
+  manifests:
+    certificates: true
+
+usage: |
+  {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume" -}}
+
+return: |
+  - name: glance-tls-api
+    secret:
+      secretName: glance-tls-api
+      defaultMode: 292
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $secretName := index . "secretName" | default $name -}}
+{{- if and $enabled (ne $name "") }}
+- name: {{ $name }}
+  secret:
+    secretName: {{ $secretName }}
+    defaultMode: 292
+{{- end }}
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
new file mode 100644
index 0000000..9cfa819
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
@@ -0,0 +1,82 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+  Renders a volume mount for TLS key, cert and CA.
+
+  Dictionary Parameters:
+    enabled: boolean check if you want to conditional disable this snippet (optional)
+    name: name that of the volume and should match the volume name (required)
+    path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required)
+    certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}.
+          the default is the full set. (optional)
+
+values: |
+  manifests:
+    certificates: true
+
+usage: |
+  {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/tls.crt
+    subPath: tls.crt
+    readOnly: true
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/tls.key
+    subPath: tls.key
+    readOnly: true
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/ca.crt
+    subPath: ca.crt
+    readOnly: true
+
+abstract: |
+  This mounts a specific issuing CA only for service validation
+
+usage: |
+  {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+  - name: glance-tls-api
+    mountPath: /etc/ssl/certs/openstack-helm.crt
+    subPath: ca.crt
+    readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume_mount" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $path := index . "path" | default "" -}}
+{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }}
+{{- if $enabled }}
+{{- if and (eq $path "") (ne $name "") }}
+- name: {{ $name }}
+  mountPath: "/etc/ssl/certs/openstack-helm.crt"
+  subPath: ca.crt
+  readOnly: true
+{{- else }}
+{{- if ne $name "" }}
+{{- range $key, $value := $certs }}
+- name: {{ $name }}
+  mountPath: {{ printf "%s/%s" $path $value }}
+  subPath: {{ $value }}
+  readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
new file mode 100644
index 0000000..6e9d5a1
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
@@ -0,0 +1,87 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders out configuration sections into a format suitable for incorporation
+  into a config-map. Allowing various forms of input to be rendered out as
+  appropriate.
+values: |
+  conf:
+    inputs:
+      - foo
+      - bar
+    some:
+      config_to_render: |
+        #We can use all of gotpl here: eg macros, ranges etc.
+        {{ include "helm-toolkit.utils.joinListWithComma" .Values.conf.inputs }}
+      config_to_complete:
+        #here we can fill out params, but things need to be valid yaml as input
+        '{{ .Release.Name }}': '{{ printf "%s-%s" .Release.Namespace "namespace" }}'
+      static_config:
+        #this is just passed though as yaml to the configmap
+        foo: bar
+usage: |
+  {{- $envAll := . }}
+  ---
+  apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: application-etc
+  data:
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_render "key" "config_to_render.conf") | indent 2 }}
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_complete "key" "config_to_complete.yaml") | indent 2 }}
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.static_config "key" "static_config.yaml") | indent 2 }}
+return: |
+  ---
+  apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: application-etc
+  data:
+    config_to_render.conf: |
+      #We can use all of gotpl here: eg macros, ranges etc.
+      foo,bar
+
+    config_to_complete.yaml: |
+      'RELEASE-NAME': 'default-namespace'
+
+    static_config.yaml: |
+      foo: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.values_template_renderer" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $template := index . "template" -}}
+{{- $key := index . "key" -}}
+{{- $format := index . "format" | default "configMap" -}}
+{{- with $envAll -}}
+{{- $templateRendered := tpl ( $template | toYaml ) . }}
+{{- if eq $format "Secret" }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: {{ regexReplaceAllLiteral "\n  " ( $templateRendered | trimPrefix "|\n" | trimPrefix "  " ) "\n" | b64enc }}
+{{- else }}
+{{ $key }}: {{ $templateRendered | b64enc }}
+{{- end -}}
+{{- else }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: |
+{{ regexReplaceAllLiteral "\n  " ( $templateRendered | trimPrefix "|\n" | trimPrefix "  " ) "\n" | indent 2 }}
+{{- else }}
+{{ $key }}: |
+{{ $templateRendered | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl b/charts/neutron/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
new file mode 100644
index 0000000..6d617a1
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
@@ -0,0 +1,94 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Produces a certificate from a certificate authority. If the "encode" parameter
+  is true, base64 encode the values for inclusion in a Kubernetes secret.
+values: |
+  test:
+    hosts:
+      names:
+        - barbican.openstackhelm.example
+        - barbican.openstack.svc.cluster.local
+      ips:
+        - 127.0.0.1
+        - 192.168.0.1
+    life: 3
+    # Use ca.crt and ca.key to build a customized ca, if they are provided.
+    # Use hosts.names[0] and life to auto-generate a ca, if ca is not provided.
+    ca:
+      crt: |
+        <CA CRT>
+      key: |
+        <CA PRIVATE KEY>
+usage: |
+  {{ include "helm-toolkit.utils.tls_generate_certs" (dict "params" .Values.test) }}
+return: |
+  ca: |
+    <CA CRT>
+  crt: |
+    <CRT>
+  exp: 2018-09-01T10:56:07.895392915-00:00
+  key: |
+    <CRT PRIVATE KEY>
+*/}}
+
+{{- define "helm-toolkit.utils.tls_generate_certs" -}}
+{{- $params := index . "params" -}}
+{{- $encode := index . "encode" | default false -}}
+{{- $local := dict -}}
+
+{{- $_hosts := $params.hosts.names | default list }}
+{{- if kindIs "string" $params.hosts.names }}
+{{- $_ := set $local "certHosts" (list $params.hosts.names) }}
+{{- else }}
+{{- $_ := set $local "certHosts" $_hosts }}
+{{- end }}
+
+{{- $_ips := $params.hosts.ips | default list }}
+{{- if kindIs "string" $params.hosts.ips }}
+{{- $_ := set $local "certIps" (list $params.hosts.ips) }}
+{{- else }}
+{{- $_ := set $local "certIps" $_ips }}
+{{- end }}
+
+{{- if hasKey $params "ca" }}
+{{- if and (hasKey $params.ca "crt") (hasKey $params.ca "key") }}
+{{- $ca := buildCustomCert ($params.ca.crt | b64enc ) ($params.ca.key | b64enc ) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+{{- else }}
+{{- $ca := genCA (first $local.certHosts) (int $params.life) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+
+{{- $expDate := date_in_zone "2006-01-02T15:04:05Z07:00" ( date_modify (printf "+%sh" (mul $params.life 24 |toString)) now ) "UTC" }}
+{{- $rawCert := genSignedCert (first $local.certHosts) ($local.certIps) ($local.certHosts) (int $params.life) $local.ca }}
+{{- $certificate := dict -}}
+{{- if $encode -}}
+{{- $_ := b64enc $rawCert.Cert | set $certificate "crt" -}}
+{{- $_ := b64enc $rawCert.Key | set $certificate "key" -}}
+{{- $_ := b64enc $local.ca.Cert | set $certificate "ca" -}}
+{{- $_ := b64enc $local.ca.Key | set $certificate "caKey" -}}
+{{- $_ := b64enc $expDate | set $certificate "exp" -}}
+{{- else -}}
+{{- $_ := set $certificate "crt" $rawCert.Cert -}}
+{{- $_ := set $certificate "key" $rawCert.Key -}}
+{{- $_ := set $certificate "ca" $local.ca.Cert -}}
+{{- $_ := set $certificate "caKey" $local.ca.Key -}}
+{{- $_ := set $certificate "exp" $expDate -}}
+{{- end -}}
+{{- $certificate | toYaml }}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl b/charts/neutron/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
new file mode 100644
index 0000000..e26501f
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a comma separated list of namespace:service pairs.
+values: |
+  dependencies:
+    static:
+      api:
+        services:
+          - endpoint: internal
+            service: oslo_cache
+          - endpoint: internal
+            service: oslo_db
+  endpoints:
+    oslo_db:
+      namespace: foo
+      hosts:
+        default: mariadb
+    oslo_cache:
+      namespace: bar
+      hosts:
+        default: memcache
+usage: |
+  {{ tuple .Values.dependencies.static.api.services . | include "helm-toolkit.utils.comma_joined_service_list" }}
+return: |
+  bar:memcache,foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.utils.comma_joined_service_list" -}}
+{{- $deps := index . 0 -}}
+{{- $envAll := index . 1 -}}
+{{- range $k, $v := $deps -}}{{- if $k -}},{{- end -}}{{ tuple $v.service $v.endpoint $envAll | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/utils/_configmap_templater.tpl b/charts/neutron/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
new file mode 100644
index 0000000..7095c19
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
@@ -0,0 +1,30 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.configmap_templater" }}
+{{- $keyRoot := index . 0 -}}
+{{- $configTemplate := index . 1 -}}
+{{- $context := index . 2 -}}
+{{ if $keyRoot.override -}}
+{{ $keyRoot.override | indent 4 }}
+{{- else -}}
+{{- if $keyRoot.prefix -}}
+{{ $keyRoot.prefix | indent 4 }}
+{{- end }}
+{{ tuple $configTemplate $context | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if $keyRoot.append -}}
+{{ $keyRoot.append | indent 4 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl b/charts/neutron/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
new file mode 100644
index 0000000..40359f0
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
@@ -0,0 +1,269 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.daemonset_overrides" }}
+  {{- $daemonset := index . 0 }}
+  {{- $daemonset_yaml := index . 1 }}
+  {{- $configmap_include := index . 2 }}
+  {{- $configmap_name := index . 3 }}
+  {{- $context := index . 4 }}
+  {{- $_ := unset $context ".Files" }}
+  {{- $daemonset_root_name := printf (print $context.Chart.Name "_" $daemonset) }}
+  {{- $_ := set $context.Values "__daemonset_list" list }}
+  {{- $_ := set $context.Values "__default" dict }}
+  {{- if hasKey $context.Values.conf "overrides" }}
+    {{- range $key, $val := $context.Values.conf.overrides }}
+
+      {{- if eq $key $daemonset_root_name }}
+        {{- range $type, $type_data := . }}
+
+          {{- if eq $type "hosts" }}
+            {{- range $host_data := . }}
+              {{/* dictionary that will contain all info needed to generate this
+              iteration of the daemonset */}}
+              {{- $current_dict := dict }}
+
+              {{/* set daemonset name */}}
+              {{/* Note: long hostnames can cause the 63 char name limit to be
+              exceeded. Truncate the hostname if hostname > 20 char */}}
+              {{- if gt (len $host_data.name) 20 }}
+                {{- $_ := set $current_dict "name" (substr 0 20 $host_data.name) }}
+              {{- else }}
+                {{- $_ := set $current_dict "name" $host_data.name }}
+              {{- end }}
+
+              {{/* apply overrides */}}
+              {{- $override_conf_copy := $host_data.conf }}
+              {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+              {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+              {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+              {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+              {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+              {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+              {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+              {{- $_ := set $current_dict "nodeData" $root_conf_copy4 }}
+
+              {{/* Schedule to this host explicitly. */}}
+              {{- $nodeSelector_dict := dict }}
+
+              {{- $_ := set $nodeSelector_dict "key" "kubernetes.io/hostname" }}
+              {{- $_ := set $nodeSelector_dict "operator" "In" }}
+
+              {{- $values_list := list $host_data.name }}
+              {{- $_ := set $nodeSelector_dict "values" $values_list }}
+
+              {{- $list_aggregate := list $nodeSelector_dict }}
+              {{- $_ := set $current_dict "matchExpressions" $list_aggregate }}
+
+              {{/* store completed daemonset entry/info into global list */}}
+              {{- $list_aggregate := append $context.Values.__daemonset_list $current_dict }}
+              {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+            {{- end }}
+          {{- end }}
+
+          {{- if eq $type "labels" }}
+            {{- $_ := set $context.Values "__label_list" . }}
+            {{- range $label_data := . }}
+              {{/* dictionary that will contain all info needed to generate this
+              iteration of the daemonset. */}}
+              {{- $_ := set $context.Values "__current_label" dict }}
+
+              {{/* set daemonset name */}}
+              {{- $_ := set $context.Values.__current_label "name" $label_data.label.key }}
+
+              {{/* apply overrides */}}
+              {{- $override_conf_copy := $label_data.conf }}
+              {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+              {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+              {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+              {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+              {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+              {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+              {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+              {{- $_ := set $context.Values.__current_label "nodeData" $root_conf_copy4 }}
+
+              {{/* Schedule to the provided label value(s) */}}
+              {{- $label_dict := omit $label_data.label "NULL" }}
+              {{- $_ := set $label_dict "operator" "In" }}
+              {{- $list_aggregate := list $label_dict }}
+              {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+
+              {{/* Do not schedule to other specified labels, with higher
+              precedence as the list position increases. Last defined label
+              is highest priority. */}}
+              {{- $other_labels := without $context.Values.__label_list $label_data }}
+              {{- range $label_data2 := $other_labels }}
+                {{- $label_dict := omit $label_data2.label "NULL" }}
+
+                {{- $_ := set $label_dict "operator" "NotIn" }}
+
+                {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+                {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+              {{- end }}
+              {{- $_ := set $context.Values "__label_list" $other_labels }}
+
+              {{/* Do not schedule to any other specified hosts */}}
+              {{- range $type, $type_data := $val }}
+                {{- if eq $type "hosts" }}
+                  {{- range $host_data := . }}
+                    {{- $label_dict := dict }}
+
+                    {{- $_ := set $label_dict "key" "kubernetes.io/hostname" }}
+                    {{- $_ := set $label_dict "operator" "NotIn" }}
+
+                    {{- $values_list := list $host_data.name }}
+                    {{- $_ := set $label_dict "values" $values_list }}
+
+                    {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+                    {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+                  {{- end }}
+                {{- end }}
+              {{- end }}
+
+              {{/* store completed daemonset entry/info into global list */}}
+              {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__current_label }}
+              {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+              {{- $_ := unset $context.Values "__current_label" }}
+
+            {{- end }}
+          {{- end }}
+        {{- end }}
+
+        {{/* scheduler exceptions for the default daemonset */}}
+        {{- $_ := set $context.Values.__default "matchExpressions" list }}
+
+        {{- range $type, $type_data := . }}
+          {{/* Do not schedule to other specified labels */}}
+          {{- if eq $type "labels" }}
+            {{- range $label_data := . }}
+              {{- $default_dict := omit $label_data.label "NULL" }}
+
+              {{- $_ := set $default_dict "operator" "NotIn" }}
+
+              {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+              {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+            {{- end }}
+          {{- end }}
+          {{/* Do not schedule to other specified hosts */}}
+          {{- if eq $type "hosts" }}
+            {{- range $host_data := . }}
+              {{- $default_dict := dict }}
+
+              {{- $_ := set $default_dict "key" "kubernetes.io/hostname" }}
+              {{- $_ := set $default_dict "operator" "NotIn" }}
+
+              {{- $values_list := list $host_data.name }}
+              {{- $_ := set $default_dict "values" $values_list }}
+
+              {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+              {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+            {{- end }}
+          {{- end }}
+        {{- end }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+
+  {{/* generate the default daemonset */}}
+
+  {{/* set name */}}
+  {{- $_ := set $context.Values.__default "name" "default" }}
+
+  {{/* no overrides apply, so copy as-is */}}
+  {{- $root_conf_copy1 := omit $context.Values.conf "overrides" }}
+  {{- $root_conf_copy2 := dict "conf" $root_conf_copy1 }}
+  {{- $context_values := omit $context.Values "conf" }}
+  {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+  {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+  {{- $_ := set $context.Values.__default "nodeData" $root_conf_copy4 }}
+
+  {{/* add to global list */}}
+  {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__default }}
+  {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+  {{- range $current_dict := $context.Values.__daemonset_list }}
+
+    {{- $context_novalues := omit $context "Values" }}
+    {{- $merged_dict := mergeOverwrite $context_novalues $current_dict.nodeData }}
+    {{- $_ := set $current_dict "nodeData" $merged_dict }}
+    {{/* Deep copy original daemonset_yaml */}}
+    {{- $_ := set $context.Values "__daemonset_yaml" ($daemonset_yaml | toYaml | fromYaml) }}
+
+    {{/* name needs to be a DNS-1123 compliant name. Ensure lower case */}}
+    {{- $name_format1 := printf (print $daemonset_root_name "-" $current_dict.name) | lower }}
+    {{/* labels may contain underscores which would be invalid here, so we replace them with dashes
+    there may be other valid label names which would make for an invalid DNS-1123 name
+    but these will be easier to handle in future with sprig regex* functions
+    (not availabile in helm 2.5.1) */}}
+    {{- $name_format2 := $name_format1 | replace "_" "-" }}
+    {{/* To account for the case where the same label is defined multiple times in overrides
+    (but with different label values), we add a sha of the scheduling data to ensure
+    name uniqueness */}}
+    {{- $_ := set $current_dict "dns_1123_name" dict }}
+    {{- if hasKey $current_dict "matchExpressions" }}
+      {{- $_ := set $current_dict "dns_1123_name" (printf (print $name_format2 "-" ($current_dict.matchExpressions | quote | sha256sum | trunc 8))) }}
+    {{- else }}
+      {{- $_ := set $current_dict "dns_1123_name" $name_format2 }}
+    {{- end }}
+
+    {{/* set daemonset metadata name */}}
+    {{- if not $context.Values.__daemonset_yaml.metadata }}{{- $_ := set $context.Values.__daemonset_yaml "metadata" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }}
+    {{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }}
+
+    {{/* cross-reference configmap name to container volume definitions */}}
+    {{- $_ := set $context.Values "__volume_list" list }}
+    {{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }}
+      {{- $_ := set $context.Values "__volume" $current_volume }}
+      {{- if hasKey $context.Values.__volume "secret" }}
+        {{- if eq $context.Values.__volume.secret.secretName $configmap_name }}
+          {{- $_ := set $context.Values.__volume.secret "secretName" $current_dict.dns_1123_name }}
+        {{- end }}
+      {{- end }}
+      {{- $updated_list := append $context.Values.__volume_list $context.Values.__volume }}
+      {{- $_ := set $context.Values "__volume_list" $updated_list }}
+    {{- end }}
+    {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "volumes" $context.Values.__volume_list }}
+
+
+    {{/* populate scheduling restrictions */}}
+    {{- if hasKey $current_dict "matchExpressions" }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "spec" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "affinity" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity "nodeAffinity" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity "requiredDuringSchedulingIgnoredDuringExecution" dict }}{{- end }}
+      {{- $match_exprs := dict }}
+      {{- $_ := set $match_exprs "matchExpressions" $current_dict.matchExpressions }}
+      {{- $appended_match_expr := list $match_exprs }}
+      {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution "nodeSelectorTerms" $appended_match_expr }}
+    {{- end }}
+
+    {{/* input value hash for current set of values overrides */}}
+    {{- if not $context.Values.__daemonset_yaml.spec }}{{- $_ := set $context.Values.__daemonset_yaml "spec" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template }}{{- $_ := set $context.Values.__daemonset_yaml.spec "template" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template.metadata }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "metadata" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template.metadata.annotations }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata "annotations" dict }}{{- end }}
+    {{- $cmap := list $current_dict.dns_1123_name $current_dict.nodeData | include $configmap_include }}
+    {{- $values_hash := $cmap | quote | sha256sum }}
+    {{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata.annotations "configmap-etc-hash" $values_hash }}
+
+    {{/* generate configmap */}}
+---
+{{ $cmap }}
+    {{/* generate daemonset yaml */}}
+---
+{{ $context.Values.__daemonset_yaml | toYaml }}
+  {{- end }}
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl b/charts/neutron/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
new file mode 100644
index 0000000..b99c00d
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.dependency_resolver" }}
+{{- $envAll := index . "envAll" -}}
+{{- $dependencyMixinParam := index . "dependencyMixinParam" -}}
+{{- $dependencyKey := index . "dependencyKey" -}}
+{{- if $dependencyMixinParam -}}
+{{- $_ := set $envAll.Values "pod_dependency" dict -}}
+{{- if kindIs "string" $dependencyMixinParam }}
+{{- if ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam ) }}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency ( index $envAll.Values.dependencies.static $dependencyKey ) ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam $dependencyKey ) ) -}}
+{{- else }}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- end }}
+{{- else if kindIs "slice" $dependencyMixinParam }}
+{{- $_ := set $envAll.Values "__deps" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- range $k, $v := $dependencyMixinParam -}}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency $envAll.Values.__deps ( index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey ) ) -}}
+{{- $_ := set $envAll.Values "__deps" $envAll.Values.pod_dependency -}}
+{{- end }}
+{{- end }}
+{{- else -}}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) -}}
+{{- end -}}
+{{ $envAll.Values.pod_dependency | toYaml }}
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/utils/_hash.tpl b/charts/neutron/charts/helm-toolkit/templates/utils/_hash.tpl
new file mode 100644
index 0000000..d871b62
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/utils/_hash.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.hash" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{- include $wtf $context | sha256sum | quote -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/utils/_host_list.tpl b/charts/neutron/charts/helm-toolkit/templates/utils/_host_list.tpl
new file mode 100644
index 0000000..0c32136
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/utils/_host_list.tpl
@@ -0,0 +1,44 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a list of unique hosts for an endpoint, in yaml.
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: mariadb
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.utils.host_list" }}
+return: |
+  hosts:
+  - mariadb
+  - mariadb.default
+*/}}
+
+{{- define "helm-toolkit.utils.host_list" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $host_fqdn := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $host_namespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $host_short := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{/* It is important that the FQDN host is 1st in this list, to ensure other function can use the 1st element for cert gen CN etc */}}
+{{- $host_list := list $host_fqdn $host_namespaced $host_short | uniq }}
+{{- dict "hosts" $host_list | toYaml }}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/utils/_image_sync_list.tpl b/charts/neutron/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
new file mode 100644
index 0000000..51923b6
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.image_sync_list" -}}
+{{- $imageExcludeList := .Values.images.local_registry.exclude -}}
+{{- $imageDict := .Values.images.tags -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := $imageDict -}}
+{{- if not $local.first -}},{{- end -}}
+{{- if (not (has $k $imageExcludeList )) -}}
+{{- index $imageDict $k -}}
+{{- $_ := set $local "first" false -}}
+{{- end -}}{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl b/charts/neutron/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
new file mode 100644
index 0000000..5eb5785
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a comma separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithComma" .Values.test }}
+return: |
+  foo,bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithComma" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl b/charts/neutron/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
new file mode 100644
index 0000000..3bc6819
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a comma seperated string with single quotes
+  around each value.
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.test }}
+return: |
+  'foo','bar'
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}'{{- $v -}}'{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl b/charts/neutron/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
new file mode 100644
index 0000000..40ebb15
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
@@ -0,0 +1,32 @@
+{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of prefixed values into a space separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ tuple "prefix" .Values.test | include "helm-toolkit.utils.joinListWithPrefix" }}
+return: |
+  prefixfoo prefixbar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithPrefix" -}}
+{{- $prefix := index . 0 -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := index . 1 -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $prefix -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl b/charts/neutron/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
new file mode 100644
index 0000000..5912280
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a space separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithSpace" .Values.test }}
+return: |
+  foo bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithSpace" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/utils/_merge.tpl b/charts/neutron/charts/helm-toolkit/templates/utils/_merge.tpl
new file mode 100644
index 0000000..ea80546
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/utils/_merge.tpl
@@ -0,0 +1,135 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Takes a tuple of values and merges into the first (target) one each subsequent
+(source) one in order. If all values to merge are maps, then the tuple can be
+passed as is and the target will be the result, otherwise pass a map with a
+"values" key containing the tuple of values to merge, and the merge result will
+be assigned to the "result" key of the passed map.
+
+When merging maps, for each key in the source, if the target does not define
+that key, the source value is assigned. If both define the key, then the key
+values are merged using this algorithm (recursively) and the result is assigned
+to the target key. Slices are merged by appending them and removing any
+duplicates, and when passing a map to this function and including a
+"merge_same_named" key set to true, then map items from the slices with the same
+value for the "name" key will be merged with each other. Any other values are
+merged by simply keeping the source, and throwing away the target.
+*/}}
+
+{{- define "helm-toolkit.utils.merge" -}}
+  {{- $local := dict -}}
+  {{- $_ := set $local "merge_same_named" false -}}
+  {{- if kindIs "map" $ -}}
+    {{- $_ := set $local "values" $.values -}}
+    {{- if hasKey $ "merge_same_named" -}}
+      {{- $_ := set $local "merge_same_named" $.merge_same_named -}}
+    {{- end -}}
+  {{- else -}}
+    {{- $_ := set $local "values" $ -}}
+  {{- end -}}
+
+  {{- $target := first $local.values -}}
+  {{- range $item := rest $local.values -}}
+    {{- $call := dict "target" $target "source" . "merge_same_named" $local.merge_same_named -}}
+    {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+    {{- $_ := set $local "result" $call.result -}}
+  {{- end -}}
+
+  {{- if kindIs "map" $ -}}
+    {{- $_ := set $ "result" $local.result -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge" -}}
+  {{- $local := dict -}}
+
+  {{- $_ := set $ "result" $.source -}}
+
+  {{/*
+  TODO: Should we `fail` when trying to merge a collection (map or slice) with
+  either a different kind of collection or a scalar?
+  */}}
+
+  {{- if and (kindIs "map" $.target) (kindIs "map" $.source) -}}
+    {{- range $key, $sourceValue := $.source -}}
+      {{- if not (hasKey $.target $key) -}}
+        {{- $_ := set $local "newTargetValue" $sourceValue -}}
+        {{- if kindIs "map" $sourceValue -}}
+          {{- $copy := dict -}}
+          {{- $call := dict "target" $copy "source" $sourceValue -}}
+          {{- $_ := include "helm-toolkit.utils._merge.shallow" $call -}}
+          {{- $_ := set $local "newTargetValue" $copy -}}
+        {{- end -}}
+      {{- else -}}
+        {{- $targetValue := index $.target $key -}}
+        {{- $call := dict "target" $targetValue "source" $sourceValue "merge_same_named" $.merge_same_named -}}
+        {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+        {{- $_ := set $local "newTargetValue" $call.result -}}
+      {{- end -}}
+      {{- $_ := set $.target $key $local.newTargetValue -}}
+    {{- end -}}
+    {{- $_ := set $ "result" $.target -}}
+  {{- else if and (kindIs "slice" $.target) (kindIs "slice" $.source) -}}
+    {{- $call := dict "target" $.target "source" $.source -}}
+    {{- $_ := include "helm-toolkit.utils._merge.append_slice" $call -}}
+    {{- if $.merge_same_named -}}
+      {{- $_ := set $local "result" list -}}
+      {{- $_ := set $local "named_items" dict -}}
+      {{- range $item := $call.result -}}
+      {{- $_ := set $local "has_name_key" false -}}
+        {{- if kindIs "map" $item -}}
+          {{- if hasKey $item "name" -}}
+            {{- $_ := set $local "has_name_key" true -}}
+          {{- end -}}
+        {{- end -}}
+
+        {{- if $local.has_name_key -}}
+          {{- if hasKey $local.named_items $item.name -}}
+            {{- $named_item := index $local.named_items $item.name -}}
+            {{- $call := dict "target" $named_item "source" $item "merge_same_named" $.merge_same_named -}}
+            {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+          {{- else -}}
+            {{- $copy := dict -}}
+            {{- $copy_call := dict "target" $copy "source" $item -}}
+            {{- $_ := include "helm-toolkit.utils._merge.shallow" $copy_call -}}
+            {{- $_ := set $local.named_items $item.name $copy -}}
+            {{- $_ := set $local "result" (append $local.result $copy) -}}
+          {{- end -}}
+        {{- else -}}
+          {{- $_ := set $local "result" (append $local.result $item) -}}
+        {{- end -}}
+      {{- end -}}
+    {{- else -}}
+      {{- $_ := set $local "result" $call.result -}}
+    {{- end -}}
+    {{- $_ := set $ "result" (uniq $local.result) -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.shallow" -}}
+  {{- range $key, $value := $.source -}}
+    {{- $_ := set $.target $key $value -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.append_slice" -}}
+  {{- $local := dict -}}
+  {{- $_ := set $local "result" $.target -}}
+  {{- range $value := $.source -}}
+    {{- $_ := set $local "result" (append $local.result $value) -}}
+  {{- end -}}
+  {{- $_ := set $ "result" $local.result -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/utils/_template.tpl b/charts/neutron/charts/helm-toolkit/templates/utils/_template.tpl
new file mode 100644
index 0000000..da56aa0
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/utils/_template.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.template" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{ include $wtf $context }}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/utils/_to_ini.tpl b/charts/neutron/charts/helm-toolkit/templates/utils/_to_ini.tpl
new file mode 100644
index 0000000..a159364
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/utils/_to_ini.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns INI formatted output from yaml input
+values: |
+  conf:
+    paste:
+      filter:debug:
+        use: egg:oslo.middleware#debug
+      filter:request_id:
+        use: egg:oslo.middleware#request_id
+      filter:build_auth_context:
+        use: egg:keystone#build_auth_context
+usage: |
+  {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste }}
+return: |
+  [filter:build_auth_context]
+  use = egg:keystone#build_auth_context
+  [filter:debug]
+  use = egg:oslo.middleware#debug
+  [filter:request_id]
+  use = egg:oslo.middleware#request_id
+*/}}
+
+{{- define "helm-toolkit.utils.to_ini" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{else -}}
+{{ $key }} = {{ $value }}
+{{end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl b/charts/neutron/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
new file mode 100644
index 0000000..885a86c
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns yaml formatted to be used in k8s templates as container
+  env vars injected via secrets. This requires a secret-<chartname> template to
+  be defined in the chart that can be used to house the desired secret
+  variables. For reference, see the fluentd chart.
+values: |
+  test:
+    secrets:
+      foo: bar
+
+usage: |
+  {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+  - name: foo
+    valueFrom:
+      secretKeyRef:
+        name: "my-release-name-env-secret"
+        key: foo
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_secret_vars" -}}
+{{- $context := index . 0 -}}
+{{- $secrets := index . 1 -}}
+{{ range $key, $config := $secrets -}}
+- name: {{ $key }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ printf "%s-%s" $context.Release.Name "env-secret" | quote }}
+      key: {{ $key }}
+{{ end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl b/charts/neutron/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
new file mode 100644
index 0000000..829dca6
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
@@ -0,0 +1,39 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns key value pair formatted to be used in k8s templates as container
+  env vars.
+values: |
+  test:
+    foo: bar
+usage: |
+  {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+  - name: foo
+    value: "bar"
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_vars" -}}
+{{range $key, $value := . -}}
+{{- if kindIs "slice" $value -}}
+- name: {{ $key }}
+  value: {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{else -}}
+- name: {{ $key }}
+  value: {{ $value | quote }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/utils/_to_kv_list.tpl b/charts/neutron/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
new file mode 100644
index 0000000..91bdeb6
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
@@ -0,0 +1,42 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns key value pair in INI format (key = value)
+values: |
+  conf:
+    libvirt:
+      log_level: 3
+usage: |
+  {{ include "helm-toolkit.utils.to_kv_list" .Values.conf.libvirt }}
+return: |
+  log_level = 3
+*/}}
+
+{{- define "helm-toolkit.utils.to_kv_list" -}}
+{{- range $key, $value :=  . -}}
+{{- if kindIs "slice" $value }}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{- else if kindIs "string" $value }}
+{{- if regexMatch "^[0-9]+$" $value }}
+{{ $key }} = {{ $value }}
+{{- else }}
+{{ $key }} = {{ $value | quote }}
+{{- end }}
+{{- else }}
+{{ $key }} = {{ $value }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl b/charts/neutron/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
new file mode 100644
index 0000000..622a862
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns OSLO.conf formatted output from yaml input
+values: |
+  conf:
+    keystone:
+      DEFAULT: # Keys at this level are used for section headings
+        max_token_size: 255
+      oslo_messaging_notifications:
+        driver: # An example of a multistring option's syntax
+          type: multistring
+          values:
+            - messagingv2
+            - log
+      oslo_messaging_notifications_stein:
+        driver: # An example of a csv option's syntax
+          type: csv
+          values:
+            - messagingv2
+            - log
+      security_compliance:
+        password_expires_ignore_user_ids:
+        # Values in a list will be converted to a comma separated key
+          - "123"
+          - "456"
+usage: |
+  {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.keystone }}
+return: |
+  [DEFAULT]
+  max_token_size = 255
+  [oslo_messaging_notifications]
+  driver = messagingv2
+  driver = log
+  [oslo_messaging_notifications_stein]
+  driver = messagingv2,log
+  [security_compliance]
+  password_expires_ignore_user_ids = 123,456
+*/}}
+
+{{- define "helm-toolkit.utils.to_oslo_conf" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{ range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{ else if kindIs "map" $value -}}
+{{- if eq $value.type "multistring" }}
+{{- range $k, $multistringValue := $value.values -}}
+{{ $key }} = {{ $multistringValue }}
+{{ end -}}
+{{ else if eq $value.type "csv" -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value.values }}
+{{ end -}}
+{{- else -}}
+{{ $key }} = {{ $value }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/values.yaml b/charts/neutron/charts/helm-toolkit/values.yaml
new file mode 100644
index 0000000..681a92b
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/values.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for utils.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
diff --git a/charts/neutron/requirements.lock b/charts/neutron/requirements.lock
new file mode 100644
index 0000000..46a4863
--- /dev/null
+++ b/charts/neutron/requirements.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: helm-toolkit
+  repository: file://../../openstack-helm-infra/helm-toolkit
+  version: 0.2.50
+digest: sha256:67fc0fd70898d60cddd5c634b632205a7716bfeb21e57adaeda464efbcfa2ce3
+generated: "2023-01-13T22:23:11.317665226Z"
diff --git a/charts/neutron/requirements.yaml b/charts/neutron/requirements.yaml
new file mode 100644
index 0000000..4124d01
--- /dev/null
+++ b/charts/neutron/requirements.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+  - name: helm-toolkit
+    repository: file://../../openstack-helm-infra/helm-toolkit
+    version: ">= 0.1.0"
diff --git a/charts/neutron/templates/bin/_bootstrap.sh.tpl b/charts/neutron/templates/bin/_bootstrap.sh.tpl
new file mode 100644
index 0000000..6452d0a
--- /dev/null
+++ b/charts/neutron/templates/bin/_bootstrap.sh.tpl
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+{{ .Values.bootstrap.script | default "echo 'Not Enabled'" }}
diff --git a/charts/neutron/templates/bin/_db-sync.sh.tpl b/charts/neutron/templates/bin/_db-sync.sh.tpl
new file mode 100644
index 0000000..58edecf
--- /dev/null
+++ b/charts/neutron/templates/bin/_db-sync.sh.tpl
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+neutron-db-manage \
+  --config-file /etc/neutron/neutron.conf \
+{{- if ( has "tungstenfabric" .Values.network.backend ) }}
+  --config-file /etc/neutron/plugins/tungstenfabric/tf_plugin.ini \
+{{- else }}
+  --config-file /etc/neutron/plugins/ml2/ml2_conf.ini \
+{{- end }}
+  upgrade head
+
+{{- if .Values.conf.plugins.taas.taas.enabled }}
+neutron-db-manage \
+  --config-file /etc/neutron/neutron.conf \
+  --config-file /etc/neutron/plugins/ml2/ml2_conf.ini \
+  --subproject tap-as-a-service \
+  upgrade head
+{{- end }}
diff --git a/charts/neutron/templates/bin/_health-probe.py.tpl b/charts/neutron/templates/bin/_health-probe.py.tpl
new file mode 100644
index 0000000..1ba4107
--- /dev/null
+++ b/charts/neutron/templates/bin/_health-probe.py.tpl
@@ -0,0 +1,334 @@
+#!/usr/bin/env python
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+"""
+Health probe script for OpenStack agents that uses RPC/unix domain socket for
+communication. Sends message to agent through rpc call method and expects a
+reply. It is expected to receive a failure from the agent's RPC server as the
+method does not exist.
+
+Script returns failure to Kubernetes only when
+  a. agent is not reachable or
+  b. agent times out sending a reply.
+
+sys.stderr.write() writes to pod's events on failures.
+
+Usage example for Neutron L3 agent:
+# python health-probe.py --config-file /etc/neutron/neutron.conf \
+#  --config-file /etc/neutron/l3_agent.ini --agent-queue-name l3_agent
+
+Usage example for Neutron metadata agent:
+# python health-probe.py --config-file /etc/neutron/neutron.conf \
+#  --config-file /etc/neutron/metadata_agent.ini
+"""
+
+import httplib2
+from http import client as httplib
+import json
+import os
+import psutil
+import signal
+import socket
+import sys
+
+from oslo_config import cfg
+from oslo_context import context
+from oslo_log import log
+import oslo_messaging
+
+rpc_timeout = int(os.getenv('RPC_PROBE_TIMEOUT', '60'))
+rpc_retries = int(os.getenv('RPC_PROBE_RETRIES', '2'))
+rabbit_port = 5672
+tcp_established = "ESTABLISHED"
+log.logging.basicConfig(level=log.{{ .Values.health_probe.logging.level }})
+
+
+def _get_hostname(use_fqdn):
+    if use_fqdn:
+        return socket.getfqdn()
+    return socket.gethostname()
+
+def check_agent_status(transport):
+    """Verify agent status. Return success if agent consumes message"""
+    try:
+        use_fqdn = cfg.CONF.use_fqdn
+        target = oslo_messaging.Target(
+            topic=cfg.CONF.agent_queue_name,
+            server=_get_hostname(use_fqdn))
+        client = oslo_messaging.RPCClient(transport, target,
+                                          timeout=rpc_timeout,
+                                          retry=rpc_retries)
+        client.call(context.RequestContext(),
+                    'pod_health_probe_method_ignore_errors')
+    except oslo_messaging.exceptions.MessageDeliveryFailure:
+        # Log to pod events
+        sys.stderr.write("Health probe unable to reach message bus")
+        sys.exit(0)  # return success
+    except oslo_messaging.rpc.client.RemoteError as re:
+        message = getattr(re, "message", str(re))
+        if ("Endpoint does not support RPC method" in message) or \
+                ("Endpoint does not support RPC version" in message):
+            sys.exit(0)  # Call reached the agent
+        else:
+            sys.stderr.write("Health probe unable to reach agent")
+            sys.exit(1)  # return failure
+    except oslo_messaging.exceptions.MessagingTimeout:
+        sys.stderr.write("Health probe timed out. Agent is down or response "
+                         "timed out")
+        sys.exit(1)  # return failure
+    except Exception as ex:
+        message = getattr(ex, "message", str(ex))
+        sys.stderr.write("Health probe caught exception sending message to "
+                         "agent: %s" % message)
+        sys.exit(0)
+    except:
+        sys.stderr.write("Health probe caught exception sending message to"
+                         " agent")
+        sys.exit(0)
+
+
+def sriov_readiness_check():
+    """Checks the sriov configuration on the sriov nic's"""
+    return_status = 1
+    with open('/etc/neutron/plugins/ml2/sriov_agent.ini') as nic:
+        for phy in nic:
+            if "physical_device_mappings" in phy:
+                phy_dev = phy.split('=', 1)[1]
+                phy_dev1 = phy_dev.rstrip().split(',')
+                if not phy_dev1:
+                    sys.stderr.write("No Physical devices"
+                                     " configured as SRIOV NICs")
+                    sys.exit(1)
+                for intf in phy_dev1:
+                    phy, dev = intf.split(':')
+                    try:
+                        with open('/sys/class/net/%s/device/'
+                                  'sriov_numvfs' % dev) as f:
+                            for line in f:
+                                numvfs = line.rstrip('\n')
+                                if numvfs:
+                                    return_status = 0
+                    except IOError:
+                        sys.stderr.write("IOError:No sriov_numvfs config file")
+    sys.exit(return_status)
+
+
+def get_rabbitmq_ports():
+    "Get RabbitMQ ports"
+
+    rabbitmq_ports = set()
+
+    try:
+        transport_url = oslo_messaging.TransportURL.parse(cfg.CONF)
+        for host in transport_url.hosts:
+            rabbitmq_ports.add(host.port)
+    except Exception as ex:
+        message = getattr(ex, "message", str(ex))
+        sys.stderr.write("Health probe caught exception reading "
+                         "RabbitMQ ports: %s" % message)
+        sys.exit(0)  # return success
+
+    return rabbitmq_ports
+
+
+def tcp_socket_state_check(agentq):
+    """Check if the tcp socket to rabbitmq is in Established state"""
+    rabbit_sock_count = 0
+    parentId = 0
+    if agentq == "l3_agent":
+        proc = "neutron-l3-agen"
+    elif agentq == "dhcp_agent":
+        proc = "neutron-dhcp-ag"
+    elif agentq == "q-agent-notifier-tunnel-update":
+        proc = "neutron-openvsw"
+    else:
+        proc = "neutron-metadat"
+
+    rabbitmq_ports = get_rabbitmq_ports()
+
+    for p in psutil.process_iter():
+        try:
+            with p.oneshot():
+                if proc in " ".join(p.cmdline()):
+                    if parentId == 0:
+                        parentId = p.pid
+                    else:
+                        if p.ppid() == parentId:
+                            continue
+                    pcon = p.connections()
+                    for con in pcon:
+                        try:
+                            port = con.raddr[1]
+                            status = con.status
+                        except IndexError:
+                            continue
+                        if port in rabbitmq_ports and\
+                                status == tcp_established:
+                            rabbit_sock_count = rabbit_sock_count + 1
+        except psutil.Error:
+            continue
+
+    if rabbit_sock_count == 0:
+        sys.stderr.write("RabbitMQ sockets not Established")
+        # Do not kill the pod if RabbitMQ is not reachable/down
+        if not cfg.CONF.liveness_probe:
+            sys.exit(1)
+
+
+class UnixDomainHTTPConnection(httplib.HTTPConnection):
+    """Connection class for HTTP over UNIX domain socket."""
+
+    def __init__(self, host, port=None, strict=None, timeout=None,
+                 proxy_info=None):
+        httplib.HTTPConnection.__init__(self, host, port, strict)
+        self.timeout = timeout
+        self.socket_path = cfg.CONF.metadata_proxy_socket
+
+    def connect(self):
+        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+        if self.timeout:
+            self.sock.settimeout(self.timeout)
+        self.sock.connect(self.socket_path)
+
+
+def test_socket_liveness():
+    """Test if agent can respond to message over the socket"""
+    cfg.CONF.register_cli_opt(cfg.BoolOpt('liveness-probe', default=False,
+                                          required=False))
+    cfg.CONF.register_cli_opt(cfg.BoolOpt('use-fqdn', default=False,
+                                          required=False))
+    cfg.CONF(sys.argv[1:])
+
+    agentq = "metadata_agent"
+    tcp_socket_state_check(agentq)
+
+    try:
+        metadata_proxy_socket = cfg.CONF.metadata_proxy_socket
+    except cfg.NoSuchOptError:
+        cfg.CONF.register_opt(cfg.StrOpt(
+            'metadata_proxy_socket',
+            default='/var/lib/neutron/openstack-helm/metadata_proxy'))
+
+    headers = {'X-Forwarded-For': '169.254.169.254',
+               'X-Neutron-Router-ID': 'pod-health-probe-check-ignore-errors'}
+
+    h = httplib2.Http(timeout=30)
+
+    try:
+        resp, content = h.request(
+            'http://169.254.169.254',
+            method='GET',
+            headers=headers,
+            connection_type=UnixDomainHTTPConnection)
+    except socket.error as se:
+        msg = "Socket error: Health probe failed to connect to " \
+              "Neutron Metadata agent: "
+        if se.strerror:
+            sys.stderr.write(msg + se.strerror)
+        elif getattr(se, "message", False):
+            sys.stderr.write(msg + se.message)
+        sys.exit(1)  # return failure
+    except Exception as ex:
+        message = getattr(ex, "message", str(ex))
+        sys.stderr.write("Health probe caught exception sending message to "
+                         "Neutron Metadata agent: %s" % message)
+        sys.exit(0)  # return success
+
+    if resp.status >= 500:  # Probe expects HTTP error code 404
+        msg = "Health probe failed: Neutron Metadata agent failed to" \
+              " process request: "
+        sys.stderr.write(msg + str(resp.__dict__))
+        sys.exit(1)  # return failure
+
+
+def test_rpc_liveness():
+    """Test if agent can consume message from queue"""
+    oslo_messaging.set_transport_defaults(control_exchange='neutron')
+
+    rabbit_group = cfg.OptGroup(name='oslo_messaging_rabbit',
+                                title='RabbitMQ options')
+    cfg.CONF.register_group(rabbit_group)
+    cfg.CONF.register_cli_opt(cfg.StrOpt('agent-queue-name'))
+    cfg.CONF.register_cli_opt(cfg.BoolOpt('liveness-probe', default=False,
+                                          required=False))
+    cfg.CONF.register_cli_opt(cfg.BoolOpt('use-fqdn', default=False,
+                                          required=False))
+
+    cfg.CONF(sys.argv[1:])
+
+    try:
+        transport = oslo_messaging.get_transport(cfg.CONF)
+    except Exception as ex:
+        message = getattr(ex, "message", str(ex))
+        sys.stderr.write("Message bus driver load error: %s" % message)
+        sys.exit(0)  # return success
+
+    if not cfg.CONF.transport_url or \
+            not cfg.CONF.agent_queue_name:
+        sys.stderr.write("Both message bus URL and agent queue name are "
+                         "required for Health probe to work")
+        sys.exit(0)  # return success
+
+    try:
+        cfg.CONF.set_override('rabbit_max_retries', 2,
+                              group=rabbit_group)  # 3 attempts
+    except cfg.NoSuchOptError as ex:
+        cfg.CONF.register_opt(cfg.IntOpt('rabbit_max_retries', default=2),
+                              group=rabbit_group)
+
+    agentq = cfg.CONF.agent_queue_name
+    tcp_socket_state_check(agentq)
+
+    check_agent_status(transport)
+
+def check_pid_running(pid):
+    if psutil.pid_exists(int(pid)):
+       return True
+    else:
+       return False
+
+if __name__ == "__main__":
+
+    if "liveness-probe" in ','.join(sys.argv):
+        pidfile = "/tmp/liveness.pid"  #nosec
+    else:
+        pidfile = "/tmp/readiness.pid"  #nosec
+    data = {}
+    if os.path.isfile(pidfile):
+        with open(pidfile,'r') as f:
+            data = json.load(f)
+        if check_pid_running(data['pid']):
+            if data['exit_count'] > 1:
+                # Third time in, kill the previous process
+                os.kill(int(data['pid']), signal.SIGTERM)
+            else:
+                data['exit_count'] = data['exit_count'] + 1
+                with open(pidfile, 'w') as f:
+                    json.dump(data, f)
+                sys.exit(0)
+    data['pid'] = os.getpid()
+    data['exit_count'] = 0
+    with open(pidfile, 'w') as f:
+        json.dump(data, f)
+
+    if "sriov_agent.ini" in ','.join(sys.argv):
+        sriov_readiness_check()
+    elif "metadata_agent.ini" not in ','.join(sys.argv):
+        test_rpc_liveness()
+    else:
+        test_socket_liveness()
+
+    sys.exit(0)  # return success
diff --git a/charts/neutron/templates/bin/_neutron-bagpipe-bgp-init.sh.tpl b/charts/neutron/templates/bin/_neutron-bagpipe-bgp-init.sh.tpl
new file mode 100644
index 0000000..e00b257
--- /dev/null
+++ b/charts/neutron/templates/bin/_neutron-bagpipe-bgp-init.sh.tpl
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+{{- if (has "openvswitch" .Values.network.backend) }}
+chown neutron: /run/openvswitch/db.sock
+{{- end }}
+
+# handle any bridge mappings
+for bmap in `sed 's/[{}"]//g' /tmp/auto_bridge_add | tr "," "\n"`; do
+  bridge=${bmap%:*}
+  iface=${bmap#*:}
+{{- if (has "openvswitch" .Values.network.backend) }}
+  ovs-vsctl --no-wait --may-exist add-br $bridge
+  if [ -n "$iface" -a "$iface" != "null" ]; then
+    ovs-vsctl --no-wait --may-exist add-port $bridge $iface
+    ip link set dev $iface up
+  fi
+{{- else if (has "linuxbridge" .Values.network.backend) }}
+  set +e; ip link add name $bridge type bridge; set -e
+  ip link set dev $bridge up
+  [ -n "$iface" -a "$iface" != "null" ] && ip link set dev $iface master $bridge
+{{- end }}
+done
diff --git a/charts/neutron/templates/bin/_neutron-bagpipe-bgp.sh.tpl b/charts/neutron/templates/bin/_neutron-bagpipe-bgp.sh.tpl
new file mode 100644
index 0000000..3726dba
--- /dev/null
+++ b/charts/neutron/templates/bin/_neutron-bagpipe-bgp.sh.tpl
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -x
+exec bagpipe-bgp
diff --git a/charts/neutron/templates/bin/_neutron-dhcp-agent-init.sh.tpl b/charts/neutron/templates/bin/_neutron-dhcp-agent-init.sh.tpl
new file mode 100644
index 0000000..3df3315
--- /dev/null
+++ b/charts/neutron/templates/bin/_neutron-dhcp-agent-init.sh.tpl
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+{{- if and ( empty .Values.conf.neutron.DEFAULT.host ) ( .Values.pod.use_fqdn.neutron_agent ) }}
+mkdir -p /tmp/pod-shared
+tee > /tmp/pod-shared/neutron-agent.ini << EOF
+[DEFAULT]
+host = $(hostname --fqdn)
+EOF
+{{- end }}
diff --git a/charts/neutron/templates/bin/_neutron-dhcp-agent.sh.tpl b/charts/neutron/templates/bin/_neutron-dhcp-agent.sh.tpl
new file mode 100644
index 0000000..0f73e5a
--- /dev/null
+++ b/charts/neutron/templates/bin/_neutron-dhcp-agent.sh.tpl
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -x
+exec neutron-dhcp-agent \
+  --config-file /etc/neutron/neutron.conf \
+{{- if and ( empty .Values.conf.neutron.DEFAULT.host ) ( .Values.pod.use_fqdn.neutron_agent ) }}
+  --config-file /tmp/pod-shared/neutron-agent.ini \
+{{- end }}
+{{- if ( has "openvswitch" .Values.network.backend ) }}
+  --config-file /etc/neutron/plugins/ml2/openvswitch_agent.ini \
+{{- end }}
+  --config-file /etc/neutron/dhcp_agent.ini
diff --git a/charts/neutron/templates/bin/_neutron-ironic-agent.sh.tpl b/charts/neutron/templates/bin/_neutron-ironic-agent.sh.tpl
new file mode 100644
index 0000000..0484c7d
--- /dev/null
+++ b/charts/neutron/templates/bin/_neutron-ironic-agent.sh.tpl
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+  exec ironic-neutron-agent \
+        --config-file /etc/neutron/neutron.conf \
+{{- if and ( empty .Values.conf.neutron.DEFAULT.host ) ( .Values.pod.use_fqdn.neutron_agent ) }}
+  --config-file /tmp/pod-shared/neutron-agent.ini \
+{{- end }}
+        --config-file /etc/neutron/plugins/ml2/ml2_conf.ini
+}
+
+function stop () {
+  kill -TERM 1
+}
+
+$COMMAND
diff --git a/charts/neutron/templates/bin/_neutron-l2gw-agent.sh.tpl b/charts/neutron/templates/bin/_neutron-l2gw-agent.sh.tpl
new file mode 100644
index 0000000..bbf7ac6
--- /dev/null
+++ b/charts/neutron/templates/bin/_neutron-l2gw-agent.sh.tpl
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -x
+exec neutron-l2gateway-agent \
+      --config-file=/etc/neutron/neutron.conf \
+{{- if and ( empty .Values.conf.neutron.DEFAULT.host ) ( .Values.pod.use_fqdn.neutron_agent ) }}
+  --config-file /tmp/pod-shared/neutron-agent.ini \
+{{- end }}
+      --config-file=/etc/neutron/l2gw_agent.ini
diff --git a/charts/neutron/templates/bin/_neutron-l3-agent-init.sh.tpl b/charts/neutron/templates/bin/_neutron-l3-agent-init.sh.tpl
new file mode 100644
index 0000000..b9b93b2
--- /dev/null
+++ b/charts/neutron/templates/bin/_neutron-l3-agent-init.sh.tpl
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+{{- if and ( empty .Values.conf.neutron.DEFAULT.host ) ( .Values.pod.use_fqdn.neutron_agent ) }}
+mkdir -p /tmp/pod-shared
+tee > /tmp/pod-shared/neutron-agent.ini << EOF
+[DEFAULT]
+host = $(hostname --fqdn)
+EOF
+{{- end }}
diff --git a/charts/neutron/templates/bin/_neutron-l3-agent.sh.tpl b/charts/neutron/templates/bin/_neutron-l3-agent.sh.tpl
new file mode 100644
index 0000000..2b64255
--- /dev/null
+++ b/charts/neutron/templates/bin/_neutron-l3-agent.sh.tpl
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -x
+
+exec neutron-l3-agent \
+      --config-file /etc/neutron/neutron.conf \
+{{- if and ( empty .Values.conf.neutron.DEFAULT.host ) ( .Values.pod.use_fqdn.neutron_agent ) }}
+  --config-file /tmp/pod-shared/neutron-agent.ini \
+{{- end }}
+      --config-file /etc/neutron/l3_agent.ini
diff --git a/charts/neutron/templates/bin/_neutron-linuxbridge-agent-init-modules.sh.tpl b/charts/neutron/templates/bin/_neutron-linuxbridge-agent-init-modules.sh.tpl
new file mode 100644
index 0000000..2ef5970
--- /dev/null
+++ b/charts/neutron/templates/bin/_neutron-linuxbridge-agent-init-modules.sh.tpl
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+chroot /mnt/host-rootfs modprobe bridge
+chroot /mnt/host-rootfs modprobe ip6_tables
+chroot /mnt/host-rootfs modprobe ebtables
diff --git a/charts/neutron/templates/bin/_neutron-linuxbridge-agent-init.sh.tpl b/charts/neutron/templates/bin/_neutron-linuxbridge-agent-init.sh.tpl
new file mode 100644
index 0000000..ed95189
--- /dev/null
+++ b/charts/neutron/templates/bin/_neutron-linuxbridge-agent-init.sh.tpl
@@ -0,0 +1,66 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+# configure all bridge mappings defined in config
+# /tmp/auto_bridge_add is one line json file: {"br-ex1":"eth1","br-ex2":"eth2"}
+for bmap in `sed 's/[{}"]//g' /tmp/auto_bridge_add | tr "," "\n"`
+do
+  bridge=${bmap%:*}
+  iface=${bmap#*:}
+  # adding existing bridge would break out the script when -e is set
+  set +e
+  ip link add name $bridge type bridge
+  set -e
+  ip link set dev $bridge up
+  if [ -n "$iface" ] && [ "$iface" != "null" ]
+  then
+    ip link set dev $iface  master $bridge
+  fi
+done
+
+tunnel_interface="{{- .Values.network.interface.tunnel -}}"
+if [ -z "${tunnel_interface}" ] ; then
+    # search for interface with tunnel network routing
+    tunnel_network_cidr="{{- .Values.network.interface.tunnel_network_cidr -}}"
+    if [ -z "${tunnel_network_cidr}" ] ; then
+        tunnel_network_cidr="0/0"
+    fi
+    # If there is not tunnel network gateway, exit
+    tunnel_interface=$(ip -4 route list ${tunnel_network_cidr} | awk -F 'dev' '{ print $2; exit }' \
+        | awk '{ print $1 }') || exit 1
+fi
+
+# determine local-ip dynamically based on interface provided but only if tunnel_types is not null
+LOCAL_IP=$(ip a s $tunnel_interface | grep 'inet ' | awk '{print $2}' | awk -F "/" '{print $1}')
+if [ -z "${LOCAL_IP}" ] ; then
+  echo "Var LOCAL_IP is empty"
+  exit 1
+fi
+
+tee > /tmp/pod-shared/ml2-local-ip.ini << EOF
+[vxlan]
+local_ip = "${LOCAL_IP}"
+EOF
+
+{{- if and ( empty .Values.conf.neutron.DEFAULT.host ) ( .Values.pod.use_fqdn.neutron_agent ) }}
+mkdir -p /tmp/pod-shared
+tee > /tmp/pod-shared/neutron-agent.ini << EOF
+[DEFAULT]
+host = $(hostname --fqdn)
+EOF
+{{- end }}
diff --git a/charts/neutron/templates/bin/_neutron-linuxbridge-agent.sh.tpl b/charts/neutron/templates/bin/_neutron-linuxbridge-agent.sh.tpl
new file mode 100644
index 0000000..8948cb9
--- /dev/null
+++ b/charts/neutron/templates/bin/_neutron-linuxbridge-agent.sh.tpl
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+exec neutron-linuxbridge-agent \
+  --config-file /etc/neutron/neutron.conf \
+  --config-file /etc/neutron/plugins/ml2/ml2_conf.ini \
+  --config-file /tmp/pod-shared/ml2-local-ip.ini \
+{{- if and ( empty .Values.conf.neutron.DEFAULT.host ) ( .Values.pod.use_fqdn.neutron_agent ) }}
+  --config-file /tmp/pod-shared/neutron-agent.ini \
+{{- end }}
+  --config-file /etc/neutron/plugins/ml2/linuxbridge_agent.ini
diff --git a/charts/neutron/templates/bin/_neutron-metadata-agent-init.sh.tpl b/charts/neutron/templates/bin/_neutron-metadata-agent-init.sh.tpl
new file mode 100644
index 0000000..5b6ce43
--- /dev/null
+++ b/charts/neutron/templates/bin/_neutron-metadata-agent-init.sh.tpl
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+chown ${NEUTRON_USER_UID} /var/lib/neutron/openstack-helm
+
+{{- if and ( empty .Values.conf.neutron.DEFAULT.host ) ( .Values.pod.use_fqdn.neutron_agent ) }}
+mkdir -p /tmp/pod-shared
+tee > /tmp/pod-shared/neutron-agent.ini << EOF
+[DEFAULT]
+host = $(hostname --fqdn)
+EOF
+{{- end }}
diff --git a/charts/neutron/templates/bin/_neutron-metadata-agent.sh.tpl b/charts/neutron/templates/bin/_neutron-metadata-agent.sh.tpl
new file mode 100644
index 0000000..f93d169
--- /dev/null
+++ b/charts/neutron/templates/bin/_neutron-metadata-agent.sh.tpl
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -x
+exec neutron-metadata-agent \
+      --config-file /etc/neutron/neutron.conf \
+{{- if and ( empty .Values.conf.neutron.DEFAULT.host ) ( .Values.pod.use_fqdn.neutron_agent ) }}
+  --config-file /tmp/pod-shared/neutron-agent.ini \
+{{- end }}
+      --config-file /etc/neutron/metadata_agent.ini
+
diff --git a/charts/neutron/templates/bin/_neutron-netns-cleanup-cron.py.tpl b/charts/neutron/templates/bin/_neutron-netns-cleanup-cron.py.tpl
new file mode 100644
index 0000000..f4913ed
--- /dev/null
+++ b/charts/neutron/templates/bin/_neutron-netns-cleanup-cron.py.tpl
@@ -0,0 +1,157 @@
+#!/usr/bin/env python
+
+import sys
+import os
+import time
+import socket
+from neutron.common import config
+from oslo_config import cfg
+from oslo_concurrency import processutils
+from neutron.agent.linux import dhcp
+from neutron.agent.l3 import namespaces
+from neutron.agent.l3 import dvr_snat_ns
+from neutron.agent.l3 import dvr_fip_ns
+from neutron.cmd.netns_cleanup import setup_conf
+from neutron.cmd.netns_cleanup import unplug_device
+from neutron.cmd.netns_cleanup import eligible_for_deletion
+from neutron.conf.agent import common as agent_config
+from neutron.agent.linux import ip_lib
+from keystoneauth1.identity import v3
+from keystoneauth1 import session
+from neutronclient.neutron import client as neutron_client
+NS_PREFIXES = {'l3': [namespaces.NS_PREFIX, dvr_snat_ns.SNAT_NS_PREFIX,
+                      dvr_fip_ns.FIP_NS_PREFIX]}
+DHCP_NS_PREFIX = dhcp.NS_PREFIX
+
+def get_neutron_creds():
+    opts = {'auth_url': os.getenv('OS_AUTH_URL', 'https://keystone-api.openstack.svc.cluster.local:5000/v3'),
+        'password': os.getenv('OS_PASSWORD','nopassword'),
+        'project_domain_name': os.getenv('OS_PROJECT_DOMAIN_NAME', 'default'),
+        'project_name': os.getenv('OS_PROJECT_NAME', 'admin'),
+        'user_domain_name': os.getenv('OS_USER_DOMAIN_NAME', 'default'),
+        'username': os.getenv('OS_USERNAME', 'admin'),
+        'cafile' : os.getenv('OS_CACERT','/var/lib/neutron/openstack-helm/openstack-helm.crt'),
+        'insecure' : os.getenv('NEUTRON_CLEANUP_INSECURE', 'true'),
+        'debug': os.getenv('NEUTRON_CLEANUP_DEBUG', 'true'),
+        'wait': os.getenv('NEUTRON_CLEANUP_TIMEOUT', '600')}
+    return opts
+
+def ldestroy_namespace(conf, namespace):
+    try:
+        ip = ip_lib.IPWrapper(namespace=namespace)
+        if ip.netns.exists(namespace):
+            cmd = ['ip', 'netns', 'pids', namespace]
+            output = processutils.execute(*cmd, run_as_root=True, root_helper=conf.AGENT.root_helper)
+            for pid in output[0].splitlines():
+                utils.kill_process(pid, signal.SIGTERM, run_as_root=True, root_helper=conf.AGENT.root_helper)
+            for device in ip.get_devices():
+                unplug_device(device)
+        ip.garbage_collect_namespace()
+    except Exception as e:
+        sys.stderr.write("Error - unable to destroy namespace: {} : {}\n".format(namespace, e))
+
+def net_list(neutron_get):
+    hosts = dict()
+    net_list = neutron_get.list_networks()
+    if net_list['networks']:
+        for item in net_list['networks']:
+            net_id=item['id']
+            dhcp_agents = neutron_get.list_dhcp_agent_hosting_networks(net_id)['agents']
+            agents = list()
+            if dhcp_agents:
+                 for agent in dhcp_agents:
+                     agents.append(agent['host'].split('.')[0])
+            hosts[net_id] = agents
+    return hosts
+
+def sort_ns(all_ns, dhcp_prefix):
+    dhcp_ns = list()
+    not_dhcp_ns = list()
+    for ns in  all_ns:
+        if ns[:len(dhcp_prefix)] == dhcp_prefix:
+            dhcp_ns.append(ns)
+        else:
+            not_dhcp_ns.append(ns)
+    return dhcp_ns, not_dhcp_ns
+
+def del_bad_dhcp(dhcp_ns, dhcp_hosts, conf, dhcp_prefix, debug):
+    for ns in dhcp_ns:
+        cut_ns_name = ns[len(dhcp_prefix):]
+        if cut_ns_name in dhcp_hosts:
+            if hostname not in dhcp_hosts[cut_ns_name]:
+                ldestroy_namespace(conf, ns)
+                if debug:
+                    sys.stderr.write("DEBUG: {} host {} deleted {} because host wrong\n"
+                                     .format(sys.argv[0], hostname, ns))
+            else:
+                if debug:
+                    sys.stderr.write("DEBUG: {} host {} {} looks ok\n"
+                                     .format(sys.argv[0], hostname, ns))
+        else:
+            ldestroy_namespace(conf, ns)
+            if debug:
+                sys.stderr.write("DEBUG: {} host {} deleted {} because no related network found\n"
+                                 .format(sys.argv[0], hostname, ns))
+
+def del_bad_not_dhcp(not_dhcp_ns, conf, debug):
+    for ns in not_dhcp_ns:
+        if eligible_for_deletion(conf, ns, conf.force):
+            ldestroy_namespace(conf, ns)
+            if debug:
+                sys.stderr.write("DEBUG: {} host {} deleted {} because no IP addr\n"
+                                 .format(sys.argv[0], hostname, ns))
+
+if __name__ == "__main__":
+
+    conf = setup_conf()
+    cfg.CONF(sys.argv[1:])
+    opts = get_neutron_creds()
+    debug = False
+    verify= False
+    if opts.pop('debug') in ('true', '1', 'True'):
+        debug = True
+    insecure = opts.pop('insecure')
+    cafile = opts.pop('cafile')
+    if insecure in ('false', '0', 'False'):
+        verify = cafile
+    timeout = int(opts.pop('wait'))
+    conf()
+    config.setup_logging()
+    agent_config.setup_privsep()
+    auth = v3.Password(**opts)
+    hostname = socket.gethostname().split('.')[0]
+
+    while True:
+        try:
+            all_ns = ip_lib.list_network_namespaces()
+            sess = session.Session(auth=auth, verify=verify)
+            neutron_get = neutron_client.Client('2.0', session=sess)
+            dhcp_hosts = net_list(neutron_get)
+            if all_ns:
+                dhcp_ns, not_dhcp_ns = sort_ns(all_ns, DHCP_NS_PREFIX)
+                if dhcp_ns:
+                    del_bad_dhcp(dhcp_ns, dhcp_hosts, conf, DHCP_NS_PREFIX, debug)
+                else:
+                    if debug:
+                        sys.stderr.write("DEBUG: {} host {} no dhcp ns found\n"
+                                         .format(sys.argv[0], hostname))
+                if not_dhcp_ns:
+                    del_bad_not_dhcp(not_dhcp_ns, conf, debug)
+                else:
+                    if debug:
+                        sys.stderr.write("DEBUG: {} host {} no not_dhcp ns found\n"
+                                         .format(sys.argv[0], hostname))
+            else:
+                if debug:
+                    sys.stderr.write("DEBUG: {} host {} no ns found at all\n"
+                                     .format(sys.argv[0], hostname))
+        except Exception as ex:
+            sys.stderr.write(
+                "Cleaning network namespaces caught an exception %s"
+                % str(ex))
+            time.sleep(30)
+        except:
+            sys.stderr.write(
+                "Cleaning network namespaces caught an exception")
+            time.sleep(30)
+        time.sleep(timeout)
\ No newline at end of file
diff --git a/charts/neutron/templates/bin/_neutron-openvswitch-agent-init-modules.sh.tpl b/charts/neutron/templates/bin/_neutron-openvswitch-agent-init-modules.sh.tpl
new file mode 100644
index 0000000..a243867
--- /dev/null
+++ b/charts/neutron/templates/bin/_neutron-openvswitch-agent-init-modules.sh.tpl
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+chroot /mnt/host-rootfs modprobe ip6_tables
+
+{{- if .Values.conf.ovs_dpdk.enabled }}
+chroot /mnt/host-rootfs modprobe {{ .Values.conf.ovs_dpdk.driver | quote }}
+{{- end }}
diff --git a/charts/neutron/templates/bin/_neutron-openvswitch-agent-init.sh.tpl b/charts/neutron/templates/bin/_neutron-openvswitch-agent-init.sh.tpl
new file mode 100644
index 0000000..3283e09
--- /dev/null
+++ b/charts/neutron/templates/bin/_neutron-openvswitch-agent-init.sh.tpl
@@ -0,0 +1,496 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+OVS_SOCKET=/run/openvswitch/db.sock
+chown neutron: ${OVS_SOCKET}
+
+# This enables the usage of 'ovs-appctl' from neutron pod.
+OVS_PID=$(cat /run/openvswitch/ovs-vswitchd.pid)
+OVS_CTL=/run/openvswitch/ovs-vswitchd.${OVS_PID}.ctl
+chown neutron: ${OVS_CTL}
+
+function get_dpdk_config_value {
+  values=$1
+  filter=$2
+  value=$(echo ${values} | jq -r ${filter})
+  if [[ "${value}" == "null" ]]; then
+    echo ""
+  else
+    echo "${value}"
+  fi
+}
+
+
+DPDK_CONFIG_FILE=/tmp/dpdk.conf
+DPDK_CONFIG=""
+DPDK_ENABLED=false
+if [ -f ${DPDK_CONFIG_FILE} ]; then
+  DPDK_CONFIG=$(cat ${DPDK_CONFIG_FILE})
+  if [[ $(get_dpdk_config_value ${DPDK_CONFIG} '.enabled') == "true" ]]; then
+    DPDK_ENABLED=true
+  fi
+fi
+
+function bind_nic {
+  echo $2 > /sys/bus/pci/devices/$1/driver_override
+  echo $1 > /sys/bus/pci/drivers/$2/bind
+}
+
+function unbind_nic {
+  echo $1 > /sys/bus/pci/drivers/$2/unbind
+  echo > /sys/bus/pci/devices/$1/driver_override
+}
+
+function get_name_by_pci_id {
+  path=$(find /sys/bus/pci/devices/$1/ -name net)
+  if [ -n "${path}" ] ; then
+    echo $(ls -1 $path/)
+  fi
+}
+
+function get_ip_address_from_interface {
+  local interface=$1
+  local ip=$(ip -4 -o addr s "${interface}" | awk '{ print $4; exit }' | awk -F '/' '{print $1}')
+  if [ -z "${ip}" ] ; then
+    exit 1
+  fi
+  echo ${ip}
+}
+
+function get_ip_prefix_from_interface {
+  local interface=$1
+  local prefix=$(ip -4 -o addr s "${interface}" | awk '{ print $4; exit }' | awk -F '/' '{print $2}')
+  if [ -z "${prefix}" ] ; then
+    exit 1
+  fi
+  echo ${prefix}
+}
+
+function migrate_ip {
+  pci_id=$1
+  bridge_name=$2
+
+  local src_nic=$(get_name_by_pci_id ${pci_id})
+  if [ -n "${src_nic}" ] ; then
+    bridge_exists=$(ip a s "${bridge_name}" | grep "${bridge_name}" | cut -f2 -d':' 2> /dev/null)
+    if [ -z "${bridge_exists}" ] ; then
+      echo "Bridge "${bridge_name}" does not exist. Creating it on demand."
+      init_ovs_dpdk_bridge "${bridge_name}"
+    fi
+
+    migrate_ip_from_nic ${src_nic} ${bridge_name}
+  fi
+}
+
+function migrate_ip_from_nic {
+  src_nic=$1
+  bridge_name=$2
+
+  # Enabling explicit error handling: We must avoid to lose the IP
+  # address in the migration process. Hence, on every error, we
+  # attempt to assign the IP back to the original NIC and exit.
+  set +e
+
+  ip=$(get_ip_address_from_interface ${src_nic})
+  prefix=$(get_ip_prefix_from_interface ${src_nic})
+
+  bridge_ip=$(get_ip_address_from_interface "${bridge_name}")
+  bridge_prefix=$(get_ip_prefix_from_interface "${bridge_name}")
+
+  ip link set ${bridge_name} up
+
+  if [[ -n "${ip}" && -n "${prefix}" ]]; then
+    ip addr flush dev ${src_nic}
+    if [ $? -ne 0 ] ; then
+      ip addr add ${ip}/${prefix} dev ${src_nic}
+      echo "Error while flushing IP from ${src_nic}."
+      exit 1
+    fi
+
+    ip addr add ${ip}/${prefix} dev "${bridge_name}"
+    if [ $? -ne 0 ] ; then
+      echo "Error assigning IP to bridge "${bridge_name}"."
+      ip addr add ${ip}/${prefix} dev ${src_nic}
+      exit 1
+    fi
+  elif [[ -n "${bridge_ip}" && -n "${bridge_prefix}" ]]; then
+    echo "Bridge '${bridge_name}' already has IP assigned. Keeping the same:: IP:[${bridge_ip}]; Prefix:[${bridge_prefix}]..."
+  elif [[ -z "${bridge_ip}" && -z "${ip}" ]]; then
+    echo "Interface and bridge have no ips configured. Leaving as is."
+  else
+    echo "Interface ${name} has invalid IP address. IP:[${ip}]; Prefix:[${prefix}]..."
+    exit 1
+  fi
+
+  set -e
+}
+
+function get_pf_or_vf_pci {
+  dpdk_pci_id=${1}
+  vf_index=${2}
+
+  if [ -n "$vf_index" ]
+  then
+    iface=$(get_name_by_pci_id "${dpdk_pci_id}")
+    sysfs_numvfs_path="/sys/class/net/${iface}/device/sriov_numvfs"
+    if [[ -f /sys/class/net/${iface}/device/sriov_numvfs &&
+          "$(cat /sys/class/net/${iface}/device/sriov_numvfs)" -ne "0" &&
+          -e /sys/class/net/${iface}/device/virtfn${vf_index} ]]
+    then
+      dpdk_pci_id=$(ls -la /sys/class/net/${iface}/device/virtfn${vf_index})
+      dpdk_pci_id=${dpdk_pci_id#*"../"}
+    else
+      echo "Error fetching the VF PCI for PF: ["${iface}", "${dpdk_pci_id}"] and VF-Index: ${vf_index}."
+      exit 1
+    fi
+  fi
+}
+
+function bind_dpdk_nic {
+  target_driver=${1}
+  pci_id=${2}
+
+  current_driver="$(get_driver_by_address "${pci_id}" )"
+  if [ "$current_driver" != "$target_driver" ]; then
+    if [ "$current_driver" != "" ]; then
+      unbind_nic "${pci_id}" ${current_driver}
+    fi
+    bind_nic "${pci_id}" ${target_driver}
+  fi
+}
+
+function process_dpdk_nics {
+  target_driver=$(get_dpdk_config_value ${DPDK_CONFIG} '.driver')
+  # loop over all nics
+  echo $DPDK_CONFIG | jq -r -c '.nics[]' | \
+  while IFS= read -r nic; do
+    local port_name=$(get_dpdk_config_value ${nic} '.name')
+    local pci_id=$(get_dpdk_config_value ${nic} '.pci_id')
+    local bridge=$(get_dpdk_config_value ${nic} '.bridge')
+    local vf_index=$(get_dpdk_config_value ${nic} '.vf_index')
+
+    if [[ $(get_dpdk_config_value ${nic} '.migrate_ip') == true ]] ; then
+      migrate_ip "${pci_id}" "${bridge}"
+    fi
+
+    iface=$(get_name_by_pci_id "${pci_id}")
+
+    if [ -n "${iface}" ]; then
+      ip link set ${iface} promisc on
+      if [ -n "${vf_index}" ]; then
+        vf_string="vf ${vf_index}"
+        ip link set ${iface} ${vf_string} trust on
+
+        # NOTE: To ensure proper toggle of spoofchk,
+        # turn it on then off.
+        ip link set ${iface} ${vf_string} spoofchk on
+        ip link set ${iface} ${vf_string} spoofchk off
+      fi
+    fi
+
+    # Fetch the PCI to be bound to DPDK driver.
+    # In case VF Index is configured then PCI of that particular VF
+    # is bound to DPDK, otherwise PF PCI is bound to DPDK.
+    get_pf_or_vf_pci "${pci_id}" "${vf_index}"
+
+    bind_dpdk_nic ${target_driver} "${dpdk_pci_id}"
+
+    dpdk_options=""
+    ofport_request=$(get_dpdk_config_value ${nic} '.ofport_request')
+    if [ -n "${ofport_request}" ]; then
+      dpdk_options+='ofport_request=${ofport_request} '
+    fi
+    n_rxq=$(get_dpdk_config_value ${nic} '.n_rxq')
+    if [ -n "${n_rxq}" ]; then
+      dpdk_options+='options:n_rxq=${n_rxq} '
+    fi
+    n_txq=$(get_dpdk_config_value ${nic} '.n_txq')
+    if [ -n "${n_txq}" ]; then
+      dpdk_options+='options:n_txq=${n_txq} '
+    fi
+    pmd_rxq_affinity=$(get_dpdk_config_value ${nic} '.pmd_rxq_affinity')
+    if [ -n "${pmd_rxq_affinity}" ]; then
+      dpdk_options+='other_config:pmd-rxq-affinity=${pmd_rxq_affinity} '
+    fi
+    mtu=$(get_dpdk_config_value ${nic} '.mtu')
+    if [ -n "${mtu}" ]; then
+      dpdk_options+='mtu_request=${mtu} '
+    fi
+    n_rxq_size=$(get_dpdk_config_value ${nic} '.n_rxq_size')
+    if [ -n "${n_rxq_size}" ]; then
+      dpdk_options+='options:n_rxq_desc=${n_rxq_size} '
+    fi
+    n_txq_size=$(get_dpdk_config_value ${nic} '.n_txq_size')
+    if [ -n "${n_txq_size}" ]; then
+      dpdk_options+='options:n_txq_desc=${n_txq_size} '
+    fi
+    vhost_iommu_support=$(get_dpdk_config_value ${nic} '.vhost-iommu-support')
+    if [ -n "${vhost_iommu_support}" ]; then
+      dpdk_options+='options:vhost-iommu-support=${vhost_iommu_support} '
+    fi
+
+    ovs-vsctl --db=unix:${OVS_SOCKET} --may-exist add-port ${bridge} ${port_name} \
+       -- set Interface ${port_name} type=dpdk options:dpdk-devargs=${pci_id} ${dpdk_options}
+
+  done
+}
+
+function process_dpdk_bonds {
+  target_driver=$(get_dpdk_config_value ${DPDK_CONFIG} '.driver')
+  # loop over all bonds
+  echo $DPDK_CONFIG | jq -r -c '.bonds[]' > /tmp/bonds_array
+  while IFS= read -r bond; do
+    local bond_name=$(get_dpdk_config_value ${bond} '.name')
+    local dpdk_bridge=$(get_dpdk_config_value ${bond} '.bridge')
+    local migrate_ip=$(get_dpdk_config_value ${bond} '.migrate_ip')
+    local mtu=$(get_dpdk_config_value ${bond} '.mtu')
+    local n_rxq=$(get_dpdk_config_value ${bond} '.n_rxq')
+    local n_txq=$(get_dpdk_config_value ${bond} '.n_txq')
+    local ofport_request=$(get_dpdk_config_value ${bond} '.ofport_request')
+    local n_rxq_size=$(get_dpdk_config_value ${bond} '.n_rxq_size')
+    local n_txq_size=$(get_dpdk_config_value ${bond} '.n_txq_size')
+    local vhost_iommu_support=$(get_dpdk_config_value ${bond} '.vhost-iommu-support')
+    local ovs_options=$(get_dpdk_config_value ${bond} '.ovs_options')
+
+    local nic_name_str=""
+    local dev_args_str=""
+    local ip_migrated=false
+
+    echo $bond | jq -r -c '.nics[]' > /tmp/nics_array
+    while IFS= read -r nic; do
+      local pci_id=$(get_dpdk_config_value ${nic} '.pci_id')
+      local nic_name=$(get_dpdk_config_value ${nic} '.name')
+      local pmd_rxq_affinity=$(get_dpdk_config_value ${nic} '.pmd_rxq_affinity')
+      local vf_index=$(get_dpdk_config_value ${nic} '.vf_index')
+      local vf_string=""
+
+      if [[ ${migrate_ip} = "true" && ${ip_migrated} = "false" ]]; then
+        migrate_ip "${pci_id}" "${dpdk_bridge}"
+        ip_migrated=true
+      fi
+
+      iface=$(get_name_by_pci_id "${pci_id}")
+
+      if [ -n "${iface}" ]; then
+        ip link set ${iface} promisc on
+        if [ -n "${vf_index}" ]; then
+          vf_string="vf ${vf_index}"
+          ip link set ${iface} ${vf_string} trust on
+
+          # NOTE: To ensure proper toggle of spoofchk,
+          # turn it on then off.
+          ip link set ${iface} ${vf_string} spoofchk on
+          ip link set ${iface} ${vf_string} spoofchk off
+        fi
+      fi
+
+      # Fetch the PCI to be bound to DPDK driver.
+      # In case VF Index is configured then PCI of that particular VF
+      # is bound to DPDK, otherwise PF PCI is bound to DPDK.
+      get_pf_or_vf_pci "${pci_id}" "${vf_index}"
+
+      bind_dpdk_nic ${target_driver} "${dpdk_pci_id}"
+
+      nic_name_str+=" "${nic_name}""
+      dev_args_str+=" -- set Interface "${nic_name}" type=dpdk options:dpdk-devargs=""${dpdk_pci_id}"
+
+      if [[ -n ${mtu} ]]; then
+        dev_args_str+=" -- set Interface "${nic_name}" mtu_request=${mtu}"
+      fi
+
+      if [[ -n ${n_rxq} ]]; then
+        dev_args_str+=" -- set Interface "${nic_name}" options:n_rxq=${n_rxq}"
+      fi
+
+      if [[ -n ${n_txq} ]]; then
+        dev_args_str+=" -- set Interface "${nic_name}" options:n_txq=${n_txq}"
+      fi
+
+      if [[ -n ${ofport_request} ]]; then
+        dev_args_str+=" -- set Interface "${nic_name}" ofport_request=${ofport_request}"
+      fi
+
+      if [[ -n ${pmd_rxq_affinity} ]]; then
+        dev_args_str+=" -- set Interface "${nic_name}" other_config:pmd-rxq-affinity=${pmd_rxq_affinity}"
+      fi
+
+      if [[ -n ${n_rxq_size} ]]; then
+        dev_args_str+=" -- set Interface "${nic_name}" options:n_rxq_desc=${n_rxq_size}"
+      fi
+
+      if [[ -n ${n_txq_size} ]]; then
+        dev_args_str+=" -- set Interface "${nic_name}" options:n_txq_desc=${n_txq_size}"
+      fi
+
+      if [[ -n ${vhost_iommu_support} ]]; then
+        dev_args_str+=" -- set Interface "${nic_name}" options:vhost-iommu-support=${vhost_iommu_support}"
+      fi
+    done < /tmp/nics_array
+
+    if [ "${UPDATE_DPDK_BOND_CONFIG}" == "true" ]; then
+      echo -e "NOTE: UPDATE_DPDK_BOND_CONFIG is set to true.\
+      \nThis might cause disruptions in ovs traffic.\
+      \nTo avoid this disruption set UPDATE_DPDK_BOND_CONFIG to false."
+      ovs-vsctl --db=unix:${OVS_SOCKET} set Bridge "${dpdk_bridge}" other_config:update_config=true
+      ovs_update_config=true
+    else
+      ovs_update_config=$(ovs-vsctl --columns=other_config --no-heading -d json list bridge "${dpdk_bridge}" \
+        | jq -r '.[1][] as $list | if $list[0] == "update_config" then $list[1] else empty end')
+    fi
+
+
+    if [ "${ovs_update_config}" == "true" ] || [ "${ovs_update_config}" == "" ];
+    then
+      ovs-vsctl --db=unix:${OVS_SOCKET} --if-exists del-port "${bond_name}"
+      ovs-vsctl --db=unix:${OVS_SOCKET} set Bridge "${dpdk_bridge}" other_config:update_config=false
+      ovs-vsctl --db=unix:${OVS_SOCKET} --may-exist add-bond "${dpdk_bridge}" "${bond_name}" \
+        ${nic_name_str} \
+        "${ovs_options}" ${dev_args_str}
+    fi
+
+  done < "/tmp/bonds_array"
+}
+
+function set_dpdk_module_log_level {
+  # loop over all target modules
+  if [ -n "$(get_dpdk_config_value ${DPDK_CONFIG} '.modules')" ]; then
+    echo $DPDK_CONFIG | jq -r -c '.modules[]' > /tmp/modules_array
+    while IFS= read -r module; do
+      local mod_name=$(get_dpdk_config_value ${module} '.name')
+      local mod_level=$(get_dpdk_config_value ${module} '.log_level')
+
+      ovs-appctl -t ${OVS_CTL} vlog/set ${mod_name}:${mod_level}
+      ovs-appctl -t ${OVS_CTL} vlog/list|grep ${mod_name}
+    done < /tmp/modules_array
+  fi
+}
+
+function get_driver_by_address {
+  if [[ -e /sys/bus/pci/devices/$1/driver ]]; then
+    echo $(ls /sys/bus/pci/devices/$1/driver -al | awk '{n=split($NF,a,"/"); print a[n]}')
+  fi
+}
+
+function init_ovs_dpdk_bridge {
+  bridge=$1
+  ovs-vsctl --db=unix:${OVS_SOCKET} --may-exist add-br ${bridge} \
+  -- set Bridge ${bridge} datapath_type=netdev
+  ip link set ${bridge} up
+}
+
+# create all additional bridges defined in the DPDK section
+function init_ovs_dpdk_bridges {
+  for br in $(get_dpdk_config_value ${DPDK_CONFIG} '.bridges[].name'); do
+    init_ovs_dpdk_bridge ${br}
+  done
+}
+
+# handle any bridge mappings
+# /tmp/auto_bridge_add is one line json file: {"br-ex1":"eth1","br-ex2":"eth2"}
+for bmap in `sed 's/[{}"]//g' /tmp/auto_bridge_add | tr "," "\n"`
+do
+  bridge=${bmap%:*}
+  iface=${bmap#*:}
+  ovs-vsctl --no-wait --may-exist add-br $bridge
+  if [ -n "$iface" ] && [ "$iface" != "null" ]
+  then
+    ovs-vsctl --no-wait --may-exist add-port $bridge $iface
+    migrate_ip_from_nic $iface $bridge
+    if [[ $(get_dpdk_config_value ${DPDK_CONFIG} '.enabled') != "true" ]]; then
+      ip link set dev $iface up
+    fi
+  fi
+done
+
+tunnel_types="{{- .Values.conf.plugins.openvswitch_agent.agent.tunnel_types -}}"
+if [[ -n "${tunnel_types}" ]] ; then
+    tunnel_interface="{{- .Values.network.interface.tunnel -}}"
+    if [ -z "${tunnel_interface}" ] ; then
+        # search for interface with tunnel network routing
+        tunnel_network_cidr="{{- .Values.network.interface.tunnel_network_cidr -}}"
+        if [ -z "${tunnel_network_cidr}" ] ; then
+            tunnel_network_cidr="0/0"
+        fi
+        # If there is not tunnel network gateway, exit
+        tunnel_interface=$(ip -4 route list ${tunnel_network_cidr} | awk -F 'dev' '{ print $2; exit }' \
+            | awk '{ print $1 }') || exit 1
+    fi
+fi
+
+if [[ "${DPDK_ENABLED}" == "true" ]]; then
+  init_ovs_dpdk_bridges
+  process_dpdk_nics
+  process_dpdk_bonds
+  set_dpdk_module_log_level
+fi
+
+# determine local-ip dynamically based on interface provided but only if tunnel_types is not null
+if [[ -n "${tunnel_types}" ]] ; then
+  LOCAL_IP=$(get_ip_address_from_interface ${tunnel_interface})
+  if [ -z "${LOCAL_IP}" ] ; then
+    echo "Var LOCAL_IP is empty"
+    exit 1
+  fi
+
+tee > /tmp/pod-shared/ml2-local-ip.ini << EOF
+[ovs]
+local_ip = "${LOCAL_IP}"
+EOF
+
+  if [[ "${DPDK_ENABLED}" == "true" ]]; then
+    PREFIX=$(get_ip_prefix_from_interface "${tunnel_interface}")
+
+    # loop over all nics
+    echo $DPDK_CONFIG | jq -r -c '.bridges[]' | \
+    while IFS= read -r br; do
+      bridge_name=$(get_dpdk_config_value ${br} '.name')
+      tunnel_underlay_vlan=$(get_dpdk_config_value ${br} '.tunnel_underlay_vlan')
+
+      if [[ "${bridge_name}" == "${tunnel_interface}" ]]; then
+        # Route the tunnel traffic via the physical bridge
+        if [[ -n "${LOCAL_IP}" && -n "${PREFIX}" ]]; then
+          if [[ -n $(ovs-appctl -t ${OVS_CTL} ovs/route/show | grep "${LOCAL_IP}" | grep -v '^Cached:') ]]; then
+            ovs-appctl -t ${OVS_CTL} ovs/route/del "${LOCAL_IP}"/"${PREFIX}"
+          fi
+          ovs-appctl -t ${OVS_CTL} ovs/route/add "${LOCAL_IP}"/"${PREFIX}" "${tunnel_interface}"
+
+          if [[ -n "${tunnel_underlay_vlan}" ]]; then
+            # If there is not tunnel network gateway, exit
+            IFS=. read -r i1 i2 i3 i4 <<< "${LOCAL_IP}"
+            IFS=. read -r xx m1 m2 m3 m4 <<< $(for a in $(seq 1 32); do if [ $(((a - 1) % 8)) -eq 0 ]; then echo -n .; fi; if [ $a -le ${PREFIX} ]; then echo -n 1; else echo -n 0; fi; done)
+            tunnel_network_cidr=$(printf "%d.%d.%d.%d\n" "$((i1 & (2#$m1)))" "$((i2 & (2#$m2)))" "$((i3 & (2#$m3)))" "$((i4 & (2#$m4)))") || exit 1
+            # Put a new flow to tag all the tunnel traffic with configured vlan-id
+            if [[ -n $(ovs-ofctl dump-flows "${tunnel_interface}" | grep "nw_dst=${tunnel_network_cidr}") ]]; then
+              ovs-ofctl del-flows "${tunnel_interface}" "cookie=0x9999/-1, table=0, ip,nw_dst=${tunnel_network_cidr}"
+            fi
+            ovs-ofctl add-flow "${tunnel_interface}" "cookie=0x9999, table=0, priority=8, ip,nw_dst=${tunnel_network_cidr}, actions=mod_vlan_vid:${tunnel_underlay_vlan},NORMAL"
+          fi
+        fi
+        break
+      fi
+    done
+  fi
+fi
+
+{{- if and ( empty .Values.conf.neutron.DEFAULT.host ) ( .Values.pod.use_fqdn.neutron_agent ) }}
+mkdir -p /tmp/pod-shared
+tee > /tmp/pod-shared/neutron-agent.ini << EOF
+[DEFAULT]
+host = $(hostname --fqdn)
+EOF
+{{- end }}
diff --git a/charts/neutron/templates/bin/_neutron-openvswitch-agent-readiness.sh.tpl b/charts/neutron/templates/bin/_neutron-openvswitch-agent-readiness.sh.tpl
new file mode 100644
index 0000000..783ec4a
--- /dev/null
+++ b/charts/neutron/templates/bin/_neutron-openvswitch-agent-readiness.sh.tpl
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -e
+
+OVS_PID=$(cat /run/openvswitch/ovs-vswitchd.pid)
+OVS_CTL=/run/openvswitch/ovs-vswitchd.${OVS_PID}.ctl
+
+ovs-vsctl list-br | grep -q br-int
+
+[ -z "$(/usr/bin/ovs-vsctl show | grep error:)" ]
+
+{{ if .Values.conf.ovs_dpdk.enabled }}
+  {{- if hasKey .Values.conf.ovs_dpdk "nics"}}
+    # Check if port(s) and bridge(s) are configured.
+    {{- range .Values.conf.ovs_dpdk.nics }}
+      ovs-vsctl list-br | grep -q {{ .bridge }}
+      ovs-vsctl list-ports {{ .bridge }} | grep -q {{ .name }}
+    {{- end }}
+  {{- end }}
+
+  {{- if hasKey .Values.conf.ovs_dpdk "bonds"}}
+    # Check if bond(s) and slave(s) are configured.
+    {{- range .Values.conf.ovs_dpdk.bonds }}
+      bond={{ .name }}
+      ovs-appctl -t ${OVS_CTL} bond/list | grep -q  ${bond}
+      {{- range .nics }}
+        ovs-appctl -t ${OVS_CTL} bond/show ${bond} | grep -q "slave {{ .name }}"
+      {{- end }}
+    {{- end }}
+  {{- end }}
+{{ end }}
diff --git a/charts/neutron/templates/bin/_neutron-openvswitch-agent.sh.tpl b/charts/neutron/templates/bin/_neutron-openvswitch-agent.sh.tpl
new file mode 100644
index 0000000..5ad8b4d
--- /dev/null
+++ b/charts/neutron/templates/bin/_neutron-openvswitch-agent.sh.tpl
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+exec neutron-openvswitch-agent \
+  --config-file /etc/neutron/neutron.conf \
+{{- if and ( empty .Values.conf.neutron.DEFAULT.host ) ( .Values.pod.use_fqdn.neutron_agent ) }}
+  --config-file /tmp/pod-shared/neutron-agent.ini \
+{{- end }}
+{{- if .Values.conf.plugins.openvswitch_agent.agent.tunnel_types }}
+  --config-file /tmp/pod-shared/ml2-local-ip.ini \
+{{- end }}
+{{- if .Values.conf.plugins.taas.taas.enabled }}
+  --config-file /etc/neutron/plugins/ml2/taas.ini \
+{{- end }}
+  --config-file /etc/neutron/plugins/ml2/openvswitch_agent.ini \
+  --config-file /etc/neutron/plugins/ml2/ml2_conf.ini
diff --git a/charts/neutron/templates/bin/_neutron-server.sh.tpl b/charts/neutron/templates/bin/_neutron-server.sh.tpl
new file mode 100644
index 0000000..83ca918
--- /dev/null
+++ b/charts/neutron/templates/bin/_neutron-server.sh.tpl
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+  exec neutron-server \
+        --config-file /etc/neutron/neutron.conf \
+{{- if ( has "tungstenfabric" .Values.network.backend ) }}
+        --config-file /etc/neutron/plugins/tungstenfabric/tf_plugin.ini
+{{- else }}
+        --config-file /etc/neutron/plugins/ml2/ml2_conf.ini
+{{- end }}
+{{- if .Values.conf.plugins.taas.taas.enabled }} \
+        --config-file /etc/neutron/taas_plugin.ini
+{{- end }}
+{{- if ( has "sriov" .Values.network.backend ) }} \
+        --config-file /etc/neutron/plugins/ml2/sriov_agent.ini
+{{- end }}
+{{- if .Values.conf.plugins.l2gateway }} \
+        --config-file /etc/neutron/l2gw_plugin.ini
+{{- end }}
+}
+
+function stop () {
+  kill -TERM 1
+}
+
+$COMMAND
diff --git a/charts/neutron/templates/bin/_neutron-sriov-agent-init.sh.tpl b/charts/neutron/templates/bin/_neutron-sriov-agent-init.sh.tpl
new file mode 100644
index 0000000..d98cfe8
--- /dev/null
+++ b/charts/neutron/templates/bin/_neutron-sriov-agent-init.sh.tpl
@@ -0,0 +1,108 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+#NOTE: Please limit "besteffort" to dev env with mixed hardware computes only
+#      For prod env, the target nic should be there, if not, script should error out.
+set -ex
+BESTEFFORT=false
+{{- if ( has "besteffort" .Values.conf.sriov_init ) }}
+set +e
+BESTEFFORT=true
+{{- end }}
+
+{{- range $k, $sriov := .Values.network.interface.sriov }}
+if [ "x{{ $sriov.num_vfs }}" != "x" ]; then
+  echo "{{ $sriov.num_vfs }}" > /sys/class/net/{{ $sriov.device }}/device/sriov_numvfs
+else
+  #NOTE(portdirect): Many NICs have difficulty creating more than n-1 over their
+  # claimed limit, by default err on the side of caution and account for this
+  # limitation.
+  TOT_NUM_VFS=$(cat /sys/class/net/{{ $sriov.device }}/device/sriov_totalvfs)
+  if [[ "$TOT_NUM_VFS" -le "0" ]]; then
+    NUM_VFS="$TOT_NUM_VFS"
+  else
+    if [[ "$((TOT_NUM_VFS - 1 ))" -le "1" ]]; then
+      NUM_VFS=1
+    else
+      NUM_VFS="$((TOT_NUM_VFS - 1 ))"
+    fi
+  fi
+  echo "${NUM_VFS}" > /sys/class/net/{{ $sriov.device }}/device/sriov_numvfs
+fi
+
+{{- if hasKey $sriov "qos" -}}
+{{- range $v, $qos := $sriov.qos }}
+echo "{{ $qos.share }}" > /sys/class/net/{{ $sriov.device }}/device/sriov/{{ $qos.vf_num }}/qos/share
+{{- end}}
+echo "1" > /sys/class/net/{{ $sriov.device }}/device/sriov/qos/apply
+{{- end }}
+
+# Set number of queues is best effort in case where VF is already binded,
+# NIC will not allow to set, in such case, a node reboot will allow all
+# VF to set properly.
+{{- if hasKey $sriov "queues_per_vf" }}
+set +e
+{{- range $v, $qvf := $sriov.queues_per_vf }}
+SMOKE=','
+MIRROR=' '
+SKIPLIST={{ $qvf.exclude_vf }}
+SKIPLIST=${SKIPLIST//$SMOKE/$MIRROR}
+
+NUMVF={{ $sriov.num_vfs }}
+for vf in `seq 0 $[$NUMVF - 1]`
+do
+  if ! ( echo ${SKIPLIST[@]} | grep -q -w "$vf" ); then
+    echo "{{ $qvf.num_queues }}" > /sys/class/net/{{ $sriov.device }}/device/sriov/$vf/num_queues
+  fi
+done
+
+{{- end }}
+if ! $BESTEFFORT; then
+  set -e
+fi
+{{- end }}
+
+{{- if $sriov.mtu }}
+ip link set dev {{ $sriov.device }} mtu {{ $sriov.mtu }}
+{{- end }}
+ip link set {{ $sriov.device }} up
+ip link show {{ $sriov.device }}
+
+{{- if $sriov.promisc }}
+promisc_mode="on"
+{{- else }}
+promisc_mode="off"
+{{- end }}
+ip link set {{ $sriov.device }} promisc ${promisc_mode}
+#NOTE(portdirect): get the bus that the port is on
+NIC_BUS=$(lshw -c network -businfo | awk '/{{ $sriov.device }}/ {print $1}')
+#NOTE(portdirect): get first port on the nic
+NIC_FIRST_PORT=$(lshw -c network -businfo | awk "/${NIC_BUS%%.*}/ { print \$2; exit }")
+#NOTE(portdirect): Enable promisc mode on the nic, by setting it for the 1st port
+ethtool --set-priv-flags ${NIC_FIRST_PORT} vf-true-promisc-support ${promisc_mode}
+{{- end }}
+
+{{- if and ( empty .Values.conf.neutron.DEFAULT.host ) ( .Values.pod.use_fqdn.neutron_agent ) }}
+mkdir -p /tmp/pod-shared
+tee > /tmp/pod-shared/neutron-agent.ini << EOF
+[DEFAULT]
+host = $(hostname --fqdn)
+EOF
+{{- end }}
+
+if $BESTEFFORT; then
+  exit 0
+fi
diff --git a/charts/neutron/templates/bin/_neutron-sriov-agent.sh.tpl b/charts/neutron/templates/bin/_neutron-sriov-agent.sh.tpl
new file mode 100644
index 0000000..982c9e7
--- /dev/null
+++ b/charts/neutron/templates/bin/_neutron-sriov-agent.sh.tpl
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+exec neutron-sriov-nic-agent \
+  --config-file /etc/neutron/neutron.conf \
+  --config-file /etc/neutron/plugins/ml2/ml2_conf.ini \
+{{- if and ( empty .Values.conf.neutron.DEFAULT.host ) ( .Values.pod.use_fqdn.neutron_agent ) }}
+  --config-file /tmp/pod-shared/neutron-agent.ini \
+{{- end }}
+{{- if .Values.conf.plugins.taas.taas.enabled }}
+  --config-file /etc/neutron/plugins/ml2/taas.ini \
+{{- end }}
+  --config-file /etc/neutron/plugins/ml2/sriov_agent.ini
diff --git a/charts/neutron/templates/bin/_neutron-test-force-cleanup.sh.tpl b/charts/neutron/templates/bin/_neutron-test-force-cleanup.sh.tpl
new file mode 100644
index 0000000..90d85dd
--- /dev/null
+++ b/charts/neutron/templates/bin/_neutron-test-force-cleanup.sh.tpl
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+
+if openstack project show "${OS_TEST_PROJECT_NAME}" --domain="${OS_TEST_PROJECT_DOMAIN_NAME}" ; then
+  OS_TEST_PROJECT_ID=$(openstack project show "${OS_TEST_PROJECT_NAME}" -f value -c id --domain="${OS_TEST_PROJECT_DOMAIN_NAME}")
+  ospurge --purge-project "${OS_TEST_PROJECT_ID}"
+  openstack quota set "${OS_TEST_PROJECT_ID}" --networks "${NETWORK_QUOTA}" --ports "${PORT_QUOTA}" --routers "${ROUTER_QUOTA}" --subnets "${SUBNET_QUOTA}" --secgroups "${SEC_GROUP_QUOTA}"
+fi
diff --git a/charts/neutron/templates/bin/_nginx.sh.tpl b/charts/neutron/templates/bin/_nginx.sh.tpl
new file mode 100644
index 0000000..53418a5
--- /dev/null
+++ b/charts/neutron/templates/bin/_nginx.sh.tpl
@@ -0,0 +1,17 @@
+#!/bin/sh
+set -xe
+
+COMMAND="${@:-start}"
+
+start () {
+  envsubst < /etc/nginx/nginx.conf > /tmp/nginx.conf
+  cat /tmp/nginx.conf
+  nginx -t -c /tmp/nginx.conf
+  exec nginx -c /tmp/nginx.conf
+}
+
+stop () {
+  nginx -s stop
+}
+
+$COMMAND
diff --git a/charts/neutron/templates/certificates.yaml b/charts/neutron/templates/certificates.yaml
new file mode 100644
index 0000000..f65396d
--- /dev/null
+++ b/charts/neutron/templates/certificates.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.certificates -}}
+{{  dict "envAll" . "service" "network" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
+{{- end -}}
diff --git a/charts/neutron/templates/configmap-bin.yaml b/charts/neutron/templates/configmap-bin.yaml
new file mode 100644
index 0000000..2a6b9cf
--- /dev/null
+++ b/charts/neutron/templates/configmap-bin.yaml
@@ -0,0 +1,102 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+{{- $rallyTests := .Values.conf.rally_tests }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: neutron-bin
+data:
+{{- if .Values.images.local_registry.active }}
+  image-repo-sync.sh: |
+{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
+{{- end }}
+{{- if .Values.bootstrap.enabled }}
+  bootstrap.sh: |
+{{ tuple "bin/_bootstrap.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+  rally-test.sh: |
+{{ tuple $rallyTests | include "helm-toolkit.scripts.rally_test" | indent 4 }}
+  db-init.py: |
+{{- include "helm-toolkit.scripts.db_init" . | indent 4 }}
+  db-sync.sh: |
+{{ tuple "bin/_db-sync.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  db-drop.py: |
+{{- include "helm-toolkit.scripts.db_drop" . | indent 4 }}
+  ks-service.sh: |
+{{- include "helm-toolkit.scripts.keystone_service" . | indent 4 }}
+  ks-endpoints.sh: |
+{{- include "helm-toolkit.scripts.keystone_endpoints" . | indent 4 }}
+  ks-user.sh: |
+{{- include "helm-toolkit.scripts.keystone_user" . | indent 4 }}
+  health-probe.py: |
+{{ tuple "bin/_health-probe.py.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  neutron-dhcp-agent.sh: |
+{{ tuple "bin/_neutron-dhcp-agent.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  neutron-dhcp-agent-init.sh: |
+{{ tuple "bin/_neutron-dhcp-agent-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  neutron-l3-agent.sh: |
+{{ tuple "bin/_neutron-l3-agent.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  neutron-l3-agent-init.sh: |
+{{ tuple "bin/_neutron-l3-agent-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  neutron-linuxbridge-agent.sh: |
+{{ tuple "bin/_neutron-linuxbridge-agent.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  neutron-linuxbridge-agent-init.sh: |
+{{ tuple "bin/_neutron-linuxbridge-agent-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  neutron-linuxbridge-agent-init-modules.sh: |
+{{ tuple "bin/_neutron-linuxbridge-agent-init-modules.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  neutron-metadata-agent.sh: |
+{{ tuple "bin/_neutron-metadata-agent.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  neutron-metadata-agent-init.sh: |
+{{ tuple "bin/_neutron-metadata-agent-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  neutron-openvswitch-agent.sh: |
+{{ tuple "bin/_neutron-openvswitch-agent.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  neutron-openvswitch-agent-init.sh: |
+{{ tuple "bin/_neutron-openvswitch-agent-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  neutron-openvswitch-agent-init-modules.sh: |
+{{ tuple "bin/_neutron-openvswitch-agent-init-modules.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  neutron-openvswitch-agent-readiness.sh: |
+{{ tuple "bin/_neutron-openvswitch-agent-readiness.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  neutron-sriov-agent.sh: |
+{{ tuple "bin/_neutron-sriov-agent.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  neutron-sriov-agent-init.sh: |
+{{ tuple "bin/_neutron-sriov-agent-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  neutron-l2gw-agent.sh: |
+{{ tuple "bin/_neutron-l2gw-agent.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  neutron-bagpipe-bgp.sh: |
+{{ tuple "bin/_neutron-bagpipe-bgp.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  neutron-bagpipe-bgp-init.sh: |
+{{ tuple "bin/_neutron-bagpipe-bgp-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- if .Values.manifests.certificates }}
+  nginx.sh: |
+{{ tuple "bin/_nginx.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+  neutron-server.sh: |
+{{ tuple "bin/_neutron-server.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  neutron-ironic-agent.sh: |
+{{ tuple "bin/_neutron-ironic-agent.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  neutron-netns-cleanup-cron.py: |
+{{ tuple "bin/_neutron-netns-cleanup-cron.py.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  rabbit-init.sh: |
+{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }}
+  neutron-test-force-cleanup.sh: |
+{{ tuple "bin/_neutron-test-force-cleanup.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- if ( has "tungstenfabric" .Values.network.backend ) }}
+  tf-plugin.pth: |
+    /opt/plugin/site-packages
+{{- end }}
+{{- end }}
diff --git a/charts/neutron/templates/configmap-etc.yaml b/charts/neutron/templates/configmap-etc.yaml
new file mode 100644
index 0000000..36af849
--- /dev/null
+++ b/charts/neutron/templates/configmap-etc.yaml
@@ -0,0 +1,299 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if (.Values.global).subchart_release_name }}
+{{- $_ := set . "deployment_name" .Chart.Name }}
+{{- else }}
+{{- $_ := set . "deployment_name" .Release.Name }}
+{{- end }}
+
+{{- define "neutron.configmap.etc" }}
+{{- $configMapName := index . 0 }}
+{{- $envAll := index . 1 }}
+{{- with $envAll }}
+
+{{- if empty $envAll.Values.conf.neutron.keystone_authtoken.auth_uri -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set $envAll.Values.conf.neutron.keystone_authtoken "auth_uri" -}}
+{{- end }}
+
+{{- if empty $envAll.Values.conf.neutron.keystone_authtoken.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set $envAll.Values.conf.neutron.keystone_authtoken "auth_url" -}}
+{{- end }}
+
+{{- if empty .Values.conf.neutron.keystone_authtoken.project_name -}}
+{{- $_ := set .Values.conf.neutron.keystone_authtoken "project_name" .Values.endpoints.identity.auth.neutron.project_name -}}
+{{- end -}}
+{{- if empty $envAll.Values.conf.neutron.keystone_authtoken.project_domain_name -}}
+{{- $_ := set $envAll.Values.conf.neutron.keystone_authtoken "project_domain_name" $envAll.Values.endpoints.identity.auth.neutron.project_domain_name -}}
+{{- end -}}
+{{- if empty $envAll.Values.conf.neutron.keystone_authtoken.user_domain_name -}}
+{{- $_ := set $envAll.Values.conf.neutron.keystone_authtoken "user_domain_name" $envAll.Values.endpoints.identity.auth.neutron.user_domain_name -}}
+{{- end -}}
+{{- if empty $envAll.Values.conf.neutron.keystone_authtoken.username -}}
+{{- $_ := set $envAll.Values.conf.neutron.keystone_authtoken "username" $envAll.Values.endpoints.identity.auth.neutron.username -}}
+{{- end -}}
+{{- if empty $envAll.Values.conf.neutron.keystone_authtoken.password -}}
+{{- $_ := set $envAll.Values.conf.neutron.keystone_authtoken "password" $envAll.Values.endpoints.identity.auth.neutron.password -}}
+{{- end -}}
+{{- if empty $envAll.Values.conf.neutron.keystone_authtoken.region_name -}}
+{{- $_ := set $envAll.Values.conf.neutron.keystone_authtoken "region_name" $envAll.Values.endpoints.identity.auth.neutron.region_name -}}
+{{- end -}}
+
+{{- if empty $envAll.Values.conf.neutron.keystone_authtoken.memcached_servers -}}
+{{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set $envAll.Values.conf.neutron.keystone_authtoken "memcached_servers" -}}
+{{- end }}
+{{- if empty .Values.conf.neutron.keystone_authtoken.memcache_secret_key -}}
+{{- $_ := set .Values.conf.neutron.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
+{{- end -}}
+
+{{- if empty $envAll.Values.conf.neutron.database.connection -}}
+{{- $connection := tuple "oslo_db" "internal" "neutron" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.neutron.database "connection" -}}
+{{- else -}}
+{{- $_ := set .Values.conf.neutron.database "connection" $connection -}}
+{{- end -}}
+{{- end }}
+
+{{- if empty $envAll.Values.conf.neutron.DEFAULT.transport_url -}}
+{{- $_ := tuple "oslo_messaging" "internal" "neutron" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" | set $envAll.Values.conf.neutron.DEFAULT "transport_url" -}}
+{{- end }}
+
+{{- if empty $envAll.Values.conf.neutron.nova.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set $envAll.Values.conf.neutron.nova "auth_url" -}}
+{{- end }}
+
+{{- if empty $envAll.Values.conf.neutron.nova.region_name -}}
+{{- $_ := set $envAll.Values.conf.neutron.nova "region_name" $envAll.Values.endpoints.identity.auth.nova.region_name -}}
+{{- end -}}
+{{- if empty $envAll.Values.conf.neutron.nova.project_name -}}
+{{- $_ := set $envAll.Values.conf.neutron.nova "project_name" $envAll.Values.endpoints.identity.auth.nova.project_name -}}
+{{- end -}}
+{{- if empty $envAll.Values.conf.neutron.nova.project_domain_name -}}
+{{- $_ := set $envAll.Values.conf.neutron.nova "project_domain_name" $envAll.Values.endpoints.identity.auth.nova.project_domain_name -}}
+{{- end -}}
+{{- if empty $envAll.Values.conf.neutron.nova.user_domain_name -}}
+{{- $_ := set $envAll.Values.conf.neutron.nova "user_domain_name" $envAll.Values.endpoints.identity.auth.nova.user_domain_name -}}
+{{- end -}}
+{{- if empty $envAll.Values.conf.neutron.nova.username -}}
+{{- $_ := set $envAll.Values.conf.neutron.nova "username" $envAll.Values.endpoints.identity.auth.nova.username -}}
+{{- end -}}
+{{- if empty $envAll.Values.conf.neutron.nova.password -}}
+{{- $_ := set $envAll.Values.conf.neutron.nova "password" $envAll.Values.endpoints.identity.auth.nova.password -}}
+{{- end -}}
+
+{{- if empty $envAll.Values.conf.neutron.octavia.base_url -}}
+{{- $_ := tuple "load_balancer" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set $envAll.Values.conf.neutron.octavia "base_url" -}}
+{{- end }}
+
+{{/*
+nova_metadata_ip can go away when Newton is no longer supported, otherwise
+just set it along with nova_metadata_host.
+*/}}
+{{- if empty $envAll.Values.conf.metadata_agent.DEFAULT.nova_metadata_ip -}}
+{{- $_ := tuple "compute_metadata" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" | set $envAll.Values.conf.metadata_agent.DEFAULT "nova_metadata_ip" -}}
+{{- end -}}
+{{- if empty $envAll.Values.conf.metadata_agent.DEFAULT.nova_metadata_host -}}
+{{- $_ := tuple "compute_metadata" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" | set $envAll.Values.conf.metadata_agent.DEFAULT "nova_metadata_host" -}}
+{{- end -}}
+{{- if empty $envAll.Values.conf.metadata_agent.DEFAULT.nova_metadata_port -}}
+{{- $_ := set $envAll.Values.conf.metadata_agent.DEFAULT "nova_metadata_port" 80 -}}
+{{- end -}}
+{{- if empty $envAll.Values.conf.metadata_agent.cache.memcache_servers -}}
+{{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set $envAll.Values.conf.metadata_agent.cache "memcache_servers" -}}
+{{- end -}}
+
+{{- if empty $envAll.Values.conf.neutron.DEFAULT.interface_driver -}}
+{{- $_ := set $envAll.Values "__interface_driver" ( list ) }}
+{{- if ( has "openvswitch" $envAll.Values.network.backend ) -}}
+{{ $__interface_driver := append $envAll.Values.__interface_driver "openvswitch" }}
+{{- $_ := set $envAll.Values "__interface_driver" $__interface_driver }}
+{{- end -}}
+{{- if ( has "linuxbridge" $envAll.Values.network.backend ) -}}
+{{ $__interface_driver := append $envAll.Values.__interface_driver "linuxbridge" }}
+{{- $_ := set $envAll.Values "__interface_driver" $__interface_driver }}
+{{- end -}}
+{{- $_ := set $envAll.Values.conf.neutron.DEFAULT "interface_driver" $envAll.Values.__interface_driver -}}
+{{- end -}}
+
+{{- if empty $envAll.Values.conf.dhcp_agent.DEFAULT.interface_driver -}}
+{{- $_ := set $envAll.Values "__interface_driver" ( list ) }}
+{{- if ( has "openvswitch" $envAll.Values.network.backend ) -}}
+{{ $__interface_driver := append $envAll.Values.__interface_driver "openvswitch" }}
+{{- $_ := set $envAll.Values "__interface_driver" $__interface_driver }}
+{{- end -}}
+{{- if ( has "linuxbridge" $envAll.Values.network.backend ) -}}
+{{ $__interface_driver := append $envAll.Values.__interface_driver "linuxbridge" }}
+{{- $_ := set $envAll.Values "__interface_driver" $__interface_driver }}
+{{- end -}}
+{{- $_ := set $envAll.Values.conf.dhcp_agent.DEFAULT "interface_driver" $envAll.Values.__interface_driver -}}
+{{- end -}}
+
+{{- if empty $envAll.Values.conf.l3_agent.DEFAULT.interface_driver -}}
+{{- $_ := set $envAll.Values "__interface_driver" ( list ) }}
+{{- if ( has "openvswitch" $envAll.Values.network.backend ) -}}
+{{ $__interface_driver := append $envAll.Values.__interface_driver "openvswitch" }}
+{{- $_ := set $envAll.Values "__interface_driver" $__interface_driver }}
+{{- end -}}
+{{- if ( has "linuxbridge" $envAll.Values.network.backend ) -}}
+{{ $__interface_driver := append $envAll.Values.__interface_driver "linuxbridge" }}
+{{- $_ := set $envAll.Values "__interface_driver" $__interface_driver }}
+{{- end -}}
+{{- $_ := set $envAll.Values.conf.l3_agent.DEFAULT "interface_driver" $envAll.Values.__interface_driver -}}
+{{- end -}}
+
+{{- if empty $envAll.Values.conf.plugins.ml2_conf.ml2.mechanism_drivers -}}
+{{- if (contains "vxlan" $envAll.Values.conf.plugins.ml2_conf.ml2.tenant_network_types) -}}
+{{- $_ := set $envAll.Values "__mechanism_drivers" (append $envAll.Values.network.backend "l2population") -}}
+{{- end -}}
+{{- $_ := set $envAll.Values.conf.plugins.ml2_conf.ml2 "mechanism_drivers" ($envAll.Values.__mechanism_drivers | default $envAll.Values.network.backend | uniq) -}}
+{{- end -}}
+
+{{- if empty .Values.conf.neutron.DEFAULT.bind_port -}}
+{{- $_ := tuple "network" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.neutron.DEFAULT "bind_port" -}}
+{{- end -}}
+
+{{- if and (empty .Values.conf.logging.handler_fluent) (has "fluent" .Values.conf.logging.handlers.keys) -}}
+{{- $fluentd_host := tuple "fluentd" "internal" $envAll | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $fluentd_port := tuple "fluentd" "internal" "service" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .deployment_name $fluentd_host $fluentd_port }}
+{{- $handler_fluent := dict "class" "fluent.handler.FluentHandler" "formatter" "fluent" "args" $fluent_args -}}
+{{- $_ := set .Values.conf.logging "handler_fluent" $handler_fluent -}}
+{{- end -}}
+
+{{- if and (empty .Values.conf.logging.formatter_fluent) (has "fluent" .Values.conf.logging.formatters.keys) -}}
+{{- $formatter_fluent := dict "class" "oslo_log.formatters.FluentFormatter" -}}
+{{- $_ := set .Values.conf.logging "formatter_fluent" $formatter_fluent -}}
+{{- end -}}
+
+{{- if .Values.conf.ovs_dpdk.enabled -}}
+{{- $_ := set $envAll.Values.conf.plugins.openvswitch_agent.ovs "datapath_type" "netdev" -}}
+{{- if empty $envAll.Values.conf.plugins.openvswitch_agent.ovs.vhostuser_socket_dir -}}
+{{- $_ := set $envAll.Values.conf.plugins.openvswitch_agent.ovs "vhostuser_socket_dir" "/run/openvswitch/vhostuser" -}}
+{{- end -}}
+{{- end -}}
+
+{{/* Designate DNS driver */}}
+{{- if eq (.Values.conf.neutron.DEFAULT.external_dns_driver | default "") "designate" -}}
+{{- if empty .Values.conf.neutron.designate.project_name -}}
+{{- $_ := set .Values.conf.neutron.designate "project_name" .Values.endpoints.identity.auth.designate.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.neutron.designate.project_domain_name -}}
+{{- $_ := set .Values.conf.neutron.designate "project_domain_name" .Values.endpoints.identity.auth.designate.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.neutron.designate.user_domain_name -}}
+{{- $_ := set .Values.conf.neutron.designate "user_domain_name" .Values.endpoints.identity.auth.designate.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.neutron.designate.username -}}
+{{- $_ := set .Values.conf.neutron.designate "username" .Values.endpoints.identity.auth.designate.username -}}
+{{- end -}}
+{{- if empty .Values.conf.neutron.designate.password -}}
+{{- $_ := set .Values.conf.neutron.designate "password" .Values.endpoints.identity.auth.designate.password -}}
+{{- end -}}
+{{- if empty .Values.conf.neutron.designate.url -}}
+{{- $_ := tuple "dns" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.neutron.designate "url" -}}
+{{- end -}}
+{{- end }}
+
+{{- if (has "baremetal" .Values.network.backend) -}}
+{{- if empty .Values.conf.neutron.ironic.project_name -}}
+{{- $_ := set .Values.conf.neutron.ironic "project_name" .Values.endpoints.identity.auth.ironic.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.neutron.ironic.project_domain_name -}}
+{{- $_ := set .Values.conf.neutron.ironic "project_domain_name" .Values.endpoints.identity.auth.ironic.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.neutron.ironic.user_domain_name -}}
+{{- $_ := set .Values.conf.neutron.ironic "user_domain_name" .Values.endpoints.identity.auth.ironic.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.neutron.ironic.username -}}
+{{- $_ := set .Values.conf.neutron.ironic "username" .Values.endpoints.identity.auth.ironic.username -}}
+{{- end -}}
+{{- if empty .Values.conf.neutron.ironic.password -}}
+{{- $_ := set .Values.conf.neutron.ironic "password" .Values.endpoints.identity.auth.ironic.password -}}
+{{- end -}}
+{{- end -}}
+
+{{- if ( has "tungstenfabric" .Values.network.backend ) -}}
+{{- if empty .Values.conf.plugins.tungstenfabric.KEYSTONE.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.plugins.tungstenfabric.KEYSTONE "auth_url" -}}
+{{- end -}}
+{{- if empty .Values.conf.plugins.tungstenfabric.KEYSTONE.admin_user -}}
+{{- $_ := set .Values.conf.plugins.tungstenfabric.KEYSTONE "admin_user" .Values.endpoints.identity.auth.admin.username -}}
+{{- end -}}
+{{- if empty .Values.conf.plugins.tungstenfabric.KEYSTONE.admin_password -}}
+{{- $_ := set .Values.conf.plugins.tungstenfabric.KEYSTONE "admin_password" .Values.endpoints.identity.auth.admin.password -}}
+{{- end -}}
+{{- if empty .Values.conf.plugins.tungstenfabric.KEYSTONE.admin_tenant_name -}}
+{{- $_ := set .Values.conf.plugins.tungstenfabric.KEYSTONE "admin_tenant_name" .Values.endpoints.identity.auth.admin.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.plugins.tf_vnc_api_lib.auth.AUTHN_SERVER -}}
+{{- $_ := tuple "identity" . | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" | set .Values.conf.plugins.tf_vnc_api_lib.auth "AUTHN_SERVER" -}}
+{{- end -}}
+{{- if empty .Values.conf.plugins.tf_vnc_api_lib.auth.AUTHN_PORT -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.plugins.tf_vnc_api_lib.auth "AUTHN_PORT" -}}
+{{- end -}}
+{{- if empty .Values.conf.plugins.tf_vnc_api_lib.auth.AUTHN_DOMAIN -}}
+{{- $_ := set .Values.conf.plugins.tf_vnc_api_lib.auth "AUTHN_DOMAIN" .Values.endpoints.identity.auth.neutron.project_domain_name -}}
+{{- end -}}
+{{- end -}}
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $configMapName }}
+type: Opaque
+data:
+  rally_tests.yaml: {{ toYaml $envAll.Values.conf.rally_tests.tests | b64enc }}
+  api-paste.ini: {{ include "helm-toolkit.utils.to_ini" $envAll.Values.conf.paste | b64enc }}
+  policy.yaml: {{ toYaml $envAll.Values.conf.policy | b64enc }}
+  neutron.conf: {{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.neutron | b64enc }}
+  logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
+  api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
+  dhcp_agent.ini: {{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.dhcp_agent | b64enc }}
+  l3_agent.ini: {{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.l3_agent | b64enc }}
+  metadata_agent.ini: {{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.metadata_agent | b64enc }}
+  metering_agent.ini: {{ default "\"\"" (include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.metering_agent | b64enc) }}
+  taas_plugin.ini: {{ default "\"\"" (include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.taas_plugin | b64enc) }}
+  ml2_conf.ini: {{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.plugins.ml2_conf | b64enc }}
+  ml2_conf_sriov.ini: {{ default "\"\"" (include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.plugins.ml2_conf_sriov | b64enc) }}
+  taas.ini: {{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.plugins.taas | b64enc }}
+  l2gw_plugin.ini: {{ default "\"\"" (include "helm-toolkit.utils.to_oslo_conf" .Values.conf.plugins.l2gateway | b64enc) }}
+  macvtap_agent.ini: {{ default "\"\"" (include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.plugins.macvtap_agent | b64enc) }}
+  linuxbridge_agent.ini: {{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.plugins.linuxbridge_agent | b64enc }}
+  openvswitch_agent.ini: {{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.plugins.openvswitch_agent | b64enc }}
+  sriov_agent.ini: {{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.plugins.sriov_agent | b64enc }}
+  l2gw_agent.ini: {{ default "\"\"" (include "helm-toolkit.utils.to_oslo_conf" .Values.conf.l2gateway_agent | b64enc) }}
+  bagpipe_bgp.conf: {{ default "\"\"" (include "helm-toolkit.utils.to_oslo_conf" .Values.conf.bagpipe_bgp | b64enc) }}
+  tf_plugin.ini: {{ default "\"\"" (include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.plugins.tungstenfabric | b64enc) }}
+  vnc_api_lib.ini: {{ default "\"\"" (include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.plugins.tf_vnc_api_lib | b64enc) }}
+  dnsmasq.conf: "{{ $envAll.Values.conf.dnsmasq | b64enc }}"
+  neutron_sudoers: {{ $envAll.Values.conf.neutron_sudoers | b64enc }}
+  rootwrap.conf: {{ $envAll.Values.conf.rootwrap | b64enc }}
+  auto_bridge_add: {{ toJson $envAll.Values.conf.auto_bridge_add | b64enc }}
+  dpdk.conf: {{ toJson $envAll.Values.conf.ovs_dpdk | b64enc }}
+  update_dpdk_bond_config: {{ $envAll.Values.conf.ovs_dpdk.update_dpdk_bond_config | toString | b64enc }}
+{{-  if .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.values_template_renderer" ( dict "envAll" $envAll "template" .Values.conf.nginx "key" "nginx.conf" "format" "Secret" ) | indent 2 }}
+{{- end }}
+{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+{{- $filePrefix := replace "_" "-"  $key }}
+  {{ printf "%s.filters" $filePrefix }}: {{ $value.content | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.configmap_etc }}
+{{- list "neutron-etc" . | include "neutron.configmap.etc" }}
+{{- end }}
diff --git a/charts/neutron/templates/daemonset-bagpipe-bgp.yaml b/charts/neutron/templates/daemonset-bagpipe-bgp.yaml
new file mode 100644
index 0000000..9e6393e
--- /dev/null
+++ b/charts/neutron/templates/daemonset-bagpipe-bgp.yaml
@@ -0,0 +1,181 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "bagpipeBgpLivenessProbeTemplate" }}
+tcpSocket:
+  port: {{ tuple "network" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- end }}
+
+{{- define "bagpipeBgpReadinessProbeTemplate" }}
+tcpSocket:
+  port: {{ tuple "network" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- end }}
+
+{{- define "neutron.bagpipe_bgp.daemonset" }}
+{{- $daemonset := index . 0 }}
+{{- $configMapName := index . 1 }}
+{{- $serviceAccountName := index . 2 }}
+{{- $envAll := index . 3 }}
+{{- with $envAll }}
+
+{{- $mounts_neutron_bagpipe_bgp := .Values.pod.mounts.bagpipe_bgp.bagpipe_bgp }}
+{{- $mounts_neutron_bagpipe_bgp_init := .Values.pod.mounts.bagpipe_bgp.init_container }}
+
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: bagpipe-bgp
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "neutron" "bagpipe-bgp" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  selector:
+    matchLabels:
+{{ tuple $envAll "neutron" "bagpipe-bgp" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll "bagpipe_bgp" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "neutron" "bagpipe-bgp" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+    spec:
+{{ dict "envAll" $envAll "application" "neutron_bagpipe_bgp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      serviceAccountName: {{ $serviceAccountName }}
+{{ if $envAll.Values.pod.tolerations.neutron.enabled }}
+{{ tuple $envAll "neutron" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+      nodeSelector:
+        {{ .Values.labels.bagpipe_bgp.node_selector_key }}: {{ .Values.labels.bagpipe_bgp.node_selector_value }}
+      dnsPolicy: ClusterFirstWithHostNet
+      hostNetwork: true
+      {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+      shareProcessNamespace: true
+      {{- else }}
+      hostPID: true
+      {{- end }}
+      initContainers:
+{{ tuple $envAll "pod_dependency" $mounts_neutron_bagpipe_bgp_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: neutron-bagpipe-bgp-init
+{{ tuple $envAll "neutron_bagpipe_bgp" | include "helm-toolkit.snippets.image" | indent 10 }}
+          securityContext:
+            privileged: true
+            runAsUser: 0
+          command:
+            - /tmp/neutron-bagpipe-bgp-init.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: neutron-bin
+              mountPath: /tmp/neutron-bagpipe-bgp-init.sh
+              subPath: neutron-bagpipe-bgp-init.sh
+              readOnly: true
+            - name: run
+              mountPath: /run
+      containers:
+        - name: neutron-bagpipe-bgp
+{{ tuple $envAll "neutron_bagpipe_bgp" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.agent.bagpipe_bgp | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "neutron_bagpipe_bgp" "container" "neutron_bagpipe_bgp" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ dict "envAll" $envAll "component" "bagpipe_bgp" "container" "bagpipe_bgp" "type" "liveness" "probeTemplate" (include "bagpipeBgpLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" $envAll "component" "bagpipe_bgp" "container" "bagpipe_bgp" "type" "readiness" "probeTemplate" (include "bagpipeBgpReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+          command:
+            - /tmp/neutron-bagpipe-bgp.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: pod-var-neutron
+              mountPath: {{ .Values.conf.neutron.DEFAULT.state_path }}
+            - name: neutron-bin
+              mountPath: /tmp/neutron-bagpipe-bgp.sh
+              subPath: neutron-bagpipe-bgp.sh
+              readOnly: true
+            - name: neutron-bin
+              mountPath: /tmp/health-probe.py
+              subPath: health-probe.py
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /tmp/auto_bridge_add
+              subPath: auto_bridge_add
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/bagpipe-bgp/bgp.conf
+              subPath: bagpipe_bgp.conf
+              readOnly: true
+            - name: neutron-etc
+              # NOTE (Portdirect): We mount here to override Kollas
+              # custom sudoers file when using Kolla images, this
+              # location will also work fine for other images.
+              mountPath: /etc/sudoers.d/kolla_neutron_sudoers
+              subPath: neutron_sudoers
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/rootwrap.conf
+              subPath: rootwrap.conf
+              readOnly: true
+            {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+            {{- if ( has "bagpipe_bgp" $value.pods ) }}
+            {{- $filePrefix := replace "_" "-"  $key }}
+            {{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
+            - name: neutron-etc
+              mountPath: {{ $rootwrapFile }}
+              subPath: {{ base $rootwrapFile }}
+              readOnly: true
+            {{- end }}
+            {{- end }}
+            - name: libmodules
+              mountPath: /lib/modules
+              readOnly: true
+            - name: run
+              mountPath: /run
+{{ if $mounts_neutron_bagpipe_bgp.volumeMounts }}{{ toYaml $mounts_neutron_bagpipe_bgp.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: pod-var-neutron
+          emptyDir: {}
+        - name: neutron-bin
+          configMap:
+            name: neutron-bin
+            defaultMode: 0555
+        - name: neutron-etc
+          secret:
+            secretName: {{ $configMapName }}
+            defaultMode: 0444
+        - name: libmodules
+          hostPath:
+            path: /lib/modules
+        - name: run
+          hostPath:
+            path: /run
+{{ if $mounts_neutron_bagpipe_bgp.volumes }}{{ toYaml $mounts_neutron_bagpipe_bgp.volumes | indent 8 }}{{ end }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.daemonset_bagpipe_bgp }}
+{{- $envAll := . }}
+{{- $daemonset := "bagpipe-bgp" }}
+{{- $configMapName := "neutron-etc" }}
+{{- $serviceAccountName := "neutron-bagpipe-bgp" }}
+{{- $dependencyOpts := dict "envAll" $envAll "dependencyMixinParam" $envAll.Values.network.backend "dependencyKey" "bagpipe_bgp" -}}
+{{- $_ := include "helm-toolkit.utils.dependency_resolver" $dependencyOpts | toString | fromYaml }}
+{{ tuple $envAll "pod_dependency" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+{{- $daemonset_yaml := list $daemonset $configMapName $serviceAccountName . | include "neutron.bagpipe_bgp.daemonset" | toString | fromYaml }}
+{{- $configmap_yaml := "neutron.configmap.etc" }}
+{{- list $daemonset $daemonset_yaml $configmap_yaml $configMapName . | include "helm-toolkit.utils.daemonset_overrides" }}
+{{- end }}
diff --git a/charts/neutron/templates/daemonset-dhcp-agent.yaml b/charts/neutron/templates/daemonset-dhcp-agent.yaml
new file mode 100644
index 0000000..f2a5a85
--- /dev/null
+++ b/charts/neutron/templates/daemonset-dhcp-agent.yaml
@@ -0,0 +1,292 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "dhcpAgentReadinessProbeTemplate" }}
+exec:
+  command:
+    - python
+    - /tmp/health-probe.py
+    - --config-file
+    - /etc/neutron/neutron.conf
+    - --config-file
+    - /etc/neutron/dhcp_agent.ini
+    - --agent-queue-name
+    - dhcp_agent
+{{- if .Values.pod.use_fqdn.neutron_agent }}
+    - --use-fqdn
+{{- end }}
+{{- end }}
+{{- define "dhcpAgentLivenessProbeTemplate" }}
+exec:
+  command:
+    - python
+    - /tmp/health-probe.py
+    - --config-file
+    - /etc/neutron/neutron.conf
+    - --config-file
+    - /etc/neutron/dhcp_agent.ini
+    - --agent-queue-name
+    - dhcp_agent
+{{- if .Values.pod.use_fqdn.neutron_agent }}
+    - --use-fqdn
+{{- end }}
+{{- end }}
+
+{{- define "neutron.dhcp_agent.daemonset" }}
+{{- $daemonset := index . 0 }}
+{{- $configMapName := index . 1 }}
+{{- $serviceAccountName := index . 2 }}
+{{- $envAll := index . 3 }}
+{{- with $envAll }}
+
+{{- $mounts_neutron_dhcp_agent := .Values.pod.mounts.neutron_dhcp_agent.neutron_dhcp_agent }}
+{{- $mounts_neutron_dhcp_agent_init := .Values.pod.mounts.neutron_dhcp_agent.init_container }}
+
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: neutron-dhcp-agent
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "neutron" "dhcp-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  selector:
+    matchLabels:
+{{ tuple $envAll "neutron" "dhcp-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll "dhcp_agent" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "neutron" "dhcp-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "neutron-dhcp-agent-default" "containerNames" (list "neutron-dhcp-agent" "neutron-dhcp-agent-init" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+{{ dict "envAll" $envAll "application" "neutron_dhcp_agent" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      serviceAccountName: {{ $serviceAccountName }}
+{{ if $envAll.Values.pod.tolerations.neutron.enabled }}
+{{ tuple $envAll "neutron" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+      nodeSelector:
+        {{ .Values.labels.agent.dhcp.node_selector_key }}: {{ .Values.labels.agent.dhcp.node_selector_value }}
+      dnsPolicy: ClusterFirstWithHostNet
+      hostNetwork: true
+      {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+      shareProcessNamespace: true
+      {{- else }}
+      hostPID: true
+      {{- end }}
+      initContainers:
+{{ tuple $envAll "pod_dependency" $mounts_neutron_dhcp_agent_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: neutron-dhcp-agent-init
+{{ tuple $envAll "neutron_dhcp" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.agent.dhcp | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "neutron_dhcp_agent" "container" "neutron_dhcp_agent_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/neutron-dhcp-agent-init.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: pod-shared
+              mountPath: /tmp/pod-shared
+            - name: neutron-bin
+              mountPath: /tmp/neutron-dhcp-agent-init.sh
+              subPath: neutron-dhcp-agent-init.sh
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/neutron.conf
+              subPath: neutron.conf
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/dhcp_agent.ini
+              subPath: dhcp_agent.ini
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/metadata_agent.ini
+              subPath: metadata_agent.ini
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
+              subPath: ml2_conf.ini
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/plugins/ml2/openvswitch_agent.ini
+              subPath: openvswitch_agent.ini
+              readOnly: true
+            - name: neutron-etc
+              # NOTE (Portdirect): We mount here to override Kollas
+              # custom sudoers file when using Kolla images, this
+              # location will also work fine for other images.
+              mountPath: /etc/sudoers.d/kolla_neutron_sudoers
+              subPath: neutron_sudoers
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /tmp/auto_bridge_add
+              subPath: auto_bridge_add
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/rootwrap.conf
+              subPath: rootwrap.conf
+              readOnly: true
+            {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+            {{- if ( has "dhcp_agent" $value.pods ) }}
+            {{- $filePrefix := replace "_" "-"  $key }}
+            {{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
+            - name: neutron-etc
+              mountPath: {{ $rootwrapFile }}
+              subPath: {{ base $rootwrapFile }}
+              readOnly: true
+            {{- end }}
+            {{- end }}
+      containers:
+        - name: neutron-dhcp-agent
+{{ tuple $envAll "neutron_dhcp" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.agent.dhcp | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "neutron_dhcp_agent" "container" "neutron_dhcp_agent" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          env:
+            - name: RPC_PROBE_TIMEOUT
+              value: "{{ .Values.pod.probes.rpc_timeout }}"
+            - name: RPC_PROBE_RETRIES
+              value: "{{ .Values.pod.probes.rpc_retries }}"
+{{ dict "envAll" $envAll "component" "dhcp_agent" "container" "dhcp_agent" "type" "readiness" "probeTemplate" (include "dhcpAgentReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" $envAll "component" "dhcp_agent" "container" "dhcp_agent" "type" "liveness" "probeTemplate" (include "dhcpAgentLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+          command:
+            - /tmp/neutron-dhcp-agent.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: pod-shared
+              mountPath: /tmp/pod-shared
+            - name: pod-var-neutron
+              mountPath: {{ .Values.conf.neutron.DEFAULT.state_path }}
+            - name: neutron-bin
+              mountPath: /tmp/neutron-dhcp-agent.sh
+              subPath: neutron-dhcp-agent.sh
+              readOnly: true
+            - name: neutron-bin
+              mountPath: /tmp/health-probe.py
+              subPath: health-probe.py
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/neutron.conf
+              subPath: neutron.conf
+              readOnly: true
+            {{- if .Values.conf.neutron.DEFAULT.log_config_append }}
+            - name: neutron-etc
+              mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.neutron.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+            - name: neutron-etc
+              mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
+              subPath: ml2_conf.ini
+              readOnly: true
+            {{- if ( has "openvswitch" .Values.network.backend ) }}
+            - name: neutron-etc
+              mountPath: /etc/neutron/plugins/ml2/openvswitch_agent.ini
+              subPath: openvswitch_agent.ini
+              readOnly: true
+            {{- end }}
+            - name: neutron-etc
+              mountPath: /etc/neutron/dhcp_agent.ini
+              subPath: dhcp_agent.ini
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/dnsmasq.conf
+              subPath: dnsmasq.conf
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/metadata_agent.ini
+              subPath: metadata_agent.ini
+              readOnly: true
+            - name: neutron-etc
+              # NOTE (Portdirect): We mount here to override Kollas
+              # custom sudoers file when using Kolla images, this
+              # location will also work fine for other images.
+              mountPath: /etc/sudoers.d/kolla_neutron_sudoers
+              subPath: neutron_sudoers
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/rootwrap.conf
+              subPath: rootwrap.conf
+              readOnly: true
+            {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+            {{- if ( has "dhcp_agent" $value.pods ) }}
+            {{- $filePrefix := replace "_" "-"  $key }}
+            {{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
+            - name: neutron-etc
+              mountPath: {{ $rootwrapFile }}
+              subPath: {{ base $rootwrapFile }}
+              readOnly: true
+            {{- end }}
+            {{- end }}
+            - name: iptables-lockfile
+              mountPath: /run/xtables.lock
+            - name: socket
+              mountPath: /var/lib/neutron/openstack-helm
+            {{- if .Values.network.share_namespaces }}
+            - name: host-run-netns
+              mountPath: /run/netns
+              mountPropagation: Bidirectional
+            {{- end }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_neutron_dhcp_agent.volumeMounts }}{{ toYaml $mounts_neutron_dhcp_agent.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: pod-var-neutron
+          emptyDir: {}
+        - name: neutron-bin
+          configMap:
+            name: neutron-bin
+            defaultMode: 0555
+        - name: neutron-etc
+          secret:
+            secretName: {{ $configMapName }}
+            defaultMode: 0444
+        - name: iptables-lockfile
+          hostPath:
+            path: /run/xtables.lock
+            type: FileOrCreate
+        - name: socket
+          hostPath:
+            path: /var/lib/neutron/openstack-helm
+        - name: pod-shared
+          emptyDir: {}
+        {{- if .Values.network.share_namespaces }}
+        - name: host-run-netns
+          hostPath:
+            path: /run/netns
+        {{- end }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_neutron_dhcp_agent.volumes }}{{ toYaml $mounts_neutron_dhcp_agent.volumes | indent 8 }}{{ end }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.daemonset_dhcp_agent }}
+{{- $envAll := . }}
+{{- $daemonset := "dhcp-agent" }}
+{{- $configMapName := "neutron-etc" }}
+{{- $serviceAccountName := "neutron-dhcp-agent" }}
+{{- $dependencyOpts := dict "envAll" $envAll "dependencyMixinParam" $envAll.Values.network.backend "dependencyKey" "dhcp" -}}
+{{- $_ := include "helm-toolkit.utils.dependency_resolver" $dependencyOpts | toString | fromYaml }}
+{{ tuple $envAll "pod_dependency" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+{{- $daemonset_yaml := list $daemonset $configMapName $serviceAccountName . | include "neutron.dhcp_agent.daemonset" | toString | fromYaml }}
+{{- $configmap_yaml := "neutron.configmap.etc" }}
+{{- list $daemonset $daemonset_yaml $configmap_yaml $configMapName . | include "helm-toolkit.utils.daemonset_overrides" }}
+{{- end }}
diff --git a/charts/neutron/templates/daemonset-l2gw-agent.yaml b/charts/neutron/templates/daemonset-l2gw-agent.yaml
new file mode 100644
index 0000000..2bb2fdc
--- /dev/null
+++ b/charts/neutron/templates/daemonset-l2gw-agent.yaml
@@ -0,0 +1,169 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "l2gwAgentLivenessProbeTemplate" }}
+exec:
+  command:
+    - python
+    - /tmp/health-probe.py
+    - --config-file
+    - /etc/neutron/neutron.conf
+    - --config-file
+    - /etc/neutron/l2gw_agent.ini
+    - --agent-queue-name
+    - l2gateway_agent
+    - --liveness-probe
+{{- if .Values.pod.use_fqdn.neutron_agent }}
+    - --use-fqdn
+{{- end }}
+{{- end }}
+
+{{- define "l2gwAgentReadinessProbeTemplate" }}
+exec:
+  command:
+    - python
+    - /tmp/health-probe.py
+    - --config-file
+    - /etc/neutron/neutron.conf
+    - --config-file
+    - /etc/neutron/l2gw_agent.ini
+    - --agent-queue-name
+    - l2gateway_agent
+{{- if .Values.pod.use_fqdn.neutron_agent }}
+    - --use-fqdn
+{{- end }}
+{{- end }}
+
+{{- define "neutron.l2gw_agent.daemonset" }}
+{{- $daemonset := index . 0 }}
+{{- $configMapName := index . 1 }}
+{{- $serviceAccountName := index . 2 }}
+{{- $envAll := index . 3 }}
+{{- with $envAll }}
+
+{{- $mounts_neutron_l2gw_agent := .Values.pod.mounts.neutron_l2gw_agent.neutron_l2gw_agent }}
+{{- $mounts_neutron_l2gw_agent_init := .Values.pod.mounts.neutron_l2gw_agent.init_container }}
+
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: neutron-l2gw-agent
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "neutron" "l2gw-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  selector:
+    matchLabels:
+{{ tuple $envAll "neutron" "l2gw-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll "l2gw_agent" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "neutron" "l2gw-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+    spec:
+{{ dict "envAll" $envAll "application" "neutron_l2gw_agent" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      serviceAccountName: {{ $serviceAccountName }}
+{{ if $envAll.Values.pod.tolerations.neutron.enabled }}
+{{ tuple $envAll "neutron" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+      nodeSelector:
+        {{ .Values.labels.agent.l2gw.node_selector_key }}: {{ .Values.labels.agent.l2gw.node_selector_value }}
+      dnsPolicy: ClusterFirstWithHostNet
+      hostNetwork: true
+      {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+      shareProcessNamespace: true
+      {{- else }}
+      hostPID: true
+      {{- end }}
+      initContainers:
+{{ tuple $envAll "pod_dependency" $mounts_neutron_l2gw_agent_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: neutron-l2gw-agent
+{{ tuple $envAll "neutron_l2gw" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.agent.l2gw | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "neutron_l2gw_agent" "container" "neutron_l2gw_agent" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          env:
+            - name: RPC_PROBE_TIMEOUT
+              value: "{{ .Values.pod.probes.rpc_timeout }}"
+            - name: RPC_PROBE_RETRIES
+              value: "{{ .Values.pod.probes.rpc_retries }}"
+{{ dict "envAll" $envAll "component" "l2gw_agent" "container" "l2gw_agent" "type" "liveness" "probeTemplate" (include "l2gwAgentLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" $envAll "component" "l2gw_agent" "container" "l2gw_agent" "type" "readiness" "probeTemplate" (include "l2gwAgentReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+          command:
+            - /tmp/neutron-l2gw-agent.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: pod-var-neutron
+              mountPath: {{ .Values.conf.neutron.DEFAULT.state_path }}
+            - name: neutron-bin
+              mountPath: /tmp/neutron-l2gw-agent.sh
+              subPath: neutron-l2gw-agent.sh
+              readOnly: true
+            - name: neutron-bin
+              mountPath: /tmp/health-probe.py
+              subPath: health-probe.py
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/neutron.conf
+              subPath: neutron.conf
+              readOnly: true
+            {{- if .Values.conf.neutron.DEFAULT.log_config_append }}
+            - name: neutron-etc
+              mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.neutron.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+            - name: neutron-etc
+              mountPath: /etc/neutron/l2gw_agent.ini
+              subPath: l2gw_agent.ini
+              readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_neutron_l2gw_agent.volumeMounts }}{{ toYaml $mounts_neutron_l2gw_agent.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: pod-var-neutron
+          emptyDir: {}
+        - name: neutron-bin
+          configMap:
+            name: neutron-bin
+            defaultMode: 0555
+        - name: neutron-etc
+          secret:
+            secretName: {{ $configMapName }}
+            defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_neutron_l2gw_agent.volumes }}{{ toYaml $mounts_neutron_l2gw_agent.volumes | indent 8 }}{{ end }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.daemonset_l2gw_agent }}
+{{- $envAll := . }}
+{{- $daemonset := "l2gw-agent" }}
+{{- $configMapName := "neutron-etc" }}
+{{- $serviceAccountName := "neutron-l2gw-agent" }}
+{{- $dependencyOpts := dict "envAll" $envAll "dependencyMixinParam" $envAll.Values.network.backend "dependencyKey" "l2gateway" -}}
+{{- $_ := include "helm-toolkit.utils.dependency_resolver" $dependencyOpts | toString | fromYaml }}
+{{ tuple $envAll "pod_dependency" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+{{- $daemonset_yaml := list $daemonset $configMapName $serviceAccountName . | include "neutron.l2gw_agent.daemonset" | toString | fromYaml }}
+{{- $configmap_yaml := "neutron.configmap.etc" }}
+{{- list $daemonset $daemonset_yaml $configmap_yaml $configMapName . | include "helm-toolkit.utils.daemonset_overrides" }}
+{{- end }}
diff --git a/charts/neutron/templates/daemonset-l3-agent.yaml b/charts/neutron/templates/daemonset-l3-agent.yaml
new file mode 100644
index 0000000..65cfe09
--- /dev/null
+++ b/charts/neutron/templates/daemonset-l3-agent.yaml
@@ -0,0 +1,295 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "l3AgentReadinessProbeTemplate" }}
+exec:
+  command:
+    - python
+    - /tmp/health-probe.py
+    - --config-file
+    - /etc/neutron/neutron.conf
+    - --config-file
+    - /etc/neutron/l3_agent.ini
+    - --agent-queue-name
+    - l3_agent
+{{- if .Values.pod.use_fqdn.neutron_agent }}
+    - --use-fqdn
+{{- end }}
+{{- end }}
+{{- define "l3AgentLivenessProbeTemplate" }}
+exec:
+  command:
+    - python
+    - /tmp/health-probe.py
+    - --config-file
+    - /etc/neutron/neutron.conf
+    - --config-file
+    - /etc/neutron/l3_agent.ini
+    - --agent-queue-name
+    - l3_agent
+    - --liveness-probe
+{{- if .Values.pod.use_fqdn.neutron_agent }}
+    - --use-fqdn
+{{- end }}
+{{- end }}
+
+{{- define "neutron.l3_agent.daemonset" }}
+{{- $daemonset := index . 0 }}
+{{- $configMapName := index . 1 }}
+{{- $serviceAccountName := index . 2 }}
+{{- $envAll := index . 3 }}
+{{- with $envAll }}
+
+{{- $mounts_neutron_l3_agent := .Values.pod.mounts.neutron_l3_agent.neutron_l3_agent }}
+{{- $mounts_neutron_l3_agent_init := .Values.pod.mounts.neutron_l3_agent.init_container }}
+
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: neutron-l3-agent
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "neutron" "l3-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  selector:
+    matchLabels:
+{{ tuple $envAll "neutron" "l3-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll "l3_agent" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "neutron" "l3-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "neutron-l3-agent-default" "containerNames" (list "neutron-l3-agent" "init"  "neutron-l3-agent-init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+{{ dict "envAll" $envAll "application" "neutron_l3_agent" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      serviceAccountName: {{ $serviceAccountName }}
+{{ if $envAll.Values.pod.tolerations.neutron.enabled }}
+{{ tuple $envAll "neutron" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+      nodeSelector:
+        {{ .Values.labels.agent.l3.node_selector_key }}: {{ .Values.labels.agent.l3.node_selector_value }}
+      dnsPolicy: ClusterFirstWithHostNet
+      hostNetwork: true
+      {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+      shareProcessNamespace: true
+      {{- else }}
+      hostPID: true
+      {{- end }}
+      initContainers:
+{{ tuple $envAll "pod_dependency" $mounts_neutron_l3_agent_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: neutron-l3-agent-init
+{{ tuple $envAll "neutron_l3" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.agent.l3 | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "neutron_l3_agent" "container" "neutron_l3_agent_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/neutron-l3-agent-init.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: neutron-bin
+              mountPath: /tmp/neutron-l3-agent-init.sh
+              subPath: neutron-l3-agent-init.sh
+              readOnly: true
+            - name: pod-shared
+              mountPath: /tmp/pod-shared
+            - name: neutron-etc
+              mountPath: /etc/neutron/l3_agent.ini
+              subPath: l3_agent.ini
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/neutron.conf
+              subPath: neutron.conf
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/metadata_agent.ini
+              subPath: metadata_agent.ini
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
+              subPath: ml2_conf.ini
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/plugins/ml2/openvswitch_agent.ini
+              subPath: openvswitch_agent.ini
+              readOnly: true
+            - name: neutron-etc
+              # NOTE (Portdirect): We mount here to override Kollas
+              # custom sudoers file when using Kolla images, this
+              # location will also work fine for other images.
+              mountPath: /etc/sudoers.d/kolla_neutron_sudoers
+              subPath: neutron_sudoers
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /tmp/auto_bridge_add
+              subPath: auto_bridge_add
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/rootwrap.conf
+              subPath: rootwrap.conf
+              readOnly: true
+            {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+            {{- if ( has "l3_agent" $value.pods ) }}
+            {{- $filePrefix := replace "_" "-"  $key }}
+            {{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
+            - name: neutron-etc
+              mountPath: {{ $rootwrapFile }}
+              subPath: {{ base $rootwrapFile }}
+              readOnly: true
+            {{- end }}
+            {{- end }}
+      containers:
+        - name: neutron-l3-agent
+{{ tuple $envAll "neutron_l3" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.agent.l3 | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "neutron_l3_agent" "container" "neutron_l3_agent" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          env:
+            - name: RPC_PROBE_TIMEOUT
+              value: "{{ .Values.pod.probes.rpc_timeout }}"
+            - name: RPC_PROBE_RETRIES
+              value: "{{ .Values.pod.probes.rpc_retries }}"
+{{ dict "envAll" $envAll "component" "l3_agent" "container" "l3_agent" "type" "readiness" "probeTemplate" (include "l3AgentReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" $envAll "component" "l3_agent" "container" "l3_agent" "type" "liveness" "probeTemplate" (include "l3AgentLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+          command:
+            - /tmp/neutron-l3-agent.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: pod-shared
+              mountPath: /tmp/pod-shared
+            - name: pod-var-neutron
+              mountPath: {{ .Values.conf.neutron.DEFAULT.state_path }}
+            - name: neutron-bin
+              mountPath: /tmp/neutron-l3-agent.sh
+              subPath: neutron-l3-agent.sh
+              readOnly: true
+            - name: neutron-bin
+              mountPath: /tmp/health-probe.py
+              subPath: health-probe.py
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/neutron.conf
+              subPath: neutron.conf
+              readOnly: true
+            {{- if .Values.conf.neutron.DEFAULT.log_config_append }}
+            - name: neutron-etc
+              mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.neutron.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+            - name: neutron-etc
+              mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
+              subPath: ml2_conf.ini
+              readOnly: true
+            {{- if ( has "openvswitch" .Values.network.backend ) }}
+            - name: neutron-etc
+              mountPath: /etc/neutron/plugins/ml2/openvswitch_agent.ini
+              subPath: openvswitch_agent.ini
+              readOnly: true
+            {{- end }}
+            - name: neutron-etc
+              mountPath: /etc/neutron/l3_agent.ini
+              subPath: l3_agent.ini
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/metadata_agent.ini
+              subPath: metadata_agent.ini
+              readOnly: true
+            - name: neutron-etc
+              # NOTE (Portdirect): We mount here to override Kollas
+              # custom sudoers file when using Kolla images, this
+              # location will also work fine for other images.
+              mountPath: /etc/sudoers.d/kolla_neutron_sudoers
+              subPath: neutron_sudoers
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/rootwrap.conf
+              subPath: rootwrap.conf
+              readOnly: true
+            {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+            {{- if ( has "l3_agent" $value.pods ) }}
+            {{- $filePrefix := replace "_" "-"  $key }}
+            {{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
+            - name: neutron-etc
+              mountPath: {{ $rootwrapFile }}
+              subPath: {{ base $rootwrapFile }}
+              readOnly: true
+            {{- end }}
+            {{- end }}
+            - name: libmodules
+              mountPath: /lib/modules
+              readOnly: true
+            - name: iptables-lockfile
+              mountPath: /run/xtables.lock
+            - name: socket
+              mountPath: /var/lib/neutron/openstack-helm
+            {{- if .Values.network.share_namespaces }}
+            - name: host-run-netns
+              mountPath: /run/netns
+              mountPropagation: Bidirectional
+            {{- end }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_neutron_l3_agent.volumeMounts }}{{ toYaml $mounts_neutron_l3_agent.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: pod-var-neutron
+          emptyDir: {}
+        - name: neutron-bin
+          configMap:
+            name: neutron-bin
+            defaultMode: 0555
+        - name: neutron-etc
+          secret:
+            secretName: {{ $configMapName }}
+            defaultMode: 0444
+        - name: libmodules
+          hostPath:
+            path: /lib/modules
+        - name: iptables-lockfile
+          hostPath:
+            path: /run/xtables.lock
+            type: FileOrCreate
+        - name: pod-shared
+          emptyDir: {}
+        - name: socket
+          hostPath:
+            path: /var/lib/neutron/openstack-helm
+        {{- if .Values.network.share_namespaces }}
+        - name: host-run-netns
+          hostPath:
+            path: /run/netns
+        {{- end }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_neutron_l3_agent.volumes }}{{ toYaml $mounts_neutron_l3_agent.volumes | indent 8 }}{{ end }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.daemonset_l3_agent }}
+{{- $envAll := . }}
+{{- $daemonset := "l3-agent" }}
+{{- $configMapName := "neutron-etc" }}
+{{- $serviceAccountName := "neutron-l3-agent" }}
+{{- $dependencyOpts := dict "envAll" $envAll "dependencyMixinParam" $envAll.Values.network.backend "dependencyKey" "l3" -}}
+{{- $_ := include "helm-toolkit.utils.dependency_resolver" $dependencyOpts | toString | fromYaml }}
+{{ tuple $envAll "pod_dependency" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+{{- $daemonset_yaml := list $daemonset $configMapName $serviceAccountName . | include "neutron.l3_agent.daemonset" | toString | fromYaml }}
+{{- $configmap_yaml := "neutron.configmap.etc" }}
+{{- list $daemonset $daemonset_yaml $configmap_yaml $configMapName . | include "helm-toolkit.utils.daemonset_overrides" }}
+{{- end }}
diff --git a/charts/neutron/templates/daemonset-lb-agent.yaml b/charts/neutron/templates/daemonset-lb-agent.yaml
new file mode 100644
index 0000000..7cb8637
--- /dev/null
+++ b/charts/neutron/templates/daemonset-lb-agent.yaml
@@ -0,0 +1,240 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "lbAgentReadinessProbeTemplate" }}
+exec:
+  command:
+    - bash
+    - -c
+    - 'brctl show'
+{{- end }}
+
+{{- define "neutron.lb_agent.daemonset" }}
+{{- $daemonset := index . 0 }}
+{{- $configMapName := index . 1 }}
+{{- $serviceAccountName := index . 2 }}
+{{- $envAll := index . 3 }}
+{{- with $envAll }}
+
+{{- $mounts_neutron_lb_agent := .Values.pod.mounts.neutron_lb_agent.neutron_lb_agent }}
+{{- $mounts_neutron_lb_agent_init := .Values.pod.mounts.neutron_lb_agent.init_container }}
+
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: neutron-lb-agent
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "neutron" "neutron-lb-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  selector:
+    matchLabels:
+{{ tuple $envAll "neutron" "neutron-lb-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll "lb_agent" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "neutron" "neutron-lb-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+    spec:
+{{ dict "envAll" $envAll "application" "neutron_lb_agent" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      serviceAccountName: {{ $serviceAccountName }}
+{{ if $envAll.Values.pod.tolerations.neutron.enabled }}
+{{ tuple $envAll "neutron" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+      nodeSelector:
+        {{ .Values.labels.lb.node_selector_key }}: {{ .Values.labels.lb.node_selector_value }}
+      dnsPolicy: ClusterFirstWithHostNet
+      hostNetwork: true
+      {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+      shareProcessNamespace: true
+      {{- else }}
+      hostPID: true
+      {{- end }}
+      initContainers:
+{{ tuple $envAll "pod_dependency" $mounts_neutron_lb_agent_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: neutron-lb-agent-kernel-modules
+{{ tuple $envAll "neutron_linuxbridge_agent" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "neutron_lb_agent" "container" "neutron_lb_agent_kernel_modules" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/neutron-linuxbridge-agent-init-modules.sh
+          volumeMounts:
+            - name: neutron-bin
+              mountPath: /tmp/neutron-linuxbridge-agent-init-modules.sh
+              subPath: neutron-linuxbridge-agent-init-modules.sh
+              readOnly: true
+            - name: host-rootfs
+              mountPath: /mnt/host-rootfs
+              mountPropagation: HostToContainer
+              readOnly: true
+        - name: neutron-lb-agent-init
+{{ tuple $envAll "neutron_linuxbridge_agent" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.agent.lb | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "neutron_lb_agent" "container" "neutron_lb_agent_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/neutron-linuxbridge-agent-init.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: neutron-bin
+              mountPath: /tmp/neutron-linuxbridge-agent-init.sh
+              subPath: neutron-linuxbridge-agent-init.sh
+              readOnly: true
+            - name: pod-shared
+              mountPath: /tmp/pod-shared
+            - name: neutron-etc
+              mountPath: /etc/neutron/neutron.conf
+              subPath: neutron.conf
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
+              subPath: ml2_conf.ini
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/plugins/ml2/linuxbridge_agent.ini
+              subPath: linuxbridge_agent.ini
+              readOnly: true
+            - name: neutron-etc
+              # NOTE (Portdirect): We mount here to override Kollas
+              # custom sudoers file when using Kolla images, this
+              # location will also work fine for other images.
+              mountPath: /etc/sudoers.d/kolla_neutron_sudoers
+              subPath: neutron_sudoers
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /tmp/auto_bridge_add
+              subPath: auto_bridge_add
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/rootwrap.conf
+              subPath: rootwrap.conf
+              readOnly: true
+            {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+            {{- if ( has "lb_agent" $value.pods ) }}
+            {{- $filePrefix := replace "_" "-"  $key }}
+            {{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
+            - name: neutron-etc
+              mountPath: {{ $rootwrapFile }}
+              subPath: {{ base $rootwrapFile }}
+              readOnly: true
+            {{- end }}
+            {{- end }}
+            - name: run
+              mountPath: /run
+{{ if $mounts_neutron_lb_agent.volumeMounts }}{{ toYaml $mounts_neutron_lb_agent.volumeMounts | indent 12 }}{{ end }}
+      containers:
+        - name: neutron-lb-agent
+{{ tuple $envAll "neutron_linuxbridge_agent" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.agent.lb | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "neutron_lb_agent" "container" "neutron_lb_agent" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ dict "envAll" $envAll "component" "lb_agent" "container" "lb_agent" "type" "readiness" "probeTemplate" (include "lbAgentReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+          command:
+            - /tmp/neutron-linuxbridge-agent.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: pod-var-neutron
+              mountPath: {{ .Values.conf.neutron.DEFAULT.state_path }}
+            - name: neutron-bin
+              mountPath: /tmp/neutron-linuxbridge-agent.sh
+              subPath: neutron-linuxbridge-agent.sh
+              readOnly: true
+            - name: pod-shared
+              mountPath: /tmp/pod-shared
+            - name: neutron-etc
+              mountPath: /etc/neutron/neutron.conf
+              subPath: neutron.conf
+              readOnly: true
+            {{- if .Values.conf.neutron.DEFAULT.log_config_append }}
+            - name: neutron-etc
+              mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.neutron.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+            - name: neutron-etc
+              mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
+              subPath: ml2_conf.ini
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/plugins/ml2/linuxbridge_agent.ini
+              subPath: linuxbridge_agent.ini
+              readOnly: true
+            - name: neutron-etc
+              # NOTE (Portdirect): We mount here to override Kollas
+              # custom sudoers file when using Kolla images, this
+              # location will also work fine for other images.
+              mountPath: /etc/sudoers.d/kolla_neutron_sudoers
+              subPath: neutron_sudoers
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/rootwrap.conf
+              subPath: rootwrap.conf
+              readOnly: true
+            {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+            {{- if ( has "lb_agent" $value.pods ) }}
+            {{- $filePrefix := replace "_" "-"  $key }}
+            {{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
+            - name: neutron-etc
+              mountPath: {{ $rootwrapFile }}
+              subPath: {{ base $rootwrapFile }}
+              readOnly: true
+            {{- end }}
+            {{- end }}
+            - name: run
+              mountPath: /run
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_neutron_lb_agent.volumeMounts }}{{ toYaml $mounts_neutron_lb_agent.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: pod-var-neutron
+          emptyDir: {}
+        - name: pod-shared
+          emptyDir: {}
+        - name: neutron-bin
+          configMap:
+            name: neutron-bin
+            defaultMode: 0555
+        - name: neutron-etc
+          secret:
+            secretName: {{ $configMapName }}
+            defaultMode: 0444
+        - name: run
+          hostPath:
+            path: /run
+        - name: host-rootfs
+          hostPath:
+            path: /
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_neutron_lb_agent.volumes }}{{ toYaml $mounts_neutron_lb_agent.volumes | indent 8 }}{{ end }}
+{{- end }}
+{{- end }}
+
+{{- if and .Values.manifests.daemonset_lb_agent ( has "linuxbridge" .Values.network.backend ) }}
+{{- $envAll := . }}
+{{- $daemonset := "lb-agent" }}
+{{- $configMapName := "neutron-etc" }}
+{{- $serviceAccountName := "neutron-lb-agent" }}
+{{- $dependencyOpts := dict "envAll" $envAll "dependencyMixinParam" $envAll.Values.network.backend "dependencyKey" "lb_agent" -}}
+{{- $_ := include "helm-toolkit.utils.dependency_resolver" $dependencyOpts | toString | fromYaml }}
+{{ tuple $envAll "pod_dependency" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+{{- $daemonset_yaml := list $daemonset $configMapName $serviceAccountName . | include "neutron.lb_agent.daemonset" | toString | fromYaml }}
+{{- $configmap_yaml := "neutron.configmap.etc" }}
+{{- list $daemonset $daemonset_yaml $configmap_yaml $configMapName . | include "helm-toolkit.utils.daemonset_overrides" }}
+{{- end }}
diff --git a/charts/neutron/templates/daemonset-metadata-agent.yaml b/charts/neutron/templates/daemonset-metadata-agent.yaml
new file mode 100644
index 0000000..edfa0a1
--- /dev/null
+++ b/charts/neutron/templates/daemonset-metadata-agent.yaml
@@ -0,0 +1,236 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadataAgentReadinessProbeTemplate" }}
+exec:
+  command:
+    - python
+    - /tmp/health-probe.py
+    - --config-file
+    - /etc/neutron/neutron.conf
+    - --config-file
+    - /etc/neutron/metadata_agent.ini
+{{- if .Values.pod.use_fqdn.neutron_agent }}
+    - --use-fqdn
+{{- end }}
+{{- end }}
+{{- define "metadataAgentLivenessProbeTemplate" }}
+exec:
+  command:
+    - python
+    - /tmp/health-probe.py
+    - --config-file
+    - /etc/neutron/neutron.conf
+    - --config-file
+    - /etc/neutron/metadata_agent.ini
+    - --liveness-probe
+{{- if .Values.pod.use_fqdn.neutron_agent }}
+    - --use-fqdn
+{{- end }}
+{{- end }}
+
+{{- define "neutron.metadata_agent.daemonset" }}
+{{- $daemonset := index . 0 }}
+{{- $configMapName := index . 1 }}
+{{- $serviceAccountName := index . 2 }}
+{{- $envAll := index . 3 }}
+{{- with $envAll }}
+
+{{- $mounts_neutron_metadata_agent := .Values.pod.mounts.neutron_metadata_agent.neutron_metadata_agent }}
+{{- $mounts_neutron_metadata_agent_init := .Values.pod.mounts.neutron_metadata_agent.init_container }}
+
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: neutron-metadata-agent
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "neutron" "metadata-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  selector:
+    matchLabels:
+{{ tuple $envAll "neutron" "metadata-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll "metadata_agent" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "neutron" "metadata-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "neutron-metadata-agent-default" "containerNames" (list "neutron-metadata-agent" "neutron-metadata-agent-init" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+{{ dict "envAll" $envAll "application" "neutron_metadata_agent" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      serviceAccountName: {{ $serviceAccountName }}
+{{ if $envAll.Values.pod.tolerations.neutron.enabled }}
+{{ tuple $envAll "neutron" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+      nodeSelector:
+        {{ .Values.labels.agent.metadata.node_selector_key }}: {{ .Values.labels.agent.metadata.node_selector_value }}
+      dnsPolicy: ClusterFirstWithHostNet
+      hostNetwork: true
+      {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+      shareProcessNamespace: true
+      {{- else }}
+      hostPID: true
+      {{- end }}
+      initContainers:
+{{ tuple $envAll "pod_dependency" $mounts_neutron_metadata_agent_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: neutron-metadata-agent-init
+{{ tuple $envAll "neutron_metadata" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.agent.metadata | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "neutron_metadata_agent" "container" "neutron_metadata_agent_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          env:
+            - name: NEUTRON_USER_UID
+              value: "{{ .Values.pod.security_context.neutron_metadata_agent.pod.runAsUser }}"
+          command:
+            - /tmp/neutron-metadata-agent-init.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: neutron-bin
+              mountPath: /tmp/neutron-metadata-agent-init.sh
+              subPath: neutron-metadata-agent-init.sh
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/neutron.conf
+              subPath: neutron.conf
+              readOnly: true
+            - name: socket
+              mountPath: /var/lib/neutron/openstack-helm
+      containers:
+        - name: neutron-metadata-agent
+{{ tuple $envAll "neutron_metadata" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.agent.metadata | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: RPC_PROBE_TIMEOUT
+              value: "{{ .Values.pod.probes.rpc_timeout }}"
+            - name: RPC_PROBE_RETRIES
+              value: "{{ .Values.pod.probes.rpc_retries }}"
+{{ dict "envAll" $envAll "component" "metadata_agent" "container" "metadata_agent" "type" "readiness" "probeTemplate" (include "metadataAgentReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" $envAll "component" "metadata_agent" "container" "metadata_agent" "type" "liveness" "probeTemplate" (include "metadataAgentLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+          securityContext:
+            privileged: true
+          command:
+            - /tmp/neutron-metadata-agent.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: pod-var-neutron
+              mountPath: {{ .Values.conf.neutron.DEFAULT.state_path }}
+            - name: neutron-bin
+              mountPath: /tmp/neutron-metadata-agent.sh
+              subPath: neutron-metadata-agent.sh
+              readOnly: true
+            - name: neutron-bin
+              mountPath: /tmp/health-probe.py
+              subPath: health-probe.py
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/neutron.conf
+              subPath: neutron.conf
+              readOnly: true
+            {{- if .Values.conf.neutron.DEFAULT.log_config_append }}
+            - name: neutron-etc
+              mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.neutron.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+            - name: neutron-etc
+              mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
+              subPath: ml2_conf.ini
+              readOnly: true
+            {{- if ( has "openvswitch" .Values.network.backend ) }}
+            - name: neutron-etc
+              mountPath: /etc/neutron/plugins/ml2/openvswitch_agent.ini
+              subPath: openvswitch_agent.ini
+              readOnly: true
+            {{- end }}
+            - name: neutron-etc
+              mountPath: /etc/neutron/metadata_agent.ini
+              subPath: metadata_agent.ini
+              readOnly: true
+            - name: neutron-etc
+              # NOTE (Portdirect): We mount here to override Kollas
+              # custom sudoers file when using Kolla images, this
+              # location will also work fine for other images.
+              mountPath: /etc/sudoers.d/kolla_neutron_sudoers
+              subPath: neutron_sudoers
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/rootwrap.conf
+              subPath: rootwrap.conf
+              readOnly: true
+            {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+            {{- if ( has "metadata_agent" $value.pods ) }}
+            {{- $filePrefix := replace "_" "-"  $key }}
+            {{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
+            - name: neutron-etc
+              mountPath: {{ $rootwrapFile }}
+              subPath: {{ base $rootwrapFile }}
+              readOnly: true
+            {{- end }}
+            {{- end }}
+            - name: socket
+              mountPath: /var/lib/neutron/openstack-helm
+            {{- if .Values.network.share_namespaces }}
+            - name: host-run-netns
+              mountPath: /run/netns
+              mountPropagation: Bidirectional
+            {{- end }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_neutron_metadata_agent.volumeMounts }}{{ toYaml $mounts_neutron_metadata_agent.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: pod-var-neutron
+          emptyDir: {}
+        - name: neutron-bin
+          configMap:
+            name: neutron-bin
+            defaultMode: 0555
+        - name: neutron-etc
+          secret:
+            secretName: {{ $configMapName }}
+            defaultMode: 0444
+        - name: socket
+          hostPath:
+            path: /var/lib/neutron/openstack-helm
+        {{- if .Values.network.share_namespaces }}
+        - name: host-run-netns
+          hostPath:
+            path: /run/netns
+        {{- end }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_neutron_metadata_agent.volumes }}{{ toYaml $mounts_neutron_metadata_agent.volumes | indent 8 }}{{ end }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.daemonset_metadata_agent }}
+{{- $envAll := . }}
+{{- $daemonset := "metadata-agent" }}
+{{- $configMapName := "neutron-etc" }}
+{{- $serviceAccountName := "neutron-metadata-agent" }}
+{{- $dependencyOpts := dict "envAll" $envAll "dependencyMixinParam" $envAll.Values.network.backend "dependencyKey" "metadata" -}}
+{{- $_ := include "helm-toolkit.utils.dependency_resolver" $dependencyOpts | toString | fromYaml }}
+{{ tuple $envAll "pod_dependency" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+{{- $daemonset_yaml := list $daemonset $configMapName $serviceAccountName . | include "neutron.metadata_agent.daemonset" | toString | fromYaml }}
+{{- $configmap_yaml := "neutron.configmap.etc" }}
+{{- list $daemonset $daemonset_yaml $configmap_yaml $configMapName . | include "helm-toolkit.utils.daemonset_overrides" }}
+{{- end }}
diff --git a/charts/neutron/templates/daemonset-netns-cleanup-cron.yaml b/charts/neutron/templates/daemonset-netns-cleanup-cron.yaml
new file mode 100644
index 0000000..c512d17
--- /dev/null
+++ b/charts/neutron/templates/daemonset-netns-cleanup-cron.yaml
@@ -0,0 +1,186 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "neutron.netns_cleanup_cron.daemonset" }}
+{{- $daemonset := index . 0 }}
+{{- $configMapName := index . 1 }}
+{{- $serviceAccountName := index . 2 }}
+{{- $envAll := index . 3 }}
+{{- with $envAll }}
+
+{{- $mounts_neutron_netns_cleanup_cron := .Values.pod.mounts.neutron_netns_cleanup_cron.neutron_netns_cleanup_cron }}
+{{- $mounts_neutron_netns_cleanup_cron_init := .Values.pod.mounts.neutron_netns_cleanup_cron.init_container }}
+
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: neutron-netns-cleanup-cron
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "neutron" "netns-cleanup-cron" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  selector:
+    matchLabels:
+{{ tuple $envAll "neutron" "netns-cleanup-cron" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll "netns_cleanup_cron" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "neutron" "netns-cleanup-cron" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "neutron-netns-cleanup-cron-default" "containerNames" (list "neutron-netns-cleanup-cron" "init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+{{ dict "envAll" $envAll "application" "neutron_netns_cleanup_cron" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      serviceAccountName: {{ $serviceAccountName }}
+{{ if $envAll.Values.pod.tolerations.neutron.enabled }}
+{{ tuple $envAll "neutron" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+      nodeSelector:
+        {{ .Values.labels.netns_cleanup_cron.node_selector_key }}: {{ .Values.labels.netns_cleanup_cron.node_selector_value }}
+      dnsPolicy: ClusterFirstWithHostNet
+      hostNetwork: true
+      {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+      shareProcessNamespace: true
+      {{- else }}
+      hostPID: true
+      {{- end }}
+      initContainers:
+{{ tuple $envAll "pod_dependency" $mounts_neutron_netns_cleanup_cron_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: neutron-netns-cleanup-cron
+{{ tuple $envAll "neutron_netns_cleanup_cron" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.netns_cleanup_cron | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "neutron_netns_cleanup_cron" "container" "neutron_netns_cleanup_cron" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - python
+            - /tmp/neutron-netns-cleanup-cron.py
+            - --config-file
+            -  /etc/neutron/neutron.conf
+            - --config-file
+            - /etc/neutron/dhcp_agent.ini
+            - --config-file
+            - /etc/neutron/l3_agent.ini
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" false }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: neutron-bin
+              mountPath: /tmp/neutron-netns-cleanup-cron.py
+              subPath: neutron-netns-cleanup-cron.py
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/neutron.conf
+              subPath: neutron.conf
+              readOnly: true
+            {{- if .Values.conf.neutron.DEFAULT.log_config_append }}
+            - name: neutron-etc
+              mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.neutron.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+            - name: neutron-etc
+              mountPath: /etc/neutron/dhcp_agent.ini
+              subPath: dhcp_agent.ini
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/l3_agent.ini
+              subPath: l3_agent.ini
+              readOnly: true
+            - name: neutron-etc
+              # NOTE (Portdirect): We mount here to override Kollas
+              # custom sudoers file when using Kolla images, this
+              # location will also work fine for other images.
+              mountPath: /etc/sudoers.d/kolla_neutron_sudoers
+              subPath: neutron_sudoers
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/rootwrap.conf
+              subPath: rootwrap.conf
+              readOnly: true
+            {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+            {{- if ( has "netns_cleanup_cron" $value.pods ) }}
+            {{- $filePrefix := replace "_" "-"  $key }}
+            {{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
+            - name: neutron-etc
+              mountPath: {{ $rootwrapFile }}
+              subPath: {{ base $rootwrapFile }}
+              readOnly: true
+            {{- end }}
+            {{- end }}
+            - name: libmodules
+              mountPath: /lib/modules
+              readOnly: true
+            - name: iptables-lockfile
+              mountPath: /run/xtables.lock
+            - name: socket
+              mountPath: /var/lib/neutron/openstack-helm
+            {{- if .Values.network.share_namespaces }}
+            - name: host-run-netns
+              mountPath: /run/netns
+              mountPropagation: Bidirectional
+            {{- end }}
+{{ if $mounts_neutron_netns_cleanup_cron.volumeMounts }}{{ toYaml $mounts_neutron_netns_cleanup_cron.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: pod-var-neutron
+          emptyDir: {}
+        - name: neutron-bin
+          configMap:
+            name: neutron-bin
+            defaultMode: 0555
+        - name: neutron-etc
+          secret:
+            secretName: {{ $configMapName }}
+            defaultMode: 0444
+        - name: libmodules
+          hostPath:
+            path: /lib/modules
+        - name: iptables-lockfile
+          hostPath:
+            path: /run/xtables.lock
+            type: FileOrCreate
+        - name: socket
+          hostPath:
+            path: /var/lib/neutron/openstack-helm
+        {{- if .Values.network.share_namespaces }}
+        - name: host-run-netns
+          hostPath:
+            path: /run/netns
+        {{- end }}
+#{{ if $mounts_neutron_netns_cleanup_cron.volumes }}{{ toYaml $mounts_neutron_netns_cleanup_cron.volumes | indent 8 }}{{ end }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.daemonset_netns_cleanup_cron}}
+{{- $envAll := . }}
+{{- $daemonset := "netns-cleanup-cron" }}
+{{- $configMapName := "neutron-etc" }}
+{{- $serviceAccountName := "neutron-netns-cleanup-cron" }}
+{{- $dependencyOpts := dict "envAll" $envAll "dependencyMixinParam" $envAll.Values.network.backend "dependencyKey" "netns_cleanup_cron" -}}
+{{- $_ := include "helm-toolkit.utils.dependency_resolver" $dependencyOpts | toString | fromYaml }}
+{{ tuple $envAll "pod_dependency" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+{{- $daemonset_yaml := list $daemonset $configMapName $serviceAccountName . | include "neutron.netns_cleanup_cron.daemonset" | toString | fromYaml }}
+{{- $configmap_yaml := "neutron.configmap.etc" }}
+{{- list $daemonset $daemonset_yaml $configmap_yaml $configMapName . | include "helm-toolkit.utils.daemonset_overrides" }}
+{{- end }}
+
diff --git a/charts/neutron/templates/daemonset-ovs-agent.yaml b/charts/neutron/templates/daemonset-ovs-agent.yaml
new file mode 100644
index 0000000..59e33f0
--- /dev/null
+++ b/charts/neutron/templates/daemonset-ovs-agent.yaml
@@ -0,0 +1,315 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "ovsAgentReadinessProbeTemplate" }}
+exec:
+  command:
+    - /tmp/neutron-openvswitch-agent-readiness.sh
+{{- end }}
+{{- define "ovsAgentLivenessProbeTemplate" }}
+exec:
+  command:
+    - python
+    - /tmp/health-probe.py
+    - --config-file
+    - /etc/neutron/neutron.conf
+    - --config-file
+    - /etc/neutron/plugins/ml2/openvswitch_agent.ini
+    - --agent-queue-name
+    - q-agent-notifier-tunnel-update
+    - --liveness-probe
+{{- if .Values.pod.use_fqdn.neutron_agent }}
+    - --use-fqdn
+{{- end }}
+{{- end }}
+
+{{- define "neutron.ovs_agent.daemonset" }}
+{{- $daemonset := index . 0 }}
+{{- $configMapName := index . 1 }}
+{{- $serviceAccountName := index . 2 }}
+{{- $envAll := index . 3 }}
+{{- with $envAll }}
+
+{{- $mounts_neutron_ovs_agent := .Values.pod.mounts.neutron_ovs_agent.neutron_ovs_agent }}
+{{- $mounts_neutron_ovs_agent_init := .Values.pod.mounts.neutron_ovs_agent.init_container }}
+
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: neutron-ovs-agent
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "neutron" "neutron-ovs-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  selector:
+    matchLabels:
+{{ tuple $envAll "neutron" "neutron-ovs-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll "ovs_agent" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "neutron" "neutron-ovs-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "$configMapName" "containerNames" (list "neutron-ovs-agent" "init" "neutron-openvswitch-agent-kernel-modules" "neutron-ovs-agent-init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+{{ dict "envAll" $envAll "application" "neutron_ovs_agent" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      serviceAccountName: {{ $serviceAccountName }}
+      nodeSelector:
+        {{ .Values.labels.ovs.node_selector_key }}: {{ .Values.labels.ovs.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.neutron.enabled }}
+{{ tuple $envAll "neutron" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+      dnsPolicy: ClusterFirstWithHostNet
+      hostNetwork: true
+      {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+      shareProcessNamespace: true
+      {{- else }}
+      hostPID: true
+      {{- end }}
+      initContainers:
+{{ tuple $envAll "pod_dependency" $mounts_neutron_ovs_agent_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: neutron-openvswitch-agent-kernel-modules
+{{ tuple $envAll "neutron_openvswitch_agent" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "neutron_ovs_agent" "container" "neutron_openvswitch_agent_kernel_modules" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/neutron-openvswitch-agent-init-modules.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: neutron-bin
+              mountPath: /tmp/neutron-openvswitch-agent-init-modules.sh
+              subPath: neutron-openvswitch-agent-init-modules.sh
+              readOnly: true
+            - name: host-rootfs
+              mountPath: /mnt/host-rootfs
+              mountPropagation: HostToContainer
+              readOnly: true
+{{- if .Values.conf.ovs_dpdk.enabled }}
+            - name: pci-devices
+              mountPath: /sys/bus/pci/devices
+{{- end }}
+        - name: neutron-ovs-agent-init
+{{ tuple $envAll "neutron_openvswitch_agent" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.agent.ovs | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "neutron_ovs_agent" "container" "neutron_ovs_agent_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          {{- if .Values.conf.ovs_dpdk.enabled }}
+          env:
+            - name: UPDATE_DPDK_BOND_CONFIG
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $configMapName }}
+                  key: update_dpdk_bond_config
+          {{- end }}
+          command:
+            - /tmp/neutron-openvswitch-agent-init.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: neutron-bin
+              mountPath: /tmp/neutron-openvswitch-agent-init.sh
+              subPath: neutron-openvswitch-agent-init.sh
+              readOnly: true
+            - name: pod-shared
+              mountPath: /tmp/pod-shared
+            - name: neutron-etc
+              mountPath: /etc/neutron/neutron.conf
+              subPath: neutron.conf
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
+              subPath: ml2_conf.ini
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/plugins/ml2/openvswitch_agent.ini
+              subPath: openvswitch_agent.ini
+              readOnly: true
+            {{- if .Values.conf.neutron.DEFAULT.log_config_append }}
+            - name: neutron-etc
+              mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.neutron.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+            {{- if .Values.conf.plugins.taas.taas.enabled }}
+            - name: neutron-etc
+              mountPath: /etc/neutron/plugins/ml2/taas.ini
+              subPath: taas.ini
+              readOnly: true
+            {{- end }}
+            - name: neutron-etc
+              # NOTE (Portdirect): We mount here to override Kollas
+              # custom sudoers file when using Kolla images, this
+              # location will also work fine for other images.
+              mountPath: /etc/sudoers.d/kolla_neutron_sudoers
+              subPath: neutron_sudoers
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /tmp/auto_bridge_add
+              subPath: auto_bridge_add
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/rootwrap.conf
+              subPath: rootwrap.conf
+              readOnly: true
+            {{- if .Values.conf.ovs_dpdk.enabled }}
+            - name: neutron-etc
+              mountPath: /tmp/dpdk.conf
+              subPath: dpdk.conf
+              readOnly: true
+            {{- end }}
+            {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+            {{- if ( has "ovs_agent" $value.pods ) }}
+            {{- $filePrefix := replace "_" "-"  $key }}
+            {{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
+            - name: neutron-etc
+              mountPath: {{ $rootwrapFile }}
+              subPath: {{ base $rootwrapFile }}
+              readOnly: true
+            {{- end }}
+            {{- end }}
+            - name: run
+              mountPath: /run
+{{ if $mounts_neutron_ovs_agent.volumeMounts }}{{ toYaml $mounts_neutron_ovs_agent.volumeMounts | indent 12 }}{{ end }}
+      containers:
+        - name: neutron-ovs-agent
+{{ tuple $envAll "neutron_openvswitch_agent" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.agent.ovs | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: RPC_PROBE_TIMEOUT
+              value: "{{ .Values.pod.probes.rpc_timeout }}"
+            - name: RPC_PROBE_RETRIES
+              value: "{{ .Values.pod.probes.rpc_retries }}"
+{{ dict "envAll" $envAll "component" "ovs_agent" "container" "ovs_agent" "type" "readiness" "probeTemplate" (include "ovsAgentReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" $envAll "component" "ovs_agent" "container" "ovs_agent" "type" "liveness" "probeTemplate" (include "ovsAgentLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" $envAll "application" "neutron_ovs_agent" "container" "neutron_ovs_agent" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/neutron-openvswitch-agent.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: pod-var-neutron
+              mountPath: {{ .Values.conf.neutron.DEFAULT.state_path }}
+            - name: neutron-bin
+              mountPath: /tmp/neutron-openvswitch-agent.sh
+              subPath: neutron-openvswitch-agent.sh
+              readOnly: true
+            - name: neutron-bin
+              mountPath: /tmp/neutron-openvswitch-agent-readiness.sh
+              subPath: neutron-openvswitch-agent-readiness.sh
+              readOnly: true
+            - name: neutron-bin
+              mountPath: /tmp/health-probe.py
+              subPath: health-probe.py
+              readOnly: true
+            - name: pod-shared
+              mountPath: /tmp/pod-shared
+            - name: neutron-etc
+              mountPath: /etc/neutron/neutron.conf
+              subPath: neutron.conf
+              readOnly: true
+            {{- if .Values.conf.neutron.DEFAULT.log_config_append }}
+            - name: neutron-etc
+              mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.neutron.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+            - name: neutron-etc
+              mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
+              subPath: ml2_conf.ini
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/plugins/ml2/openvswitch_agent.ini
+              subPath: openvswitch_agent.ini
+              readOnly: true
+            {{- if .Values.conf.plugins.taas.taas.enabled }}
+            - name: neutron-etc
+              mountPath: /etc/neutron/plugins/ml2/taas.ini
+              subPath: taas.ini
+              readOnly: true
+            {{- end }}
+            - name: neutron-etc
+              # NOTE (Portdirect): We mount here to override Kollas
+              # custom sudoers file when using Kolla images, this
+              # location will also work fine for other images.
+              mountPath: /etc/sudoers.d/kolla_neutron_sudoers
+              subPath: neutron_sudoers
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/rootwrap.conf
+              subPath: rootwrap.conf
+              readOnly: true
+            {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+            {{- if ( has "ovs_agent" $value.pods ) }}
+            {{- $filePrefix := replace "_" "-"  $key }}
+            {{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
+            - name: neutron-etc
+              mountPath: {{ $rootwrapFile }}
+              subPath: {{ base $rootwrapFile }}
+              readOnly: true
+            {{- end }}
+            {{- end }}
+            - name: run
+              mountPath: /run
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_neutron_ovs_agent.volumeMounts }}{{ toYaml $mounts_neutron_ovs_agent.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: pod-var-neutron
+          emptyDir: {}
+        - name: varlibopenvswitch
+          emptyDir: {}
+        - name: pod-shared
+          emptyDir: {}
+        - name: neutron-bin
+          configMap:
+            name: neutron-bin
+            defaultMode: 0555
+        - name: neutron-etc
+          secret:
+            secretName: {{ $configMapName }}
+            defaultMode: 0444
+        - name: run
+          hostPath:
+            path: /run
+        - name: host-rootfs
+          hostPath:
+            path: /
+{{- if .Values.conf.ovs_dpdk.enabled }}
+        - name: pci-devices
+          hostPath:
+            path: /sys/bus/pci/devices
+            type: Directory
+{{- end }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_neutron_ovs_agent.volumes }}{{ toYaml $mounts_neutron_ovs_agent.volumes | indent 8 }}{{ end }}
+{{- end }}
+{{- end }}
+
+{{- if and .Values.manifests.daemonset_ovs_agent ( has "openvswitch" .Values.network.backend ) }}
+{{- $envAll := . }}
+{{- $daemonset := "ovs-agent" }}
+{{- $configMapName := "neutron-etc" }}
+{{- $serviceAccountName := "neutron-ovs-agent" }}
+{{- $dependencyOpts := dict "envAll" $envAll "dependencyMixinParam" $envAll.Values.network.backend "dependencyKey" "ovs_agent" -}}
+{{- $_ := include "helm-toolkit.utils.dependency_resolver" $dependencyOpts | toString | fromYaml }}
+{{ tuple $envAll "pod_dependency" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+{{- $daemonset_yaml := list $daemonset $configMapName $serviceAccountName . | include "neutron.ovs_agent.daemonset" | toString | fromYaml }}
+{{- $configmap_yaml := "neutron.configmap.etc" }}
+{{- list $daemonset $daemonset_yaml $configmap_yaml $configMapName . | include "helm-toolkit.utils.daemonset_overrides" }}
+{{- end }}
diff --git a/charts/neutron/templates/daemonset-sriov-agent.yaml b/charts/neutron/templates/daemonset-sriov-agent.yaml
new file mode 100644
index 0000000..4bf0021
--- /dev/null
+++ b/charts/neutron/templates/daemonset-sriov-agent.yaml
@@ -0,0 +1,257 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "sriovAgentReadinessProbeTemplate" }}
+exec:
+  command:
+    - python
+    - /tmp/health-probe.py
+    - --config-file
+    - /etc/neutron/neutron.conf
+    - --config-file
+    - /etc/neutron/sriov_agent.ini
+{{- if .Values.pod.use_fqdn.neutron_agent }}
+    - --use-fqdn
+{{- end }}
+{{- end }}
+
+{{- define "neutron.sriov_agent.daemonset" }}
+{{- $daemonset := index . 0 }}
+{{- $configMapName := index . 1 }}
+{{- $serviceAccountName := index . 2 }}
+{{- $envAll := index . 3 }}
+{{- with $envAll }}
+
+{{- $mounts_neutron_sriov_agent := .Values.pod.mounts.neutron_sriov_agent.neutron_sriov_agent }}
+{{- $mounts_neutron_sriov_agent_init := .Values.pod.mounts.neutron_sriov_agent.init_container }}
+
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: neutron-sriov-agent
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "neutron" "neutron-sriov-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  selector:
+    matchLabels:
+{{ tuple $envAll "neutron" "neutron-sriov-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll "sriov_agent" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "neutron" "neutron-sriov-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "neutron-sriov-agent-default" "containerNames" (list "neutron-sriov-agent-init" "init" "neutron-sriov-agent") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+{{ dict "envAll" $envAll "application" "neutron_sriov_agent" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      serviceAccountName: {{ $serviceAccountName }}
+      nodeSelector:
+        {{ .Values.labels.sriov.node_selector_key }}: {{ .Values.labels.sriov.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.neutron.enabled }}
+{{ tuple $envAll "neutron" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+      dnsPolicy: ClusterFirstWithHostNet
+      hostNetwork: true
+      {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+      shareProcessNamespace: true
+      {{- else }}
+      hostPID: true
+      {{- end }}
+      initContainers:
+{{ tuple $envAll "pod_dependency" $mounts_neutron_sriov_agent_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: neutron-sriov-agent-init
+{{ tuple $envAll "neutron_sriov_agent_init" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.agent.sriov | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "neutron_sriov_agent" "container" "neutron_sriov_agent_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/neutron-sriov-agent-init.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: neutron-bin
+              mountPath: /tmp/neutron-sriov-agent-init.sh
+              subPath: neutron-sriov-agent-init.sh
+              readOnly: true
+            - name: pod-shared
+              mountPath: /tmp/pod-shared
+            - name: neutron-etc
+              mountPath: /etc/neutron/neutron.conf
+              subPath: neutron.conf
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
+              subPath: ml2_conf.ini
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/plugins/ml2/sriov_agent.ini
+              subPath: sriov_agent.ini
+              readOnly: true
+            {{- if .Values.conf.plugins.taas.taas.enabled }}
+            - name: neutron-etc
+              mountPath: /etc/neutron/plugins/ml2/taas.ini
+              subPath: taas.ini
+              readOnly: true
+            {{- end }}
+            - name: neutron-etc
+              # NOTE (Portdirect): We mount here to override Kollas
+              # custom sudoers file when using Kolla images, this
+              # location will also work fine for other images.
+              mountPath: /etc/sudoers.d/kolla_neutron_sudoers
+              subPath: neutron_sudoers
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/rootwrap.conf
+              subPath: rootwrap.conf
+              readOnly: true
+            {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+            {{- if ( has "sriov_agent" $value.pods ) }}
+            {{- $filePrefix := replace "_" "-"  $key }}
+            {{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
+            - name: neutron-etc
+              mountPath: {{ $rootwrapFile }}
+              subPath: {{ base $rootwrapFile }}
+              readOnly: true
+            {{- end }}
+            {{- end }}
+            - name: run
+              mountPath: /run
+{{ if $mounts_neutron_sriov_agent.volumeMounts }}{{ toYaml $mounts_neutron_sriov_agent.volumeMounts | indent 12 }}{{ end }}
+      containers:
+        - name: neutron-sriov-agent
+{{ tuple $envAll "neutron_sriov_agent" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.agent.sriov | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "neutron_sriov_agent" "container" "neutron_sriov_agent" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          env:
+            - name: RPC_PROBE_TIMEOUT
+              value: "{{ .Values.pod.probes.rpc_timeout }}"
+            - name: RPC_PROBE_RETRIES
+              value: "{{ .Values.pod.probes.rpc_retries }}"
+{{ dict "envAll" $envAll "component" "sriov_agent" "container" "sriov_agent" "type" "readiness" "probeTemplate" (include "sriovAgentReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+          command:
+            - /tmp/neutron-sriov-agent.sh
+          volumeMounts:
+            - mountPath: /sys/class/net
+              name: host-sys-class-net
+            - mountPath: /sys/devices
+              name: host-sys-devices
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: pod-var-neutron
+              mountPath: {{ .Values.conf.neutron.DEFAULT.state_path }}
+            - name: neutron-bin
+              mountPath: /tmp/neutron-sriov-agent.sh
+              subPath: neutron-sriov-agent.sh
+              readOnly: true
+            - name: neutron-bin
+              mountPath: /tmp/health-probe.py
+              subPath: health-probe.py
+              readOnly: true
+            - name: pod-shared
+              mountPath: /tmp/pod-shared
+            - name: neutron-etc
+              mountPath: /etc/neutron/neutron.conf
+              subPath: neutron.conf
+              readOnly: true
+            {{- if .Values.conf.neutron.DEFAULT.log_config_append }}
+            - name: neutron-etc
+              mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.neutron.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+            - name: neutron-etc
+              mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
+              subPath: ml2_conf.ini
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/plugins/ml2/sriov_agent.ini
+              subPath: sriov_agent.ini
+              readOnly: true
+            {{- if .Values.conf.plugins.taas.taas.enabled }}
+            - name: neutron-etc
+              mountPath: /etc/neutron/plugins/ml2/taas.ini
+              subPath: taas.ini
+              readOnly: true
+            {{- end }}
+            - name: neutron-etc
+              # NOTE (Portdirect): We mount here to override Kollas
+              # custom sudoers file when using Kolla images, this
+              # location will also work fine for other images.
+              mountPath: /etc/sudoers.d/kolla_neutron_sudoers
+              subPath: neutron_sudoers
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/rootwrap.conf
+              subPath: rootwrap.conf
+              readOnly: true
+            {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+            {{- if ( has "sriov_agent" $value.pods ) }}
+            {{- $filePrefix := replace "_" "-"  $key }}
+            {{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
+            - name: neutron-etc
+              mountPath: {{ $rootwrapFile }}
+              subPath: {{ base $rootwrapFile }}
+              readOnly: true
+            {{- end }}
+            {{- end }}
+            - name: run
+              mountPath: /run
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_neutron_sriov_agent.volumeMounts }}{{ toYaml $mounts_neutron_sriov_agent.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: host-sys-class-net
+          hostPath:
+            path: /sys/class/net
+        - name: host-sys-devices
+          hostPath:
+            path: /sys/devices
+        - name: pod-tmp
+          emptyDir: {}
+        - name: pod-var-neutron
+          emptyDir: {}
+        - name: pod-shared
+          emptyDir: {}
+        - name: neutron-bin
+          configMap:
+            name: neutron-bin
+            defaultMode: 0555
+        - name: neutron-etc
+          secret:
+            secretName: {{ $configMapName }}
+            defaultMode: 0444
+        - name: run
+          hostPath:
+            path: /run
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_neutron_sriov_agent.volumes }}{{ toYaml $mounts_neutron_sriov_agent.volumes | indent 8 }}{{ end }}
+{{- end }}
+{{- end }}
+
+{{- if and .Values.manifests.daemonset_sriov_agent ( has "sriov" .Values.network.backend ) }}
+{{- $envAll := . }}
+{{- $daemonset := "sriov-agent" }}
+{{- $configMapName := "neutron-etc" }}
+{{- $serviceAccountName := "neutron-sriov-agent" }}
+{{- $dependencyOpts := dict "envAll" $envAll "dependencyMixinParam" $envAll.Values.network.backend "dependencyKey" "sriov_agent" -}}
+{{- $_ := include "helm-toolkit.utils.dependency_resolver" $dependencyOpts | toString | fromYaml }}
+{{ tuple $envAll "pod_dependency" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+{{- $daemonset_yaml := list $daemonset $configMapName $serviceAccountName . | include "neutron.sriov_agent.daemonset" | toString | fromYaml }}
+{{- $configmap_yaml := "neutron.configmap.etc" }}
+{{- list $daemonset $daemonset_yaml $configmap_yaml $configMapName . | include "helm-toolkit.utils.daemonset_overrides" }}
+{{- end }}
diff --git a/charts/neutron/templates/deployment-ironic-agent.yaml b/charts/neutron/templates/deployment-ironic-agent.yaml
new file mode 100644
index 0000000..431225f
--- /dev/null
+++ b/charts/neutron/templates/deployment-ironic-agent.yaml
@@ -0,0 +1,116 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment_ironic_agent }}
+{{- $envAll := . }}
+
+{{- $dependencyOpts := dict "envAll" $envAll "dependencyMixinParam" $envAll.Values.network.backend "dependencyKey" "ironic_agent" -}}
+{{- $_ := include "helm-toolkit.utils.dependency_resolver" $dependencyOpts | toString | fromYaml }}
+
+{{- $mounts_neutron_ironic_agent := .Values.pod.mounts.neutron_ironic_agent.neutron_ironic_agent }}
+{{- $mounts_neutron_ironic_agent_init := .Values.pod.mounts.neutron_ironic_agent.init_container }}
+
+{{- $serviceAccountName := "neutron-ironic-agent" }}
+{{ tuple $envAll "pod_dependency" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: neutron-ironic-agent
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "neutron" "ironic-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.ironic_agent }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "neutron" "ironic-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "neutron" "ironic-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+    spec:
+{{ dict "envAll" $envAll "application" "neutron_ironic_agent" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      serviceAccountName: {{ $serviceAccountName }}
+      affinity:
+{{ tuple $envAll "neutron" "ironic_agent" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+      nodeSelector:
+        {{ .Values.labels.ironic_agent.node_selector_key }}: {{ .Values.labels.ironic_agent.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.neutron.enabled }}
+{{ tuple $envAll "neutron" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 8 }}
+{{ end }}
+      terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.ironic_agent.timeout | default "30" }}
+      initContainers:
+{{ tuple $envAll "pod_dependency" $mounts_neutron_ironic_agent_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: neutron-ironic-agent
+{{ tuple $envAll "neutron_ironic_agent" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.ironic_agent | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "neutron_ironic_agent" "container" "neutron_ironic_agent" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/neutron-ironic-agent.sh
+            - start
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - /tmp/neutron-ironic-agent.sh
+                  - stop
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: pod-var-neutron
+              mountPath: {{ .Values.conf.neutron.DEFAULT.state_path }}
+            - name: neutron-bin
+              mountPath: /tmp/neutron-ironic-agent.sh
+              subPath: neutron-ironic-agent.sh
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/neutron.conf
+              subPath: neutron.conf
+              readOnly: true
+            {{- if .Values.conf.neutron.DEFAULT.log_config_append }}
+            - name: neutron-etc
+              mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.neutron.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+            - name: neutron-etc
+              mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
+              subPath: ml2_conf.ini
+              readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_neutron_ironic_agent.volumeMounts }}{{ toYaml $mounts_neutron_ironic_agent.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: pod-var-neutron
+          emptyDir: {}
+        - name: neutron-bin
+          configMap:
+            name: neutron-bin
+            defaultMode: 0555
+        - name: neutron-etc
+          secret:
+            secretName: neutron-etc
+            defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_neutron_ironic_agent.volumes }}{{ toYaml $mounts_neutron_ironic_agent.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/neutron/templates/deployment-server.yaml b/charts/neutron/templates/deployment-server.yaml
new file mode 100644
index 0000000..2e39a40
--- /dev/null
+++ b/charts/neutron/templates/deployment-server.yaml
@@ -0,0 +1,283 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "serverReadinessProbeTemplate" }}
+{{- if .Values.manifests.certificates }}
+exec:
+  command:
+    - python
+    - -c
+    - "import requests; requests.get('http://127.0.0.1:{{ tuple "network" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}')"
+initialDelaySeconds: 30
+{{- else }}
+httpGet:
+  scheme: {{ tuple "network" "service" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
+  path: /
+  port: {{ tuple "network" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- end }}
+{{- end }}
+{{- define "serverLivenessProbeTemplate" }}
+{{- if .Values.manifests.certificates }}
+exec:
+  command:
+    - python
+    - -c
+    - "import requests; requests.get('http://127.0.0.1:{{ tuple "network" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}')"
+initialDelaySeconds: 30
+{{- else }}
+httpGet:
+  scheme: {{ tuple "network" "service" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
+  path: /
+  port: {{ tuple "network" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.deployment_server }}
+{{- $envAll := . }}
+
+{{- $dependencyOpts := dict "envAll" $envAll "dependencyMixinParam" $envAll.Values.network.backend "dependencyKey" "server" -}}
+{{- $_ := include "helm-toolkit.utils.dependency_resolver" $dependencyOpts | toString | fromYaml }}
+
+{{- $mounts_neutron_server := .Values.pod.mounts.neutron_server.neutron_server }}
+{{- $mounts_neutron_server_init := .Values.pod.mounts.neutron_server.init_container }}
+
+{{- $serviceAccountName := "neutron-server" }}
+{{ tuple $envAll "pod_dependency" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: neutron-server
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "neutron" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.server }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "neutron" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "neutron" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "neutron-server" "containerNames" (list "neutron-server" "init" "nginx") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+{{ dict "envAll" $envAll "application" "neutron_server" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      serviceAccountName: {{ $serviceAccountName }}
+      affinity:
+{{ tuple $envAll "neutron" "server" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+      nodeSelector:
+        {{ .Values.labels.server.node_selector_key }}: {{ .Values.labels.server.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.neutron.enabled }}
+{{ tuple $envAll "neutron" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+      terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.server.timeout | default "30" }}
+      initContainers:
+{{ tuple $envAll "pod_dependency" $mounts_neutron_server_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        {{- if ( has "tungstenfabric" .Values.network.backend ) }}
+        - name: tungstenfabric-neutron-init
+          image: {{ .Values.images.tags.tf_neutron_init }}
+          imagePullPolicy: {{ .Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          securityContext:
+            runAsUser: {{ .Values.pod.security_context.neutron_server.pod.runAsUser }}
+          env:
+            - name: OPENSTACK_VERSION
+              value: "{{ .Values.conf.openstack_version }}"
+          volumeMounts:
+            - name: neutron-plugin-shared
+              mountPath: /opt/plugin
+        {{- end }}
+      containers:
+        {{- if $envAll.Values.manifests.certificates }}
+        - name: nginx
+{{ tuple $envAll "nginx" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.nginx | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "neutron_server" "container" "nginx" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          ports:
+            - name: q-api
+              containerPort: {{ tuple "network" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+          env:
+            - name: PORT
+              value: {{ tuple "network" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
+            - name: SHORTNAME
+              value: {{ tuple "network" "internal" .  | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" | quote }}
+          readinessProbe:
+            httpGet:
+              scheme: HTTPS
+              path: /
+              port: {{ tuple "network" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+          command:
+            - /tmp/nginx.sh
+            - start
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - /tmp/nginx.sh
+                  - stop
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: neutron-bin
+              mountPath: /tmp/nginx.sh
+              subPath: nginx.sh
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/nginx/nginx.conf
+              subPath: nginx.conf
+              readOnly: true
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal "path" "/etc/nginx/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+        {{- end }}
+        - name: neutron-server
+{{ tuple $envAll "neutron_server" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "neutron_server" "container" "neutron_server" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ dict "envAll" $envAll "component" "server" "container" "server" "type" "readiness" "probeTemplate" (include "serverReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" $envAll "component" "server" "container" "server" "type" "liveness" "probeTemplate" (include "serverLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+          command:
+            - /tmp/neutron-server.sh
+            - start
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
+          env:
+            - name: REQUESTS_CA_BUNDLE
+              value: "/etc/neutron/certs/ca.crt"
+{{- end }}
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - /tmp/neutron-server.sh
+                  - stop
+          ports:
+            - name: q-api
+              containerPort: {{ tuple "network" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: pod-var-neutron
+              mountPath: {{ .Values.conf.neutron.DEFAULT.state_path }}
+            - name: neutron-bin
+              mountPath: /tmp/neutron-server.sh
+              subPath: neutron-server.sh
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/neutron.conf
+              subPath: neutron.conf
+              readOnly: true
+            {{- if .Values.conf.neutron.DEFAULT.log_config_append }}
+            - name: neutron-etc
+              mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.neutron.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+            - name: neutron-etc
+              mountPath: /etc/neutron/api_audit_map.conf
+              subPath: api_audit_map.conf
+              readOnly: true
+            {{- if( has "tungstenfabric" .Values.network.backend ) }}
+            - name: neutron-etc
+              mountPath: /etc/neutron/plugins/tungstenfabric/tf_plugin.ini
+              subPath: tf_plugin.ini
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/contrail/vnc_api_lib.ini
+              subPath: vnc_api_lib.ini
+              readOnly: true
+            - name: neutron-plugin-shared
+              mountPath: /opt/plugin
+            - name: neutron-bin
+              mountPath: /usr/local/lib/python2.7/site-packages/tf-plugin.pth
+              subPath: tf-plugin.pth
+              readOnly: true
+            - name: neutron-bin
+              mountPath: /var/lib/openstack/lib/python2.7/site-packages/tf-plugin.pth
+              subPath: tf-plugin.pth
+              readOnly: true
+            - name: neutron-bin
+              mountPath: /var/lib/openstack/lib/python3.6/site-packages/tf-plugin.pth
+              subPath: tf-plugin.pth
+              readOnly: true
+            {{- else }}
+            - name: neutron-etc
+              mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
+              subPath: ml2_conf.ini
+              readOnly: true
+            {{- end }}
+            {{ if ( has "sriov" .Values.network.backend ) }}
+            - name: neutron-etc
+              mountPath: /etc/neutron/plugins/ml2/sriov_agent.ini
+              subPath: sriov_agent.ini
+              readOnly: true
+            {{ end }}
+            {{- if .Values.conf.plugins.taas.taas.enabled }}
+            - name: neutron-etc
+              mountPath: /etc/neutron/taas_plugin.ini
+              subPath: taas_plugin.ini
+              readOnly: true
+            {{ end }}
+            {{- if .Values.conf.plugins.l2gateway }}
+            - name: neutron-etc
+              mountPath: /etc/neutron/l2gw_plugin.ini
+              subPath: l2gw_plugin.ini
+              readOnly: true
+            {{ end }}
+            - name: neutron-etc
+              mountPath: /etc/neutron/api-paste.ini
+              subPath: api-paste.ini
+              readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/policy.yaml
+              subPath: policy.yaml
+              readOnly: true
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.network.server.internal "path" "/etc/neutron/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_neutron_server.volumeMounts }}{{ toYaml $mounts_neutron_server.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        {{- if .Values.manifests.certificates }}
+        - name: wsgi-neutron
+          emptyDir: {}
+        {{- end }}
+        - name: pod-var-neutron
+          emptyDir: {}
+        - name: neutron-bin
+          configMap:
+            name: neutron-bin
+            defaultMode: 0555
+        - name: neutron-etc
+          secret:
+            secretName: neutron-etc
+            defaultMode: 0444
+        {{- if ( has "tungstenfabric" .Values.network.backend ) }}
+        - name: neutron-plugin-shared
+          emptyDir: {}
+        {{- end }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_neutron_server.volumes }}{{ toYaml $mounts_neutron_server.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/neutron/templates/ingress-server.yaml b/charts/neutron/templates/ingress-server.yaml
new file mode 100644
index 0000000..6e6eb73
--- /dev/null
+++ b/charts/neutron/templates/ingress-server.yaml
@@ -0,0 +1,23 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.ingress_server .Values.network.server.ingress.public }}
+{{- $envAll := . }}
+{{- $ingressOpts := dict "envAll" $envAll "backendService" "server" "backendServiceType" "network" "backendPort" "q-api" -}}
+{{- $secretName := $envAll.Values.secrets.tls.network.server.internal -}}
+{{- if and .Values.manifests.certificates $secretName }}
+{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.network.host_fqdn_override.default.tls.issuerRef.name -}}
+{{- end }}
+{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+{{- end }}
diff --git a/charts/neutron/templates/job-bootstrap.yaml b/charts/neutron/templates/job-bootstrap.yaml
new file mode 100644
index 0000000..ff9dbe8
--- /dev/null
+++ b/charts/neutron/templates/job-bootstrap.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.bootstrap" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "5"
+{{- end }}
+
+{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
+{{- $bootstrapJob := dict "envAll" . "serviceName" "neutron" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.neutron.DEFAULT.log_config_append  -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
+{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.network.server.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $bootstrapJob "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.neutron.enabled -}}
+{{- $_ := set $bootstrapJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
+{{- end }}
diff --git a/charts/neutron/templates/job-db-drop.yaml b/charts/neutron/templates/job-db-drop.yaml
new file mode 100644
index 0000000..67d4174
--- /dev/null
+++ b/charts/neutron/templates/job-db-drop.yaml
@@ -0,0 +1,25 @@
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_db_drop }}
+{{- $dbDropJob := dict "envAll" . "serviceName" "neutron" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.pod.tolerations.neutron.enabled -}}
+{{- $_ := set $dbDropJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
+{{- end }}
diff --git a/charts/neutron/templates/job-db-init.yaml b/charts/neutron/templates/job-db-init.yaml
new file mode 100644
index 0000000..184ec97
--- /dev/null
+++ b/charts/neutron/templates/job-db-init.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_init" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-5"
+{{- end }}
+
+{{- if .Values.manifests.job_db_init }}
+{{- $dbInitJob := dict "envAll" . "serviceName" "neutron" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $dbInitJob "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.neutron.enabled -}}
+{{- $_ := set $dbInitJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
+{{- end }}
diff --git a/charts/neutron/templates/job-db-sync.yaml b/charts/neutron/templates/job-db-sync.yaml
new file mode 100644
index 0000000..1d22407
--- /dev/null
+++ b/charts/neutron/templates/job-db-sync.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_sync" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end }}
+
+{{- if .Values.manifests.job_db_sync }}
+{{- $dbSyncJob := dict "envAll" . "serviceName" "neutron" "podVolMounts" .Values.pod.mounts.neutron_db_sync.neutron_db_sync.volumeMounts "podVols" .Values.pod.mounts.neutron_db_sync.neutron_db_sync.volumes -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $dbSyncJob "jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.neutron.enabled -}}
+{{- $_ := set $dbSyncJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
+{{- end }}
diff --git a/charts/neutron/templates/job-image-repo-sync.yaml b/charts/neutron/templates/job-image-repo-sync.yaml
new file mode 100644
index 0000000..890c57e
--- /dev/null
+++ b/charts/neutron/templates/job-image-repo-sync.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.repo_sync" }}
+helm.sh/hook: post-install,post-upgrade
+{{- end }}
+
+{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
+{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "neutron" -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $imageRepoSyncJob "jobAnnotations" (include "metadata.annotations.job.repo_sync" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.neutron.enabled -}}
+{{- $_ := set $imageRepoSyncJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
+{{- end }}
diff --git a/charts/neutron/templates/job-ks-endpoints.yaml b/charts/neutron/templates/job-ks-endpoints.yaml
new file mode 100644
index 0000000..ec76b71
--- /dev/null
+++ b/charts/neutron/templates/job-ks-endpoints.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_endpoints" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-2"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_endpoints }}
+{{- $ksEndpointsJob := dict "envAll" . "serviceName" "neutron" "serviceTypes" ( tuple "network" ) -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
+{{- $_ := set $ksEndpointsJob "tlsSecret" .Values.secrets.tls.network.server.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksEndpointsJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.neutron.enabled -}}
+{{- $_ := set $ksEndpointsJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $ksEndpointsJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
+{{- end }}
diff --git a/charts/neutron/templates/job-ks-service.yaml b/charts/neutron/templates/job-ks-service.yaml
new file mode 100644
index 0000000..e4225c6
--- /dev/null
+++ b/charts/neutron/templates/job-ks-service.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_service" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-3"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_service }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "neutron" "serviceTypes" ( tuple "network" ) -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.network.server.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.neutron.enabled -}}
+{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
+{{- end }}
diff --git a/charts/neutron/templates/job-ks-user.yaml b/charts/neutron/templates/job-ks-user.yaml
new file mode 100644
index 0000000..563ba7b
--- /dev/null
+++ b/charts/neutron/templates/job-ks-user.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_user" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-1"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_user }}
+{{- $ksUserJob := dict "envAll" . "serviceName" "neutron" -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.network.server.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.neutron.enabled -}}
+{{- $_ := set $ksUserJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
+{{- end }}
diff --git a/charts/neutron/templates/job-rabbit-init.yaml b/charts/neutron/templates/job-rabbit-init.yaml
new file mode 100644
index 0000000..0d08170
--- /dev/null
+++ b/charts/neutron/templates/job-rabbit-init.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.rabbit_init" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end }}
+
+{{- if .Values.manifests.job_rabbit_init }}
+{{- $rmqUserJob := dict "envAll" . "serviceName" "neutron" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $rmqUserJob "tlsSecret" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $rmqUserJob "jobAnnotations" (include "metadata.annotations.job.rabbit_init" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.neutron.enabled -}}
+{{- $_ := set $rmqUserJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }}
+{{- end }}
diff --git a/charts/neutron/templates/network_policy.yaml b/charts/neutron/templates/network_policy.yaml
new file mode 100644
index 0000000..9eb4620
--- /dev/null
+++ b/charts/neutron/templates/network_policy.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "neutron" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/charts/neutron/templates/pdb-server.yaml b/charts/neutron/templates/pdb-server.yaml
new file mode 100644
index 0000000..80f4c4d
--- /dev/null
+++ b/charts/neutron/templates/pdb-server.yaml
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pdb_server }}
+{{- $envAll := . }}
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: neutron-server
+spec:
+  minAvailable: {{ .Values.pod.lifecycle.disruption_budget.server.min_available }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "neutron" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{- end }}
diff --git a/charts/neutron/templates/pod-rally-test.yaml b/charts/neutron/templates/pod-rally-test.yaml
new file mode 100644
index 0000000..5ef57fa
--- /dev/null
+++ b/charts/neutron/templates/pod-rally-test.yaml
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if (.Values.global).subchart_release_name }}
+{{- $_ := set . "deployment_name" .Chart.Name }}
+{{- else }}
+{{- $_ := set . "deployment_name" .Release.Name }}
+{{- end }}
+
+{{- if .Values.manifests.pod_rally_test }}
+{{- $envAll := . }}
+
+{{- $mounts_tests := .Values.pod.mounts.neutron_tests.neutron_tests }}
+{{- $mounts_tests_init := .Values.pod.mounts.neutron_tests.init_container }}
+
+{{- $serviceAccountName := print .deployment_name "-test" }}
+{{ tuple $envAll "tests" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: {{ print .deployment_name "-test" }}
+  annotations:
+    "helm.sh/hook": test-success
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "neutron" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{ dict "envAll" $envAll "podName" "neutron-test" "containerNames" (list "init" "neutron-test" "neutron-test-ks-user") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
+spec:
+  nodeSelector:
+    {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.neutron.enabled }}
+{{ tuple $envAll "neutron" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 2 }}
+{{ end }}
+  restartPolicy: Never
+  serviceAccountName: {{ $serviceAccountName }}
+  initContainers:
+{{ tuple $envAll "tests" $mounts_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
+    - name: neutron-test-ks-user
+{{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.image" | indent 6 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+      command:
+        - /tmp/ks-user.sh
+      volumeMounts:
+        - name: pod-tmp
+          mountPath: /tmp
+        - name: neutron-bin
+          mountPath: /tmp/ks-user.sh
+          subPath: ks-user.sh
+          readOnly: true
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
+      env:
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
+{{- end }}
+        - name: SERVICE_OS_SERVICE_NAME
+          value: "test"
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 8 }}
+{{- end }}
+        - name: SERVICE_OS_ROLE
+          value: {{ .Values.endpoints.identity.auth.test.role | quote }}
+{{ if $envAll.Values.conf.rally_tests.force_project_purge }}
+    - name: {{ .deployment_name }}-reset
+{{ tuple $envAll "purge_test" | include "helm-toolkit.snippets.image" | indent 6 }}
+      env:
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
+{{- end }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 8 }}
+{{- end }}
+        - name: OS_TEST_PROJECT_NAME
+          value: {{ .Values.endpoints.identity.auth.test.project_name }}
+        - name: OS_TEST_PROJECT_DOMAIN_NAME
+          value: {{ .Values.endpoints.identity.auth.test.domain_name }}
+        - name: NETWORK_QUOTA
+          value: {{ (first (index .Values.conf.rally_tests.tests "NeutronNetworks.create_and_delete_networks")).context.quotas.neutron.network | quote }}
+        - name: PORT_QUOTA
+          value: {{ (first (index .Values.conf.rally_tests.tests "NeutronNetworks.create_and_delete_ports")).context.quotas.neutron.port | quote }}
+        - name: ROUTER_QUOTA
+          value: {{ (first (index .Values.conf.rally_tests.tests "NeutronNetworks.create_and_delete_routers")).context.quotas.neutron.router | quote }}
+        - name: SUBNET_QUOTA
+          value: {{ (first (index .Values.conf.rally_tests.tests "NeutronNetworks.create_and_delete_subnets")).context.quotas.neutron.subnet | quote }}
+        - name: SEC_GROUP_QUOTA
+          value: {{ (first (index .Values.conf.rally_tests.tests "NeutronSecurityGroup.create_and_list_security_groups")).context.quotas.neutron.security_group | quote }}
+      command:
+        - /tmp/neutron-test-force-cleanup.sh
+      volumeMounts:
+        - name: neutron-bin
+          mountPath: /tmp/neutron-test-force-cleanup.sh
+          subPath: neutron-test-force-cleanup.sh
+          readOnly: true
+        - name: pod-tmp
+          mountPath: /tmp/pod-tmp
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
+{{ end }}
+  containers:
+    - name: neutron-test
+{{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+      env:
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
+{{- end }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 8 }}
+{{- end }}
+        - name: RALLY_ENV_NAME
+          value: {{.Release.Name}}
+      command:
+        - /tmp/rally-test.sh
+      volumeMounts:
+        - name: pod-tmp
+          mountPath: /tmp
+        - name: neutron-etc
+          mountPath: /etc/rally/rally_tests.yaml
+          subPath: rally_tests.yaml
+          readOnly: true
+        - name: neutron-bin
+          mountPath: /tmp/rally-test.sh
+          subPath: rally-test.sh
+          readOnly: true
+        - name: rally-db
+          mountPath: /var/lib/rally
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
+{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
+  volumes:
+    - name: pod-tmp
+      emptyDir: {}
+    - name: neutron-etc
+      secret:
+        secretName: neutron-etc
+        defaultMode: 0444
+    - name: neutron-bin
+      configMap:
+        name: neutron-bin
+        defaultMode: 0555
+    - name: rally-db
+      emptyDir: {}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume"  | indent 4 }}
+{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
+{{- end }}
diff --git a/charts/neutron/templates/secret-db.yaml b/charts/neutron/templates/secret-db.yaml
new file mode 100644
index 0000000..47d956f
--- /dev/null
+++ b/charts/neutron/templates/secret-db.yaml
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_db }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "neutron" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+{{- $connection := tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+{{- if $envAll.Values.manifests.certificates }}
+  DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
+{{- else }}
+  DB_CONNECTION: {{  $connection | b64enc -}}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/neutron/templates/secret-ingress-tls.yaml b/charts/neutron/templates/secret-ingress-tls.yaml
new file mode 100644
index 0000000..0185c6a
--- /dev/null
+++ b/charts/neutron/templates/secret-ingress-tls.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "server" "backendServiceType" "network" ) }}
+{{- end }}
diff --git a/charts/neutron/templates/secret-keystone.yaml b/charts/neutron/templates/secret-keystone.yaml
new file mode 100644
index 0000000..3ce6865
--- /dev/null
+++ b/charts/neutron/templates/secret-keystone.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_keystone }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "neutron" "test" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
+{{- end }}
diff --git a/charts/neutron/templates/secret-registry.yaml b/charts/neutron/templates/secret-registry.yaml
new file mode 100644
index 0000000..da979b3
--- /dev/null
+++ b/charts/neutron/templates/secret-registry.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
diff --git a/charts/neutron/templates/secret_rabbitmq.yaml b/charts/neutron/templates/secret_rabbitmq.yaml
new file mode 100644
index 0000000..16c70e4
--- /dev/null
+++ b/charts/neutron/templates/secret_rabbitmq.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_rabbitmq }}
+{{- $envAll := . }}
+{{- $rabbitmqProtocol := "http" }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- $rabbitmqProtocol = "https" }}
+{{- end }}
+{{- range $key1, $userClass := tuple "admin" "neutron" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+  RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass $rabbitmqProtocol $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/neutron/templates/service-ingress-neutron.yaml b/charts/neutron/templates/service-ingress-neutron.yaml
new file mode 100644
index 0000000..86a53d9
--- /dev/null
+++ b/charts/neutron/templates/service-ingress-neutron.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_ingress_server .Values.network.server.ingress.public }}
+{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "network" -}}
+{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
+{{- end }}
diff --git a/charts/neutron/templates/service-server.yaml b/charts/neutron/templates/service-server.yaml
new file mode 100644
index 0000000..8fcee66
--- /dev/null
+++ b/charts/neutron/templates/service-server.yaml
@@ -0,0 +1,37 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service_server }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tuple "network" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+  ports:
+    - name: q-api
+      port: {{ tuple "network" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+    {{ if .Values.network.server.node_port.enabled }}
+      nodePort: {{ .Values.network.server.node_port.port }}
+    {{ end }}
+  selector:
+{{ tuple $envAll "neutron" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  {{ if .Values.network.server.node_port.enabled }}
+  type: NodePort
+  {{ if .Values.network.server.external_policy_local }}
+  externalTrafficPolicy: Local
+  {{ end }}
+  {{ end }}
+{{- end }}
diff --git a/charts/neutron/values.yaml b/charts/neutron/values.yaml
new file mode 100644
index 0000000..0fb2645
--- /dev/null
+++ b/charts/neutron/values.yaml
@@ -0,0 +1,2396 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for neutron.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+---
+release_group: null
+
+images:
+  tags:
+    bootstrap: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+    test: docker.io/xrally/xrally-openstack:2.0.0
+    purge_test: docker.io/openstackhelm/ospurge:latest
+    db_init: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+    neutron_db_sync: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
+    db_drop: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+    rabbit_init: docker.io/rabbitmq:3.7-management
+    ks_user: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+    ks_service: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+    ks_endpoints: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+    neutron_server: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
+    neutron_dhcp: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
+    neutron_metadata: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
+    neutron_l3: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
+    neutron_l2gw: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
+    neutron_openvswitch_agent: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
+    neutron_linuxbridge_agent: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
+    neutron_sriov_agent: docker.io/openstackhelm/neutron:stein-18.04-sriov
+    neutron_sriov_agent_init: docker.io/openstackhelm/neutron:stein-18.04-sriov
+    neutron_bagpipe_bgp: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
+    neutron_ironic_agent: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
+    neutron_netns_cleanup_cron: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
+    dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    image_repo_sync: docker.io/docker:17.07.0
+  pull_policy: "IfNotPresent"
+  local_registry:
+    active: false
+    exclude:
+      - dep_check
+      - image_repo_sync
+
+labels:
+  agent:
+    dhcp:
+      node_selector_key: openstack-control-plane
+      node_selector_value: enabled
+    l3:
+      node_selector_key: openstack-control-plane
+      node_selector_value: enabled
+    metadata:
+      node_selector_key: openstack-control-plane
+      node_selector_value: enabled
+    l2gw:
+      node_selector_key: openstack-control-plane
+      node_selector_value: enabled
+  job:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  lb:
+    node_selector_key: linuxbridge
+    node_selector_value: enabled
+  # openvswitch is a special case, requiring a special
+  # label that can apply to both control hosts
+  # and compute hosts, until we get more sophisticated
+  # with our daemonset scheduling
+  ovs:
+    node_selector_key: openvswitch
+    node_selector_value: enabled
+  sriov:
+    node_selector_key: sriov
+    node_selector_value: enabled
+  bagpipe_bgp:
+    node_selector_key: openstack-compute-node
+    node_selector_value: enabled
+  server:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  ironic_agent:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  netns_cleanup_cron:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  test:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+
+network:
+  # provide what type of network wiring will be used
+  backend:
+    - openvswitch
+  # NOTE(Portdirect): Share network namespaces with the host,
+  # allowing agents to be restarted without packet loss and simpler
+  # debugging. This feature requires mount propagation support.
+  share_namespaces: true
+  interface:
+    # Tunnel interface will be used for VXLAN tunneling.
+    tunnel: null
+    # If tunnel is null there is a fallback mechanism to search
+    # for interface with routing using tunnel network cidr.
+    tunnel_network_cidr: "0/0"
+  # To perform setup of network interfaces using the SR-IOV init
+  # container you can use a section similar to:
+  # sriov:
+  #   - device: ${DEV}
+  #     num_vfs: 8
+  #     mtu: 9214
+  #     promisc: false
+  #     qos:
+  #       - vf_num: 0
+  #         share: 10
+  #     queues_per_vf:
+  #       - num_queues: 16
+  #         exclude_vf: 0,11,21
+  server:
+    ingress:
+      public: true
+      classes:
+        namespace: "nginx"
+        cluster: "nginx-cluster"
+      annotations:
+        nginx.ingress.kubernetes.io/rewrite-target: /
+    external_policy_local: false
+    node_port:
+      enabled: false
+      port: 30096
+
+bootstrap:
+  enabled: false
+  ks_user: neutron
+  script: |
+    openstack token issue
+
+dependencies:
+  dynamic:
+    common:
+      local_image_registry:
+        jobs:
+          - neutron-image-repo-sync
+        services:
+          - endpoint: node
+            service: local_image_registry
+    targeted:
+      sriov: {}
+      l2gateway: {}
+      bagpipe_bgp: {}
+      openvswitch:
+        dhcp:
+          pod:
+            - requireSameNode: true
+              labels:
+                application: neutron
+                component: neutron-ovs-agent
+        l3:
+          pod:
+            - requireSameNode: true
+              labels:
+                application: neutron
+                component: neutron-ovs-agent
+        metadata:
+          pod:
+            - requireSameNode: true
+              labels:
+                application: neutron
+                component: neutron-ovs-agent
+      linuxbridge:
+        dhcp:
+          pod:
+            - requireSameNode: true
+              labels:
+                application: neutron
+                component: neutron-lb-agent
+        l3:
+          pod:
+            - requireSameNode: true
+              labels:
+                application: neutron
+                component: neutron-lb-agent
+        metadata:
+          pod:
+            - requireSameNode: true
+              labels:
+                application: neutron
+                component: neutron-lb-agent
+        lb_agent:
+          pod: null
+  static:
+    bootstrap:
+      services:
+        - endpoint: internal
+          service: network
+        - endpoint: internal
+          service: compute
+    db_drop:
+      services:
+        - endpoint: internal
+          service: oslo_db
+    db_init:
+      services:
+        - endpoint: internal
+          service: oslo_db
+    db_sync:
+      jobs:
+        - neutron-db-init
+      services:
+        - endpoint: internal
+          service: oslo_db
+    dhcp:
+      pod: null
+      jobs:
+        - neutron-rabbit-init
+      services:
+        - endpoint: internal
+          service: oslo_messaging
+        - endpoint: internal
+          service: network
+        - endpoint: internal
+          service: compute
+    ks_endpoints:
+      jobs:
+        - neutron-ks-service
+      services:
+        - endpoint: internal
+          service: identity
+    ks_service:
+      services:
+        - endpoint: internal
+          service: identity
+    ks_user:
+      services:
+        - endpoint: internal
+          service: identity
+    rabbit_init:
+      services:
+        - service: oslo_messaging
+          endpoint: internal
+    l3:
+      pod: null
+      jobs:
+        - neutron-rabbit-init
+      services:
+        - endpoint: internal
+          service: oslo_messaging
+        - endpoint: internal
+          service: network
+        - endpoint: internal
+          service: compute
+    lb_agent:
+      pod: null
+      jobs:
+        - neutron-rabbit-init
+      services:
+        - endpoint: internal
+          service: oslo_messaging
+        - endpoint: internal
+          service: network
+    metadata:
+      pod: null
+      jobs:
+        - neutron-rabbit-init
+      services:
+        - endpoint: internal
+          service: oslo_messaging
+        - endpoint: internal
+          service: network
+        - endpoint: internal
+          service: compute
+        - endpoint: public
+          service: compute_metadata
+    ovs_agent:
+      jobs:
+        - neutron-rabbit-init
+      pod:
+        - requireSameNode: true
+          labels:
+            application: openvswitch
+            component: server
+      services:
+        - endpoint: internal
+          service: oslo_messaging
+        - endpoint: internal
+          service: network
+    server:
+      jobs:
+        - neutron-db-sync
+        - neutron-ks-user
+        - neutron-ks-endpoints
+        - neutron-rabbit-init
+      services:
+        - endpoint: internal
+          service: oslo_db
+        - endpoint: internal
+          service: oslo_messaging
+        - endpoint: internal
+          service: oslo_cache
+        - endpoint: internal
+          service: identity
+    ironic_agent:
+      jobs:
+        - neutron-db-sync
+        - neutron-ks-user
+        - neutron-ks-endpoints
+        - neutron-rabbit-init
+      services:
+        - endpoint: internal
+          service: oslo_db
+        - endpoint: internal
+          service: oslo_messaging
+        - endpoint: internal
+          service: oslo_cache
+        - endpoint: internal
+          service: identity
+    tests:
+      services:
+        - endpoint: internal
+          service: network
+        - endpoint: internal
+          service: compute
+    image_repo_sync:
+      services:
+        - endpoint: internal
+          service: local_image_registry
+
+pod:
+  use_fqdn:
+    neutron_agent: true
+  probes:
+    rpc_timeout: 60
+    rpc_retries: 2
+    dhcp_agent:
+      dhcp_agent:
+        readiness:
+          enabled: true
+          params:
+            initialDelaySeconds: 30
+            periodSeconds: 190
+            timeoutSeconds: 185
+        liveness:
+          enabled: true
+          params:
+            initialDelaySeconds: 120
+            periodSeconds: 600
+            timeoutSeconds: 580
+    l3_agent:
+      l3_agent:
+        readiness:
+          enabled: true
+          params:
+            initialDelaySeconds: 30
+            periodSeconds: 190
+            timeoutSeconds: 185
+        liveness:
+          enabled: true
+          params:
+            initialDelaySeconds: 120
+            periodSeconds: 600
+            timeoutSeconds: 580
+    lb_agent:
+      lb_agent:
+        readiness:
+          enabled: true
+    metadata_agent:
+      metadata_agent:
+        readiness:
+          enabled: true
+          params:
+            initialDelaySeconds: 30
+            periodSeconds: 190
+            timeoutSeconds: 185
+        liveness:
+          enabled: true
+          params:
+            initialDelaySeconds: 120
+            periodSeconds: 600
+            timeoutSeconds: 580
+    ovs_agent:
+      ovs_agent:
+        readiness:
+          enabled: true
+          params:
+        liveness:
+          enabled: true
+          params:
+            initialDelaySeconds: 120
+            periodSeconds: 600
+            timeoutSeconds: 580
+    sriov_agent:
+      sriov_agent:
+        readiness:
+          enabled: true
+          params:
+            initialDelaySeconds: 30
+            periodSeconds: 190
+            timeoutSeconds: 185
+    bagpipe_bgp:
+      bagpipe_bgp:
+        readiness:
+          enabled: true
+          params:
+        liveness:
+          enabled: true
+          params:
+            initialDelaySeconds: 60
+    l2gw_agent:
+      l2gw_agent:
+        readiness:
+          enabled: true
+          params:
+            initialDelaySeconds: 30
+            periodSeconds: 15
+            timeoutSeconds: 65
+        liveness:
+          enabled: true
+          params:
+            initialDelaySeconds: 120
+            periodSeconds: 90
+            timeoutSeconds: 70
+    server:
+      server:
+        readiness:
+          enabled: true
+          params:
+        liveness:
+          enabled: true
+          params:
+            initialDelaySeconds: 60
+  security_context:
+    neutron_dhcp_agent:
+      pod:
+        runAsUser: 42424
+      container:
+        neutron_dhcp_agent:
+          readOnlyRootFilesystem: true
+          privileged: true
+    neutron_l2gw_agent:
+      pod:
+        runAsUser: 42424
+      container:
+        neutron_l2gw_agent:
+          readOnlyRootFilesystem: true
+          privileged: true
+    neutron_bagpipe_bgp:
+      pod:
+        runAsUser: 42424
+      container:
+        neutron_bagpipe_bgp:
+          readOnlyRootFilesystem: true
+          privileged: true
+    neutron_l3_agent:
+      pod:
+        runAsUser: 42424
+      container:
+        neutron_l3_agent:
+          readOnlyRootFilesystem: true
+          privileged: true
+    neutron_lb_agent:
+      pod:
+        runAsUser: 42424
+      container:
+        neutron_lb_agent_kernel_modules:
+          capabilities:
+            add:
+              - SYS_MODULE
+              - SYS_CHROOT
+          runAsUser: 0
+          readOnlyRootFilesystem: true
+        neutron_lb_agent_init:
+          privileged: true
+          runAsUser: 0
+          readOnlyRootFilesystem: true
+        neutron_lb_agent:
+          readOnlyRootFilesystem: true
+          privileged: true
+    neutron_metadata_agent:
+      pod:
+        runAsUser: 42424
+      container:
+        neutron_metadata_agent_init:
+          runAsUser: 0
+          readOnlyRootFilesystem: true
+    neutron_ovs_agent:
+      pod:
+        runAsUser: 42424
+      container:
+        neutron_openvswitch_agent_kernel_modules:
+          capabilities:
+            add:
+              - SYS_MODULE
+              - SYS_CHROOT
+          runAsUser: 0
+          readOnlyRootFilesystem: true
+        neutron_ovs_agent_init:
+          privileged: true
+          runAsUser: 0
+          readOnlyRootFilesystem: true
+        neutron_ovs_agent:
+          readOnlyRootFilesystem: true
+          privileged: true
+    neutron_server:
+      pod:
+        runAsUser: 42424
+      container:
+        nginx:
+          runAsUser: 0
+          readOnlyRootFilesystem: false
+        neutron_server:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+    neutron_sriov_agent:
+      pod:
+        runAsUser: 42424
+      container:
+        neutron_sriov_agent_init:
+          privileged: true
+          runAsUser: 0
+          readOnlyRootFilesystem: false
+        neutron_sriov_agent:
+          readOnlyRootFilesystem: true
+          privileged: true
+    neutron_ironic_agent:
+      pod:
+        runAsUser: 42424
+      container:
+        neutron_ironic_agent:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+    neutron_netns_cleanup_cron:
+      pod:
+        runAsUser: 42424
+      container:
+        neutron_netns_cleanup_cron:
+          readOnlyRootFilesystem: true
+          privileged: true
+  affinity:
+    anti:
+      type:
+        default: preferredDuringSchedulingIgnoredDuringExecution
+      topologyKey:
+        default: kubernetes.io/hostname
+      weight:
+        default: 10
+  tolerations:
+    neutron:
+      enabled: false
+      tolerations:
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: NoSchedule
+  mounts:
+    neutron_server:
+      init_container: null
+      neutron_server:
+        volumeMounts:
+        volumes:
+    neutron_dhcp_agent:
+      init_container: null
+      neutron_dhcp_agent:
+        volumeMounts:
+        volumes:
+    neutron_l3_agent:
+      init_container: null
+      neutron_l3_agent:
+        volumeMounts:
+        volumes:
+    neutron_lb_agent:
+      init_container: null
+      neutron_lb_agent:
+        volumeMounts:
+        volumes:
+    neutron_metadata_agent:
+      init_container: null
+      neutron_metadata_agent:
+        volumeMounts:
+        volumes:
+    neutron_ovs_agent:
+      init_container: null
+      neutron_ovs_agent:
+        volumeMounts:
+        volumes:
+    neutron_sriov_agent:
+      init_container: null
+      neutron_sriov_agent:
+        volumeMounts:
+        volumes:
+    neutron_l2gw_agent:
+      init_container: null
+      neutron_l2gw_agent:
+        volumeMounts:
+        volumes:
+    bagpipe_bgp:
+      init_container: null
+      bagpipe_bgp:
+        volumeMounts:
+        volumes:
+    neutron_ironic_agent:
+      init_container: null
+      neutron_ironic_agent:
+        volumeMounts:
+        volumes:
+    neutron_netns_cleanup_cron:
+      init_container: null
+      neutron_netns_cleanup_cron:
+        volumeMounts:
+        volumes:
+    neutron_tests:
+      init_container: null
+      neutron_tests:
+        volumeMounts:
+        volumes:
+    neutron_bootstrap:
+      init_container: null
+      neutron_bootstrap:
+        volumeMounts:
+        volumes:
+    neutron_db_sync:
+      neutron_db_sync:
+        volumeMounts:
+          - name: db-sync-conf
+            mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
+            subPath: ml2_conf.ini
+            readOnly: true
+        volumes:
+  replicas:
+    server: 1
+    ironic_agent: 1
+  lifecycle:
+    upgrades:
+      deployments:
+        revision_history: 3
+        pod_replacement_strategy: RollingUpdate
+        rolling_update:
+          max_unavailable: 1
+          max_surge: 3
+      daemonsets:
+        pod_replacement_strategy: RollingUpdate
+        dhcp_agent:
+          enabled: true
+          min_ready_seconds: 0
+          max_unavailable: 1
+        l3_agent:
+          enabled: true
+          min_ready_seconds: 0
+          max_unavailable: 1
+        lb_agent:
+          enabled: true
+          min_ready_seconds: 0
+          max_unavailable: 1
+        metadata_agent:
+          enabled: true
+          min_ready_seconds: 0
+          max_unavailable: 1
+        ovs_agent:
+          enabled: true
+          min_ready_seconds: 0
+          max_unavailable: 1
+        sriov_agent:
+          enabled: true
+          min_ready_seconds: 0
+          max_unavailable: 1
+        netns_cleanup_cron:
+          enabled: true
+          min_ready_seconds: 0
+          max_unavailable: 1
+    disruption_budget:
+      server:
+        min_available: 0
+    termination_grace_period:
+      server:
+        timeout: 30
+      ironic_agent:
+        timeout: 30
+  resources:
+    enabled: false
+    agent:
+      dhcp:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      l3:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      lb:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      metadata:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      ovs:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      sriov:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      l2gw:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      bagpipe_bgp:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+    server:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+    ironic_agent:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+    netns_cleanup_cron:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+    jobs:
+      bootstrap:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      db_init:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      rabbit_init:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      db_sync:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      db_drop:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      ks_endpoints:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      ks_service:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      ks_user:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      tests:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      image_repo_sync:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+
+conf:
+  rally_tests:
+    force_project_purge: false
+    run_tempest: false
+    clean_up: |
+      # NOTE: We will make the best effort to clean up rally generated networks and routers,
+      # but should not block further automated deployment.
+      set +e
+      PATTERN="^[sc]_rally_"
+
+      ROUTERS=$(openstack router list --format=value -c Name | grep -e $PATTERN | sort | tr -d '\r')
+      NETWORKS=$(openstack network list --format=value -c Name | grep -e $PATTERN | sort | tr -d '\r')
+
+      for ROUTER in $ROUTERS
+      do
+        openstack router unset --external-gateway $ROUTER
+        openstack router set --disable --no-ha $ROUTER
+
+        SUBNS=$(openstack router show $ROUTER -c interfaces_info --format=value | python -m json.tool | grep -oP '(?<="subnet_id": ")[a-f0-9\-]{36}(?=")' | sort | uniq)
+        for SUBN in $SUBNS
+        do
+          openstack router remove subnet $ROUTER $SUBN
+        done
+
+        for PORT in $(openstack port list --router $ROUTER --format=value -c ID | tr -d '\r')
+        do
+          openstack router remove port $ROUTER $PORT
+        done
+
+        openstack router delete $ROUTER
+      done
+
+      for NETWORK in $NETWORKS
+      do
+        for PORT in $(openstack port list --network $NETWORK --format=value -c ID | tr -d '\r')
+        do
+          openstack port delete $PORT
+        done
+        openstack network delete $NETWORK
+      done
+      set -e
+    tests:
+      NeutronNetworks.create_and_delete_networks:
+        - args:
+            network_create_args: {}
+          context:
+            quotas:
+              neutron:
+                network: -1
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      NeutronNetworks.create_and_delete_ports:
+        - args:
+            network_create_args: {}
+            port_create_args: {}
+            ports_per_network: 10
+          context:
+            network: {}
+            quotas:
+              neutron:
+                network: -1
+                port: -1
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      NeutronNetworks.create_and_delete_routers:
+        - args:
+            network_create_args: {}
+            router_create_args: {}
+            subnet_cidr_start: 1.1.0.0/30
+            subnet_create_args: {}
+            subnets_per_network: 2
+          context:
+            network: {}
+            quotas:
+              neutron:
+                network: -1
+                router: -1
+                subnet: -1
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      NeutronNetworks.create_and_delete_subnets:
+        - args:
+            network_create_args: {}
+            subnet_cidr_start: 1.1.0.0/30
+            subnet_create_args: {}
+            subnets_per_network: 2
+          context:
+            network: {}
+            quotas:
+              neutron:
+                network: -1
+                subnet: -1
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      NeutronNetworks.create_and_list_routers:
+        - args:
+            network_create_args: {}
+            router_create_args: {}
+            subnet_cidr_start: 1.1.0.0/30
+            subnet_create_args: {}
+            subnets_per_network: 2
+          context:
+            network: {}
+            quotas:
+              neutron:
+                network: -1
+                router: -1
+                subnet: -1
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      NeutronNetworks.create_and_list_subnets:
+        - args:
+            network_create_args: {}
+            subnet_cidr_start: 1.1.0.0/30
+            subnet_create_args: {}
+            subnets_per_network: 2
+          context:
+            network: {}
+            quotas:
+              neutron:
+                network: -1
+                subnet: -1
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      NeutronNetworks.create_and_show_network:
+        - args:
+            network_create_args: {}
+          context:
+            quotas:
+              neutron:
+                network: -1
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      NeutronNetworks.create_and_update_networks:
+        - args:
+            network_create_args: {}
+            network_update_args:
+              admin_state_up: false
+          context:
+            quotas:
+              neutron:
+                network: -1
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      NeutronNetworks.create_and_update_ports:
+        - args:
+            network_create_args: {}
+            port_create_args: {}
+            port_update_args:
+              admin_state_up: false
+              device_id: dummy_id
+              device_owner: dummy_owner
+            ports_per_network: 5
+          context:
+            network: {}
+            quotas:
+              neutron:
+                network: -1
+                port: -1
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      NeutronNetworks.create_and_update_routers:
+        - args:
+            network_create_args: {}
+            router_create_args: {}
+            router_update_args:
+              admin_state_up: false
+            subnet_cidr_start: 1.1.0.0/30
+            subnet_create_args: {}
+            subnets_per_network: 2
+          context:
+            network: {}
+            quotas:
+              neutron:
+                network: -1
+                router: -1
+                subnet: -1
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      NeutronNetworks.create_and_update_subnets:
+        - args:
+            network_create_args: {}
+            subnet_cidr_start: 1.4.0.0/16
+            subnet_create_args: {}
+            subnet_update_args:
+              enable_dhcp: false
+            subnets_per_network: 2
+          context:
+            network: {}
+            quotas:
+              neutron:
+                network: -1
+                subnet: -1
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      NeutronNetworks.list_agents:
+        - args:
+            agent_args: {}
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      NeutronSecurityGroup.create_and_list_security_groups:
+        - args:
+            security_group_create_args: {}
+          context:
+            quotas:
+              neutron:
+                security_group: -1
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      NeutronSecurityGroup.create_and_update_security_groups:
+        - args:
+            security_group_create_args: {}
+            security_group_update_args: {}
+          context:
+            quotas:
+              neutron:
+                security_group: -1
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+  paste:
+    composite:neutron:
+      use: egg:Paste#urlmap
+      /: neutronversions_composite
+      /v2.0: neutronapi_v2_0
+    composite:neutronapi_v2_0:
+      use: call:neutron.auth:pipeline_factory
+      noauth: cors http_proxy_to_wsgi request_id catch_errors extensions neutronapiapp_v2_0
+      keystone: cors http_proxy_to_wsgi request_id catch_errors authtoken audit keystonecontext extensions neutronapiapp_v2_0
+    composite:neutronversions_composite:
+      use: call:neutron.auth:pipeline_factory
+      noauth: cors http_proxy_to_wsgi neutronversions
+      keystone: cors http_proxy_to_wsgi neutronversions
+    filter:request_id:
+      paste.filter_factory: oslo_middleware:RequestId.factory
+    filter:catch_errors:
+      paste.filter_factory: oslo_middleware:CatchErrors.factory
+    filter:cors:
+      paste.filter_factory: oslo_middleware.cors:filter_factory
+      oslo_config_project: neutron
+    filter:http_proxy_to_wsgi:
+      paste.filter_factory: oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
+    filter:keystonecontext:
+      paste.filter_factory: neutron.auth:NeutronKeystoneContext.factory
+    filter:authtoken:
+      paste.filter_factory: keystonemiddleware.auth_token:filter_factory
+    filter:audit:
+      paste.filter_factory: keystonemiddleware.audit:filter_factory
+      audit_map_file: /etc/neutron/api_audit_map.conf
+    filter:extensions:
+      paste.filter_factory: neutron.api.extensions:plugin_aware_extension_middleware_factory
+    app:neutronversions:
+      paste.app_factory: neutron.pecan_wsgi.app:versions_factory
+    app:neutronapiapp_v2_0:
+      paste.app_factory: neutron.api.v2.router:APIRouter.factory
+    filter:osprofiler:
+      paste.filter_factory: osprofiler.web:WsgiMiddleware.factory
+  policy: {}
+  api_audit_map:
+    DEFAULT:
+      target_endpoint_type: None
+    custom_actions:
+      add_router_interface: update/add
+      remove_router_interface: update/remove
+    path_keywords:
+      floatingips: ip
+      healthmonitors: healthmonitor
+      health_monitors: health_monitor
+      lb: None
+      members: member
+      metering-labels: label
+      metering-label-rules: rule
+      networks: network
+      pools: pool
+      ports: port
+      routers: router
+      quotas: quota
+      security-groups: security-group
+      security-group-rules: rule
+      subnets: subnet
+      vips: vip
+    service_endpoints:
+      network: service/network
+  neutron_sudoers: |
+    # This sudoers file supports rootwrap for both Kolla and LOCI Images.
+    Defaults !requiretty
+    Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin"
+    neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *, /var/lib/openstack/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *
+    neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf, /var/lib/openstack/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf
+  rootwrap: |
+    # Configuration for neutron-rootwrap
+    # This file should be owned by (and only-writeable by) the root user
+
+    [DEFAULT]
+    # List of directories to load filter definitions from (separated by ',').
+    # These directories MUST all be only writeable by root !
+    filters_path=/etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap,/var/lib/openstack/etc/neutron/rootwrap.d
+
+    # List of directories to search executables in, in case filters do not
+    # explicitely specify a full path (separated by ',')
+    # If not specified, defaults to system PATH environment variable.
+    # These directories MUST all be only writeable by root !
+    exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/var/lib/openstack/bin,/var/lib/kolla/venv/bin
+
+    # Enable logging to syslog
+    # Default value is False
+    use_syslog=False
+
+    # Which syslog facility to use.
+    # Valid values include auth, authpriv, syslog, local0, local1...
+    # Default value is 'syslog'
+    syslog_log_facility=syslog
+
+    # Which messages to log.
+    # INFO means log all usage
+    # ERROR means only log unsuccessful attempts
+    syslog_log_level=ERROR
+
+    [xenapi]
+    # XenAPI configuration is only required by the L2 agent if it is to
+    # target a XenServer/XCP compute host's dom0.
+    xenapi_connection_url=<None>
+    xenapi_connection_username=root
+    xenapi_connection_password=<None>
+  rootwrap_filters:
+    debug:
+      pods:
+        - dhcp_agent
+        - l3_agent
+        - lb_agent
+        - metadata_agent
+        - ovs_agent
+        - sriov_agent
+      content: |
+        # neutron-rootwrap command filters for nodes on which neutron is
+        # expected to control network
+        #
+        # This file should be owned by (and only-writeable by) the root user
+
+        # format seems to be
+        # cmd-name: filter-name, raw-command, user, args
+
+        [Filters]
+
+        # This is needed because we should ping
+        # from inside a namespace which requires root
+        # _alt variants allow to match -c and -w in any order
+        #   (used by NeutronDebugAgent.ping_all)
+        ping: RegExpFilter, ping, root, ping, -w, \d+, -c, \d+, [0-9\.]+
+        ping_alt: RegExpFilter, ping, root, ping, -c, \d+, -w, \d+, [0-9\.]+
+        ping6: RegExpFilter, ping6, root, ping6, -w, \d+, -c, \d+, [0-9A-Fa-f:]+
+        ping6_alt: RegExpFilter, ping6, root, ping6, -c, \d+, -w, \d+, [0-9A-Fa-f:]+
+    dibbler:
+      pods:
+        - dhcp_agent
+        - l3_agent
+        - lb_agent
+        - metadata_agent
+        - ovs_agent
+        - sriov_agent
+      content: |
+        # neutron-rootwrap command filters for nodes on which neutron is
+        # expected to control network
+        #
+        # This file should be owned by (and only-writeable by) the root user
+
+        # format seems to be
+        # cmd-name: filter-name, raw-command, user, args
+
+        [Filters]
+
+        # Filters for the dibbler-based reference implementation of the pluggable
+        # Prefix Delegation driver. Other implementations using an alternative agent
+        # should include a similar filter in this folder.
+
+        # prefix_delegation_agent
+        dibbler-client: CommandFilter, dibbler-client, root
+    ipset_firewall:
+      pods:
+        - dhcp_agent
+        - l3_agent
+        - lb_agent
+        - metadata_agent
+        - ovs_agent
+        - sriov_agent
+      content: |
+        # neutron-rootwrap command filters for nodes on which neutron is
+        # expected to control network
+        #
+        # This file should be owned by (and only-writeable by) the root user
+
+        # format seems to be
+        # cmd-name: filter-name, raw-command, user, args
+
+        [Filters]
+        # neutron/agent/linux/iptables_firewall.py
+        #   "ipset", "-A", ...
+        ipset: CommandFilter, ipset, root
+    l3:
+      pods:
+        - dhcp_agent
+        - l3_agent
+        - lb_agent
+        - metadata_agent
+        - ovs_agent
+        - sriov_agent
+      content: |
+        # neutron-rootwrap command filters for nodes on which neutron is
+        # expected to control network
+        #
+        # This file should be owned by (and only-writeable by) the root user
+
+        # format seems to be
+        # cmd-name: filter-name, raw-command, user, args
+
+        [Filters]
+
+        # arping
+        arping: CommandFilter, arping, root
+
+        # l3_agent
+        sysctl: CommandFilter, sysctl, root
+        route: CommandFilter, route, root
+        radvd: CommandFilter, radvd, root
+
+        # haproxy
+        haproxy: RegExpFilter, haproxy, root, haproxy, -f, .*
+        kill_haproxy: KillFilter, root, haproxy, -15, -9, -HUP
+
+        # metadata proxy
+        metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
+        # RHEL invocation of the metadata proxy will report /usr/bin/python
+        kill_metadata: KillFilter, root, python, -15, -9
+        kill_metadata2: KillFilter, root, python2, -15, -9
+        kill_metadata7: KillFilter, root, python2.7, -15, -9
+        kill_metadata3: KillFilter, root, python3, -15, -9
+        kill_metadata35: KillFilter, root, python3.5, -15, -9
+        kill_metadata36: KillFilter, root, python3.6, -15, -9
+        kill_metadata37: KillFilter, root, python3.7, -15, -9
+        kill_radvd_usr: KillFilter, root, /usr/sbin/radvd, -15, -9, -HUP
+        kill_radvd: KillFilter, root, /sbin/radvd, -15, -9, -HUP
+
+        # ip_lib
+        ip: IpFilter, ip, root
+        find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
+        ip_exec: IpNetnsExecFilter, ip, root
+
+        # l3_tc_lib
+        l3_tc_show_qdisc: RegExpFilter, tc, root, tc, qdisc, show, dev, .+
+        l3_tc_add_qdisc_ingress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, ingress
+        l3_tc_add_qdisc_egress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, root, handle, 1:, htb
+        l3_tc_show_filters: RegExpFilter, tc, root, tc, -p, -s, -d, filter, show, dev, .+, parent, .+, prio, 1
+        l3_tc_delete_filters: RegExpFilter, tc, root, tc, filter, del, dev, .+, parent, .+, prio, 1, handle, .+, u32
+        l3_tc_add_filter_ingress: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, ip, prio, 1, u32, match, ip, dst, .+, police, rate, .+, burst, .+, drop, flowid, :1
+        l3_tc_add_filter_egress:  RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, ip, prio, 1, u32, match, ip, src, .+, police, rate, .+, burst, .+, drop, flowid, :1
+
+        # For ip monitor
+        kill_ip_monitor: KillFilter, root, ip, -9
+
+        # ovs_lib (if OVSInterfaceDriver is used)
+        ovs-vsctl: CommandFilter, ovs-vsctl, root
+
+        # iptables_manager
+        iptables-save: CommandFilter, iptables-save, root
+        iptables-restore: CommandFilter, iptables-restore, root
+        ip6tables-save: CommandFilter, ip6tables-save, root
+        ip6tables-restore: CommandFilter, ip6tables-restore, root
+
+        # Keepalived
+        keepalived: CommandFilter, keepalived, root
+        kill_keepalived: KillFilter, root, keepalived, -HUP, -15, -9
+
+        # l3 agent to delete floatingip's conntrack state
+        conntrack: CommandFilter, conntrack, root
+
+        # keepalived state change monitor
+        keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root
+        # The following filters are used to kill the keepalived state change monitor.
+        # Since the monitor runs as a Python script, the system reports that the
+        # command of the process to be killed is python.
+        # TODO(mlavalle) These kill filters will be updated once we come up with a
+        # mechanism to kill using the name of the script being executed by Python
+        kill_keepalived_monitor_py: KillFilter, root, python, -15
+        kill_keepalived_monitor_py27: KillFilter, root, python2.7, -15
+        kill_keepalived_monitor_py3: KillFilter, root, python3, -15
+        kill_keepalived_monitor_py35: KillFilter, root, python3.5, -15
+        kill_keepalived_monitor_py36: KillFilter, root, python3.6, -15
+        kill_keepalived_monitor_py37: KillFilter, root, python3.7, -15
+    netns_cleanup:
+      pods:
+        - dhcp_agent
+        - l3_agent
+        - lb_agent
+        - metadata_agent
+        - ovs_agent
+        - sriov_agent
+        - netns_cleanup_cron
+      content: |
+        # neutron-rootwrap command filters for nodes on which neutron is
+        # expected to control network
+        #
+        # This file should be owned by (and only-writeable by) the root user
+
+        # format seems to be
+        # cmd-name: filter-name, raw-command, user, args
+
+        [Filters]
+
+        # netns-cleanup
+        netstat: CommandFilter, netstat, root
+    dhcp:
+      pods:
+        - dhcp_agent
+        - l3_agent
+        - lb_agent
+        - metadata_agent
+        - ovs_agent
+        - sriov_agent
+        - netns_cleanup_cron
+      content: |
+        # neutron-rootwrap command filters for nodes on which neutron is
+        # expected to control network
+        #
+        # This file should be owned by (and only-writeable by) the root user
+
+        # format seems to be
+        # cmd-name: filter-name, raw-command, user, args
+
+        [Filters]
+
+        # dhcp-agent
+        dnsmasq: CommandFilter, dnsmasq, root
+        # dhcp-agent uses kill as well, that's handled by the generic KillFilter
+        # it looks like these are the only signals needed, per
+        # neutron/agent/linux/dhcp.py
+        kill_dnsmasq: KillFilter, root, /sbin/dnsmasq, -9, -HUP, -15
+        kill_dnsmasq_usr: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP, -15
+
+        ovs-vsctl: CommandFilter, ovs-vsctl, root
+        ivs-ctl: CommandFilter, ivs-ctl, root
+        mm-ctl: CommandFilter, mm-ctl, root
+        dhcp_release: CommandFilter, dhcp_release, root
+        dhcp_release6: CommandFilter, dhcp_release6, root
+
+        # metadata proxy
+        metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
+        # RHEL invocation of the metadata proxy will report /usr/bin/python
+        kill_metadata: KillFilter, root, python, -9
+        kill_metadata2: KillFilter, root, python2, -9
+        kill_metadata7: KillFilter, root, python2.7, -9
+        kill_metadata3: KillFilter, root, python3, -9
+        kill_metadata35: KillFilter, root, python3.5, -9
+        kill_metadata36: KillFilter, root, python3.6, -9
+        kill_metadata37: KillFilter, root, python3.7, -9
+
+        # ip_lib
+        ip: IpFilter, ip, root
+        find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
+        ip_exec: IpNetnsExecFilter, ip, root
+    ebtables:
+      pods:
+        - dhcp_agent
+        - l3_agent
+        - lb_agent
+        - metadata_agent
+        - ovs_agent
+        - sriov_agent
+      content: |
+        # neutron-rootwrap command filters for nodes on which neutron is
+        # expected to control network
+        #
+        # This file should be owned by (and only-writeable by) the root user
+
+        # format seems to be
+        # cmd-name: filter-name, raw-command, user, args
+
+        [Filters]
+
+        ebtables: CommandFilter, ebtables, root
+    iptables_firewall:
+      pods:
+        - dhcp_agent
+        - l3_agent
+        - lb_agent
+        - metadata_agent
+        - ovs_agent
+        - sriov_agent
+      content: |
+        # neutron-rootwrap command filters for nodes on which neutron is
+        # expected to control network
+        #
+        # This file should be owned by (and only-writeable by) the root user
+
+        # format seems to be
+        # cmd-name: filter-name, raw-command, user, args
+
+        [Filters]
+
+        # neutron/agent/linux/iptables_firewall.py
+        #   "iptables-save", ...
+        iptables-save: CommandFilter, iptables-save, root
+        iptables-restore: CommandFilter, iptables-restore, root
+        ip6tables-save: CommandFilter, ip6tables-save, root
+        ip6tables-restore: CommandFilter, ip6tables-restore, root
+
+        # neutron/agent/linux/iptables_firewall.py
+        #   "iptables", "-A", ...
+        iptables: CommandFilter, iptables, root
+        ip6tables: CommandFilter, ip6tables, root
+
+        # neutron/agent/linux/iptables_firewall.py
+        sysctl: CommandFilter, sysctl, root
+
+        # neutron/agent/linux/ip_conntrack.py
+        conntrack: CommandFilter, conntrack, root
+    linuxbridge_plugin:
+      pods:
+        - dhcp_agent
+        - l3_agent
+        - lb_agent
+        - metadata_agent
+        - ovs_agent
+        - sriov_agent
+      content: |
+        # neutron-rootwrap command filters for nodes on which neutron is
+        # expected to control network
+        #
+        # This file should be owned by (and only-writeable by) the root user
+
+        # format seems to be
+        # cmd-name: filter-name, raw-command, user, args
+
+        [Filters]
+
+        # linuxbridge-agent
+        # unclear whether both variants are necessary, but I'm transliterating
+        # from the old mechanism
+        brctl: CommandFilter, brctl, root
+        bridge: CommandFilter, bridge, root
+
+        # ip_lib
+        ip: IpFilter, ip, root
+        find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
+        ip_exec: IpNetnsExecFilter, ip, root
+
+        # tc commands needed for QoS support
+        tc_replace_tbf: RegExpFilter, tc, root, tc, qdisc, replace, dev, .+, root, tbf, rate, .+, latency, .+, burst, .+
+        tc_add_ingress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, ingress, handle, .+
+        tc_delete: RegExpFilter, tc, root, tc, qdisc, del, dev, .+, .+
+        tc_show_qdisc: RegExpFilter, tc, root, tc, qdisc, show, dev, .+
+        tc_show_filters: RegExpFilter, tc, root, tc, filter, show, dev, .+, parent, .+
+        tc_add_filter: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, all, prio, .+, basic, police, rate, .+, burst, .+, mtu, .+, drop
+    openvswitch_plugin:
+      pods:
+        - dhcp_agent
+        - l3_agent
+        - lb_agent
+        - metadata_agent
+        - ovs_agent
+        - sriov_agent
+      content: |
+        # neutron-rootwrap command filters for nodes on which neutron is
+        # expected to control network
+        #
+        # This file should be owned by (and only-writeable by) the root user
+
+        # format seems to be
+        # cmd-name: filter-name, raw-command, user, args
+
+        [Filters]
+
+        # openvswitch-agent
+        # unclear whether both variants are necessary, but I'm transliterating
+        # from the old mechanism
+        ovs-vsctl: CommandFilter, ovs-vsctl, root
+        # NOTE(yamamoto): of_interface=native doesn't use ovs-ofctl
+        ovs-ofctl: CommandFilter, ovs-ofctl, root
+        ovs-appctl: CommandFilter, ovs-appctl, root
+        kill_ovsdb_client: KillFilter, root, /usr/bin/ovsdb-client, -9
+        ovsdb-client: CommandFilter, ovsdb-client, root
+        xe: CommandFilter, xe, root
+
+        # ip_lib
+        ip: IpFilter, ip, root
+        find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
+        ip_exec: IpNetnsExecFilter, ip, root
+
+        # needed for FDB extension
+        bridge: CommandFilter, bridge, root
+    privsep:
+      pods:
+        - dhcp_agent
+        - l3_agent
+        - lb_agent
+        - metadata_agent
+        - ovs_agent
+        - sriov_agent
+        - netns_cleanup_cron
+      content: |
+        # Command filters to allow privsep daemon to be started via rootwrap.
+        #
+        # This file should be owned by (and only-writeable by) the root user
+
+        [Filters]
+
+        # By installing the following, the local admin is asserting that:
+        #
+        # 1. The python module load path used by privsep-helper
+        #    command as root (as started by sudo/rootwrap) is trusted.
+        # 2. Any oslo.config files matching the --config-file
+        #    arguments below are trusted.
+        # 3. Users allowed to run sudo/rootwrap with this configuration(*) are
+        #    also allowed to invoke python "entrypoint" functions from
+        #    --privsep_context with the additional (possibly root) privileges
+        #    configured for that context.
+        #
+        # (*) ie: the user is allowed by /etc/sudoers to run rootwrap as root
+        #
+        # In particular, the oslo.config and python module path must not
+        # be writeable by the unprivileged user.
+
+        # oslo.privsep default neutron context
+        privsep: PathFilter, privsep-helper, root,
+         --config-file, /etc,
+         --privsep_context, neutron.privileged.default,
+         --privsep_sock_path, /
+
+        # NOTE: A second `--config-file` arg can also be added above. Since
+        # many neutron components are installed like that (eg: by devstack).
+        # Adjust to suit local requirements.
+    linux_vxlan:
+      pods:
+        - bagpipe_bgp
+      content: |
+        # bagpipe-bgp-rootwrap command filters for nodes on which bagpipe-bgp is
+        # expected to control VXLAN Linux Bridge dataplane
+        #
+        # This file should be owned by (and only-writeable by) the root user
+
+        # format seems to be
+        # cmd-name: filter-name, raw-command, user, args
+
+        [Filters]
+
+        #
+        modprobe: CommandFilter, modprobe, root
+
+        #
+        brctl: CommandFilter, brctl, root
+        bridge: CommandFilter, bridge, root
+
+        # ip_lib
+        ip: IpFilter, ip, root
+        ip_exec: IpNetnsExecFilter, ip, root
+
+        # shell (for piped commands)
+        sh: CommandFilter, sh, root
+    mpls_ovs_dataplane:
+      pods:
+        - bagpipe_bgp
+      content: |
+        # bagpipe-bgp-rootwrap command filters for nodes on which bagpipe-bgp is
+        # expected to control MPLS OpenVSwitch dataplane
+        #
+        # This file should be owned by (and only-writeable by) the root user
+
+        # format seems to be
+        # cmd-name: filter-name, raw-command, user, args
+
+        [Filters]
+
+        # openvswitch
+        ovs-vsctl: CommandFilter, ovs-vsctl, root
+        ovs-ofctl: CommandFilter, ovs-ofctl, root
+
+        # ip_lib
+        ip: IpFilter, ip, root
+        ip_exec: IpNetnsExecFilter, ip, root
+
+        # shell (for piped commands)
+        sh: CommandFilter, sh, root
+  neutron:
+    DEFAULT:
+      metadata_proxy_socket: /var/lib/neutron/openstack-helm/metadata_proxy
+      log_config_append: /etc/neutron/logging.conf
+      # NOTE(portdirect): the bind port should not be defined, and is manipulated
+      # via the endpoints section.
+      bind_port: null
+      default_availability_zones: nova
+      api_workers: 1
+      rpc_workers: 4
+      allow_overlapping_ips: True
+      state_path: /var/lib/neutron
+      # core_plugin can be: ml2, calico
+      core_plugin: ml2
+      # service_plugin can be: router, odl-router, empty for calico,
+      # networking_ovn.l3.l3_ovn.OVNL3RouterPlugin for OVN
+      service_plugins: router
+      allow_automatic_l3agent_failover: True
+      l3_ha: True
+      max_l3_agents_per_router: 2
+      l3_ha_network_type: vxlan
+      network_auto_schedule: True
+      router_auto_schedule: True
+      # (NOTE)portdirect: if unset this is populated dynamically from the value in
+      # 'network.backend' to sane defaults.
+      interface_driver: null
+    oslo_concurrency:
+      lock_path: /var/lib/neutron/tmp
+    database:
+      max_retries: -1
+    agent:
+      root_helper: sudo /var/lib/openstack/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
+      root_helper_daemon: sudo /var/lib/openstack/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf
+    oslo_messaging_notifications:
+      driver: messagingv2
+    oslo_messaging_rabbit:
+      rabbit_ha_queues: true
+    oslo_middleware:
+      enable_proxy_headers_parsing: true
+    oslo_policy:
+      policy_file: /etc/neutron/policy.yaml
+    nova:
+      auth_type: password
+      auth_version: v3
+      endpoint_type: internal
+    designate:
+      auth_type: password
+      auth_version: v3
+      endpoint_type: internal
+      allow_reverse_dns_lookup: true
+    ironic:
+      endpoint_type: internal
+    keystone_authtoken:
+      memcache_security_strategy: ENCRYPT
+      auth_type: password
+      auth_version: v3
+    octavia:
+      request_poll_timeout: 3000
+  logging:
+    loggers:
+      keys:
+        - root
+        - neutron
+        - neutron_taas
+    handlers:
+      keys:
+        - stdout
+        - stderr
+        - "null"
+    formatters:
+      keys:
+        - context
+        - default
+    logger_root:
+      level: WARNING
+      handlers: 'null'
+    logger_neutron:
+      level: INFO
+      handlers:
+        - stdout
+      qualname: neutron
+    logger_neutron_taas:
+      level: INFO
+      handlers:
+        - stdout
+      qualname: neutron_taas
+    logger_amqp:
+      level: WARNING
+      handlers: stderr
+      qualname: amqp
+    logger_amqplib:
+      level: WARNING
+      handlers: stderr
+      qualname: amqplib
+    logger_eventletwsgi:
+      level: WARNING
+      handlers: stderr
+      qualname: eventlet.wsgi.server
+    logger_sqlalchemy:
+      level: WARNING
+      handlers: stderr
+      qualname: sqlalchemy
+    logger_boto:
+      level: WARNING
+      handlers: stderr
+      qualname: boto
+    handler_null:
+      class: logging.NullHandler
+      formatter: default
+      args: ()
+    handler_stdout:
+      class: StreamHandler
+      args: (sys.stdout,)
+      formatter: context
+    handler_stderr:
+      class: StreamHandler
+      args: (sys.stderr,)
+      formatter: context
+    formatter_context:
+      class: oslo_log.formatters.ContextFormatter
+      datefmt: "%Y-%m-%d %H:%M:%S"
+    formatter_default:
+      format: "%(message)s"
+      datefmt: "%Y-%m-%d %H:%M:%S"
+  plugins:
+    ml2_conf:
+      ml2:
+        extension_drivers: port_security
+        # (NOTE)portdirect: if unset this is populated dyanmicly from the value
+        # in 'network.backend' to sane defaults.
+        mechanism_drivers: null
+        type_drivers: flat,vlan,vxlan
+        tenant_network_types: vxlan
+      ml2_type_vxlan:
+        vni_ranges: 1:1000
+        vxlan_group: 239.1.1.1
+      ml2_type_flat:
+        flat_networks: "*"
+      # If you want to use the external network as a tagged provider network,
+      # a range should be specified including the intended VLAN target
+      # using ml2_type_vlan.network_vlan_ranges:
+      # ml2_type_vlan:
+      #   network_vlan_ranges: "external:1100:1110"
+      agent:
+        extensions: ""
+    ml2_conf_sriov: null
+    taas:
+      taas:
+        enabled: False
+    openvswitch_agent:
+      agent:
+        tunnel_types: vxlan
+        l2_population: True
+        arp_responder: True
+      ovs:
+        bridge_mappings: "external:br-ex"
+      securitygroup:
+        firewall_driver: neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
+    linuxbridge_agent:
+      linux_bridge:
+        # To define Flat and VLAN connections, in LB we can assign
+        # specific interface to the flat/vlan network name using:
+        # physical_interface_mappings: "external:eth3"
+        # Or we can set the mapping between the network and bridge:
+        bridge_mappings: "external:br-ex"
+        # The two above options are exclusive, do not use both of them at once
+      securitygroup:
+        firewall_driver: iptables
+      vxlan:
+        l2_population: True
+        arp_responder: True
+    macvtap_agent: null
+    sriov_agent:
+      securitygroup:
+        firewall_driver: neutron.agent.firewall.NoopFirewallDriver
+      sriov_nic:
+        physical_device_mappings: physnet2:enp3s0f1
+        # NOTE: do not use null here, use an empty string
+        exclude_devices: ""
+  dhcp_agent:
+    DEFAULT:
+      # (NOTE)portdirect: if unset this is populated dyanmicly from the value in
+      # 'network.backend' to sane defaults.
+      interface_driver: null
+      dnsmasq_config_file: /etc/neutron/dnsmasq.conf
+      force_metadata: True
+  dnsmasq: |
+      #no-hosts
+      #port=5353
+      #cache-size=500
+      #no-negcache
+      #dns-forward-max=100
+      #resolve-file=
+      #strict-order
+      #bind-interface
+      #bind-dynamic
+      #domain=
+      #dhcp-range=10.10.10.10,10.10.10.100,24h
+      #dhcp-lease-max=150
+      #dhcp-host=11:22:33:44:55:66,ignore
+      #dhcp-option=3,10.10.10.1
+      #dhcp-option-force=26,1450
+
+  l3_agent:
+    DEFAULT:
+      # (NOTE)portdirect: if unset this is populated dyanmicly from the value in
+      # 'network.backend' to sane defaults.
+      interface_driver: null
+      agent_mode: legacy
+  metering_agent: null
+  metadata_agent:
+    DEFAULT:
+      # we cannot change the proxy socket path as it is declared
+      # as a hostPath volume from agent daemonsets
+      metadata_proxy_socket: /var/lib/neutron/openstack-helm/metadata_proxy
+      metadata_proxy_shared_secret: "password"
+    cache:
+      enabled: true
+      backend: dogpile.cache.memcached
+  bagpipe_bgp: {}
+
+  rabbitmq:
+    # NOTE(rk760n): adding rmq policy to mirror messages from notification queues and set expiration time for the ones
+    policies:
+      - vhost: "neutron"
+        name: "ha_ttl_neutron"
+        definition:
+          # mirror messges to other nodes in rmq cluster
+          ha-mode: "all"
+          ha-sync-mode: "automatic"
+          # 70s
+          message-ttl: 70000
+        priority: 0
+        apply-to: all
+        pattern: '^(?!(amq\.|reply_)).*'
+  ## NOTE: "besteffort" is meant for dev env with mixed compute type only.
+  ##       This helps prevent sriov init script from failing due to mis-matched NIC
+  ##       For prod env, target NIC should match and init script should fail otherwise.
+  ## sriov_init:
+  ##   - besteffort
+  sriov_init:
+    -
+  # auto_bridge_add is a table of "bridge: interface" pairs
+  # To automatically add a physical interfaces to a specific bridges,
+  # for example eth3 to bridge br-physnet1, if0 to br0 and iface_two
+  # to br1 do something like:
+  #
+  # auto_bridge_add:
+  #   br-physnet1: eth3
+  #   br0: if0
+  #   br1: iface_two
+  # br-ex will be added by default
+  auto_bridge_add:
+    br-ex: null
+
+  # configuration of OVS DPDK bridges and NICs
+  # this is a separate section and not part of the auto_bridge_add section
+  # because additional parameters are needed
+  ovs_dpdk:
+    enabled: false
+    # setting update_dpdk_bond_config to true will have default behavior,
+    # which may cause disruptions in ovs dpdk traffic in case of neutron
+    # ovs agent restart or when dpdk nic/bond configurations are changed.
+    # Setting this to false will configure dpdk in the first run and
+    # disable nic/bond config on event of restart or config update.
+    update_dpdk_bond_config: true
+    driver: uio_pci_generic
+    # In case bonds are configured, the nics which are part of those bonds
+    # must NOT be provided here.
+    nics:
+      - name: dpdk0
+        pci_id: '0000:05:00.0'
+        # Set VF Index in case some particular VF(s) need to be
+        # used with ovs-dpdk.
+        # vf_index: 0
+        bridge: br-phy
+        migrate_ip: true
+        n_rxq: 2
+        n_txq: 2
+        pmd_rxq_affinity: "0:3,1:27"
+        ofport_request: 1
+        # optional parameters for tuning the OVS DPDK config
+        # in alignment with the available hardware resources
+        # mtu: 2000
+        # n_rxq_size: 1024
+        # n_txq_size: 1024
+        # vhost-iommu-support: true
+    bridges:
+      - name: br-phy
+      # optional parameter, in case tunnel traffic needs to be transported over a vlan underlay
+      # - tunnel_underlay_vlan: 45
+    # Optional parameter for configuring bonding in OVS-DPDK
+    #   - name: br-phy-bond0
+    # bonds:
+    #   - name: dpdkbond0
+    #     bridge: br-phy-bond0
+    #     # The IP from the first nic in nics list shall be used
+    #     migrate_ip: true
+    #     mtu: 2000
+    #     # Please note that n_rxq is set for each NIC individually
+    #     # rather than denoting the total number of rx queues for
+    #     # the bond as a whole. So setting n_rxq = 2 below for ex.
+    #     # would be 4 rx queues in total for the bond.
+    #     # Same for n_txq
+    #     n_rxq: 2
+    #     n_txq: 2
+    #     ofport_request: 1
+    #     n_rxq_size: 1024
+    #     n_txq_size: 1024
+    #     vhost-iommu-support: true
+    #     ovs_options: "bond_mode=active-backup"
+    #     nics:
+    #       - name: dpdk_b0s0
+    #         pci_id: '0000:06:00.0'
+    #         pmd_rxq_affinity: "0:3,1:27"
+    #         # Set VF Index in case some particular VF(s) need to be
+    #         # used with ovs-dpdk. In which case pci_id of PF must be
+    #         # provided above.
+    #         # vf_index: 0
+    #       - name: dpdk_b0s1
+    #         pci_id: '0000:07:00.0'
+    #         pmd_rxq_affinity: "0:3,1:27"
+    #         # Set VF Index in case some particular VF(s) need to be
+    #         # used with ovs-dpdk. In which case pci_id of PF must be
+    #         # provided above.
+    #         # vf_index: 0
+    #
+    # Set the log level for each target module (default level is always dbg)
+    # Supported log levels are: off, emer, err, warn, info, dbg
+    #
+    # modules:
+    #   - name: dpdk
+    #     log_level: info
+
+# Names of secrets used by bootstrap and environmental checks
+secrets:
+  identity:
+    admin: neutron-keystone-admin
+    neutron: neutron-keystone-user
+    test: neutron-keystone-test
+  oslo_db:
+    admin: neutron-db-admin
+    neutron: neutron-db-user
+  oslo_messaging:
+    admin: neutron-rabbitmq-admin
+    neutron: neutron-rabbitmq-user
+  tls:
+    compute_metadata:
+      metadata:
+        internal: metadata-tls-metadata
+    network:
+      server:
+        public: neutron-tls-public
+        internal: neutron-tls-server
+  oci_image_registry:
+    neutron: neutron-oci-image-registry
+
+# typically overridden by environmental
+# values, but should include all endpoints
+# required by this chart
+endpoints:
+  cluster_domain_suffix: cluster.local
+  local_image_registry:
+    name: docker-registry
+    namespace: docker-registry
+    hosts:
+      default: localhost
+      internal: docker-registry
+      node: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      neutron:
+        username: neutron
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
+  oslo_db:
+    auth:
+      admin:
+        username: root
+        password: password
+        secret:
+          tls:
+            internal: mariadb-tls-direct
+      neutron:
+        username: neutron
+        password: password
+    hosts:
+      default: mariadb
+    host_fqdn_override:
+      default: null
+    path: /neutron
+    scheme: mysql+pymysql
+    port:
+      mysql:
+        default: 3306
+  oslo_messaging:
+    auth:
+      admin:
+        username: rabbitmq
+        password: password
+        secret:
+          tls:
+            internal: rabbitmq-tls-direct
+      neutron:
+        username: neutron
+        password: password
+    statefulset:
+      replicas: 2
+      name: rabbitmq-rabbitmq
+    hosts:
+      default: rabbitmq
+    host_fqdn_override:
+      default: null
+    path: /neutron
+    scheme: rabbit
+    port:
+      amqp:
+        default: 5672
+      http:
+        default: 15672
+  oslo_cache:
+    auth:
+      # NOTE(portdirect): this is used to define the value for keystone
+      # authtoken cache encryption key, if not set it will be populated
+      # automatically with a random value, but to take advantage of
+      # this feature all services should be set to use the same key,
+      # and memcache service.
+      memcache_secret_key: null
+    hosts:
+      default: memcached
+    host_fqdn_override:
+      default: null
+    port:
+      memcache:
+        default: 11211
+  compute:
+    name: nova
+    hosts:
+      default: nova-api
+      public: nova
+    host_fqdn_override:
+      default: null
+    path:
+      default: "/v2.1/%(tenant_id)s"
+    scheme:
+      default: 'http'
+    port:
+      api:
+        default: 8774
+        public: 80
+      novncproxy:
+        default: 6080
+  compute_metadata:
+    name: nova
+    hosts:
+      default: nova-metadata
+      public: metadata
+    host_fqdn_override:
+      default: null
+    path:
+      default: /
+    scheme:
+      default: 'http'
+    port:
+      metadata:
+        default: 8775
+        public: 80
+  identity:
+    name: keystone
+    auth:
+      admin:
+        region_name: RegionOne
+        username: admin
+        password: password
+        project_name: admin
+        user_domain_name: default
+        project_domain_name: default
+      neutron:
+        role: admin
+        region_name: RegionOne
+        username: neutron
+        password: password
+        project_name: service
+        user_domain_name: service
+        project_domain_name: service
+      nova:
+        region_name: RegionOne
+        project_name: service
+        username: nova
+        password: password
+        user_domain_name: service
+        project_domain_name: service
+      designate:
+        region_name: RegionOne
+        project_name: service
+        username: designate
+        password: password
+        user_domain_name: service
+        project_domain_name: service
+      ironic:
+        region_name: RegionOne
+        project_name: service
+        username: ironic
+        password: password
+        user_domain_name: service
+        project_domain_name: service
+      test:
+        role: admin
+        region_name: RegionOne
+        username: neutron-test
+        password: password
+        # NOTE: this project will be purged and reset if
+        # conf.rally_tests.force_project_purge is set to true
+        # which may be required upon test failure, but be aware that this will
+        # expunge all openstack objects, so if this is used a seperate project
+        # should be used for each helm test, and also it should be ensured
+        # that this project is not in use by other tenants
+        project_name: test
+        user_domain_name: service
+        project_domain_name: service
+    hosts:
+      default: keystone
+      internal: keystone-api
+    host_fqdn_override:
+      default: null
+    path:
+      default: /v3
+    scheme:
+      default: http
+    port:
+      api:
+        default: 80
+        internal: 5000
+  network:
+    name: neutron
+    hosts:
+      default: neutron-server
+      public: neutron
+    host_fqdn_override:
+      default: null
+      # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
+      # endpoints using the following format:
+      # public:
+      #   host: null
+      #   tls:
+      #     crt: null
+      #     key: null
+    path:
+      default: null
+    scheme:
+      default: 'http'
+      service: 'http'
+    port:
+      api:
+        default: 9696
+        public: 80
+        service: 9696
+  load_balancer:
+    name: octavia
+    hosts:
+      default: octavia-api
+      public: octavia
+    host_fqdn_override:
+      default: null
+    path:
+      default: null
+    scheme:
+      default: http
+    port:
+      api:
+        default: 9876
+        public: 80
+  fluentd:
+    namespace: osh-infra
+    name: fluentd
+    hosts:
+      default: fluentd-logging
+    host_fqdn_override:
+      default: null
+    path:
+      default: null
+    scheme: 'http'
+    port:
+      service:
+        default: 24224
+      metrics:
+        default: 24220
+  dns:
+    name: designate
+    hosts:
+      default: designate-api
+      public: designate
+    host_fqdn_override:
+      default: null
+    path:
+      default: /
+    scheme:
+      default: 'http'
+    port:
+      api:
+        default: 9001
+        public: 80
+  baremetal:
+    name: ironic
+    hosts:
+      default: ironic-api
+      public: ironic
+    host_fqdn_override:
+      default: null
+    path:
+      default: null
+    scheme:
+      default: 'http'
+    port:
+      api:
+        default: 6385
+        public: 80
+  # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
+  # They are using to enable the Egress K8s network policy.
+  kube_dns:
+    namespace: kube-system
+    name: kubernetes-dns
+    hosts:
+      default: kube-dns
+    host_fqdn_override:
+      default: null
+    path:
+      default: null
+    scheme: http
+    port:
+      dns:
+        default: 53
+        protocol: UDP
+  ingress:
+    namespace: null
+    name: ingress
+    hosts:
+      default: ingress
+    port:
+      ingress:
+        default: 80
+
+network_policy:
+  neutron:
+    # TODO(lamt): Need to tighten this ingress for security.
+    ingress:
+      - {}
+    egress:
+      - {}
+
+helm3_hook: true
+
+health_probe:
+  logging:
+    level: ERROR
+
+tls:
+  identity: false
+  oslo_messaging: false
+  oslo_db: false
+
+manifests:
+  certificates: false
+  configmap_bin: true
+  configmap_etc: true
+  daemonset_dhcp_agent: true
+  daemonset_l3_agent: true
+  daemonset_lb_agent: true
+  daemonset_metadata_agent: true
+  daemonset_ovs_agent: true
+  daemonset_sriov_agent: true
+  daemonset_l2gw_agent: false
+  daemonset_bagpipe_bgp: false
+  daemonset_netns_cleanup_cron: true
+  deployment_ironic_agent: false
+  deployment_server: true
+  ingress_server: true
+  job_bootstrap: true
+  job_db_init: true
+  job_db_sync: true
+  job_db_drop: false
+  job_image_repo_sync: true
+  job_ks_endpoints: true
+  job_ks_service: true
+  job_ks_user: true
+  job_rabbit_init: true
+  pdb_server: true
+  pod_rally_test: true
+  network_policy: false
+  secret_db: true
+  secret_ingress_tls: true
+  secret_keystone: true
+  secret_rabbitmq: true
+  secret_registry: true
+  service_ingress_server: true
+  service_server: true
+...
diff --git a/charts/nova/.helmignore b/charts/nova/.helmignore
new file mode 100644
index 0000000..b54c347
--- /dev/null
+++ b/charts/nova/.helmignore
@@ -0,0 +1 @@
+values_overrides
diff --git a/charts/nova/Chart.yaml b/charts/nova/Chart.yaml
new file mode 100644
index 0000000..e43c866
--- /dev/null
+++ b/charts/nova/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Nova
+home: https://docs.openstack.org/nova/latest/
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/Nova/OpenStack_Project_Nova_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: nova
+sources:
+- https://opendev.org/openstack/nova
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.32
diff --git a/charts/nova/charts/helm-toolkit/Chart.yaml b/charts/nova/charts/helm-toolkit/Chart.yaml
new file mode 100644
index 0000000..751c291
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Helm-Toolkit
+home: https://docs.openstack.org/openstack-helm
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: helm-toolkit
+sources:
+- https://opendev.org/openstack/openstack-helm-infra
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.38
diff --git a/charts/nova/charts/helm-toolkit/requirements.yaml b/charts/nova/charts/helm-toolkit/requirements.yaml
new file mode 100644
index 0000000..27fb08a
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/requirements.yaml
@@ -0,0 +1,15 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies: []
+...
diff --git a/charts/nova/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl b/charts/nova/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..12b84de
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
@@ -0,0 +1,58 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves database, or basic auth, style endpoints
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      auth:
+        admin:
+          username: root
+          password: password
+        service_username:
+          username: username
+          password: password
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+      path: /dbname
+      scheme: mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "service_username" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+return: |
+  mysql+pymysql://serviceuser:password@mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s:%s@%s:%s%s" $endpointScheme $endpointUser $endpointPass $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl b/charts/nova/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..b7cf287
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
@@ -0,0 +1,121 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves endpoint string suitible for use with oslo.messaging transport url
+  See: https://docs.openstack.org/oslo.messaging/latest/reference/transport.html#oslo_messaging.TransportURL
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset:
+            replicas: 2
+            name: rabbitmq-rabbitmq
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: null
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq-rabbitmq-0.rabbitmq.default.svc.cluster.local:5672,cinder:password@rabbitmq-rabbitmq-1.rabbitmq.default.svc.cluster.local:5672/cinder
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset: null
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: null
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq.default.svc.cluster.local:5672/cinder
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset:
+            replicas: 2
+            name: rabbitmq-rabbitmq
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: rabbitmq.openstackhelm.org
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq.openstackhelm.org:5672/cinder
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" -}}
+{{-   $type := index . 0 -}}
+{{-   $endpoint := index . 1 -}}
+{{-   $userclass := index . 2 -}}
+{{-   $port := index . 3 -}}
+{{-   $context := index . 4 -}}
+{{-   $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{-   $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{-   $ssMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "statefulset" | default false}}
+{{-   $hostFqdnOverride := index $context.Values.endpoints ( $type | replace "-" "_" ) "host_fqdn_override" }}
+{{-   $endpointUser := index $userMap "username" }}
+{{-   $endpointPass := index $userMap "password" }}
+{{-   $endpointHostSuffix := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{-   $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{-   $local := dict "endpointCredsAndHosts" list -}}
+{{-   if not (or (index $hostFqdnOverride $endpoint | default ( index $hostFqdnOverride "default" ) ) ( not $ssMap ) ) }}
+{{-     $endpointHostPrefix := $ssMap.name }}
+{{-     range $podInt := until ( atoi (print $ssMap.replicas ) ) }}
+{{-       $endpointCredAndHost := printf "%s:%s@%s-%d.%s:%s" $endpointUser $endpointPass $endpointHostPrefix $podInt $endpointHostSuffix $endpointPort }}
+{{-       $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{-     end }}
+{{-   else }}
+{{-     $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{-     $endpointCredAndHost := printf "%s:%s@%s:%s" $endpointUser $endpointPass $endpointHost $endpointPort }}
+{{-     $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{-   end }}
+{{-   $endpointCredsAndHosts := include "helm-toolkit.utils.joinListWithComma" $local.endpointCredsAndHosts }}
+{{-   $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{-   printf "%s://%s%s" $endpointScheme $endpointCredsAndHosts $endpointPath }}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl b/charts/nova/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
new file mode 100644
index 0000000..fb8bbe7
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves either the fully qualified hostname, of if defined in the host field
+  IPv4 for an endpoint.
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default:
+             host: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: 127.0.0.1
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      127.0.0.1
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default:
+             host: 127.0.0.1
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      127.0.0.1
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_host_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl b/charts/nova/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
new file mode 100644
index 0000000..447efe7
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
@@ -0,0 +1,41 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the port for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+return: |
+  3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_port_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- $endpointPortMAP := index $endpointMap.port $port }}
+{{- $endpointPort := index $endpointPortMAP $endpoint | default ( index $endpointPortMAP "default" ) }}
+{{- printf "%1.f" $endpointPort -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl b/charts/nova/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
new file mode 100644
index 0000000..3a268c0
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
@@ -0,0 +1,36 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Gets the token for an endpoint
+values: |
+  endpoints:
+    keystone:
+      auth:
+        admin:
+          token: zh78JzXgw6YUKy2e
+usage: |
+  {{ tuple "keystone" "admin" . | include "helm-toolkit.endpoints.endpoint_token_lookup" }}
+return: |
+  zh78JzXgw6YUKy2e
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_token_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $userName := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" }}
+{{- printf "%s" $serviceToken -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl b/charts/nova/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..6877b7b
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
@@ -0,0 +1,59 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves 'hostname:port' for an endpoint
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+          port:
+            mysql:
+              default: 3306
+    usage: |
+      {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local:3306
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: 127.0.0.1
+          host_fqdn_override:
+            default: null
+          port:
+            mysql:
+              default: 3306
+    usage: |
+      {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+    return: |
+      127.0.0.1:3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- printf "%s:%s" $endpointHostname $endpointPort -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl b/charts/nova/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
new file mode 100644
index 0000000..26374e3
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the fully qualified hostname for an endpoint
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: mariadb.openstackhelm.openstack.org
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.openstackhelm.openstack.org
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default:
+              host: mariadb.openstackhelm.openstack.org
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.openstackhelm.openstack.org
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointHostNamespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.svc.%s" $endpointHostNamespaced $context.Values.endpoints.cluster_domain_suffix }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $endpointMap.host_fqdn_override "default" | default "" ) }}
+{{- if kindIs "map" $context.Values.__FQDNendpointHostDefault }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $context.Values.__FQDNendpointHostDefault "host" ) }}
+{{- end }}
+{{- if kindIs "map" (index $endpointMap.host_fqdn_override $endpoint) }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint "host" | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl b/charts/nova/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
new file mode 100644
index 0000000..9d60393
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
@@ -0,0 +1,40 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the namespace scoped hostname for an endpoint
+values: |
+  endpoints:
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+return: |
+  mariadb.default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.%s" $endpointHost $namespace }}
+{{- printf "%s" $endpointClusterHostname -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl b/charts/nova/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
new file mode 100644
index 0000000..cc4d4de
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the namespace scoped hostname for an endpoint
+values: |
+  endpoints:
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" }}
+return: |
+  default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- printf "%s" $namespace -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl b/charts/nova/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
new file mode 100644
index 0000000..f23c624
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the short hostname for an endpoint
+examples:
+  - values: |
+      endpoints:
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+    return: |
+      mariadb
+  - values: |
+      endpoints:
+        oslo_db:
+          hosts:
+            default:
+              host: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+    return: |
+      mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- printf "%s" $type -}}
+{{- else }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl b/charts/nova/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
new file mode 100644
index 0000000..e31c0eb
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the service name for an service type
+values: |
+  endpoints:
+    identity:
+      name: keystone
+usage: |
+  {{ tuple identity . | include "keystone_endpoint_name_lookup" }}
+return: |
+  "keystone"
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_name_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointName := index $endpointMap "name" }}
+{{- $endpointName | quote -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl b/charts/nova/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
new file mode 100644
index 0000000..b2ec648
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+  Resolves the path for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      path:
+       default: /dbname
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+return: |
+  /dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_path_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.path }}
+{{- printf "%s" $endpointMap.path | default "/" -}}
+{{- else -}}
+{{- $endpointPath := index $endpointMap.path $endpoint | default $endpointMap.path.default | default "/" }}
+{{- printf "%s" $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl b/charts/nova/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
new file mode 100644
index 0000000..b35cb0b
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+  Resolves the scheme for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      scheme:
+        default:
+          mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+return: |
+  mysql+pymysql
+*/}}
+
+# This function returns the scheme for a service, it takes an tuple
+# input in the form: service-type, endpoint-class, port-name. eg:
+# { tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_scheme_lookup" }
+# will return the scheme setting for this particular endpoint.  In other words, for most endpoints
+# it will return either 'http' or 'https'
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.scheme }}
+{{- printf "%s" $endpointMap.scheme | default "http" -}}
+{{- else -}}
+{{- $endpointScheme := index $endpointMap.scheme $endpoint | default $endpointMap.scheme.default | default "http" }}
+{{- printf "%s" $endpointScheme -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl b/charts/nova/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..8d0819c
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
@@ -0,0 +1,52 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  This function helps resolve uri style endpoints. It will omit the port for
+  http when 80 is used, and 443 in the case of https.
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+      path: /dbname
+      scheme: mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+return: |
+  mysql+pymysql://mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- if or ( and ( eq $endpointScheme "http" ) ( eq $endpointPort "80" ) ) ( and ( eq $endpointScheme "https" ) ( eq $endpointPort "443" ) ) -}}
+{{- printf "%s://%s%s" $endpointScheme $endpointHost $endpointPath -}}
+{{- else -}}
+{{- printf "%s://%s:%s%s" $endpointScheme $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl b/charts/nova/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
new file mode 100644
index 0000000..cf2ef38
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  This function returns endpoint "<namespace>:<name>" pair from an endpoint
+  definition. This is used in kubernetes-entrypoint to support dependencies
+  between different services in different namespaces.
+  returns: the endpoint namespace and the service name, delimited by a colon
+
+  Normally, the service name is constructed dynamically from the hostname
+  however when an ip address is used as the hostname, we default to
+  namespace:endpointCategoryName in order to construct a valid service name
+  however this can be overridden to a custom service name by defining
+  .service.name within the endpoint definition
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      namespace: foo
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple oslo_db internal . | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}
+return: |
+  foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- with $endpointMap -}}
+{{- $endpointName := index .hosts $endpoint | default .hosts.default }}
+{{- $endpointNamespace := .namespace | default $context.Release.Namespace }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointName }}
+{{- if .service.name }}
+{{- printf "%s:%s" $endpointNamespace .service.name -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $typeYamlSafe -}}
+{{- end -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $endpointName -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl b/charts/nova/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
new file mode 100644
index 0000000..18453ee
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for kubernete ceph storageclass
+examples:
+  - values: |
+      manifests:
+        storageclass: true
+      storageclass:
+        rbd:
+          provision_storage_class: true
+          provisioner: "ceph.com/rbd"
+          metadata:
+            default_storage_class: true
+            name: general
+          parameters:
+            #We will grab the monitors value based on helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup
+            pool: rbd
+            admin_id: admin
+            ceph_configmap_name: "ceph-etc"
+            admin_secret_name: "pvc-ceph-conf-combined-storageclass"
+            admin_secret_namespace: ceph
+            user_id: admin
+            user_secret_name: "pvc-ceph-client-key"
+            image_format: "2"
+            image_features: layering
+        cephfs:
+          provision_storage_class: true
+          provisioner: "ceph.com/cephfs"
+          metadata:
+            name: cephfs
+          parameters:
+            admin_id: admin
+            admin_secret_name: "pvc-ceph-cephfs-client-key"
+            admin_secret_namespace: ceph
+    usage: |
+      {{- range $storageclass, $val := .Values.storageclass }}
+      {{ dict "storageclass_data" $val "envAll" $ | include "helm-toolkit.manifests.ceph-storageclass" }}
+      {{- end }}
+    return: |
+      ---
+      apiVersion: storage.k8s.io/v1
+      kind: StorageClass
+      metadata:
+        annotations:
+          storageclass.kubernetes.io/is-default-class: "true"
+        name: general
+      provisioner: ceph.com/rbd
+      parameters:
+        monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+        adminId: admin
+        adminSecretName: pvc-ceph-conf-combined-storageclass
+        adminSecretNamespace: ceph
+        pool: rbd
+        userId: admin
+        userSecretName: pvc-ceph-client-key
+        image_format: "2"
+        image_features: layering
+      ---
+      apiVersion: storage.k8s.io/v1
+      kind: StorageClass
+      metadata:
+        name: cephfs
+      provisioner: ceph.com/cephfs
+      parameters:
+        monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+        adminId: admin
+        adminSecretName: pvc-ceph-cephfs-client-key
+        adminSecretNamespace: ceph
+*/}}
+
+{{- define "helm-toolkit.manifests.ceph-storageclass" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $monHost := $envAll.Values.conf.ceph.global.mon_host -}}
+{{- if empty $monHost -}}
+{{- $monHost = tuple "ceph_mon" "internal" "mon" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- end -}}
+{{- $storageclassData := index . "storageclass_data" -}}
+---
+{{- if $storageclassData.provision_storage_class }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+{{- if $storageclassData.metadata.default_storage_class }}
+  annotations:
+    storageclass.kubernetes.io/is-default-class: "true"
+{{- end }}
+  name: {{ $storageclassData.metadata.name }}
+provisioner: {{ $storageclassData.provisioner }}
+parameters:
+  monitors: {{ $monHost }}
+{{- range $attr, $value := $storageclassData.parameters }}
+  {{ $attr }}: {{ $value | quote }}
+{{- end }}
+allowVolumeExpansion: true
+
+{{- end }}
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/manifests/_certificates.tpl b/charts/nova/charts/helm-toolkit/templates/manifests/_certificates.tpl
new file mode 100644
index 0000000..8be771e
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/manifests/_certificates.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a certificate using jetstack
+examples:
+  - values: |
+      endpoints:
+        dashboard:
+          host_fqdn_override:
+            default:
+              host: null
+              tls:
+                secretName: keystone-tls-api
+                issuerRef:
+                  name: ca-issuer
+                  duration: 2160h
+                  organization:
+                    - ACME
+                  commonName: keystone-api.openstack.svc.cluster.local
+                  privateKey:
+                    size: 2048
+                  usages:
+                    - server auth
+                    - client auth
+                  dnsNames:
+                    - cluster.local
+                  issuerRef:
+                    name: ca-issuer
+    usage: |
+      {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
+      {{ $opts | include "helm-toolkit.manifests.certificates" }}
+    return: |
+      ---
+      apiVersion: cert-manager.io/v1
+      kind: Certificate
+      metadata:
+        name: keystone-tls-api
+        namespace: NAMESPACE
+      spec:
+        commonName: keystone-api.openstack.svc.cluster.local
+        dnsNames:
+        - cluster.local
+        duration: 2160h
+        issuerRef:
+          name: ca-issuer
+        privateKey:
+          size: 2048
+        organization:
+        - ACME
+        secretName: keystone-tls-api
+        usages:
+        - server auth
+        - client auth
+*/}}
+
+{{- define "helm-toolkit.manifests.certificates" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $service := index . "service" -}}
+{{- $type := index . "type" | default "" -}}
+{{- $slice := index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" -}}
+{{/* Put in some sensible default value if one is not provided by values.yaml */}}
+{{/* If a dnsNames list is not in the values.yaml, it can be overridden by a passed-in parameter.
+  This allows user to use other HTK method to determine the URI and pass that into this method.*/}}
+{{- if not (hasKey $slice "dnsNames") -}}
+{{- $hostName := tuple $service $type $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
+{{- $_ := $dnsNames | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "dnsNames" -}}
+{{- end -}}
+{{/* Default privateKey size to 4096. This can be overridden. */}}
+{{- if not (hasKey $slice "privateKey") -}}
+{{- $_ := dict "size" ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "privateKey" -}}
+{{- else if empty (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey" "size") -}}
+{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey") "size" -}}
+{{- end -}}
+{{/* Default duration to 3 months. Note the min is 720h. This can be overridden. */}}
+{{- if not (hasKey $slice "duration") -}}
+{{- $_ := printf "%s" "2190h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "duration" -}}
+{{- end -}}
+{{/* Default renewBefore to 15 days. This can be overridden. */}}
+{{- if not (hasKey $slice "renewBefore") -}}
+{{- $_ := printf "%s" "360h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "renewBefore" -}}
+{{- end -}}
+{{/* Default the usage to server auth and client auth. This can be overridden. */}}
+{{- if not (hasKey $slice "usages") -}}
+{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}}
+{{- end -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }}
+  namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{ $slice | toYaml | indent 2 }}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/nova/charts/helm-toolkit/templates/manifests/_ingress.tpl
new file mode 100644
index 0000000..c1693aa
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -0,0 +1,727 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a services ingress rules.
+examples:
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public: barbican
+          host_fqdn_override:
+            default: null
+            public:
+              host: barbican.openstackhelm.example
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican-namespace-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican.openstackhelm.example
+        rules:
+          - host: barbican.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican-cluster-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx-cluster"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican.openstackhelm.example
+        rules:
+          - host: barbican.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  - values: |
+      cert_issuer_type: issuer
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/secure-backends: "true"
+              nginx.ingress.kubernetes.io/backend-protocol: "https"
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+              internal: barbican-tls-api
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+          certs:
+            barbican_tls_api:
+              secretName: barbican-tls-api
+              issuerRef:
+                name: ca-issuer
+                kind: Issuer
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          cert-manager.io/issuer: ca-issuer
+          certmanager.k8s.io/issuer: ca-issuer
+          nginx.ingress.kubernetes.io/backend-protocol: https
+          nginx.ingress.kubernetes.io/secure-backends: "true"
+      spec:
+        tls:
+          - secretName: barbican-tls-public-certmanager
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/secure-backends: "true"
+              nginx.ingress.kubernetes.io/backend-protocol: "https"
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+              internal: barbican-tls-api
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+          certs:
+            barbican_tls_api:
+              secretName: barbican-tls-api
+              issuerRef:
+                name: ca-issuer
+                kind: ClusterIssuer
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer") -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          cert-manager.io/cluster-issuer: ca-issuer
+          certmanager.k8s.io/cluster-issuer: ca-issuer
+          nginx.ingress.kubernetes.io/backend-protocol: https
+          nginx.ingress.kubernetes.io/secure-backends: "true"
+      spec:
+        tls:
+          - secretName: barbican-tls-public-certmanager
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  # Sample usage for multiple DNS names associated with the same public
+  # endpoint and certificate
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        grafana:
+          name: grafana
+          hosts:
+            default: grafana-dashboard
+            public: grafana
+          host_fqdn_override:
+            public:
+              host: grafana.openstackhelm.example
+              tls:
+                dnsNames:
+                  - grafana-alt.openstackhelm.example
+                crt: "BASE64 ENCODED CERT"
+                key: "BASE64 ENCODED KEY"
+      network:
+        grafana:
+          ingress:
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          grafana:
+            grafana:
+              public: grafana-tls-public
+    usage: |
+      {{- $ingressOpts := dict "envAll" . "backendService" "grafana" "backendServiceType" "grafana" "backendPort" "dashboard" -}}
+      {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        rules:
+          - host: grafana
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana-namespace-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: grafana-tls-public
+            hosts:
+              - grafana.openstackhelm.example
+              - grafana-alt.openstackhelm.example
+        rules:
+          - host: grafana.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana-alt.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana-cluster-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx-cluster"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: grafana-tls-public
+            hosts:
+              - grafana.openstackhelm.example
+              - grafana-alt.openstackhelm.example
+        rules:
+          - host: grafana.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana-alt.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+
+*/}}
+
+{{- define "helm-toolkit.manifests.ingress._host_rules" -}}
+{{- $vHost := index . "vHost" -}}
+{{- $backendName := index . "backendName" -}}
+{{- $backendPort := index . "backendPort" -}}
+- host: {{ $vHost }}
+  http:
+    paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: {{ $backendName }}
+            port:
+{{- if or (kindIs "int" $backendPort) (regexMatch "^[0-9]{1,5}$" $backendPort) }}
+              number: {{ $backendPort | int }}
+{{- else }}
+              name: {{ $backendPort | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "helm-toolkit.manifests.ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendService := index . "backendService" | default "api" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+{{- $backendPort := index . "backendPort" -}}
+{{- $endpoint := index . "endpoint" | default "public" -}}
+{{- $certIssuer := index . "certIssuer" | default "" -}}
+{{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostNameFull := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $certIssuerType := "cluster-issuer" -}}
+{{- if $envAll.Values.cert_issuer_type }}
+{{- $certIssuerType = $envAll.Values.cert_issuer_type }}
+{{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $ingressName }}
+  annotations:
+    kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" "namespace" | quote }}
+{{- if $certIssuer }}
+    cert-manager.io/{{ $certIssuerType }}: {{ $certIssuer }}
+    certmanager.k8s.io/{{ $certIssuerType }}: {{ $certIssuer }}
+{{- $slice := index $envAll.Values.endpoints $backendServiceType "host_fqdn_override" "default" "tls" -}}
+{{- if (hasKey $slice "duration") }}
+    cert-manager.io/duration: {{ index $slice "duration" }}
+{{- end }}
+{{- end }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "hosts" }}
+{{- if $certIssuer }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ printf "%s-ing" $secretName }}
+      hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+        - {{ $vHost }}
+{{- end }}
+{{- else }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ $secretName }}
+      hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+        - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+  rules:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+{{- $hostRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
+{{- range $key2, $ingressController := tuple "namespace" "cluster" }}
+{{- $vHosts := list $hostNameFull }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ printf "%s-%s-%s" $ingressName $ingressController "fqdn" }}
+  annotations:
+    kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" $ingressController | quote }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
+{{- $vHosts = append $vHosts $v }}
+{{- end }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ $secretName }}
+      hosts:
+{{- range $vHost := $vHosts }}
+        - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+  rules:
+{{- range $vHost := $vHosts }}
+{{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/charts/nova/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
new file mode 100644
index 0000000..5d98c8b
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
@@ -0,0 +1,141 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $bootstrapJob := dict "envAll" . "serviceName" "senlin" -}
+# { $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }
+
+{{- define "helm-toolkit.manifests.job_bootstrap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}}
+{{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $keystoneUser := index . "keystoneUser" | default $serviceName -}}
+{{- $openrc := index . "openrc" | default "true" -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "bootstrap" }}
+{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "bootstrap" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+      containers:
+        - name: bootstrap
+          image: {{ $envAll.Values.images.tags.bootstrap }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if eq $openrc "true" }}
+          env:
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+{{- end }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/bootstrap.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: bootstrap-sh
+              mountPath: /tmp/bootstrap.sh
+              subPath: bootstrap.sh
+              readOnly: true
+            - name: etc-service
+              mountPath: {{ dir $configFile | quote }}
+            - name: bootstrap-conf
+              mountPath: {{ $configFile | quote }}
+              subPath: {{ base $configFile | quote }}
+              readOnly: true
+            - name: bootstrap-conf
+              mountPath: {{ $logConfigFile | quote }}
+              subPath: {{ base $logConfigFile | quote }}
+              readOnly: true
+{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: bootstrap-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etc-service
+          emptyDir: {}
+        - name: bootstrap-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/charts/nova/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
new file mode 100644
index 0000000..62ed119
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
@@ -0,0 +1,170 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToDropJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_drop_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToDrop := index . "dbToDrop" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToDrop := default (list $dbToDrop) (index . "dbsToDrop") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
+{{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-drop" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": hook-succeeded
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_drop" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_drop" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{ $dbToDropType := default "oslo" $dbToDrop.inputType }}
+        - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-drop" $key1 | quote }}
+          image: {{ $envAll.Values.images.tags.db_drop }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_drop | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: ROOT_DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToDrop.adminSecret | quote }}
+                  key: DB_CONNECTION
+{{- if eq $dbToDropType "oslo" }}
+            - name: OPENSTACK_CONFIG_FILE
+              value: {{ $dbToDrop.configFile | quote }}
+            - name: OPENSTACK_CONFIG_DB_SECTION
+              value: {{ $dbToDrop.configDbSection | quote }}
+            - name: OPENSTACK_CONFIG_DB_KEY
+              value: {{ $dbToDrop.configDbKey | quote }}
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+            - name: MARIADB_X509
+              value: "REQUIRE X509"
+{{- end }}
+{{- if eq $dbToDropType "secret" }}
+            - name: DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToDrop.userSecret | quote }}
+                  key: DB_CONNECTION
+{{- end }}
+          command:
+            - /tmp/db-drop.py
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-drop-sh
+              mountPath: /tmp/db-drop.py
+              subPath: db-drop.py
+              readOnly: true
+
+{{- if eq $dbToDropType "oslo" }}
+            - name: etc-service
+              mountPath: {{ dir $dbToDrop.configFile | quote }}
+            - name: db-drop-conf
+              mountPath: {{ $dbToDrop.configFile | quote }}
+              subPath: {{ base $dbToDrop.configFile | quote }}
+              readOnly: true
+            - name: db-drop-conf
+              mountPath: {{ $dbToDrop.logConfigFile | quote }}
+              subPath: {{ base $dbToDrop.logConfigFile | quote }}
+              readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-drop-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{- $dbToDropType := default "oslo" $dbToDrop.inputType }}
+{{- if and (eq $dbToDropType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-drop-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/charts/nova/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
new file mode 100644
index 0000000..745e8da
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
@@ -0,0 +1,169 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToInitJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_init_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToInit := index . "dbToInit" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToInit := default (list $dbToInit) (index . "dbsToInit") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
+{{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-init" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{ $dbToInitType := default "oslo" $dbToInit.inputType }}
+        - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-init" $key1 | quote }}
+          image: {{ $envAll.Values.images.tags.db_init }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: ROOT_DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToInit.adminSecret | quote }}
+                  key: DB_CONNECTION
+{{- if eq $dbToInitType "oslo" }}
+            - name: OPENSTACK_CONFIG_FILE
+              value: {{ $dbToInit.configFile | quote }}
+            - name: OPENSTACK_CONFIG_DB_SECTION
+              value: {{ $dbToInit.configDbSection | quote }}
+            - name: OPENSTACK_CONFIG_DB_KEY
+              value: {{ $dbToInit.configDbKey | quote }}
+{{- end }}
+{{- if eq $dbToInitType "secret" }}
+            - name: DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToInit.userSecret | quote }}
+                  key: DB_CONNECTION
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+            - name: MARIADB_X509
+              value: "REQUIRE X509"
+{{- end }}
+          command:
+            - /tmp/db-init.py
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-init-sh
+              mountPath: /tmp/db-init.py
+              subPath: db-init.py
+              readOnly: true
+{{- if eq $dbToInitType "oslo" }}
+            - name: etc-service
+              mountPath: {{ dir $dbToInit.configFile | quote }}
+            - name: db-init-conf
+              mountPath: {{ $dbToInit.configFile | quote }}
+              subPath: {{ base $dbToInit.configFile | quote }}
+              readOnly: true
+            - name: db-init-conf
+              mountPath: {{ $dbToInit.logConfigFile | quote }}
+              subPath: {{ base $dbToInit.logConfigFile | quote }}
+              readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-init-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{- $dbToInitType := default "oslo" $dbToInit.inputType }}
+{{- if and (eq $dbToInitType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-init-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl b/charts/nova/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
new file mode 100644
index 0000000..24d2496
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
@@ -0,0 +1,137 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db migration and management.
+# It can be used in charts dict created similar to the following:
+# {- $dbSyncJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }
+
+{{- define "helm-toolkit.manifests.job_db_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $podEnvVars := index . "podEnvVars" | default false -}}
+{{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "image" ( index $envAll.Values.images.tags ( printf "%s_db_sync" $serviceName )) ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
+{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+          image: {{ $dbToSync.image | quote }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if $podEnvVars }}
+          env:
+{{ $podEnvVars | toYaml | indent 12 }}
+{{- end }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/db-sync.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-sync-sh
+              mountPath: /tmp/db-sync.sh
+              subPath: db-sync.sh
+              readOnly: true
+            - name: etc-service
+              mountPath: {{ dir $dbToSync.configFile | quote }}
+            - name: db-sync-conf
+              mountPath: {{ $dbToSync.configFile | quote }}
+              subPath: {{ base $dbToSync.configFile | quote }}
+              readOnly: true
+            - name: db-sync-conf
+              mountPath: {{ $dbToSync.logConfigFile | quote }}
+              subPath: {{ base $dbToSync.logConfigFile | quote }}
+              readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-sync-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-sync-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/charts/nova/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
new file mode 100644
index 0000000..3a7df7f
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
@@ -0,0 +1,130 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksEndpointJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksEndpointJob | include "helm-toolkit.manifests.job_ks_endpoints" }
+
+{{- define "helm-toolkit.manifests.job_ks_endpoints" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_endpoints" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_endpoints.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-endpoints" }}
+{{ tuple $envAll "ks_endpoints" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "ks-endpoints" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_endpoints" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_endpoints" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+        - name: {{ printf "%s-%s-%s" $osServiceType "ks-endpoints" $osServiceEndPoint | quote }}
+          image: {{ $envAll.Values.images.tags.ks_endpoints }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-endpoints.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-endpoints-sh
+              mountPath: /tmp/ks-endpoints.sh
+              subPath: ks-endpoints.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: OS_SVC_ENDPOINT
+              value: {{ $osServiceEndPoint | quote }}
+            - name: OS_SERVICE_NAME
+              value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+            - name: OS_SERVICE_TYPE
+              value: {{ $osServiceType | quote }}
+            - name: OS_SERVICE_ENDPOINT
+              value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-endpoints-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl b/charts/nova/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
new file mode 100644
index 0000000..a109e3c
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
@@ -0,0 +1,124 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksServiceJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }
+
+{{- define "helm-toolkit.manifests.job_ks_service" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_service" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_service.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-service" }}
+{{ tuple $envAll "ks_service" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "ks-service" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_service" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_service" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+        - name: {{ printf "%s-%s" $osServiceType "ks-service-registration" | quote }}
+          image: {{ $envAll.Values.images.tags.ks_service }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-service.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-service-sh
+              mountPath: /tmp/ks-service.sh
+              subPath: ks-service.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: OS_SERVICE_NAME
+              value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+            - name: OS_SERVICE_TYPE
+              value: {{ $osServiceType | quote }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-service-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/charts/nova/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
new file mode 100644
index 0000000..905eb71
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone user management.
+# It can be used in charts dict created similar to the following:
+# {- $ksUserJob := dict "envAll" . "serviceName" "senlin" }
+# { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }
+
+{{/*
+  # To enable PodSecuritycontext (PodSecurityContext/v1) define the below in values.yaml:
+  # example:
+  #  values: |
+  #    pod:
+  #      security_context:
+  #        ks_user:
+  #          pod:
+  #            runAsUser: 65534
+  # To enable Container SecurityContext(SecurityContext/v1) for ks-user container define the values:
+  # example:
+  #   values: |
+  #     pod:
+  #       security_context:
+  #         ks_user:
+  #           container:
+  #             ks-user:
+  #               runAsUser: 65534
+  #               readOnlyRootFilesystem: true
+  #               allowPrivilegeEscalation: false
+*/}}
+
+{{- define "helm-toolkit.manifests.job_ks_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_user" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_user.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "ks-user" }}
+{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceUserPretty "ks-user" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+{{ dict "envAll" $envAll "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: ks-user
+          image: {{ $envAll.Values.images.tags.ks_user }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ks_user" "container" "ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-user.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-user-sh
+              mountPath: /tmp/ks-user.sh
+              subPath: ks-user.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: SERVICE_OS_SERVICE_NAME
+              value: {{ $serviceName | quote }}
+{{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: SERVICE_OS_ROLES
+            {{- $serviceOsRoles := index $envAll.Values.endpoints.identity.auth $serviceUser "role" }}
+            {{- if kindIs "slice" $serviceOsRoles }}
+              value: {{ include "helm-toolkit.utils.joinListWithComma" $serviceOsRoles | quote }}
+            {{- else }}
+              value: {{ $serviceOsRoles | quote }}
+            {{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-user-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/charts/nova/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
new file mode 100644
index 0000000..6982064
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
@@ -0,0 +1,129 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.manifests.job_rabbit_init" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
+{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceUserPretty "rabbit-init" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "rabbit_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "rabbit_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: rabbit-init
+          image: {{ $envAll.Values.images.tags.rabbit_init | quote }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.rabbit_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/rabbit-init.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: rabbit-init-sh
+              mountPath: /tmp/rabbit-init.sh
+              subPath: rabbit-init.sh
+              readOnly: true
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+          env:
+          - name: RABBITMQ_ADMIN_CONNECTION
+            valueFrom:
+              secretKeyRef:
+                name: {{ $envAll.Values.secrets.oslo_messaging.admin }}
+                key: RABBITMQ_CONNECTION
+          - name: RABBITMQ_USER_CONNECTION
+            valueFrom:
+              secretKeyRef:
+                name: {{ index $envAll.Values.secrets.oslo_messaging $serviceName }}
+                key: RABBITMQ_CONNECTION
+{{- if $envAll.Values.conf.rabbitmq }}
+          - name: RABBITMQ_AUXILIARY_CONFIGURATION
+            value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates (ne $tlsSecret "") }}
+          - name: RABBITMQ_X509
+            value: "REQUIRE X509"
+          - name: USER_CERT_PATH
+            value: {{ $tlsPath | quote }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: rabbit-init-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl b/charts/nova/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
new file mode 100644
index 0000000..29cb993
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
@@ -0,0 +1,147 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for linking an s3 bucket to an s3 user.
+# It can be used in charts dict created similar to the following:
+# {- $s3BucketJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3BucketJob | include "helm-toolkit.manifests.job_s3_bucket" }
+
+{{- define "helm-toolkit.manifests.job_s3_bucket" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+{{- $s3Bucket := index . "s3Bucket" | default $serviceName }}
+{{- $tlsCertificateSecret := index . "tlsCertificateSecret" -}}
+{{- $tlsCertificatePath := index . "tlsCertificatePath" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-bucket" }}
+{{ tuple $envAll "s3_bucket" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "s3-bucket" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "s3_bucket" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "s3_bucket" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: s3-bucket
+          image: {{ $envAll.Values.images.tags.s3_bucket }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_bucket | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/create-s3-bucket.sh
+          env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: s3-bucket-sh
+              mountPath: /tmp/create-s3-bucket.sh
+              subPath: create-s3-bucket.sh
+              readOnly: true
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: ceph.conf
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+            - name: {{ $tlsCertificateSecret }}
+              mountPath: {{ $tlsCertificatePath }}
+              subPath: ca.crt
+              readOnly: true
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: s3-bucket-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etcceph
+          emptyDir: {}
+        - name: ceph-etc
+          configMap:
+            name: {{ $configMapCeph | quote }}
+            defaultMode: 0444
+        {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+        - name: ceph-keyring
+          secret:
+            secretName: pvc-ceph-client-key
+        {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+        - name: {{ $tlsCertificateSecret }}
+          secret:
+            secretName: {{ $tlsCertificateSecret }}
+            defaultMode: 292
+{{- end }}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl b/charts/nova/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
new file mode 100644
index 0000000..50d9af5
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
@@ -0,0 +1,159 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for s3 user management.
+# It can be used in charts dict created similar to the following:
+# {- $s3UserJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3UserJob | include "helm-toolkit.manifests.job_s3_user" }
+
+{{- define "helm-toolkit.manifests.job_s3_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-user" }}
+{{ tuple $envAll "s3_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "s3-user" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook-delete-policy": before-hook-creation
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "s3_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "s3_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: ceph-keyring-placement
+          image: {{ $envAll.Values.images.tags.ceph_key_placement }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+          command:
+            - /tmp/ceph-admin-keyring.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-keyring-sh
+              mountPath: /tmp/ceph-admin-keyring.sh
+              subPath: ceph-admin-keyring.sh
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+      containers:
+        - name: s3-user
+          image: {{ $envAll.Values.images.tags.s3_user }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/create-s3-user.sh
+          env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+            - name: RGW_HOST
+              value: {{ tuple "ceph_object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: create-s3-user-sh
+              mountPath: /tmp/create-s3-user.sh
+              subPath: create-s3-user.sh
+              readOnly: true
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: ceph.conf
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: create-s3-user-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: ceph-keyring-sh
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+        - name: etcceph
+          emptyDir: {}
+        - name: ceph-etc
+          configMap:
+            name: {{ $configMapCeph | quote }}
+            defaultMode: 0444
+        {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+        - name: ceph-keyring
+          secret:
+            secretName: pvc-ceph-client-key
+        {{ end }}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl b/charts/nova/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
new file mode 100644
index 0000000..0906df4
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
@@ -0,0 +1,119 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for the image repo sync jobs.
+# It can be used in charts dict created similar to the following:
+# {- $imageRepoSyncJob := dict "envAll" . "serviceName" "prometheus" -}
+# { $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }
+
+{{- define "helm-toolkit.manifests.job_image_repo_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "image-repo-sync" }}
+{{ tuple $envAll "image_repo_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "image-repo-sync" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook-delete-policy": before-hook-creation
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "image_repo_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+      containers:
+        - name: image-repo-sync
+{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: LOCAL_REPO
+              value: "{{ tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+            - name: IMAGE_SYNC_LIST
+              value: "{{ include "helm-toolkit.utils.image_sync_list" $envAll }}"
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/image-repo-sync.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: bootstrap-sh
+              mountPath: /tmp/image-repo-sync.sh
+              subPath: image-repo-sync.sh
+              readOnly: true
+            - name: docker-socket
+              mountPath: /var/run/docker.sock
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: bootstrap-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: docker-socket
+          hostPath:
+            path: /var/run/docker.sock
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/manifests/_network_policy.tpl b/charts/nova/charts/helm-toolkit/templates/manifests/_network_policy.tpl
new file mode 100644
index 0000000..405197a
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/manifests/_network_policy.tpl
@@ -0,0 +1,238 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a network policy manifest for services.
+values: |
+  endpoints:
+    kube_dns:
+      namespace: kube-system
+      name: kubernetes-dns
+      hosts:
+        default: kube-dns
+      host_fqdn_override:
+        default: null
+      path:
+        default: null
+      scheme: http
+      port:
+        dns_tcp:
+          default: 53
+        dns:
+          default: 53
+          protocol: UDP
+  network_policy:
+    myLabel:
+      podSelector:
+        matchLabels:
+          component: api
+      ingress:
+      - from:
+        - podSelector:
+            matchLabels:
+              application: keystone
+        ports:
+        - protocol: TCP
+          port: 80
+      egress:
+      - to:
+        - namespaceSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+usage: |
+  {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+  {{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}
+return: |
+  ---
+  apiVersion: networking.k8s.io/v1
+  kind: NetworkPolicy
+  metadata:
+    name: RELEASE-NAME
+    namespace: NAMESPACE
+  spec:
+    policyTypes:
+      - Ingress
+      - Egress
+    podSelector:
+      matchLabels:
+        application: myLabel
+        component: api
+    ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            application: keystone
+      ports:
+      - protocol: TCP
+        port: 80
+    egress:
+      - to:
+        - podSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+  ---
+  apiVersion: networking.k8s.io/v1
+  kind: NetworkPolicy
+  metadata:
+    name: RELEASE-NAME
+    namespace: NAMESPACE
+  spec:
+    policyTypes:
+      - Ingress
+      - Egress
+    podSelector:
+      matchLabels:
+        application: myApp
+        component: myComp
+    ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            application: keystone
+      ports:
+      - protocol: TCP
+        port: 80
+    egress:
+      - to:
+        - podSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+*/}}
+
+{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $name := index . "name" -}}
+{{- $labels := index . "labels" | default nil -}}
+{{- $label := index . "key" | default (index . "label") -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ $label | replace "_" "-" }}-netpol
+  namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+  policyTypes:
+{{- $is_egress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_egress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
+    - Egress
+{{ end -}}
+{{- $is_ingress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_ingress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
+    - Ingress
+{{ end -}}
+{{- end }}
+  podSelector:
+    matchLabels:
+{{- if empty $labels }}
+      {{ $name }}: {{ $label }}
+{{- else }}
+{{ range $k, $v := $labels }}
+      {{ $k }}: {{ $v }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
+{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
+{{ index $envAll.Values.network_policy $label "podSelector" "matchLabels" | toYaml | indent 6 }}
+{{ end }}
+{{ end }}
+{{ end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+  egress:
+{{- range $key, $value := $envAll.Values.endpoints }}
+{{- if kindIs "map" $value }}
+{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }}
+    - to:
+{{- if index $value "namespace" }}
+      - namespaceSelector:
+          matchLabels:
+            name: {{ index $value "namespace" }}
+{{- else if index $value "hosts" }}
+{{- $defaultValue := index $value "hosts" "internal" }}
+{{- if hasKey (index $value "hosts") "internal" }}
+{{- $a := split "-" $defaultValue }}
+      - podSelector:
+          matchLabels:
+            application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- else }}
+{{- $defaultValue := index $value "hosts" "default" }}
+{{- $a := split "-" $defaultValue }}
+      - podSelector:
+          matchLabels:
+            application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- end }}
+{{- end }}
+{{- if index $value "port" }}
+      ports:
+{{- range $k, $v := index $value "port" }}
+{{- if $k }}
+{{- range $pk, $pv := $v }}
+{{- if and $pv (ne $pk "protocol") }}
+      - port: {{ $pv }}
+        protocol: {{ $v.protocol | default "TCP" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if index $envAll.Values.network_policy $label "egress" }}
+{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if index $envAll.Values.network_policy $label "ingress" }}
+  ingress:
+{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl b/charts/nova/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
new file mode 100644
index 0000000..24a7045
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a services public tls secret
+examples:
+  - values: |
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        key_manager:
+          host_fqdn_override:
+            public:
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: barbican-tls-public
+    type: kubernetes.io/tls
+    data:
+      tls.key: Rk9PLUtFWQo=
+      tls.crt: Rk9PLUNSVAoKRk9PLUNBX0NSVAo=
+
+  - values: |
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        key_manager:
+          host_fqdn_override:
+            public:
+              tls:
+                crt: |
+                  FOO-CRT
+                  FOO-INTERMEDIATE_CRT
+                  FOO-CA_CRT
+                key: |
+                  FOO-KEY
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: barbican-tls-public
+    type: kubernetes.io/tls
+    data:
+      tls.key: Rk9PLUtFWQo=
+      tls.crt: Rk9PLUNSVApGT08tSU5URVJNRURJQVRFX0NSVApGT08tQ0FfQ1JUCg==
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_ingress_tls" }}
+{{- $envAll := index . "envAll" }}
+{{- $endpoint := index . "endpoint" | default "public" }}
+{{- $backendServiceType := index . "backendServiceType" }}
+{{- $backendService := index . "backendService" | default "api" }}
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and $endpointHost.tls.key $endpointHost.tls.crt }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ index $envAll.Values.secrets.tls ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+type: kubernetes.io/tls
+data:
+  tls.key: {{ $endpointHost.tls.key | b64enc }}
+{{- if $endpointHost.tls.ca }}
+  tls.crt: {{ list $endpointHost.tls.crt $endpointHost.tls.ca | join "\n" | b64enc }}
+{{- else }}
+  tls.crt: {{ $endpointHost.tls.crt | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/manifests/_service-ingress.tpl b/charts/nova/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
new file mode 100644
index 0000000..d2e7c0e
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
@@ -0,0 +1,43 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for a services ingress rules.
+# It can be used in charts dict created similar to the following:
+# {- $serviceIngressOpts := dict "envAll" . "backendServiceType" "key-manager" -}
+# { $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }
+
+{{- define "helm-toolkit.manifests.service_ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+  ports:
+    - name: http
+      port: 80
+    - name: https
+      port: 443
+  selector:
+    app: ingress-api
+{{- if index $envAll.Values.endpoints $backendServiceType }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" "ingress" }}
+  clusterIP: {{ (index $envAll.Values.endpoints $backendServiceType "ip" "ingress") }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl b/charts/nova/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
new file mode 100644
index 0000000..bf1465b
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_bucket" }}
+#!/bin/bash
+set -e
+CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST"
+if [ "$RGW_PROTO" = "http" ]; then
+  CONNECTION_ARGS+=" --no-ssl"
+else
+  CONNECTION_ARGS+=" --no-check-certificate"
+fi
+ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
+USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY"
+function check_rgw_s3_bucket () {
+  s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS ls s3://$S3_BUCKET
+}
+function create_rgw_s3_bucket () {
+  s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS mb s3://$S3_BUCKET
+}
+function modify_bucket_acl () {
+  s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME
+}
+check_rgw_s3_bucket || ( create_rgw_s3_bucket && modify_bucket_acl )
+{{- end }}
\ No newline at end of file
diff --git a/charts/nova/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl b/charts/nova/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
new file mode 100644
index 0000000..08796d2
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
@@ -0,0 +1,65 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_user" }}
+#!/bin/bash
+set -e
+function create_s3_user () {
+  echo "Creating s3 user and key pair"
+  radosgw-admin user create \
+    --uid=${S3_USERNAME} \
+    --display-name=${S3_USERNAME} \
+    --key-type=s3 \
+    --access-key ${S3_ACCESS_KEY} \
+    --secret-key ${S3_SECRET_KEY}
+}
+function update_s3_user () {
+  # Retrieve old access keys, if they exist
+  old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \
+    | jq -r '.keys[].access_key' || true)
+
+  if [[ ! -z ${old_access_keys} ]]; then
+    for access_key in $old_access_keys; do
+      # If current access key is the same as the key supplied, do nothing.
+      if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then
+        echo "Current user and key pair exists."
+        continue
+      else
+        # If keys differ, remove previous key
+        radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key
+      fi
+    done
+  fi
+
+  # Perform one more additional check to account for scenarios where multiple
+  # key pairs existed previously, but one existing key was the supplied key
+  current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \
+    | jq -r '.keys[].access_key' || true)
+
+  # If the supplied key does not exist, modify the user
+  if [[ -z ${current_access_key} ]]; then
+    # Modify user with new access and secret keys
+    echo "Updating existing user's key pair"
+    radosgw-admin user modify \
+      --uid=${S3_USERNAME}\
+      --access-key ${S3_ACCESS_KEY} \
+      --secret-key ${S3_SECRET_KEY}
+  fi
+}
+user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true)
+if [[ -z ${user_exists} ]]; then
+  create_s3_user
+else
+  update_s3_user
+fi
+{{- end }}
\ No newline at end of file
diff --git a/charts/nova/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl b/charts/nova/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
new file mode 100644
index 0000000..03884fa
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_drop" }}
+#!/usr/bin/env python
+
+# Drops db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+    import ConfigParser
+    PARSER_OPTS = {}
+except ImportError:
+    import configparser as ConfigParser
+    PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Drop')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+    db_connection = os.environ['ROOT_DB_CONNECTION']
+    logger.info('Got DB root connection')
+else:
+    logger.critical('environment variable ROOT_DB_CONNECTION not set')
+    sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+    ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+                        'key': '/etc/mysql/certs/tls.key',
+                        'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+    os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+    if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+        os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+        sys.exit(1)
+    if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+        os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+        sys.exit(1)
+    try:
+        config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+        logger.info("Using {0} as db config source".format(os_conf))
+        config.read(os_conf)
+        logger.info("Trying to load db config from {0}:{1}".format(
+            os_conf_section, os_conf_key))
+        user_db_conn = config.get(os_conf_section, os_conf_key)
+        logger.info("Got config from {0}".format(os_conf))
+    except:
+        logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+        raise
+elif "DB_CONNECTION" in os.environ:
+    user_db_conn = os.environ['DB_CONNECTION']
+    logger.info('Got config from DB_CONNECTION env var')
+else:
+    logger.critical('Could not get db config, either from config file or env var')
+    sys.exit(1)
+
+# Root DB engine
+try:
+    root_engine_full = create_engine(db_connection)
+    root_user = root_engine_full.url.username
+    root_password = root_engine_full.url.password
+    drivername = root_engine_full.url.drivername
+    host = root_engine_full.url.host
+    port = root_engine_full.url.port
+    root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+    root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+    connection = root_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+        host, port, root_user))
+except:
+    logger.critical('Could not connect to database as root user')
+    raise
+
+# User DB engine
+try:
+    user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+    # Get our user data out of the user_engine
+    database = user_engine.url.database
+    user = user_engine.url.username
+    password = user_engine.url.password
+    logger.info('Got user db config')
+except:
+    logger.critical('Could not get user database config')
+    raise
+
+# Delete DB
+try:
+    root_engine.execute("DROP DATABASE IF EXISTS {0}".format(database))
+    logger.info("Deleted database {0}".format(database))
+except:
+    logger.critical("Could not drop database {0}".format(database))
+    raise
+
+# Delete DB User
+try:
+    root_engine.execute("DROP USER IF EXISTS {0}".format(user))
+    logger.info("Deleted user {0}".format(user))
+except:
+    logger.critical("Could not delete user {0}".format(user))
+    raise
+
+logger.info('Finished DB Management')
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/scripts/_db-init.py.tpl b/charts/nova/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
new file mode 100644
index 0000000..4294d40
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_init" }}
+#!/usr/bin/env python
+
+# Creates db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+    import ConfigParser
+    PARSER_OPTS = {}
+except ImportError:
+    import configparser as ConfigParser
+    PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Init')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+    db_connection = os.environ['ROOT_DB_CONNECTION']
+    logger.info('Got DB root connection')
+else:
+    logger.critical('environment variable ROOT_DB_CONNECTION not set')
+    sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+    ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+                'key': '/etc/mysql/certs/tls.key',
+                'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+    os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+    if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+        os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+        sys.exit(1)
+    if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+        os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+        sys.exit(1)
+    try:
+        config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+        logger.info("Using {0} as db config source".format(os_conf))
+        config.read(os_conf)
+        logger.info("Trying to load db config from {0}:{1}".format(
+            os_conf_section, os_conf_key))
+        user_db_conn = config.get(os_conf_section, os_conf_key)
+        logger.info("Got config from {0}".format(os_conf))
+    except:
+        logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+        raise
+elif "DB_CONNECTION" in os.environ:
+    user_db_conn = os.environ['DB_CONNECTION']
+    logger.info('Got config from DB_CONNECTION env var')
+else:
+    logger.critical('Could not get db config, either from config file or env var')
+    sys.exit(1)
+
+# Root DB engine
+try:
+    root_engine_full = create_engine(db_connection)
+    root_user = root_engine_full.url.username
+    root_password = root_engine_full.url.password
+    drivername = root_engine_full.url.drivername
+    host = root_engine_full.url.host
+    port = root_engine_full.url.port
+    root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+    root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+    connection = root_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+        host, port, root_user))
+except:
+    logger.critical('Could not connect to database as root user')
+    raise
+
+# User DB engine
+try:
+    user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+    # Get our user data out of the user_engine
+    database = user_engine.url.database
+    user = user_engine.url.username
+    password = user_engine.url.password
+    logger.info('Got user db config')
+except:
+    logger.critical('Could not get user database config')
+    raise
+
+# Create DB
+try:
+    root_engine.execute("CREATE DATABASE IF NOT EXISTS {0}".format(database))
+    logger.info("Created database {0}".format(database))
+except:
+    logger.critical("Could not create database {0}".format(database))
+    raise
+
+# Create DB User
+try:
+    root_engine.execute(
+        "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\' {3}".format(
+            database, user, password, mysql_x509))
+    logger.info("Created user {0} for {1}".format(user, database))
+except:
+    logger.critical("Could not create user {0} for {1}".format(user, database))
+    raise
+
+# Test connection
+try:
+    connection = user_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1}/{2} as {3}".format(
+        host, port, database, user))
+except:
+    logger.critical('Could not connect to database as user')
+    raise
+
+logger.info('Finished DB Management')
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl b/charts/nova/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
new file mode 100644
index 0000000..4d7dfaa
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
@@ -0,0 +1,69 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "helm-toolkit.scripts.pg_db_init" }}
+#!/bin/bash
+set -ex
+
+if [[ ! -v DB_HOST ]]; then
+    echo "environment variable DB_HOST not set"
+    exit 1
+elif [[ ! -v DB_ADMIN_USER ]]; then
+    echo "environment variable DB_ADMIN_USER not set"
+    exit 1
+elif [[ ! -v PGPASSWORD ]]; then
+    echo "environment variable PGPASSWORD not set"
+    exit 1
+elif [[ ! -v DB_PORT ]]; then
+    echo "environment variable DB_PORT not set"
+    exit 1
+elif [[ ! -v USER_DB_USER ]]; then
+    echo "environment variable USER_DB_USER not set"
+    exit 1
+elif [[ ! -v USER_DB_PASS ]]; then
+    echo "environment variable USER_DB_PASS not set"
+    exit 1
+elif [[ ! -v USER_DB_NAME ]]; then
+    echo "environment variable USER_DB_NAME not set"
+    exit 1
+else
+    echo "Got DB connection info"
+fi
+
+pgsql_superuser_cmd () {
+  DB_COMMAND="$1"
+  if [[ ! -z $2 ]]; then
+      EXPORT PGDATABASE=$2
+  fi
+  /usr/bin/psql \
+  -h ${DB_HOST} \
+  -p ${DB_PORT} \
+  -U ${DB_ADMIN_USER} \
+  --command="${DB_COMMAND}"
+}
+
+#create db
+pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q "(1 row)" || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME"
+
+#create db user
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | grep -q "(1 row)" || \
+    pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';"
+
+#Set password everytime. This is required for cases when we would want password rotation to take effect and set the updated password for a user.
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} with password '$USER_DB_PASS'"
+
+#give permissions to user
+pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;"
+
+#revoke all privileges from PUBLIC role
+pgsql_superuser_cmd "REVOKE ALL ON DATABASE $USER_DB_NAME FROM PUBLIC;"
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl b/charts/nova/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
new file mode 100644
index 0000000..e41abe3
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
@@ -0,0 +1,24 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.image_repo_sync" }}
+#!/bin/sh
+set -ex
+
+IFS=','; for IMAGE in ${IMAGE_SYNC_LIST}; do
+  docker pull ${IMAGE}
+  docker tag ${IMAGE} ${LOCAL_REPO}/${IMAGE}
+  docker push ${LOCAL_REPO}/${IMAGE}
+done
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl b/charts/nova/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
new file mode 100644
index 0000000..8755cd5
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
@@ -0,0 +1,72 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_domain_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Manage domain
+SERVICE_OS_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Service Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+    "${SERVICE_OS_DOMAIN_NAME}")
+
+# Display domain
+openstack domain show "${SERVICE_OS_DOMAIN_ID}"
+
+# Manage user
+SERVICE_OS_USERID=$(openstack user create --or-show --enable -f value -c id \
+    --domain="${SERVICE_OS_DOMAIN_ID}" \
+    --description "Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+    --password="${SERVICE_OS_PASSWORD}" \
+    "${SERVICE_OS_USERNAME}")
+
+# Manage user password (we do this to ensure the password is updated if required)
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${SERVICE_OS_USERID}"
+
+# Display user
+openstack user show "${SERVICE_OS_USERID}"
+
+# Manage role
+SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \
+    "${SERVICE_OS_ROLE}" || openstack role create -f value -c id \
+    "${SERVICE_OS_ROLE}" )
+
+# Manage user role assignment
+openstack role add \
+          --domain="${SERVICE_OS_DOMAIN_ID}" \
+          --user="${SERVICE_OS_USERID}" \
+          --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+          "${SERVICE_OS_ROLE_ID}"
+
+# Display user role assignment
+openstack role assignment list \
+          --role="${SERVICE_OS_ROLE_ID}" \
+          --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+          --user="${SERVICE_OS_USERID}"
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl b/charts/nova/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
new file mode 100644
index 0000000..e400bcd
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
@@ -0,0 +1,79 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_endpoints" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Get Service ID
+OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+                  grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+                    sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+# Get Endpoint ID if it exists
+OS_ENDPOINT_ID=$( openstack endpoint list  -f csv --quote none | \
+                  grep "^[a-z0-9]*,${OS_REGION_NAME},${OS_SERVICE_NAME},${OS_SERVICE_TYPE},True,${OS_SVC_ENDPOINT}," | \
+                  awk -F ',' '{ print $1 }' )
+
+# Making sure only a single endpoint exists for a service within a region
+if [ "$(echo $OS_ENDPOINT_ID | wc -w)" -gt "1" ]; then
+  echo "More than one endpoint found, cleaning up"
+  for ENDPOINT_ID in $OS_ENDPOINT_ID; do
+    openstack endpoint delete ${ENDPOINT_ID}
+  done
+  unset OS_ENDPOINT_ID
+fi
+
+# Determine if Endpoint needs updated
+if [[ ${OS_ENDPOINT_ID} ]]; then
+  OS_ENDPOINT_URL_CURRENT=$(openstack endpoint show ${OS_ENDPOINT_ID} -f value -c url)
+  if [ "${OS_ENDPOINT_URL_CURRENT}" == "${OS_SERVICE_ENDPOINT}" ]; then
+    echo "Endpoints Match: no action required"
+    OS_ENDPOINT_UPDATE="False"
+  else
+    echo "Endpoints Dont Match: removing existing entries"
+    openstack endpoint delete ${OS_ENDPOINT_ID}
+    OS_ENDPOINT_UPDATE="True"
+  fi
+else
+  OS_ENDPOINT_UPDATE="True"
+fi
+
+# Update Endpoint if required
+if [[ "${OS_ENDPOINT_UPDATE}" == "True" ]]; then
+  OS_ENDPOINT_ID=$( openstack endpoint create -f value -c id \
+    --region="${OS_REGION_NAME}" \
+    "${OS_SERVICE_ID}" \
+    ${OS_SVC_ENDPOINT} \
+    "${OS_SERVICE_ENDPOINT}" )
+fi
+
+# Display the Endpoint
+openstack endpoint show ${OS_ENDPOINT_ID}
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl b/charts/nova/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
new file mode 100644
index 0000000..8356b36
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_service" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Service boilerplate description
+OS_SERVICE_DESC="${OS_REGION_NAME}: ${OS_SERVICE_NAME} (${OS_SERVICE_TYPE}) service"
+
+# Get Service ID if it exists
+unset OS_SERVICE_ID
+
+# FIXME - There seems to be an issue once in a while where the
+# openstack service list fails and encounters an error message such as:
+#   Unable to establish connection to
+#   https://keystone-api.openstack.svc.cluster.local:5000/v3/auth/tokens:
+#   ('Connection aborted.', OSError("(104, 'ECONNRESET')",))
+# During an upgrade scenario, this would cause the OS_SERVICE_ID to be blank
+# and it would attempt to create a new service when it was not needed.
+# This duplciate service would sometimes be used by other services such as
+# Horizon and would give an 'Invalid Service Catalog' error.
+# This loop allows for a 'retry' of the openstack service list in an
+# attempt to get the service list as expected if it does ecounter an error.
+# This loop and recheck can be reverted once the underlying issue is addressed.
+
+# If OS_SERVICE_ID is blank then wait a few seconds to give it
+# additional time and try again
+for i in $(seq 3)
+do
+  OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+                   grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+                   sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+  # If the service was found, go ahead and exit successfully.
+  if [[ -n "${OS_SERVICE_ID}" ]]; then
+    exit 0
+  fi
+
+  sleep 2
+done
+
+# If we've reached this point and a Service ID was not found,
+# then create the service
+OS_SERVICE_ID=$(openstack service create -f value -c id \
+                --name="${OS_SERVICE_NAME}" \
+                --description "${OS_SERVICE_DESC}" \
+                --enable \
+                "${OS_SERVICE_TYPE}")
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl b/charts/nova/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
new file mode 100644
index 0000000..b45f798
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+shopt -s nocasematch
+
+if [[ "${SERVICE_OS_PROJECT_DOMAIN_NAME}" == "Default" ]]
+then
+  PROJECT_DOMAIN_ID="default"
+else
+  # Manage project domain
+  PROJECT_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
+    "${SERVICE_OS_PROJECT_DOMAIN_NAME}")
+fi
+
+if [[ "${SERVICE_OS_USER_DOMAIN_NAME}" == "Default" ]]
+then
+  USER_DOMAIN_ID="default"
+else
+  # Manage user domain
+  USER_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}" \
+    "${SERVICE_OS_USER_DOMAIN_NAME}")
+fi
+
+shopt -u nocasematch
+
+# Manage user project
+USER_PROJECT_DESC="Service Project for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+USER_PROJECT_ID=$(openstack project create --or-show --enable -f value -c id \
+    --domain="${PROJECT_DOMAIN_ID}" \
+    --description="${USER_PROJECT_DESC}" \
+    "${SERVICE_OS_PROJECT_NAME}");
+
+# Manage user
+USER_DESC="Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}/${SERVICE_OS_SERVICE_NAME}"
+USER_ID=$(openstack user create --or-show --enable -f value -c id \
+    --domain="${USER_DOMAIN_ID}" \
+    --project-domain="${PROJECT_DOMAIN_ID}" \
+    --project="${USER_PROJECT_ID}" \
+    --description="${USER_DESC}" \
+    "${SERVICE_OS_USERNAME}");
+
+# Manage user password (we do this in a seperate step to ensure the password is updated if required)
+set +x
+echo "Setting user password via: openstack user set --password=xxxxxxx ${USER_ID}"
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${USER_ID}"
+set -x
+
+function ks_assign_user_role () {
+  if [[ "$SERVICE_OS_ROLE" == "admin" ]]
+  then
+    USER_ROLE_ID="$SERVICE_OS_ROLE"
+  else
+    USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${SERVICE_OS_ROLE}");
+  fi
+
+  # Manage user role assignment
+  openstack role add \
+      --user="${USER_ID}" \
+      --user-domain="${USER_DOMAIN_ID}" \
+      --project-domain="${PROJECT_DOMAIN_ID}" \
+      --project="${USER_PROJECT_ID}" \
+      "${USER_ROLE_ID}"
+}
+
+# Manage user service role
+IFS=','
+for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
+  ks_assign_user_role
+done
+
+# Manage user member role
+: ${MEMBER_OS_ROLE:="member"}
+export USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
+    "${MEMBER_OS_ROLE}");
+ks_assign_user_role
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/nova/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
new file mode 100644
index 0000000..87872d6
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -0,0 +1,106 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rabbit_init" }}
+#!/bin/bash
+set -e
+# Extract connection details
+RABBIT_HOSTNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $1}')
+RABBIT_PORT=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $2}')
+
+# Extract Admin User creadential
+RABBITMQ_ADMIN_USERNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $4}')
+RABBITMQ_ADMIN_PASSWORD=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $5}')
+
+# Extract User creadential
+RABBITMQ_USERNAME=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $4}')
+RABBITMQ_PASSWORD=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $5}')
+
+# Extract User vHost
+RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $3}')
+# Resolve vHost to / if no value is set
+RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
+
+function rabbitmqadmin_cli () {
+  if [ -n "$RABBITMQ_X509" ]
+  then
+    rabbitmqadmin \
+      --ssl \
+      --ssl-disable-hostname-verification \
+      --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
+      --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
+      --ssl-key-file="${USER_CERT_PATH}/tls.key" \
+      --host="${RABBIT_HOSTNAME}" \
+      --port="${RABBIT_PORT}" \
+      --username="${RABBITMQ_ADMIN_USERNAME}" \
+      --password="${RABBITMQ_ADMIN_PASSWORD}" \
+      ${@}
+  else
+    rabbitmqadmin \
+      --host="${RABBIT_HOSTNAME}" \
+      --port="${RABBIT_PORT}" \
+      --username="${RABBITMQ_ADMIN_USERNAME}" \
+      --password="${RABBITMQ_ADMIN_PASSWORD}" \
+      ${@}
+  fi
+}
+
+echo "Managing: User: ${RABBITMQ_USERNAME}"
+rabbitmqadmin_cli \
+  declare user \
+  name="${RABBITMQ_USERNAME}" \
+  password="${RABBITMQ_PASSWORD}" \
+  tags="user"
+
+if [ "${RABBITMQ_VHOST}" != "/" ]
+then
+  echo "Managing: vHost: ${RABBITMQ_VHOST}"
+  rabbitmqadmin_cli \
+    declare vhost \
+    name="${RABBITMQ_VHOST}"
+else
+  echo "Skipping root vHost declaration: vHost: ${RABBITMQ_VHOST}"
+fi
+
+echo "Managing: Permissions: ${RABBITMQ_USERNAME} on ${RABBITMQ_VHOST}"
+rabbitmqadmin_cli \
+  declare permission \
+  vhost="${RABBITMQ_VHOST}" \
+  user="${RABBITMQ_USERNAME}" \
+  configure=".*" \
+  write=".*" \
+  read=".*"
+
+if [ ! -z "$RABBITMQ_AUXILIARY_CONFIGURATION" ]
+then
+  echo "Applying additional configuration"
+  echo "${RABBITMQ_AUXILIARY_CONFIGURATION}" > /tmp/rmq_definitions.json
+  rabbitmqadmin_cli import /tmp/rmq_definitions.json
+fi
+
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/charts/nova/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
new file mode 100644
index 0000000..c08d320
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
@@ -0,0 +1,88 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rally_test" -}}
+#!/bin/bash
+set -ex
+{{- $rallyTests := index . 0 }}
+
+: "${RALLY_ENV_NAME:="openstack-helm"}"
+: "${OS_INTERFACE:="public"}"
+: "${RALLY_CLEANUP:="true"}"
+
+if [ "x$RALLY_CLEANUP" == "xtrue" ]; then
+  function rally_cleanup {
+    openstack user delete \
+        --domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
+        "${SERVICE_OS_USERNAME}"
+{{ $rallyTests.clean_up | default "" | indent 4 }}
+  }
+  trap rally_cleanup EXIT
+fi
+
+function create_or_update_db () {
+  revisionResults=$(rally db revision)
+  if [ $revisionResults = "None"  ]
+  then
+    rally db create
+  else
+    rally db upgrade
+  fi
+}
+
+create_or_update_db
+
+cat > /tmp/rally-config.json << EOF
+{
+    "openstack": {
+        "auth_url": "${OS_AUTH_URL}",
+        "region_name": "${OS_REGION_NAME}",
+        "endpoint_type": "${OS_INTERFACE}",
+        "admin": {
+            "username": "${OS_USERNAME}",
+            "password": "${OS_PASSWORD}",
+            "user_domain_name": "${OS_USER_DOMAIN_NAME}",
+            "project_name": "${OS_PROJECT_NAME}",
+            "project_domain_name": "${OS_PROJECT_DOMAIN_NAME}"
+        },
+        "users": [
+            {
+                "username": "${SERVICE_OS_USERNAME}",
+                "password": "${SERVICE_OS_PASSWORD}",
+                "project_name": "${SERVICE_OS_PROJECT_NAME}",
+                "user_domain_name": "${SERVICE_OS_USER_DOMAIN_NAME}",
+                "project_domain_name": "${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+            }
+        ],
+        "https_insecure": false,
+        "https_cacert": "${OS_CACERT}"
+    }
+}
+EOF
+rally deployment create --file /tmp/rally-config.json --name "${RALLY_ENV_NAME}"
+rm -f /tmp/rally-config.json
+rally deployment use "${RALLY_ENV_NAME}"
+rally deployment check
+{{- if $rallyTests.run_tempest }}
+rally verify create-verifier --name "${RALLY_ENV_NAME}-tempest" --type tempest
+SERVICE_TYPE="$(rally deployment check | grep "${RALLY_ENV_NAME}" | awk -F \| '{print $3}' | tr -d ' ' | tr -d '\n')"
+rally verify start --pattern "tempest.api.${SERVICE_TYPE}*"
+rally verify delete-verifier --id "${RALLY_ENV_NAME}-tempest" --force
+{{- end }}
+rally task validate /etc/rally/rally_tests.yaml
+rally task start /etc/rally/rally_tests.yaml
+rally task sla-check
+rally env cleanup
+rally deployment destroy --deployment "${RALLY_ENV_NAME}"
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/nova/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
new file mode 100644
index 0000000..db12915
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -0,0 +1,540 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.backup_main" }}
+#!/bin/bash
+
+# This file contains a database backup framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+#   source /tmp/backup_main.sh
+#
+# Then the script should call the main backup function (backup_databases):
+#   backup_databases [scope]
+#       [scope] is an optional parameter, defaulted to "all". If only one specific
+#               database is required to be backed up then this parameter will
+#               contain the name of the database; otherwise all are backed up.
+#
+#       The framework will require the following variables to be exported:
+#
+#         export DB_NAMESPACE          Namespace where the database(s) reside
+#         export DB_NAME               Name of the database system
+#         export LOCAL_DAYS_TO_KEEP    Number of days to keep the local backups
+#         export REMOTE_DAYS_TO_KEEP   Number of days to keep the remote backups
+#         export ARCHIVE_DIR           Local location where the backup tarballs should
+#                                      be stored. (full directory path)
+#         export BACK_UP_MODE          Determines the mode of backup taken.
+#         export REMOTE_BACKUP_ENABLED "true" if remote backup enabled; false
+#                                      otherwise
+#         export CONTAINER_NAME        Name of the container on the RGW to store
+#                                      the backup tarball.
+#         export STORAGE_POLICY        Name of the storage policy defined on the
+#                                      RGW which is intended to store backups.
+#         RGW access variables:
+#           export OS_REGION_NAME          Name of the region the RGW resides in
+#           export OS_AUTH_URL             Keystone URL associated with the RGW
+#           export OS_PROJECT_NAME         Name of the project associated with the
+#                                          keystone user
+#           export OS_USERNAME             Name of the keystone user
+#           export OS_PASSWORD             Password of the keystone user
+#           export OS_USER_DOMAIN_NAME     Keystone domain the project belongs to
+#           export OS_PROJECT_DOMAIN_NAME  Keystone domain the user belongs to
+#           export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+#           export REMOTE_BACKUP_RETRIES   Number of retries to send backup to remote
+#                                          in case of any temporary failures.
+#           export MIN_DELAY_SEND_REMOTE   Minimum seconds to delay before sending backup
+#                                          to remote to stagger backups being sent to RGW
+#           export MAX_DELAY_SEND_REMOTE   Maximum seconds to delay before sending backup
+#                                          to remote to stagger backups being sent to RGW.
+#                                          A random number between min and max delay is generated
+#                                          to set the delay.
+#
+# The database-specific functions that need to be implemented are:
+#   dump_databases_to_directory <directory> <err_logfile> [scope]
+#       where:
+#         <directory>   is the full directory path to dump the database files
+#                       into. This is a temporary directory for this backup only.
+#         <err_logfile> is the full directory path where error logs are to be
+#                       written by the application.
+#         [scope]       set to "all" if all databases are to be backed up; or
+#                       set to the name of a specific database to be backed up.
+#                       This optional parameter is defaulted to "all".
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to dump the database file(s) to the specified
+#       directory path. If this function completes successfully (returns 0), the
+#       framework will automatically tar/zip the files in that directory and
+#       name the tarball appropriately according to the proper conventions.
+#
+# The functions in this file will take care of:
+#   1) Calling "dump_databases_to_directory" and then compressing the files,
+#      naming the tarball properly, and then storing it locally at the specified
+#      local directory.
+#   2) Sending the tarball built to the remote gateway, to be stored in the
+#      container configured to store database backups.
+#   3) Removing local backup tarballs which are older than the number of days
+#      specified by the "LOCAL_DAYS_TO_KEEP" variable.
+#   4) Removing remote backup tarballs (from the remote gateway) which are older
+#      than the number of days specified by the "REMOTE_DAYS_TO_KEEP" variable.
+#
+
+# Note: not using set -e in this script because more elaborate error handling
+# is needed.
+
+log_backup_error_exit() {
+  MSG=$1
+  ERRCODE=${2:-0}
+  log ERROR "${DB_NAME}_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+  rm -f $ERR_LOG_FILE
+  rm -rf $TMP_DIR
+  exit $ERRCODE
+}
+
+log() {
+  #Log message to a file or stdout
+  #TODO: This can be convert into mail alert of alert send to a monitoring system
+  #Params: $1 log level
+  #Params: $2 service
+  #Params: $3 message
+  #Params: $4 Destination
+  LEVEL=$1
+  SERVICE=$2
+  MSG=$3
+  DEST=$4
+  DATE=$(date +"%m-%d-%y %H:%M:%S")
+  if [[ -z "$DEST" ]]; then
+    echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}"
+  else
+    echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}" >>$DEST
+  fi
+}
+
+# Generate a random number between MIN_DELAY_SEND_REMOTE and
+# MAX_DELAY_SEND_REMOTE
+random_number() {
+  diff=$((${MAX_DELAY_SEND_REMOTE} - ${MIN_DELAY_SEND_REMOTE} + 1))
+  echo $(($(( ${RANDOM} % ${diff} )) + ${MIN_DELAY_SEND_REMOTE} ))
+}
+
+#Get the day delta since the archive file backup
+seconds_difference() {
+  ARCHIVE_DATE=$( date --date="$1" +%s )
+  if [[ $? -ne 0 ]]; then
+    SECOND_DELTA=0
+  fi
+  CURRENT_DATE=$( date +%s )
+  SECOND_DELTA=$(($CURRENT_DATE-$ARCHIVE_DATE))
+  if [[ "$SECOND_DELTA" -lt 0 ]]; then
+    SECOND_DELTA=0
+  fi
+  echo $SECOND_DELTA
+}
+
+# Send the specified tarball file at the specified filepath to the
+# remote gateway.
+send_to_remote_server() {
+  FILEPATH=$1
+  FILE=$2
+
+  # Grab the list of containers on the remote site
+  RESULT=$(openstack container list 2>&1)
+
+  if [[ $? -eq 0 ]]; then
+    echo $RESULT | grep $CONTAINER_NAME
+    if [[ $? -ne 0 ]]; then
+      # Find the swift URL from the keystone endpoint list
+      SWIFT_URL=$(openstack catalog show object-store -c endpoints | grep public | awk '{print $4}')
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to get object-store enpoints from keystone catalog."
+        return 2
+      fi
+
+      # Get a token from keystone
+      TOKEN=$(openstack token issue -f value -c id)
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to get  keystone token."
+        return 2
+      fi
+
+      # Create the container
+      RES_FILE=$(mktemp -p /tmp)
+      curl -g -i -X PUT ${SWIFT_URL}/${CONTAINER_NAME} \
+           -H "X-Auth-Token: ${TOKEN}" \
+           -H "X-Storage-Policy: ${STORAGE_POLICY}" 2>&1 > $RES_FILE
+
+      if [[ $? -ne 0 || $(grep "HTTP" $RES_FILE | awk '{print $2}') -ge 400 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to create container ${CONTAINER_NAME}"
+        cat $RES_FILE
+        rm -f $RES_FILE
+        return 2
+      fi
+      rm -f $RES_FILE
+
+      swift stat $CONTAINER_NAME
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to retrieve container ${CONTAINER_NAME} details after creation."
+        return 2
+      fi
+    fi
+  else
+    echo $RESULT | grep -E "HTTP 401|HTTP 403"
+    if [[ $? -eq 0 ]]; then
+      log ERROR "${DB_NAME}_backup" "Access denied by keystone: ${RESULT}"
+      return 1
+    else
+      echo $RESULT | grep -E "ConnectionError|Failed to discover available identity versions|Service Unavailable|HTTP 50"
+      if [[ $? -eq 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Could not reach the RGW: ${RESULT}"
+        # In this case, keystone or the site/node may be temporarily down.
+        # Return slightly different error code so the calling code can retry
+        return 2
+      else
+        log ERROR "${DB_NAME}_backup" "Could not get container list: ${RESULT}"
+        return 1
+      fi
+    fi
+  fi
+
+  # Create an object to store the file
+  openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
+    return 2
+  fi
+  openstack object show $CONTAINER_NAME $FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
+    return 2
+  fi
+
+  log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
+  return 0
+}
+
+# This function attempts to store the built tarball to the remote gateway,
+# with built-in logic to handle error cases like:
+#   1) Network connectivity issues - retries for a specific amount of time
+#   2) Authorization errors - immediately logs an ERROR and returns
+store_backup_remotely() {
+  FILEPATH=$1
+  FILE=$2
+
+  count=1
+  while [[ ${count} -le ${REMOTE_BACKUP_RETRIES} ]]; do
+    # Store the new archive to the remote backup storage facility.
+    send_to_remote_server $FILEPATH $FILE
+    SEND_RESULT="$?"
+
+    # Check if successful
+    if [[ $SEND_RESULT -eq 0 ]]; then
+      log INFO "${DB_NAME}_backup" "Backup file ${FILE} successfully sent to RGW."
+      return 0
+    elif [[ $SEND_RESULT -eq 2 ]]; then
+      if [[ ${count} -ge ${REMOTE_BACKUP_RETRIES} ]]; then
+        log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW in " \
+        "${REMOTE_BACKUP_RETRIES} retries. Errors encountered. Exiting."
+        break
+      fi
+      # Temporary failure occurred. We need to retry
+      log WARN "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to RGW due to connection issue."
+      sleep_time=$(random_number)
+      log INFO "${DB_NAME}_backup" "Sleeping ${sleep_time} seconds waiting for RGW to become available..."
+      sleep ${sleep_time}
+      log INFO "${DB_NAME}_backup" "Retrying..."
+    else
+      log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW. Errors encountered. Exiting."
+      break
+    fi
+
+    # Increment the counter
+    count=$((count+1))
+  done
+
+  return 1
+}
+
+# This function takes a list of archives' names as an input
+# and creates a hash table where keys are number of seconds
+# between current date and archive date (see seconds_difference),
+# and values are space separated archives' names
+#
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 1265342678 | "tmp/mysql.backup.auto.2022-02-14T10:13:13Z.tar.gz"                                                     |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 2346254257 | "tmp/mysql.backup.auto.2022-02-11T10:13:13Z.tar.gz tmp/mysql.backup.manual.2022-02-11T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# <...>
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 6253434567 | "tmp/mysql.backup.manual.2022-02-01T10:13:13Z.tar.gz"                                                   |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# We will use the explained above data stracture to cover rare, but still
+# possible case, when we have several backups of the same date. E.g.
+# one manual, and one automatic.
+
+function get_archive_date(){
+# get_archive_date function returns correct archive date
+# for different formats of archives' names
+# the old one: <database name>.<namespace>.<table name | all>.<date-time>.tar.gz
+# the new one: <database name>.<namespace>.<table name | all>.<backup mode>.<date-time>.tar.gz
+local A_FILE="$1"
+local A_DATE=""
+if [[ -z ${BACK_UP_MODE} ]]; then
+  A_DATE=$( awk -F/ '{print $NF}' <<< ${ARCHIVE_FILE} | cut -d'.' -f 4 | tr -d "Z")
+else
+  A_DATE=$( awk -F/ '{print $NF}' <<< ${ARCHIVE_FILE} | cut -d'.' -f 5 | tr -d "Z")
+fi
+echo ${A_DATE}
+}
+
+declare -A fileTable
+create_hash_table() {
+unset fileTable
+fileList=$@
+  for ARCHIVE_FILE in ${fileList}; do
+    # Creating index, we will round given ARCHIVE_DATE to the midnight (00:00:00)
+    # to take in account a possibility, that we can have more than one scheduled
+    # backup per day.
+    ARCHIVE_DATE=$(get_archive_date ${ARCHIVE_FILE})
+    ARCHIVE_DATE=$(date --date=${ARCHIVE_DATE} +%D)
+    log INFO "${DB_NAME}_backup" "Archive date to build index: ${ARCHIVE_DATE}"
+    INDEX=$(seconds_difference ${ARCHIVE_DATE})
+    if [[ -z fileTable[${INDEX}] ]]; then
+      fileTable[${INDEX}]=${ARCHIVE_FILE}
+    else
+      fileTable[${INDEX}]="${fileTable[${INDEX}]} ${ARCHIVE_FILE}"
+    fi
+    echo "INDEX: ${INDEX} VALUE:  ${fileTable[${INDEX}]}"
+ done
+}
+
+function get_backup_prefix() {
+# Create list of all possible prefixes in a format:
+# <db_name>.<namespace> to cover a possible situation
+# when different backups of different databases and/or
+# namespaces share the same local or remote storage.
+  ALL_FILES=($@)
+  PREFIXES=()
+  for fname in ${ALL_FILES[@]}; do
+    prefix=$(basename ${fname} | cut -d'.' -f1,2 )
+    for ((i=0; i<${#PREFIXES[@]}; i++)) do
+      if [[ ${PREFIXES[${i}]} == ${prefix} ]]; then
+        prefix=""
+        break
+      fi
+    done
+    if [[ ! -z ${prefix} ]]; then
+        PREFIXES+=(${prefix})
+    fi
+  done
+}
+
+remove_old_local_archives() {
+  if [[ -d $ARCHIVE_DIR ]]; then
+    count=0
+    SECONDS_TO_KEEP=$((${LOCAL_DAYS_TO_KEEP}*86400))
+    log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days"
+    # We iterate over the hash table, checking the delta in seconds (hash keys),
+    # and minimum number of backups we must have in place. List of keys has to be sorted.
+    for INDEX in $(tr " " "\n" <<< ${!FILETABLE[@]} | sort -n -); do
+      ARCHIVE_FILE=${FILETABLE[${INDEX}]}
+      if [[ ${INDEX} -le ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
+        ((count++))
+        log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
+      else
+        log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
+          rm -rf $ARCHIVE_FILE
+          if [[ $? -ne 0 ]]; then
+            # Log error but don't exit so we can finish the script
+            # because at this point we haven't sent backup to RGW yet
+            log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
+          fi
+      fi
+    done
+  else
+    log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
+  fi
+}
+
+remove_old_local_archives() {
+  SECONDS_TO_KEEP=$(( $((${LOCAL_DAYS_TO_KEEP}))*86400))
+  log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+  if [[ -d $ARCHIVE_DIR ]]; then
+    count=0
+    # We iterate over the hash table, checking the delta in seconds (hash keys),
+    # and minimum number of backups we must have in place. List of keys has to be sorted.
+    for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+      ARCHIVE_FILE=${fileTable[${INDEX}]}
+      if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
+        ((count++))
+        log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
+      else
+        log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
+          rm -f ${ARCHIVE_FILE}
+          if [[ $? -ne 0 ]]; then
+            # Log error but don't exit so we can finish the script
+            # because at this point we haven't sent backup to RGW yet
+            log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
+          fi
+      fi
+    done
+  else
+    log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
+  fi
+}
+
+prepare_list_of_remote_backups() {
+  BACKUP_FILES=$(mktemp -p /tmp)
+  DB_BACKUP_FILES=$(mktemp -p /tmp)
+  openstack object list $CONTAINER_NAME > $BACKUP_FILES
+  if [[ $? -ne 0 ]]; then
+    log_backup_error_exit \
+      "Failed to cleanup remote backup. Could not obtain a list of current backup files in the RGW"
+  fi
+  # Filter out other types of backup files
+  cat $BACKUP_FILES | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $DB_BACKUP_FILES
+}
+
+# The logic implemented with this function is absolutely similar
+# to the function remove_old_local_archives (see above)
+remove_old_remote_archives() {
+  count=0
+  SECONDS_TO_KEEP=$((${REMOTE_DAYS_TO_KEEP}*86400))
+  log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+  for INDEX in $(tr " " "\n" <<< ${!FILETABLE[@]} | sort -n -); do
+    ARCHIVE_FILE=${FILETABLE[${INDEX}]}
+    if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then
+      ((count++))
+      log INFO "${DB_NAME}_backup" "Keeping remote backup(s) ${ARCHIVE_FILE}."
+    else
+      log INFO "${DB_NAME}_backup" "Deleting remote backup(s) ${ARCHIVE_FILE} from the RGW"
+      openstack object delete ${CONTAINER_NAME} ${ARCHIVE_FILE} ||  log WARN "${DB_NAME}_backup" \
+        "Failed to cleanup remote backup. Cannot delete container object ${ARCHIVE_FILE}"
+    fi
+  done
+
+  # Cleanup now that we're done.
+  for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
+  if [[ -f fd ]]; then
+    rm -f fd
+  else
+    log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+}
+
+# Main function to backup the databases. Calling functions need to supply:
+#  1) The directory where the final backup will be kept after it is compressed.
+#  2) A temporary directory to use for placing database files to be compressed.
+#     Note: this temp directory will be deleted after backup is done.
+#  3) Optional "scope" parameter indicating what database to back up. Defaults
+#     to "all".
+backup_databases() {
+  SCOPE=${1:-"all"}
+
+  # Create necessary directories if they do not exist.
+  mkdir -p $ARCHIVE_DIR || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create directory ${ARCHIVE_DIR}!"
+  export TMP_DIR=$(mktemp -d) || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create temp directory!"
+
+  # Create temporary log file
+  export ERR_LOG_FILE=$(mktemp -p /tmp) || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create log file!"
+
+  # It is expected that this function will dump the database files to the $TMP_DIR
+  dump_databases_to_directory $TMP_DIR $ERR_LOG_FILE $SCOPE
+
+  # If successful, there should be at least one file in the TMP_DIR
+  if [[ $? -ne 0 || $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+    cat $ERR_LOG_FILE
+    log_backup_error_exit "Backup of the ${DB_NAME} database failed and needs attention."
+  fi
+
+  log INFO "${DB_NAME}_backup" "Databases dumped successfully. Creating tarball..."
+
+  NOW=$(date +"%Y-%m-%dT%H:%M:%SZ")
+  if [[ -z "${BACK_UP_MODE}" ]]; then
+    TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${NOW}.tar.gz"
+  else
+    TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${BACK_UP_MODE}.${NOW}.tar.gz"
+  fi
+
+  cd $TMP_DIR || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot change to directory $TMP_DIR"
+
+  #Archive the current database files
+  tar zcvf $ARCHIVE_DIR/$TARBALL_FILE *
+  if [[ $? -ne 0 ]]; then
+    log_backup_error_exit \
+      "Backup ${DB_NAME} to local file system failed. Backup tarball could not be created."
+  fi
+
+  # Get the size of the file
+  ARCHIVE_SIZE=$(ls -l $ARCHIVE_DIR/$TARBALL_FILE | awk '{print $5}')
+
+  log INFO "${DB_NAME}_backup" "Tarball $TARBALL_FILE created successfully."
+
+  cd $ARCHIVE_DIR
+
+  # Remove the temporary directory and files as they are no longer needed.
+  rm -rf $TMP_DIR
+  rm -f $ERR_LOG_FILE
+
+  #Only delete the old archive after a successful archive
+  export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
+  if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
+    get_backup_prefix $(ls -1 ${ARCHIVE_DIR}/*.gz)
+    for ((i=0; i<${#PREFIXES[@]}; i++)); do
+      echo "Working with prefix: ${PREFIXES[i]}"
+      create_hash_table $(ls -1 ${ARCHIVE_DIR}/${PREFIXES[i]}*.gz)
+      remove_old_local_archives
+    done
+  fi
+
+  REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
+  if $REMOTE_BACKUP; then
+    # Remove Quotes from the constants which were added due to reading
+    # from secret.
+    export REMOTE_BACKUP_RETRIES=$(echo $REMOTE_BACKUP_RETRIES | sed 's/"//g')
+    export MIN_DELAY_SEND_REMOTE=$(echo $MIN_DELAY_SEND_REMOTE | sed 's/"//g')
+    export MAX_DELAY_SEND_REMOTE=$(echo $MAX_DELAY_SEND_REMOTE | sed 's/"//g')
+    export REMOTE_DAYS_TO_KEEP=$(echo $REMOTE_DAYS_TO_KEEP | sed 's/"//g')
+
+    store_backup_remotely $ARCHIVE_DIR $TARBALL_FILE
+    if [[ $? -ne 0 ]]; then
+      # This error should print first, then print the summary as the last
+      # thing that the user sees in the output.
+      log ERROR "${DB_NAME}_backup" "Backup ${TARBALL_FILE} could not be sent to remote RGW."
+      echo "=================================================================="
+      echo "Local backup successful, but could not send to remote RGW."
+      echo "Backup archive name: $TARBALL_FILE"
+      echo "Backup archive size: $ARCHIVE_SIZE"
+      echo "=================================================================="
+      # Because the local backup was successful, exit with 0 so the pod will not
+      # continue to restart and fill the disk with more backups. The ERRORs are
+      # logged and alerting system should catch those errors and flag the operator.
+      exit 0
+    fi
+
+    #Only delete the old archive after a successful archive
+    if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then
+      prepare_list_of_remote_backups
+      create_hash_table $(cat $DB_BACKUP_FILES)
+      remove_old_remote_archives
+    fi
+
+    echo "=================================================================="
+    echo "Local backup and backup to remote RGW successful!"
+    echo "Backup archive name: $TARBALL_FILE"
+    echo "Backup archive size: $ARCHIVE_SIZE"
+    echo "=================================================================="
+  else
+    # Remote backup is not enabled. This is ok; at least we have a local backup.
+    log INFO "${DB_NAME}_backup" "Skipping remote backup, as it is not enabled."
+
+    echo "=================================================================="
+    echo "Local backup successful!"
+    echo "Backup archive name: $TARBALL_FILE"
+    echo "Backup archive size: $ARCHIVE_SIZE"
+    echo "=================================================================="
+  fi
+}
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl b/charts/nova/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
new file mode 100644
index 0000000..093dd2c
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
@@ -0,0 +1,616 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.restore_main" }}
+#!/bin/bash
+
+# This file contains a database restore framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+#   source /tmp/restore_main.sh
+#
+# Then the script should call the main CLI function (cli_main):
+#   cli_main <arg_list>
+#       where:
+#         <arg_list>    is the list of arguments given by the user
+#
+#       The framework will require the following variables to be exported:
+#
+#         export DB_NAMESPACE        Namespace where the database(s) reside
+#         export DB_NAME             Name of the database system
+#         export ARCHIVE_DIR         Location where the backup tarballs should
+#                                    be stored. (full directory path which
+#                                    should already exist)
+#         export CONTAINER_NAME      Name of the container on the RGW where
+#                                    the backups are stored.
+#         RGW access variables:
+#           export OS_REGION_NAME          Name of the region the RGW resides in
+#           export OS_AUTH_URL             Keystone URL associated with the RGW
+#           export OS_PROJECT_NAME         Name of the project associated with the
+#                                          keystone user
+#           export OS_USERNAME             Name of the keystone user
+#           export OS_PASSWORD             Password of the keystone user
+#           export OS_USER_DOMAIN_NAME     Keystone domain the project belongs to
+#           export OS_PROJECT_DOMAIN_NAME  Keystone domain the user belongs to
+#           export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# The database-specific functions that need to be implemented are:
+#   get_databases
+#       where:
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <db_file>     is the full path of the file to write the database
+#                       names into, one database per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the database names from the
+#       uncompressed database files found in the given "tmp_dir", which is
+#       the staging directory for database restore. The database names
+#       should be written to the given "db_file", one database name per
+#       line.
+#
+#   get_tables
+#         <db_name>     is the name of the database to get the tables from
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <table_file>  is the full path of the file to write the table
+#                       names into, one table per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the table names from the given
+#       database, found in the uncompressed database files located in the
+#       given "tmp_dir", which is the staging directory for database restore.
+#       The table names should be written to the given "table_file", one
+#       table name per line.
+#
+#   get_rows
+#         <table_name>  is the name of the table to get the rows from
+#         <db_name>     is the name of the database the table resides in
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <rows_file>   is the full path of the file to write the table
+#                       row data into, one row (INSERT statement) per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the rows from the given table
+#       in the given database, found in the uncompressed database files
+#       located in the given "tmp_dir", which is the staging directory for
+#       database restore. The table rows should be written to the given
+#       "rows_file", one row (INSERT statement) per line.
+#
+#   get_schema
+#         <table_name>  is the name of the table to get the schema from
+#         <db_name>     is the name of the database the table resides in
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <schema_file> is the full path of the file to write the table
+#                       schema data into
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the schema from the given table
+#       in the given database, found in the uncompressed database files
+#       located in the given "tmp_dir", which is the staging directory for
+#       database restore. The table schema and related alterations and
+#       grant information should be written to the given "schema_file".
+#
+#   restore_single_db
+#       where:
+#         <db_name>     is the name of the database to be restored
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to restore the database given as "db_name"
+#       using the database files located in the "tmp_dir". The framework
+#       will delete the "tmp_dir" and the files in it after the restore is
+#       complete.
+#
+#   restore_all_dbs
+#       where:
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to restore all of the databases which
+#       are backed up in the database files located in the "tmp_dir". The
+#       framework will delete the "tmp_dir" and the files in it after the
+#       restore is complete.
+#
+# The functions in this file will take care of:
+#   1) The CLI parameter parsing for the arguments passed in by the user.
+#   2) The listing of either local or remote archive files at the request
+#      of the user.
+#   3) The retrieval/download of an archive file located either in the local
+#      file system or remotely stored on an RGW.
+#   4) Calling either "restore_single_db" or "restore_all_dbs" when the user
+#      chooses to restore a database or all databases.
+#   5) The framework will call "get_databases" when it needs a list of
+#      databases when the user requests a database list or when the user
+#      requests to restore a single database (to ensure it exists in the
+#      archive). Similarly, the framework will call "get_tables", "get_rows",
+#      or "get_schema" when it needs that data requested by the user.
+#
+
+usage() {
+  ret_val=$1
+  echo "Usage:"
+  echo "Restore command options"
+  echo "============================="
+  echo "help"
+  echo "list_archives [remote]"
+  echo "list_databases <archive_filename> [remote]"
+  echo "list_tables <archive_filename> <dbname> [remote]"
+  echo "list_rows <archive_filename> <dbname> <table_name> [remote]"
+  echo "list_schema <archive_filename> <dbname> <table_name> [remote]"
+  echo "restore <archive_filename> <db_specifier> [remote]"
+  echo "        where <db_specifier> = <dbname> | ALL"
+  echo "delete_archive <archive_filename> [remote]"
+  clean_and_exit $ret_val ""
+}
+
+#Exit cleanly with some message and return code
+clean_and_exit() {
+  RETCODE=$1
+  MSG=$2
+
+  # Clean/remove temporary directories/files
+  rm -rf $TMP_DIR
+  rm -f $RESULT_FILE
+
+  if [[ "x${MSG}" != "x" ]]; then
+    echo $MSG
+  fi
+  exit $RETCODE
+}
+
+determine_resulting_error_code() {
+  RESULT="$1"
+
+  echo ${RESULT} | grep "HTTP 404"
+  if [[ $? -eq 0 ]]; then
+    echo "Could not find the archive: ${RESULT}"
+    return 1
+  else
+    echo ${RESULT} | grep "HTTP 401"
+    if [[ $? -eq 0 ]]; then
+      echo "Could not access the archive: ${RESULT}"
+      return 1
+    else
+      echo ${RESULT} | grep "HTTP 503"
+      if [[ $? -eq 0 ]]; then
+        echo "RGW service is unavailable. ${RESULT}"
+        # In this case, the RGW may be temporarily down.
+        # Return slightly different error code so the calling code can retry
+        return 2
+      else
+        echo ${RESULT} | grep "ConnectionError"
+        if [[ $? -eq 0 ]]; then
+          echo "Could not reach the RGW: ${RESULT}"
+          # In this case, keystone or the site/node may be temporarily down.
+          # Return slightly different error code so the calling code can retry
+          return 2
+        else
+          echo "Archive ${ARCHIVE} could not be retrieved: ${RESULT}"
+          return 1
+        fi
+      fi
+    fi
+  fi
+  return 0
+}
+
+# Retrieve a list of archives from the RGW.
+retrieve_remote_listing() {
+  RESULT=$(openstack container show $CONTAINER_NAME 2>&1)
+  if [[ $? -eq 0 ]]; then
+    # Get the list, ensureing that we only pick up the right kind of backups from the
+    # requested namespace
+    openstack object list $CONTAINER_NAME | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $TMP_DIR/archive_list
+    if [[ $? -ne 0 ]]; then
+      echo "Container object listing could not be obtained."
+      return 1
+    else
+      echo "Archive listing successfully retrieved."
+    fi
+  else
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  fi
+  return 0
+}
+
+# Retrieve a single archive from the RGW.
+retrieve_remote_archive() {
+  ARCHIVE=$1
+
+  RESULT=$(openstack object save --file $TMP_DIR/$ARCHIVE $CONTAINER_NAME $ARCHIVE 2>&1)
+  if [[ $? -ne 0 ]]; then
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  else
+    echo "Archive $ARCHIVE successfully retrieved."
+  fi
+  return 0
+}
+
+# Delete an archive from the RGW.
+delete_remote_archive() {
+  ARCHIVE=$1
+
+  RESULT=$(openstack object delete ${CONTAINER_NAME} ${ARCHIVE} 2>&1)
+  if [[ $? -ne 0 ]]; then
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  else
+    echo "Archive ${ARCHIVE} successfully deleted."
+  fi
+  return 0
+}
+
+# Display all archives
+list_archives() {
+  REMOTE=$1
+
+  if [[ "x${REMOTE^^}" == "xREMOTE" ]]; then
+    retrieve_remote_listing
+    if [[ $? -eq 0 && -e $TMP_DIR/archive_list ]]; then
+      echo
+      echo "All Archives from RGW Data Store"
+      echo "=============================================="
+      cat $TMP_DIR/archive_list | sort
+      clean_and_exit 0 ""
+    else
+      clean_and_exit 1 "ERROR: Archives could not be retrieved from the RGW."
+    fi
+  elif [[ "x${REMOTE}" == "x" ]]; then
+    if [[ -d $ARCHIVE_DIR ]]; then
+      archives=$(find $ARCHIVE_DIR/ -iname "*.gz" -print | sort)
+      echo
+      echo "All Local Archives"
+      echo "=============================================="
+      for archive in $archives
+      do
+        echo $archive | cut -d '/' -f8-
+      done
+      clean_and_exit 0 ""
+    else
+      clean_and_exit 1 "ERROR: Local archive directory is not available."
+    fi
+  else
+    usage 1
+  fi
+}
+
+# Retrieve the archive from the desired location and decompress it into
+# the restore directory
+get_archive() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+
+  if [[ "x$REMOTE" == "xremote" ]]; then
+    echo "Retrieving archive ${ARCHIVE_FILE} from the remote RGW..."
+    retrieve_remote_archive $ARCHIVE_FILE
+    if [[ $? -ne 0 ]]; then
+      clean_and_exit 1 "ERROR: Could not retrieve remote archive: $ARCHIVE_FILE"
+    fi
+  elif [[ "x$REMOTE" == "x" ]]; then
+    if [[ -e $ARCHIVE_DIR/$ARCHIVE_FILE ]]; then
+      cp $ARCHIVE_DIR/$ARCHIVE_FILE $TMP_DIR/$ARCHIVE_FILE
+      if [[ $? -ne 0 ]]; then
+        clean_and_exit 1 "ERROR: Could not copy local archive to restore directory."
+      fi
+    else
+      clean_and_exit 1 "ERROR: Local archive file could not be found."
+    fi
+  else
+    usage 1
+  fi
+
+  echo "Decompressing archive $ARCHIVE_FILE..."
+  cd $TMP_DIR
+  tar zxvf - < $TMP_DIR/$ARCHIVE_FILE 1>/dev/null
+  if [[ $? -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Archive decompression failed."
+  fi
+}
+
+# Display all databases from an archive
+list_databases() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one database per line
+  get_databases $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve databases from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Databases in the $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Databases file missing. Could not list databases from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display all tables of a database from an archive
+list_tables() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  REMOTE=$3
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one table per line
+  get_tables $DATABASE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve tables for database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Tables in database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Tables file missing. Could not list tables of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display all rows of the given database table from an archive
+list_rows() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  TABLE=$3
+  REMOTE=$4
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one table per line
+  get_rows $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Rows in table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Rows file missing. Could not list rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display the schema information of the given database table from an archive
+list_schema() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  TABLE=$3
+  REMOTE=$4
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the schema information will be placed into
+  # the given schema file.
+  get_schema $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Schema for table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Schema file missing. Could not list schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Delete an archive
+delete_archive() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  if [[ "${WHERE}" == "remote" ]]; then
+    delete_remote_archive ${ARCHIVE_FILE}
+    if [[ $? -ne 0 ]]; then
+      clean_and_exit 1 "ERROR: Could not delete remote archive: ${ARCHIVE_FILE}"
+    fi
+  else # Local
+    if [[ -e ${ARCHIVE_DIR}/${ARCHIVE_FILE} ]]; then
+      rm -f ${ARCHIVE_DIR}/${ARCHIVE_FILE}
+      if [[ $? -ne 0 ]]; then
+        clean_and_exit 1 "ERROR: Could not delete local archive."
+      fi
+    else
+      clean_and_exit 1 "ERROR: Local archive file could not be found."
+    fi
+  fi
+
+  echo "Successfully deleted archive ${ARCHIVE_FILE} from ${WHERE} storage."
+}
+
+
+# Return 1 if the given database exists in the database file. 0 otherwise.
+database_exists() {
+  DB=$1
+
+  grep "${DB}" ${RESULT_FILE}
+  if [[ $? -eq 0 ]]; then
+    return 1
+  fi
+  return 0
+}
+
+# This is the main CLI interpreter function
+cli_main() {
+  ARGS=("$@")
+
+  # Create the ARCHIVE DIR if it's not already there.
+  mkdir -p $ARCHIVE_DIR
+
+  # Create temp directory for a staging area to decompress files into
+  export TMP_DIR=$(mktemp -d)
+
+  # Create a temp file for storing list of databases (if needed)
+  export RESULT_FILE=$(mktemp -p /tmp)
+
+  case "${ARGS[0]}" in
+    "help")
+      usage 0
+      ;;
+
+    "list_archives")
+      if [[ ${#ARGS[@]} -gt 2 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 1 ]]; then
+        list_archives
+      else
+        list_archives ${ARGS[1]}
+      fi
+      clean_and_exit 0
+      ;;
+
+    "list_databases")
+      if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 2 ]]; then
+        list_databases ${ARGS[1]}
+      else
+        list_databases ${ARGS[1]} ${ARGS[2]}
+      fi
+      ;;
+
+    "list_tables")
+      if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 3 ]]; then
+        list_tables ${ARGS[1]} ${ARGS[2]}
+      else
+        list_tables ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      fi
+      ;;
+
+    "list_rows")
+      if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      else
+        list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+      fi
+      ;;
+
+    "list_schema")
+      if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      else
+        list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+      fi
+      ;;
+
+    "restore")
+      REMOTE=""
+      if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        REMOTE=${ARGS[3]}
+      fi
+
+      ARCHIVE=${ARGS[1]}
+      DB_SPEC=${ARGS[2]}
+
+      #Get all the databases in that archive
+      get_archive $ARCHIVE $REMOTE
+
+      if [[ "$( echo $DB_SPEC | tr '[a-z]' '[A-Z]')" != "ALL" ]]; then
+        # Expectation is that the database listing will be put into
+        # the given file one database per line
+        get_databases $TMP_DIR $RESULT_FILE
+        if [[ "$?" -ne 0 ]]; then
+          clean_and_exit 1 "ERROR: Could not get the list of databases to restore."
+        fi
+
+        if [[ ! $DB_NAMESPACE == "kube-system" ]]; then
+          #check if the requested database is available in the archive
+          database_exists $DB_SPEC
+          if [[ $? -ne 1 ]]; then
+            clean_and_exit 1 "ERROR: Database ${DB_SPEC} does not exist."
+          fi
+        fi
+
+        echo "Restoring Database $DB_SPEC And Grants"
+        restore_single_db $DB_SPEC $TMP_DIR
+        if [[ "$?" -eq 0 ]]; then
+          echo "Single database restored successfully."
+        else
+          clean_and_exit 1 "ERROR: Single database restore failed."
+        fi
+        clean_and_exit 0 ""
+      else
+        echo "Restoring All The Databases. This could take a few minutes..."
+        restore_all_dbs $TMP_DIR
+        if [[ "$?" -eq 0 ]]; then
+          echo "All databases restored successfully."
+        else
+          clean_and_exit 1 "ERROR: Database restore failed."
+        fi
+        clean_and_exit 0 ""
+      fi
+      ;;
+    "delete_archive")
+      if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 2 ]]; then
+        delete_archive ${ARGS[1]}
+      else
+        delete_archive ${ARGS[1]} ${ARGS[2]}
+      fi
+      ;;
+    *)
+      usage 1
+      ;;
+  esac
+
+  clean_and_exit 0 ""
+}
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_image.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_image.tpl
new file mode 100644
index 0000000..029c93d
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_image.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves an image reference to a string, and its pull policy
+values: |
+  images:
+    tags:
+      test_image: docker.io/port/test:version-foo
+      image_foo: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    pull_policy: IfNotPresent
+    local_registry:
+      active: true
+      exclude:
+        - image_foo
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    local_image_registry:
+      name: docker-registry
+      namespace: docker-registry
+      hosts:
+        default: localhost
+        internal: docker-registry
+        node: localhost
+      host_fqdn_override:
+        default: null
+      port:
+        registry:
+          node: 5000
+usage: |
+  {{ tuple . "test_image" | include "helm-toolkit.snippets.image" }}
+return: |
+  image: "localhost:5000/docker.io/port/test:version-foo"
+  imagePullPolicy: IfNotPresent
+*/}}
+
+{{- define "helm-toolkit.snippets.image" -}}
+{{- $envAll := index . 0 -}}
+{{- $image := index . 1 -}}
+{{- $imageTag := index $envAll.Values.images.tags $image -}}
+{{- if and ($envAll.Values.images.local_registry.active) (not (has $image $envAll.Values.images.local_registry.exclude )) -}}
+{{- $registryPrefix := printf "%s:%s" (tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup") (tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup") -}}
+image: {{ printf "%s/%s" $registryPrefix $imageTag | quote }}
+{{- else -}}
+image: {{ $imageTag | quote }}
+{{- end }}
+imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
new file mode 100644
index 0000000..2f209fe
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a set of container enviorment variables, equivlant to an openrc for
+  use with keystone based command line clients.
+values: |
+  secrets:
+    identity:
+      admin: example-keystone-admin
+usage: |
+  {{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin ) }}
+return: |
+  - name: OS_IDENTITY_API_VERSION
+    value: "3"
+  - name: OS_AUTH_URL
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_AUTH_URL
+  - name: OS_REGION_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_REGION_NAME
+  - name: OS_INTERFACE
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_INTERFACE
+  - name: OS_ENDPOINT_TYPE
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_INTERFACE
+  - name: OS_PROJECT_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PROJECT_DOMAIN_NAME
+  - name: OS_PROJECT_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PROJECT_NAME
+  - name: OS_USER_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_USER_DOMAIN_NAME
+  - name: OS_USERNAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_USERNAME
+  - name: OS_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PASSWORD
+  - name: OS_CACERT
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_CACERT
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }}
+{{- $useCA := .useCA -}}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: OS_IDENTITY_API_VERSION
+  value: "3"
+- name: OS_AUTH_URL
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_AUTH_URL
+- name: OS_REGION_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_REGION_NAME
+- name: OS_INTERFACE
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_INTERFACE
+- name: OS_ENDPOINT_TYPE
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_INTERFACE
+- name: OS_PROJECT_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_DOMAIN_NAME
+- name: OS_PROJECT_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_NAME
+- name: OS_USER_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USER_DOMAIN_NAME
+- name: OS_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USERNAME
+- name: OS_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PASSWORD
+- name: OS_DEFAULT_DOMAIN
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_DEFAULT_DOMAIN
+{{- if $useCA }}
+- name: OS_CACERT
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_CACERT
+{{- end }}
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
new file mode 100644
index 0000000..f627657
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_secret_openrc" }}
+{{- $userClass := index . 0 -}}
+{{- $identityEndpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $userContext := index $context.Values.endpoints.identity.auth $userClass }}
+OS_AUTH_URL: {{ tuple "identity" $identityEndpoint "api" $context | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
+OS_REGION_NAME: {{ $userContext.region_name | b64enc }}
+OS_INTERFACE: {{ $userContext.interface | default "internal" | b64enc }}
+OS_PROJECT_DOMAIN_NAME: {{ $userContext.project_domain_name | b64enc }}
+OS_PROJECT_NAME: {{ $userContext.project_name | b64enc }}
+OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }}
+OS_USERNAME: {{ $userContext.username | b64enc }}
+OS_PASSWORD: {{ $userContext.password | b64enc }}
+OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }}
+{{- if $userContext.cacert }}
+OS_CACERT: {{ $userContext.cacert | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
new file mode 100644
index 0000000..648711b
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a set of container enviorment variables, for use with the keystone
+  user management jobs.
+values: |
+  secrets:
+    identity:
+      service_user: example-keystone-user
+usage: |
+  {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }}
+return: |
+  - name: SERVICE_OS_REGION_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_REGION_NAME
+  - name: SERVICE_OS_PROJECT_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PROJECT_DOMAIN_NAME
+  - name: SERVICE_OS_PROJECT_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PROJECT_NAME
+  - name: SERVICE_OS_USER_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_USER_DOMAIN_NAME
+  - name: SERVICE_OS_USERNAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_USERNAME
+  - name: SERVICE_OS_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PASSWORD
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_user_create_env_vars" }}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: SERVICE_OS_REGION_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_REGION_NAME
+- name: SERVICE_OS_PROJECT_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_DOMAIN_NAME
+- name: SERVICE_OS_PROJECT_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_NAME
+- name: SERVICE_OS_USER_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USER_DOMAIN_NAME
+- name: SERVICE_OS_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USERNAME
+- name: SERVICE_OS_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PASSWORD
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
new file mode 100644
index 0000000..aa656c1
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders a configmap used for loading custom AppArmor profiles.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+      apparmor_profiles: |-
+        my_apparmor-v1.profile: |-
+          #include <tunables/global>
+          profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+            <profile_data>
+          }
+usage: |
+  {{ dict "envAll" . "component" "myComponent" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }}
+return: |
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: releaseName-myComponent-apparmor
+  namespace: myNamespace
+data:
+  my_apparmor-v1.profile: |-
+    #include <tunables/global>
+    profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+      <profile_data>
+    }
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_configmap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- $mapName := printf "%s-%s-%s" $envAll.Chart.Name $component "apparmor" -}}
+{{- if $envAll.Values.conf.apparmor_profiles }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ $mapName }}
+  namespace: {{ $envAll.Release.Namespace }}
+data:
+{{ $envAll.Values.conf.apparmor_profiles | toYaml | indent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
new file mode 100644
index 0000000..f231fe6
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders the init container used for apparmor loading.
+values: |
+  images:
+    tags:
+      apparmor_loader: my-repo.io/apparmor-loader:1.0.0
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+      apparmor-loader: unconfined
+usage: |
+  {{ dict "envAll" . | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" }}
+return: |
+  - name: apparmor-loader
+    image: my-repo.io/apparmor-loader:1.0.0
+    args:
+      - /profiles
+    securityContext:
+      privileged: true
+    volumeMounts:
+      - name: sys
+        mountPath: /sys
+        readOnly: true
+      - name: includes
+        mountPath: /etc/apparmor.d
+        readOnly: true
+      - name: profiles
+        mountPath: /profiles
+        readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" -}}
+{{- $envAll := index . "envAll" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+- name: apparmor-loader
+  image: {{ $envAll.Values.images.tags.apparmor_loader }}
+  args:
+    - /profiles
+  securityContext:
+    privileged: true
+  volumeMounts:
+    - name: sys
+      mountPath: /sys
+      readOnly: true
+    - name: includes
+      mountPath: /etc/apparmor.d
+      readOnly: true
+    - name: profiles
+      mountPath: /profiles
+      readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
new file mode 100644
index 0000000..c5e07ee
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders the volumes used by the apparmor loader.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+inputs: |
+  envAll: "Environment or Context."
+  component: "Name of the component used for the name of configMap."
+  requireSys: "Boolean. True if it needs the hostpath /sys in volumes."
+usage: |
+  {{ dict "envAll" . "component" "keystone" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" }}
+return: |
+- name: sys
+  hostPath:
+    path: /sys
+- name: includes
+  hostPath:
+    path: /etc/apparmor.d
+- name: profiles
+  configMap:
+    name: RELEASENAME-keystone-apparmor
+    defaultMode: 0555
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_volumes" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $requireSys := index . "requireSys" | default false -}}
+{{- $configName := printf "%s-%s-%s" $envAll.Chart.Name $component "apparmor" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- if $requireSys }}
+- name: sys
+  hostPath:
+    path: /sys
+{{- end }}
+- name: includes
+  hostPath:
+    path: /etc/apparmor.d
+- name: profiles
+  configMap:
+    name: {{ $configName | quote }}
+    defaultMode: 0555
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
new file mode 100644
index 0000000..4741497
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders securityContext for a Kubernetes container.
+  For container level, see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#securitycontext-v1-core
+examples:
+  - values: |
+      pod:
+        security_context:
+          myApp:
+            container:
+              foo:
+                runAsUser: 34356
+                readOnlyRootFilesystem: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" "container" "foo" | include "helm-toolkit.snippets.kubernetes_container_security_context" }}
+    return: |
+      securityContext:
+        readOnlyRootFilesystem: true
+        runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_container_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $container := index . "container" -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{- if hasKey ( index $envAll.Values.pod.security_context $application "container" ) $container }}
+securityContext:
+{{ toYaml ( index $envAll.Values.pod.security_context $application "container" $container ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
new file mode 100644
index 0000000..bed712e
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
@@ -0,0 +1,209 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a container definition for use with the kubernetes-entrypoint image
+  from stackanetes.
+values: |
+  images:
+    tags:
+      dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    pull_policy: IfNotPresent
+    local_registry:
+      active: true
+      exclude:
+        - dep_check
+  dependencies:
+    dynamic:
+      common:
+        local_image_registry:
+          jobs:
+            - calico-image-repo-sync
+          services:
+            - endpoint: node
+              service: local_image_registry
+    static:
+      calico_node:
+        services:
+          - endpoint: internal
+            service: etcd
+        custom_resources:
+          - apiVersion: argoproj.io/v1alpha1
+            kind: Workflow
+            name: wf-example
+            fields:
+              - key: "status.phase"
+                value: "Succeeded"
+  endpoints:
+    local_image_registry:
+      namespace: docker-registry
+      hosts:
+        default: localhost
+        node: localhost
+    etcd:
+      hosts:
+        default: etcd
+  # NOTE (portdirect): if the stanza, or a portion of it, under `pod` is not
+  # specififed then the following will be used as defaults:
+  #  pod:
+  #    security_context:
+  #      kubernetes_entrypoint:
+  #        container:
+  #          kubernetes_entrypoint:
+  #            runAsUser: 65534
+  #            readOnlyRootFilesystem: true
+  #            allowPrivilegeEscalation: false
+  pod:
+    security_context:
+      kubernetes_entrypoint:
+        container:
+          kubernetes_entrypoint:
+            runAsUser: 0
+            readOnlyRootFilesystem: false
+usage: |
+  {{ tuple . "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" }}
+return: |
+  - name: init
+    image: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+    imagePullPolicy: IfNotPresent
+    securityContext:
+      allowPrivilegeEscalation: false
+      readOnlyRootFilesystem: false
+      runAsUser: 0
+
+    env:
+      - name: POD_NAME
+        valueFrom:
+          fieldRef:
+            apiVersion: v1
+            fieldPath: metadata.name
+      - name: NAMESPACE
+        valueFrom:
+          fieldRef:
+            apiVersion: v1
+            fieldPath: metadata.namespace
+      - name: INTERFACE_NAME
+        value: eth0
+      - name: PATH
+        value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+      - name: DEPENDENCY_SERVICE
+        value: "default:etcd,docker-registry:localhost"
+      - name: DEPENDENCY_JOBS
+        value: "calico-image-repo-sync"
+      - name: DEPENDENCY_DAEMONSET
+        value: ""
+      - name: DEPENDENCY_CONTAINER
+        value: ""
+      - name: DEPENDENCY_POD_JSON
+        value: ""
+      - name: DEPENDENCY_CUSTOM_RESOURCE
+        value: "[{\"apiVersion\":\"argoproj.io/v1alpha1\",\"kind\":\"Workflow\",\"namespace\":\"default\",\"name\":\"wf-example\",\"fields\":[{\"key\":\"status.phase\",\"value\":\"Succeeded\"}]}]"
+    command:
+      - kubernetes-entrypoint
+    volumeMounts:
+      []
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" -}}
+Values:
+  pod:
+    security_context:
+      kubernetes_entrypoint:
+        container:
+          kubernetes_entrypoint:
+            runAsUser: 65534
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $mounts := index . 2 -}}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+
+{{- if and ($envAll.Values.manifests.job_rabbit_init) (hasKey $envAll.Values.dependencies "dynamic") -}}
+{{- if $envAll.Values.dependencies.dynamic.job_rabbit_init -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component) ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component)) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+{{- range $deps.custom_resources }}
+{{- $_ := set . "namespace" $envAll.Release.Namespace -}}
+{{- end -}}
+{{- $default_security_context := include "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" . | fromYaml }}
+{{- $patchedEnvAll := mergeOverwrite $default_security_context $envAll }}
+- name: init
+{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
+{{- dict "envAll" $patchedEnvAll "application" "kubernetes_entrypoint" "container" "kubernetes_entrypoint" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 2 }}
+  env:
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          apiVersion: v1
+          fieldPath: metadata.name
+    - name: NAMESPACE
+      valueFrom:
+        fieldRef:
+          apiVersion: v1
+          fieldPath: metadata.namespace
+    - name: INTERFACE_NAME
+      value: eth0
+    - name: PATH
+      value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+    - name: DEPENDENCY_SERVICE
+      value: "{{ tuple $deps.services $envAll | include "helm-toolkit.utils.comma_joined_service_list" }}"
+{{- if $deps.jobs -}}
+  {{- if kindIs "string" (index $deps.jobs 0) }}
+    - name: DEPENDENCY_JOBS
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.jobs }}"
+  {{- else }}
+    - name: DEPENDENCY_JOBS_JSON
+      value: {{- toJson $deps.jobs | quote -}}
+  {{- end -}}
+{{- end }}
+    - name: DEPENDENCY_DAEMONSET
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.daemonset }}"
+    - name: DEPENDENCY_CONTAINER
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.container }}"
+    - name: DEPENDENCY_POD_JSON
+      value: {{ if $deps.pod }}{{ toJson $deps.pod | quote }}{{ else }}""{{ end }}
+    - name: DEPENDENCY_CUSTOM_RESOURCE
+      value: {{ if $deps.custom_resources }}{{ toJson $deps.custom_resources | quote }}{{ else }}""{{ end }}
+  command:
+    - kubernetes-entrypoint
+  volumeMounts:
+{{ toYaml $mounts | indent 4 }}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
new file mode 100644
index 0000000..34a7da3
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
@@ -0,0 +1,20 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_kubectl_params" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{ print "-l application=" $application " -l component=" $component }}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
new file mode 100644
index 0000000..92d3ea5
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders mandatory access control annotations for a list of containers
+  driven by values.yaml. As of now, it can only generate an apparmor
+  annotation, but in the future could generate others.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      myPodName:
+        myContainerName: localhost/myAppArmor
+        mySecondContainerName: localhost/secondProfile # optional
+        myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+  {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" }}
+return: |
+  container.apparmor.security.beta.kubernetes.io/myContainerName: localhost/myAppArmor
+  container.apparmor.security.beta.kubernetes.io/mySecondContainerName: localhost/secondProfile
+  container.apparmor.security.beta.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+  The number of container underneath is a variable arguments. It loops through
+  all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- $macType := $envAll.Values.pod.mandatory_access_control.type -}}
+{{- if $macType -}}
+{{- if eq $macType "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control $podName -}}
+{{- range $name := $containerNames -}}
+{{- $apparmorProfile := index $envAll.Values.pod.mandatory_access_control $podName $name -}}
+{{- if $apparmorProfile }}
+container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
new file mode 100644
index 0000000..b8493b3
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders a set of standardised labels
+values: |
+  release_group: null
+  pod:
+    labels:
+      default:
+        label1.example.com: value
+      bar:
+        label2.example.com: bar
+usage: |
+  {{ tuple . "foo" "bar" | include "helm-toolkit.snippets.kubernetes_metadata_labels" }}
+return: |
+  release_group: RELEASE-NAME
+  application: foo
+  component: bar
+  label1.example.com: value
+  label2.example.com: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+release_group: {{ $envAll.Values.release_group | default $envAll.Chart.Name }}
+application: {{ $application }}
+component: {{ $component }}
+{{- if ($envAll.Values.pod).labels }}
+{{- if hasKey $envAll.Values.pod.labels $component }}
+{{ index $envAll.Values.pod "labels" $component | toYaml }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.labels "default" }}
+{{ $envAll.Values.pod.labels.default | toYaml }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
new file mode 100644
index 0000000..f1ad580
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
@@ -0,0 +1,89 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes anti affinity rules, this function supports both hard
+  'requiredDuringSchedulingIgnoredDuringExecution' and soft
+  'preferredDuringSchedulingIgnoredDuringExecution' types.
+values: |
+  pod:
+    affinity:
+      anti:
+        topologyKey:
+          default: kubernetes.io/hostname
+        type:
+          default: requiredDuringSchedulingIgnoredDuringExecution
+        weight:
+          default: 10
+usage: |
+  {{ tuple . "appliction_x" "component_y" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" }}
+return: |
+  podAntiAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+    - labelSelector:
+        matchExpressions:
+          - key: release_group
+            operator: In
+            values:
+            - RELEASE-NAME
+          - key: application
+            operator: In
+            values:
+            - appliction_x
+          - key: component
+            operator: In
+            values:
+            - component_y
+          topologyKey: kubernetes.io/hostname
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $component := index . "component" -}}
+{{- $expressionRelease := dict "key" "release_group" "operator" "In"  "values" ( list ( $envAll.Values.release_group | default $envAll.Chart.Name ) ) -}}
+{{- $expressionApplication := dict "key" "application" "operator" "In"  "values" ( list $application ) -}}
+{{- $expressionComponent := dict "key" "component" "operator" "In"  "values" ( list $component ) -}}
+{{- list $expressionRelease $expressionApplication $expressionComponent | toYaml }}
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{- $antiAffinityType := index $envAll.Values.pod.affinity.anti.type $component | default $envAll.Values.pod.affinity.anti.type.default }}
+{{- $antiAffinityKey := index $envAll.Values.pod.affinity.anti.topologyKey $component | default $envAll.Values.pod.affinity.anti.topologyKey.default }}
+podAntiAffinity:
+{{- $matchExpressions := include "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" ( dict "envAll" $envAll "application" $application "component" $component ) -}}
+{{- if eq $antiAffinityType "preferredDuringSchedulingIgnoredDuringExecution" }}
+  {{ $antiAffinityType }}:
+  - podAffinityTerm:
+      labelSelector:
+        matchExpressions:
+{{ $matchExpressions | indent 10 }}
+      topologyKey: {{ $antiAffinityKey }}
+{{- if  $envAll.Values.pod.affinity.anti.weight }}
+    weight: {{ index $envAll.Values.pod.affinity.anti.weight $component | default $envAll.Values.pod.affinity.anti.weight.default }}
+{{- else }}
+    weight: 10
+{{- end -}}
+{{- else if eq $antiAffinityType "requiredDuringSchedulingIgnoredDuringExecution" }}
+  {{ $antiAffinityType }}:
+  - labelSelector:
+      matchExpressions:
+{{ $matchExpressions | indent 8 }}
+    topologyKey: {{ $antiAffinityKey }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
new file mode 100644
index 0000000..74173dc
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders image pull secrets for a pod
+values: |
+  pod:
+    image_pull_secrets:
+      default:
+        - name: some-pull-secret
+      bar:
+        - name: another-pull-secret
+usage: |
+  {{ tuple . "bar" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" }}
+return: |
+  imagePullSecrets:
+    - name: some-pull-secret
+    - name: another-pull-secret
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_image_pull_secrets" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- if ($envAll.Values.pod).image_pull_secrets }}
+imagePullSecrets:
+{{- if hasKey $envAll.Values.pod.image_pull_secrets $application }}
+{{ index $envAll.Values.pod "image_pull_secrets" $application | toYaml | indent 2 }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.image_pull_secrets "default" }}
+{{ $envAll.Values.pod.image_pull_secrets.default | toYaml | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
new file mode 100644
index 0000000..c2576d5
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{{- $saName := index . 2 | replace "_" "-" }}
+{{- $saNamespace := index . 3 -}}
+{{- $releaseName := $envAll.Chart.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $releaseName }}-{{ $saName }}
+  namespace: {{ $saNamespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $saName }}
+    namespace: {{ $saNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+  namespace: {{ $saNamespace }}
+rules:
+  - apiGroups:
+      - ""
+      - extensions
+      - batch
+      - apps
+    verbs:
+      - get
+      - list
+    resources:
+      {{- range $k, $v := $deps -}}
+      {{ if eq $v "daemonsets" }}
+      - daemonsets
+      {{- end -}}
+      {{ if eq $v "jobs" }}
+      - jobs
+      {{- end -}}
+      {{ if or (eq $v "pods") (eq $v "daemonsets") (eq $v "jobs") }}
+      - pods
+      {{- end -}}
+      {{ if eq $v "services" }}
+      - services
+      - endpoints
+      {{- end -}}
+      {{ if eq $v "secrets" }}
+      - secrets
+      {{- end -}}
+      {{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
new file mode 100644
index 0000000..4cc898d
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $saName := index . 2 -}}
+{{- $saNamespace := $envAll.Release.Namespace }}
+{{- $randomKey := randAlphaNum 32 }}
+{{- $allNamespace := dict $randomKey "" }}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $saName }}
+  namespace: {{ $saNamespace }}
+{{- range $k, $v := $deps -}}
+{{- if eq $k "services" }}
+{{- range $serv := $v }}
+{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
+{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
+{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
+{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- else if and (eq $k "jobs") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "daemonset") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "pod") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "pods," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "secret") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "secrets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- $_ := unset $allNamespace $randomKey }}
+{{- range $ns, $vv := $allNamespace }}
+{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
+{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
new file mode 100644
index 0000000..3a4fbaa
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
@@ -0,0 +1,67 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders securityContext for a Kubernetes pod.
+  For pod level, seurity context see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#podsecuritycontext-v1-core
+examples:
+  - values: |
+      pod:
+        # NOTE: The 'user' key is deprecated, and will be removed shortly.
+        user:
+          myApp:
+            uid: 34356
+        security_context:
+          myApp:
+            pod:
+              runAsNonRoot: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+    return: |
+      securityContext:
+        runAsUser: 34356
+        runAsNonRoot: true
+  - values: |
+      pod:
+        security_context:
+          myApp:
+            pod:
+              runAsUser: 34356
+              runAsNonRoot: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+    return: |
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+securityContext:
+{{- if hasKey $envAll.Values.pod "user" }}
+{{- if hasKey $envAll.Values.pod.user $application }}
+{{- if hasKey ( index $envAll.Values.pod.user $application ) "uid" }}
+  runAsUser: {{ index $envAll.Values.pod.user $application "uid" }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{ toYaml ( index $envAll.Values.pod.security_context $application "pod" ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
new file mode 100644
index 0000000..7470760
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes liveness and readiness probes for containers
+values: |
+  pod:
+    probes:
+      api:
+        default:
+          readiness:
+            enabled: true
+            params:
+              initialDelaySeconds: 30
+              timeoutSeconds: 30
+usage: |
+  {{- define "probeTemplate" }}
+  httpGet:
+    path: /status
+    port: 9090
+  {{- end }}
+  {{ dict "envAll" . "component" "api" "container" "default" "type" "readiness" "probeTemplate" (include "probeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" }}
+return: |
+  readinessProbe:
+    httpGet:
+      path: /status
+      port: 9090
+    initialDelaySeconds: 30
+    timeoutSeconds: 30
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_probe" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $container := index . "container" -}}
+{{- $type := index . "type" -}}
+{{- $probeTemplate := index . "probeTemplate" -}}
+{{- $probeOpts := index $envAll.Values.pod.probes $component $container $type -}}
+{{- if $probeOpts.enabled -}}
+{{- $probeOverides := index $probeOpts "params" | default dict -}}
+{{ dict ( printf "%sProbe" $type ) (mergeOverwrite $probeTemplate $probeOverides ) | toYaml }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
new file mode 100644
index 0000000..24d30cf
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
@@ -0,0 +1,53 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Note: This function is deprecated and will be removed in the future.
+
+abstract: |
+  Renders kubernetes resource limits for pods
+values: |
+  pod:
+    resources:
+      enabled: true
+      api:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+          hugepages-1Gi: "1Gi"
+
+usage: |
+  {{ include "helm-toolkit.snippets.kubernetes_resources" ( tuple . .Values.pod.resources.api ) }}
+return: |
+  resources:
+    limits:
+      cpu: "2000m"
+      memory: "1024Mi"
+      hugepages-1Gi: "1Gi"
+    requests:
+      cpu: "100m"
+      memory: "128Mi
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_resources" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- if $envAll.Values.pod.resources.enabled -}}
+resources:
+{{ toYaml $component | trim | indent 2 }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
new file mode 100644
index 0000000..555ffb0
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders seccomp annotations for a list of containers driven by values.yaml.
+values: |
+  pod:
+    seccomp:
+      myPodName:
+        myContainerName: localhost/mySeccomp
+        mySecondContainerName: localhost/secondProfile # optional
+        myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+  {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_seccomp_annotation" }}
+return: |
+  container.seccomp.security.alpha.kubernetes.io/myContainerName: localhost/mySeccomp
+  container.seccomp.security.alpha.kubernetes.io/mySecondContainerName: localhost/secondProfile
+  container.seccomp.security.alpha.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+  The number of container underneath is a variable arguments. It loops through
+  all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_seccomp_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey (index $envAll.Values.pod "seccomp") $podName -}}
+{{- range $name := $containerNames -}}
+{{- $seccompProfile := index $envAll.Values.pod.seccomp $podName $name -}}
+{{- if $seccompProfile }}
+container.seccomp.security.alpha.kubernetes.io/{{ $name }}: {{ $seccompProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
new file mode 100644
index 0000000..e4af6a6
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes tolerations for pods
+values: |
+  pod:
+    tolerations:
+      api:
+        enabled: true
+        tolerations:
+        - key: node-role.kubernetes.io/master
+          operator: Exists
+        - key: node-role.kubernetes.io/node
+          operator: Exists
+
+usage: |
+  {{ include "helm-toolkit.snippets.kubernetes_tolerations" ( tuple . .Values.pod.tolerations.api ) }}
+return: |
+  tolerations:
+  - key: node-role.kubernetes.io/master
+    operator: Exists
+  - key: node-role.kubernetes.io/node
+    operator: Exists
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_tolerations" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $pod := index $envAll.Values.pod.tolerations $component }}
+tolerations:
+{{ toYaml $pod.tolerations }}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
new file mode 100644
index 0000000..69cee47
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_daemonset" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $upgradeMap := index $envAll.Values.pod.lifecycle.upgrades.daemonsets $component -}}
+{{- $pod_replacement_strategy := $envAll.Values.pod.lifecycle.upgrades.daemonsets.pod_replacement_strategy -}}
+{{- with $upgradeMap -}}
+{{- if .enabled }}
+minReadySeconds: {{ .min_ready_seconds }}
+updateStrategy:
+  type: {{ $pod_replacement_strategy }}
+  {{- if $pod_replacement_strategy }}
+  {{- if eq $pod_replacement_strategy "RollingUpdate" }}
+  rollingUpdate:
+    maxUnavailable: {{ .max_unavailable }}
+  {{- end }}
+  {{- end }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
new file mode 100644
index 0000000..be28cdb
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_deployment" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.deployments -}}
+revisionHistoryLimit: {{ .revision_history }}
+strategy:
+  type: {{ .pod_replacement_strategy }}
+  {{- if eq .pod_replacement_strategy "RollingUpdate" }}
+  rollingUpdate:
+    maxUnavailable: {{ .rolling_update.max_unavailable }}
+    maxSurge: {{ .rolling_update.max_surge }}
+  {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
new file mode 100644
index 0000000..f897023
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders upgradeStrategy configuration for Kubernetes statefulsets.
+  See: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+  Types:
+    - RollingUpdate (default)
+    - OnDelete
+  Partitions:
+    - Stage updates to a statefulset by keeping pods at current version while
+      allowing mutations to statefulset's .spec.template
+values: |
+  pod:
+    lifecycle:
+      upgrades:
+        statefulsets:
+          pod_replacement_strategy: RollingUpdate
+          partition: 2
+usage: |
+  {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_statefulset" | indent 2 }}
+return: |
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      partition: 2
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_statefulset" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.statefulsets -}}
+updateStrategy:
+  type: {{ .pod_replacement_strategy }}
+  {{ if .partition -}}
+  rollingUpdate:
+    partition: {{ .partition }}
+  {{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
new file mode 100644
index 0000000..fc74c6f
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
@@ -0,0 +1,68 @@
+{{- define "helm-toolkit.snippets.mon_host_from_k8s_ep" -}}
+{{/*
+
+Inserts a bash function definition mon_host_from_k8s_ep() which can be used
+to construct a mon_hosts value from the given namespaced endpoint.
+
+Usage (e.g. in _script.sh.tpl):
+    #!/bin/bash
+
+    : "${NS:=ceph}"
+    : "${EP:=ceph-mon-discovery}"
+
+    {{ include "helm-toolkit.snippets.mon_host_from_k8s_ep" . }}
+
+    MON_HOST=$(mon_host_from_k8s_ep "$NS" "$EP")
+
+    if [ -z "$MON_HOST" ]; then
+        # deal with failure
+    else
+        sed -i -e "s/^mon_host = /mon_host = $MON_HOST/" /etc/ceph/ceph.conf
+    fi
+*/}}
+{{`
+# Construct a mon_hosts value from the given namespaced endpoint
+# IP x.x.x.x with port p named "mon-msgr2" will appear as [v2:x.x.x.x/p/0]
+# IP x.x.x.x with port q named "mon" will appear as [v1:x.x.x.x/q/0]
+# IP x.x.x.x with ports p and q will appear as [v2:x.x.x.x/p/0,v1:x.x.x.x/q/0]
+# The entries for all IPs will be joined with commas
+mon_host_from_k8s_ep() {
+  local ns=$1
+  local ep=$2
+
+  if [ -z "$ns" ] || [ -z "$ep" ]; then
+    return 1
+  fi
+
+  # We don't want shell expansion for the go-template expression
+  # shellcheck disable=SC2016
+  kubectl get endpoints -n "$ns" "$ep" -o go-template='
+    {{- $sep := "" }}
+    {{- range $_,$s := .subsets }}
+      {{- $v2port := 0 }}
+      {{- $v1port := 0 }}
+      {{- range $_,$port := index $s "ports" }}
+        {{- if (eq $port.name "mon-msgr2") }}
+          {{- $v2port = $port.port }}
+        {{- else if (eq $port.name "mon") }}
+          {{- $v1port = $port.port }}
+        {{- end }}
+      {{- end }}
+      {{- range $_,$address := index $s "addresses" }}
+        {{- $v2endpoint := printf "v2:%s:%d/0" $address.ip $v2port }}
+        {{- $v1endpoint := printf "v1:%s:%d/0" $address.ip $v1port }}
+        {{- if (and $v2port $v1port) }}
+          {{- printf "%s[%s,%s]" $sep $v2endpoint $v1endpoint }}
+          {{- $sep = "," }}
+        {{- else if $v2port }}
+          {{- printf "%s[%s]" $sep $v2endpoint }}
+          {{- $sep = "," }}
+        {{- else if $v1port }}
+          {{- printf "%s[%s]" $sep $v1endpoint }}
+          {{- $sep = "," }}
+        {{- end }}
+      {{- end }}
+    {{- end }}'
+}
+`}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
new file mode 100644
index 0000000..fec41f8
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape jobs via pod
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape pods that have a value of `true`
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: Scrape the pod on the indicated port instead of the
+# pod's declared ports (default is a port-free target if none are declared).
+
+{{- define "helm-toolkit.snippets.prometheus_pod_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
new file mode 100644
index 0000000..a827c4b
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
@@ -0,0 +1,35 @@
+{{/*
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+   http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape endpoints via
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape services that have a value of `true`
+# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
+# to set this to `https` & most likely set the `tls_config` of the scrape config.
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: If the metrics are exposed on a different port to the
+# service then set this appropriately.
+
+{{- define "helm-toolkit.snippets.prometheus_service_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.scheme }}
+prometheus.io/scheme: {{ $config.scheme | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_release_uuid.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
new file mode 100644
index 0000000..253920b
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Reneders an attonation key and value for a release
+values: |
+  release_uuid: null
+usage: |
+  {{ tuple . | include "helm-toolkit.snippets.release_uuid" }}
+return: |
+  "openstackhelm.openstack.org/release_uuid": ""
+*/}}
+
+{{- define "helm-toolkit.snippets.release_uuid" -}}
+{{- $envAll := index . 0 -}}
+"openstackhelm.openstack.org/release_uuid": {{ $envAll.Values.release_uuid | default "" | quote }}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
new file mode 100644
index 0000000..a3169ce
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_admin_env_vars" }}
+{{- $s3AdminSecret := .s3AdminSecret }}
+- name: S3_ADMIN_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_USERNAME
+- name: S3_ADMIN_ACCESS_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_ACCESS_KEY
+- name: S3_ADMIN_SECRET_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_SECRET_KEY
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
new file mode 100644
index 0000000..a611a5e
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_secret_creds" }}
+{{- range $client, $config := .Values.storage.s3.clients -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+type: Opaque
+data:
+{{- range $key, $value := $config.auth }}
+  {{ $key | upper }}: {{ $value | toString | b64enc}}
+{{- end }}
+
+{{ end }}
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
new file mode 100644
index 0000000..a3dd431
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_user_env_vars" }}
+{{- range $client, $user := .Values.storage.s3.clients }}
+{{- $s3secret := printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+- name: {{ printf "%s_S3_USERNAME" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: USERNAME
+- name: {{ printf "%s_S3_ACCESS_KEY" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: ACCESS_KEY
+- name: {{ printf "%s_S3_SECRET_KEY" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: SECRET_KEY
+{{- end }}
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_tls_volume.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
new file mode 100644
index 0000000..41fe3d9
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+  Renders a secret volume for tls.
+
+  Dictionary Parameters:
+    enabled: boolean check if you want to conditional disable this snippet (optional)
+    name: name of the volume (required)
+    secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional)
+
+values: |
+  manifests:
+    certificates: true
+
+usage: |
+  {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume" -}}
+
+return: |
+  - name: glance-tls-api
+    secret:
+      secretName: glance-tls-api
+      defaultMode: 292
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $secretName := index . "secretName" | default $name -}}
+{{- if and $enabled (ne $name "") }}
+- name: {{ $name }}
+  secret:
+    secretName: {{ $secretName }}
+    defaultMode: 292
+{{- end }}
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
new file mode 100644
index 0000000..9cfa819
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
@@ -0,0 +1,82 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+  Renders a volume mount for TLS key, cert and CA.
+
+  Dictionary Parameters:
+    enabled: boolean check if you want to conditional disable this snippet (optional)
+    name: name that of the volume and should match the volume name (required)
+    path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required)
+    certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}.
+          the default is the full set. (optional)
+
+values: |
+  manifests:
+    certificates: true
+
+usage: |
+  {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/tls.crt
+    subPath: tls.crt
+    readOnly: true
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/tls.key
+    subPath: tls.key
+    readOnly: true
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/ca.crt
+    subPath: ca.crt
+    readOnly: true
+
+abstract: |
+  This mounts a specific issuing CA only for service validation
+
+usage: |
+  {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+  - name: glance-tls-api
+    mountPath: /etc/ssl/certs/openstack-helm.crt
+    subPath: ca.crt
+    readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume_mount" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $path := index . "path" | default "" -}}
+{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }}
+{{- if $enabled }}
+{{- if and (eq $path "") (ne $name "") }}
+- name: {{ $name }}
+  mountPath: "/etc/ssl/certs/openstack-helm.crt"
+  subPath: ca.crt
+  readOnly: true
+{{- else }}
+{{- if ne $name "" }}
+{{- range $key, $value := $certs }}
+- name: {{ $name }}
+  mountPath: {{ printf "%s/%s" $path $value }}
+  subPath: {{ $value }}
+  readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
new file mode 100644
index 0000000..7fa180a
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
@@ -0,0 +1,87 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders out configuration sections into a format suitable for incorporation
+  into a config-map. Allowing various forms of input to be rendered out as
+  appropriate.
+values: |
+  conf:
+    inputs:
+      - foo
+      - bar
+    some:
+      config_to_render: |
+        #We can use all of gotpl here: eg macros, ranges etc.
+        {{ include "helm-toolkit.utils.joinListWithComma" .Values.conf.inputs }}
+      config_to_complete:
+        #here we can fill out params, but things need to be valid yaml as input
+        '{{ .Chart.Name }}': '{{ printf "%s-%s" .Release.Namespace "namespace" }}'
+      static_config:
+        #this is just passed though as yaml to the configmap
+        foo: bar
+usage: |
+  {{- $envAll := . }}
+  ---
+  apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: application-etc
+  data:
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_render "key" "config_to_render.conf") | indent 2 }}
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_complete "key" "config_to_complete.yaml") | indent 2 }}
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.static_config "key" "static_config.yaml") | indent 2 }}
+return: |
+  ---
+  apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: application-etc
+  data:
+    config_to_render.conf: |
+      #We can use all of gotpl here: eg macros, ranges etc.
+      foo,bar
+
+    config_to_complete.yaml: |
+      'RELEASE-NAME': 'default-namespace'
+
+    static_config.yaml: |
+      foo: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.values_template_renderer" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $template := index . "template" -}}
+{{- $key := index . "key" -}}
+{{- $format := index . "format" | default "configMap" -}}
+{{- with $envAll -}}
+{{- $templateRendered := tpl ( $template | toYaml ) . }}
+{{- if eq $format "Secret" }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: {{ regexReplaceAllLiteral "\n  " ( $templateRendered | trimPrefix "|\n" | trimPrefix "  " ) "\n" | b64enc }}
+{{- else }}
+{{ $key }}: {{ $templateRendered | b64enc }}
+{{- end -}}
+{{- else }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: |
+{{ regexReplaceAllLiteral "\n  " ( $templateRendered | trimPrefix "|\n" | trimPrefix "  " ) "\n" | indent 2 }}
+{{- else }}
+{{ $key }}: |
+{{ $templateRendered | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl b/charts/nova/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
new file mode 100644
index 0000000..6d617a1
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
@@ -0,0 +1,94 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Produces a certificate from a certificate authority. If the "encode" parameter
+  is true, base64 encode the values for inclusion in a Kubernetes secret.
+values: |
+  test:
+    hosts:
+      names:
+        - barbican.openstackhelm.example
+        - barbican.openstack.svc.cluster.local
+      ips:
+        - 127.0.0.1
+        - 192.168.0.1
+    life: 3
+    # Use ca.crt and ca.key to build a customized ca, if they are provided.
+    # Use hosts.names[0] and life to auto-generate a ca, if ca is not provided.
+    ca:
+      crt: |
+        <CA CRT>
+      key: |
+        <CA PRIVATE KEY>
+usage: |
+  {{ include "helm-toolkit.utils.tls_generate_certs" (dict "params" .Values.test) }}
+return: |
+  ca: |
+    <CA CRT>
+  crt: |
+    <CRT>
+  exp: 2018-09-01T10:56:07.895392915-00:00
+  key: |
+    <CRT PRIVATE KEY>
+*/}}
+
+{{- define "helm-toolkit.utils.tls_generate_certs" -}}
+{{- $params := index . "params" -}}
+{{- $encode := index . "encode" | default false -}}
+{{- $local := dict -}}
+
+{{- $_hosts := $params.hosts.names | default list }}
+{{- if kindIs "string" $params.hosts.names }}
+{{- $_ := set $local "certHosts" (list $params.hosts.names) }}
+{{- else }}
+{{- $_ := set $local "certHosts" $_hosts }}
+{{- end }}
+
+{{- $_ips := $params.hosts.ips | default list }}
+{{- if kindIs "string" $params.hosts.ips }}
+{{- $_ := set $local "certIps" (list $params.hosts.ips) }}
+{{- else }}
+{{- $_ := set $local "certIps" $_ips }}
+{{- end }}
+
+{{- if hasKey $params "ca" }}
+{{- if and (hasKey $params.ca "crt") (hasKey $params.ca "key") }}
+{{- $ca := buildCustomCert ($params.ca.crt | b64enc ) ($params.ca.key | b64enc ) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+{{- else }}
+{{- $ca := genCA (first $local.certHosts) (int $params.life) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+
+{{- $expDate := date_in_zone "2006-01-02T15:04:05Z07:00" ( date_modify (printf "+%sh" (mul $params.life 24 |toString)) now ) "UTC" }}
+{{- $rawCert := genSignedCert (first $local.certHosts) ($local.certIps) ($local.certHosts) (int $params.life) $local.ca }}
+{{- $certificate := dict -}}
+{{- if $encode -}}
+{{- $_ := b64enc $rawCert.Cert | set $certificate "crt" -}}
+{{- $_ := b64enc $rawCert.Key | set $certificate "key" -}}
+{{- $_ := b64enc $local.ca.Cert | set $certificate "ca" -}}
+{{- $_ := b64enc $local.ca.Key | set $certificate "caKey" -}}
+{{- $_ := b64enc $expDate | set $certificate "exp" -}}
+{{- else -}}
+{{- $_ := set $certificate "crt" $rawCert.Cert -}}
+{{- $_ := set $certificate "key" $rawCert.Key -}}
+{{- $_ := set $certificate "ca" $local.ca.Cert -}}
+{{- $_ := set $certificate "caKey" $local.ca.Key -}}
+{{- $_ := set $certificate "exp" $expDate -}}
+{{- end -}}
+{{- $certificate | toYaml }}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl b/charts/nova/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
new file mode 100644
index 0000000..e26501f
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a comma separated list of namespace:service pairs.
+values: |
+  dependencies:
+    static:
+      api:
+        services:
+          - endpoint: internal
+            service: oslo_cache
+          - endpoint: internal
+            service: oslo_db
+  endpoints:
+    oslo_db:
+      namespace: foo
+      hosts:
+        default: mariadb
+    oslo_cache:
+      namespace: bar
+      hosts:
+        default: memcache
+usage: |
+  {{ tuple .Values.dependencies.static.api.services . | include "helm-toolkit.utils.comma_joined_service_list" }}
+return: |
+  bar:memcache,foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.utils.comma_joined_service_list" -}}
+{{- $deps := index . 0 -}}
+{{- $envAll := index . 1 -}}
+{{- range $k, $v := $deps -}}{{- if $k -}},{{- end -}}{{ tuple $v.service $v.endpoint $envAll | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/utils/_configmap_templater.tpl b/charts/nova/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
new file mode 100644
index 0000000..7095c19
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
@@ -0,0 +1,30 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.configmap_templater" }}
+{{- $keyRoot := index . 0 -}}
+{{- $configTemplate := index . 1 -}}
+{{- $context := index . 2 -}}
+{{ if $keyRoot.override -}}
+{{ $keyRoot.override | indent 4 }}
+{{- else -}}
+{{- if $keyRoot.prefix -}}
+{{ $keyRoot.prefix | indent 4 }}
+{{- end }}
+{{ tuple $configTemplate $context | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if $keyRoot.append -}}
+{{ $keyRoot.append | indent 4 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl b/charts/nova/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
new file mode 100644
index 0000000..40359f0
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
@@ -0,0 +1,269 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.daemonset_overrides" }}
+  {{- $daemonset := index . 0 }}
+  {{- $daemonset_yaml := index . 1 }}
+  {{- $configmap_include := index . 2 }}
+  {{- $configmap_name := index . 3 }}
+  {{- $context := index . 4 }}
+  {{- $_ := unset $context ".Files" }}
+  {{- $daemonset_root_name := printf (print $context.Chart.Name "_" $daemonset) }}
+  {{- $_ := set $context.Values "__daemonset_list" list }}
+  {{- $_ := set $context.Values "__default" dict }}
+  {{- if hasKey $context.Values.conf "overrides" }}
+    {{- range $key, $val := $context.Values.conf.overrides }}
+
+      {{- if eq $key $daemonset_root_name }}
+        {{- range $type, $type_data := . }}
+
+          {{- if eq $type "hosts" }}
+            {{- range $host_data := . }}
+              {{/* dictionary that will contain all info needed to generate this
+              iteration of the daemonset */}}
+              {{- $current_dict := dict }}
+
+              {{/* set daemonset name */}}
+              {{/* Note: long hostnames can cause the 63 char name limit to be
+              exceeded. Truncate the hostname if hostname > 20 char */}}
+              {{- if gt (len $host_data.name) 20 }}
+                {{- $_ := set $current_dict "name" (substr 0 20 $host_data.name) }}
+              {{- else }}
+                {{- $_ := set $current_dict "name" $host_data.name }}
+              {{- end }}
+
+              {{/* apply overrides */}}
+              {{- $override_conf_copy := $host_data.conf }}
+              {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+              {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+              {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+              {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+              {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+              {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+              {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+              {{- $_ := set $current_dict "nodeData" $root_conf_copy4 }}
+
+              {{/* Schedule to this host explicitly. */}}
+              {{- $nodeSelector_dict := dict }}
+
+              {{- $_ := set $nodeSelector_dict "key" "kubernetes.io/hostname" }}
+              {{- $_ := set $nodeSelector_dict "operator" "In" }}
+
+              {{- $values_list := list $host_data.name }}
+              {{- $_ := set $nodeSelector_dict "values" $values_list }}
+
+              {{- $list_aggregate := list $nodeSelector_dict }}
+              {{- $_ := set $current_dict "matchExpressions" $list_aggregate }}
+
+              {{/* store completed daemonset entry/info into global list */}}
+              {{- $list_aggregate := append $context.Values.__daemonset_list $current_dict }}
+              {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+            {{- end }}
+          {{- end }}
+
+          {{- if eq $type "labels" }}
+            {{- $_ := set $context.Values "__label_list" . }}
+            {{- range $label_data := . }}
+              {{/* dictionary that will contain all info needed to generate this
+              iteration of the daemonset. */}}
+              {{- $_ := set $context.Values "__current_label" dict }}
+
+              {{/* set daemonset name */}}
+              {{- $_ := set $context.Values.__current_label "name" $label_data.label.key }}
+
+              {{/* apply overrides */}}
+              {{- $override_conf_copy := $label_data.conf }}
+              {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+              {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+              {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+              {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+              {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+              {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+              {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+              {{- $_ := set $context.Values.__current_label "nodeData" $root_conf_copy4 }}
+
+              {{/* Schedule to the provided label value(s) */}}
+              {{- $label_dict := omit $label_data.label "NULL" }}
+              {{- $_ := set $label_dict "operator" "In" }}
+              {{- $list_aggregate := list $label_dict }}
+              {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+
+              {{/* Do not schedule to other specified labels, with higher
+              precedence as the list position increases. Last defined label
+              is highest priority. */}}
+              {{- $other_labels := without $context.Values.__label_list $label_data }}
+              {{- range $label_data2 := $other_labels }}
+                {{- $label_dict := omit $label_data2.label "NULL" }}
+
+                {{- $_ := set $label_dict "operator" "NotIn" }}
+
+                {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+                {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+              {{- end }}
+              {{- $_ := set $context.Values "__label_list" $other_labels }}
+
+              {{/* Do not schedule to any other specified hosts */}}
+              {{- range $type, $type_data := $val }}
+                {{- if eq $type "hosts" }}
+                  {{- range $host_data := . }}
+                    {{- $label_dict := dict }}
+
+                    {{- $_ := set $label_dict "key" "kubernetes.io/hostname" }}
+                    {{- $_ := set $label_dict "operator" "NotIn" }}
+
+                    {{- $values_list := list $host_data.name }}
+                    {{- $_ := set $label_dict "values" $values_list }}
+
+                    {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+                    {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+                  {{- end }}
+                {{- end }}
+              {{- end }}
+
+              {{/* store completed daemonset entry/info into global list */}}
+              {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__current_label }}
+              {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+              {{- $_ := unset $context.Values "__current_label" }}
+
+            {{- end }}
+          {{- end }}
+        {{- end }}
+
+        {{/* scheduler exceptions for the default daemonset */}}
+        {{- $_ := set $context.Values.__default "matchExpressions" list }}
+
+        {{- range $type, $type_data := . }}
+          {{/* Do not schedule to other specified labels */}}
+          {{- if eq $type "labels" }}
+            {{- range $label_data := . }}
+              {{- $default_dict := omit $label_data.label "NULL" }}
+
+              {{- $_ := set $default_dict "operator" "NotIn" }}
+
+              {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+              {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+            {{- end }}
+          {{- end }}
+          {{/* Do not schedule to other specified hosts */}}
+          {{- if eq $type "hosts" }}
+            {{- range $host_data := . }}
+              {{- $default_dict := dict }}
+
+              {{- $_ := set $default_dict "key" "kubernetes.io/hostname" }}
+              {{- $_ := set $default_dict "operator" "NotIn" }}
+
+              {{- $values_list := list $host_data.name }}
+              {{- $_ := set $default_dict "values" $values_list }}
+
+              {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+              {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+            {{- end }}
+          {{- end }}
+        {{- end }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+
+  {{/* generate the default daemonset */}}
+
+  {{/* set name */}}
+  {{- $_ := set $context.Values.__default "name" "default" }}
+
+  {{/* no overrides apply, so copy as-is */}}
+  {{- $root_conf_copy1 := omit $context.Values.conf "overrides" }}
+  {{- $root_conf_copy2 := dict "conf" $root_conf_copy1 }}
+  {{- $context_values := omit $context.Values "conf" }}
+  {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+  {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+  {{- $_ := set $context.Values.__default "nodeData" $root_conf_copy4 }}
+
+  {{/* add to global list */}}
+  {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__default }}
+  {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+  {{- range $current_dict := $context.Values.__daemonset_list }}
+
+    {{- $context_novalues := omit $context "Values" }}
+    {{- $merged_dict := mergeOverwrite $context_novalues $current_dict.nodeData }}
+    {{- $_ := set $current_dict "nodeData" $merged_dict }}
+    {{/* Deep copy original daemonset_yaml */}}
+    {{- $_ := set $context.Values "__daemonset_yaml" ($daemonset_yaml | toYaml | fromYaml) }}
+
+    {{/* name needs to be a DNS-1123 compliant name. Ensure lower case */}}
+    {{- $name_format1 := printf (print $daemonset_root_name "-" $current_dict.name) | lower }}
+    {{/* labels may contain underscores which would be invalid here, so we replace them with dashes
+    there may be other valid label names which would make for an invalid DNS-1123 name
+    but these will be easier to handle in future with sprig regex* functions
+    (not availabile in helm 2.5.1) */}}
+    {{- $name_format2 := $name_format1 | replace "_" "-" }}
+    {{/* To account for the case where the same label is defined multiple times in overrides
+    (but with different label values), we add a sha of the scheduling data to ensure
+    name uniqueness */}}
+    {{- $_ := set $current_dict "dns_1123_name" dict }}
+    {{- if hasKey $current_dict "matchExpressions" }}
+      {{- $_ := set $current_dict "dns_1123_name" (printf (print $name_format2 "-" ($current_dict.matchExpressions | quote | sha256sum | trunc 8))) }}
+    {{- else }}
+      {{- $_ := set $current_dict "dns_1123_name" $name_format2 }}
+    {{- end }}
+
+    {{/* set daemonset metadata name */}}
+    {{- if not $context.Values.__daemonset_yaml.metadata }}{{- $_ := set $context.Values.__daemonset_yaml "metadata" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }}
+    {{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }}
+
+    {{/* cross-reference configmap name to container volume definitions */}}
+    {{- $_ := set $context.Values "__volume_list" list }}
+    {{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }}
+      {{- $_ := set $context.Values "__volume" $current_volume }}
+      {{- if hasKey $context.Values.__volume "secret" }}
+        {{- if eq $context.Values.__volume.secret.secretName $configmap_name }}
+          {{- $_ := set $context.Values.__volume.secret "secretName" $current_dict.dns_1123_name }}
+        {{- end }}
+      {{- end }}
+      {{- $updated_list := append $context.Values.__volume_list $context.Values.__volume }}
+      {{- $_ := set $context.Values "__volume_list" $updated_list }}
+    {{- end }}
+    {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "volumes" $context.Values.__volume_list }}
+
+
+    {{/* populate scheduling restrictions */}}
+    {{- if hasKey $current_dict "matchExpressions" }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "spec" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "affinity" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity "nodeAffinity" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity "requiredDuringSchedulingIgnoredDuringExecution" dict }}{{- end }}
+      {{- $match_exprs := dict }}
+      {{- $_ := set $match_exprs "matchExpressions" $current_dict.matchExpressions }}
+      {{- $appended_match_expr := list $match_exprs }}
+      {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution "nodeSelectorTerms" $appended_match_expr }}
+    {{- end }}
+
+    {{/* input value hash for current set of values overrides */}}
+    {{- if not $context.Values.__daemonset_yaml.spec }}{{- $_ := set $context.Values.__daemonset_yaml "spec" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template }}{{- $_ := set $context.Values.__daemonset_yaml.spec "template" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template.metadata }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "metadata" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template.metadata.annotations }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata "annotations" dict }}{{- end }}
+    {{- $cmap := list $current_dict.dns_1123_name $current_dict.nodeData | include $configmap_include }}
+    {{- $values_hash := $cmap | quote | sha256sum }}
+    {{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata.annotations "configmap-etc-hash" $values_hash }}
+
+    {{/* generate configmap */}}
+---
+{{ $cmap }}
+    {{/* generate daemonset yaml */}}
+---
+{{ $context.Values.__daemonset_yaml | toYaml }}
+  {{- end }}
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl b/charts/nova/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
new file mode 100644
index 0000000..b99c00d
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.dependency_resolver" }}
+{{- $envAll := index . "envAll" -}}
+{{- $dependencyMixinParam := index . "dependencyMixinParam" -}}
+{{- $dependencyKey := index . "dependencyKey" -}}
+{{- if $dependencyMixinParam -}}
+{{- $_ := set $envAll.Values "pod_dependency" dict -}}
+{{- if kindIs "string" $dependencyMixinParam }}
+{{- if ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam ) }}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency ( index $envAll.Values.dependencies.static $dependencyKey ) ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam $dependencyKey ) ) -}}
+{{- else }}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- end }}
+{{- else if kindIs "slice" $dependencyMixinParam }}
+{{- $_ := set $envAll.Values "__deps" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- range $k, $v := $dependencyMixinParam -}}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency $envAll.Values.__deps ( index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey ) ) -}}
+{{- $_ := set $envAll.Values "__deps" $envAll.Values.pod_dependency -}}
+{{- end }}
+{{- end }}
+{{- else -}}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) -}}
+{{- end -}}
+{{ $envAll.Values.pod_dependency | toYaml }}
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/utils/_hash.tpl b/charts/nova/charts/helm-toolkit/templates/utils/_hash.tpl
new file mode 100644
index 0000000..d871b62
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/utils/_hash.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.hash" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{- include $wtf $context | sha256sum | quote -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/utils/_host_list.tpl b/charts/nova/charts/helm-toolkit/templates/utils/_host_list.tpl
new file mode 100644
index 0000000..0c32136
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/utils/_host_list.tpl
@@ -0,0 +1,44 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a list of unique hosts for an endpoint, in yaml.
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: mariadb
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.utils.host_list" }}
+return: |
+  hosts:
+  - mariadb
+  - mariadb.default
+*/}}
+
+{{- define "helm-toolkit.utils.host_list" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $host_fqdn := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $host_namespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $host_short := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{/* It is important that the FQDN host is 1st in this list, to ensure other function can use the 1st element for cert gen CN etc */}}
+{{- $host_list := list $host_fqdn $host_namespaced $host_short | uniq }}
+{{- dict "hosts" $host_list | toYaml }}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/utils/_image_sync_list.tpl b/charts/nova/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
new file mode 100644
index 0000000..51923b6
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.image_sync_list" -}}
+{{- $imageExcludeList := .Values.images.local_registry.exclude -}}
+{{- $imageDict := .Values.images.tags -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := $imageDict -}}
+{{- if not $local.first -}},{{- end -}}
+{{- if (not (has $k $imageExcludeList )) -}}
+{{- index $imageDict $k -}}
+{{- $_ := set $local "first" false -}}
+{{- end -}}{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl b/charts/nova/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
new file mode 100644
index 0000000..5eb5785
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a comma separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithComma" .Values.test }}
+return: |
+  foo,bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithComma" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl b/charts/nova/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
new file mode 100644
index 0000000..3bc6819
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a comma seperated string with single quotes
+  around each value.
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.test }}
+return: |
+  'foo','bar'
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}'{{- $v -}}'{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl b/charts/nova/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
new file mode 100644
index 0000000..40ebb15
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
@@ -0,0 +1,32 @@
+{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of prefixed values into a space separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ tuple "prefix" .Values.test | include "helm-toolkit.utils.joinListWithPrefix" }}
+return: |
+  prefixfoo prefixbar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithPrefix" -}}
+{{- $prefix := index . 0 -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := index . 1 -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $prefix -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl b/charts/nova/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
new file mode 100644
index 0000000..5912280
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a space separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithSpace" .Values.test }}
+return: |
+  foo bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithSpace" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/utils/_merge.tpl b/charts/nova/charts/helm-toolkit/templates/utils/_merge.tpl
new file mode 100644
index 0000000..ea80546
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/utils/_merge.tpl
@@ -0,0 +1,135 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Takes a tuple of values and merges into the first (target) one each subsequent
+(source) one in order. If all values to merge are maps, then the tuple can be
+passed as is and the target will be the result, otherwise pass a map with a
+"values" key containing the tuple of values to merge, and the merge result will
+be assigned to the "result" key of the passed map.
+
+When merging maps, for each key in the source, if the target does not define
+that key, the source value is assigned. If both define the key, then the key
+values are merged using this algorithm (recursively) and the result is assigned
+to the target key. Slices are merged by appending them and removing any
+duplicates, and when passing a map to this function and including a
+"merge_same_named" key set to true, then map items from the slices with the same
+value for the "name" key will be merged with each other. Any other values are
+merged by simply keeping the source, and throwing away the target.
+*/}}
+
+{{- define "helm-toolkit.utils.merge" -}}
+  {{- $local := dict -}}
+  {{- $_ := set $local "merge_same_named" false -}}
+  {{- if kindIs "map" $ -}}
+    {{- $_ := set $local "values" $.values -}}
+    {{- if hasKey $ "merge_same_named" -}}
+      {{- $_ := set $local "merge_same_named" $.merge_same_named -}}
+    {{- end -}}
+  {{- else -}}
+    {{- $_ := set $local "values" $ -}}
+  {{- end -}}
+
+  {{- $target := first $local.values -}}
+  {{- range $item := rest $local.values -}}
+    {{- $call := dict "target" $target "source" . "merge_same_named" $local.merge_same_named -}}
+    {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+    {{- $_ := set $local "result" $call.result -}}
+  {{- end -}}
+
+  {{- if kindIs "map" $ -}}
+    {{- $_ := set $ "result" $local.result -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge" -}}
+  {{- $local := dict -}}
+
+  {{- $_ := set $ "result" $.source -}}
+
+  {{/*
+  TODO: Should we `fail` when trying to merge a collection (map or slice) with
+  either a different kind of collection or a scalar?
+  */}}
+
+  {{- if and (kindIs "map" $.target) (kindIs "map" $.source) -}}
+    {{- range $key, $sourceValue := $.source -}}
+      {{- if not (hasKey $.target $key) -}}
+        {{- $_ := set $local "newTargetValue" $sourceValue -}}
+        {{- if kindIs "map" $sourceValue -}}
+          {{- $copy := dict -}}
+          {{- $call := dict "target" $copy "source" $sourceValue -}}
+          {{- $_ := include "helm-toolkit.utils._merge.shallow" $call -}}
+          {{- $_ := set $local "newTargetValue" $copy -}}
+        {{- end -}}
+      {{- else -}}
+        {{- $targetValue := index $.target $key -}}
+        {{- $call := dict "target" $targetValue "source" $sourceValue "merge_same_named" $.merge_same_named -}}
+        {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+        {{- $_ := set $local "newTargetValue" $call.result -}}
+      {{- end -}}
+      {{- $_ := set $.target $key $local.newTargetValue -}}
+    {{- end -}}
+    {{- $_ := set $ "result" $.target -}}
+  {{- else if and (kindIs "slice" $.target) (kindIs "slice" $.source) -}}
+    {{- $call := dict "target" $.target "source" $.source -}}
+    {{- $_ := include "helm-toolkit.utils._merge.append_slice" $call -}}
+    {{- if $.merge_same_named -}}
+      {{- $_ := set $local "result" list -}}
+      {{- $_ := set $local "named_items" dict -}}
+      {{- range $item := $call.result -}}
+      {{- $_ := set $local "has_name_key" false -}}
+        {{- if kindIs "map" $item -}}
+          {{- if hasKey $item "name" -}}
+            {{- $_ := set $local "has_name_key" true -}}
+          {{- end -}}
+        {{- end -}}
+
+        {{- if $local.has_name_key -}}
+          {{- if hasKey $local.named_items $item.name -}}
+            {{- $named_item := index $local.named_items $item.name -}}
+            {{- $call := dict "target" $named_item "source" $item "merge_same_named" $.merge_same_named -}}
+            {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+          {{- else -}}
+            {{- $copy := dict -}}
+            {{- $copy_call := dict "target" $copy "source" $item -}}
+            {{- $_ := include "helm-toolkit.utils._merge.shallow" $copy_call -}}
+            {{- $_ := set $local.named_items $item.name $copy -}}
+            {{- $_ := set $local "result" (append $local.result $copy) -}}
+          {{- end -}}
+        {{- else -}}
+          {{- $_ := set $local "result" (append $local.result $item) -}}
+        {{- end -}}
+      {{- end -}}
+    {{- else -}}
+      {{- $_ := set $local "result" $call.result -}}
+    {{- end -}}
+    {{- $_ := set $ "result" (uniq $local.result) -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.shallow" -}}
+  {{- range $key, $value := $.source -}}
+    {{- $_ := set $.target $key $value -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.append_slice" -}}
+  {{- $local := dict -}}
+  {{- $_ := set $local "result" $.target -}}
+  {{- range $value := $.source -}}
+    {{- $_ := set $local "result" (append $local.result $value) -}}
+  {{- end -}}
+  {{- $_ := set $ "result" $local.result -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/utils/_template.tpl b/charts/nova/charts/helm-toolkit/templates/utils/_template.tpl
new file mode 100644
index 0000000..da56aa0
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/utils/_template.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.template" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{ include $wtf $context }}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/utils/_to_ini.tpl b/charts/nova/charts/helm-toolkit/templates/utils/_to_ini.tpl
new file mode 100644
index 0000000..a159364
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/utils/_to_ini.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns INI formatted output from yaml input
+values: |
+  conf:
+    paste:
+      filter:debug:
+        use: egg:oslo.middleware#debug
+      filter:request_id:
+        use: egg:oslo.middleware#request_id
+      filter:build_auth_context:
+        use: egg:keystone#build_auth_context
+usage: |
+  {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste }}
+return: |
+  [filter:build_auth_context]
+  use = egg:keystone#build_auth_context
+  [filter:debug]
+  use = egg:oslo.middleware#debug
+  [filter:request_id]
+  use = egg:oslo.middleware#request_id
+*/}}
+
+{{- define "helm-toolkit.utils.to_ini" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{else -}}
+{{ $key }} = {{ $value }}
+{{end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl b/charts/nova/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
new file mode 100644
index 0000000..d66663f
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns yaml formatted to be used in k8s templates as container
+  env vars injected via secrets. This requires a secret-<chartname> template to
+  be defined in the chart that can be used to house the desired secret
+  variables. For reference, see the fluentd chart.
+values: |
+  test:
+    secrets:
+      foo: bar
+
+usage: |
+  {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+  - name: foo
+    valueFrom:
+      secretKeyRef:
+        name: "my-release-name-env-secret"
+        key: foo
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_secret_vars" -}}
+{{- $context := index . 0 -}}
+{{- $secrets := index . 1 -}}
+{{ range $key, $config := $secrets -}}
+- name: {{ $key }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ printf "%s-%s" $context.Chart.Name "env-secret" | quote }}
+      key: {{ $key }}
+{{ end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl b/charts/nova/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
new file mode 100644
index 0000000..829dca6
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
@@ -0,0 +1,39 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns key value pair formatted to be used in k8s templates as container
+  env vars.
+values: |
+  test:
+    foo: bar
+usage: |
+  {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+  - name: foo
+    value: "bar"
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_vars" -}}
+{{range $key, $value := . -}}
+{{- if kindIs "slice" $value -}}
+- name: {{ $key }}
+  value: {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{else -}}
+- name: {{ $key }}
+  value: {{ $value | quote }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/utils/_to_kv_list.tpl b/charts/nova/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
new file mode 100644
index 0000000..91bdeb6
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
@@ -0,0 +1,42 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns key value pair in INI format (key = value)
+values: |
+  conf:
+    libvirt:
+      log_level: 3
+usage: |
+  {{ include "helm-toolkit.utils.to_kv_list" .Values.conf.libvirt }}
+return: |
+  log_level = 3
+*/}}
+
+{{- define "helm-toolkit.utils.to_kv_list" -}}
+{{- range $key, $value :=  . -}}
+{{- if kindIs "slice" $value }}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{- else if kindIs "string" $value }}
+{{- if regexMatch "^[0-9]+$" $value }}
+{{ $key }} = {{ $value }}
+{{- else }}
+{{ $key }} = {{ $value | quote }}
+{{- end }}
+{{- else }}
+{{ $key }} = {{ $value }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl b/charts/nova/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
new file mode 100644
index 0000000..622a862
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns OSLO.conf formatted output from yaml input
+values: |
+  conf:
+    keystone:
+      DEFAULT: # Keys at this level are used for section headings
+        max_token_size: 255
+      oslo_messaging_notifications:
+        driver: # An example of a multistring option's syntax
+          type: multistring
+          values:
+            - messagingv2
+            - log
+      oslo_messaging_notifications_stein:
+        driver: # An example of a csv option's syntax
+          type: csv
+          values:
+            - messagingv2
+            - log
+      security_compliance:
+        password_expires_ignore_user_ids:
+        # Values in a list will be converted to a comma separated key
+          - "123"
+          - "456"
+usage: |
+  {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.keystone }}
+return: |
+  [DEFAULT]
+  max_token_size = 255
+  [oslo_messaging_notifications]
+  driver = messagingv2
+  driver = log
+  [oslo_messaging_notifications_stein]
+  driver = messagingv2,log
+  [security_compliance]
+  password_expires_ignore_user_ids = 123,456
+*/}}
+
+{{- define "helm-toolkit.utils.to_oslo_conf" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{ range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{ else if kindIs "map" $value -}}
+{{- if eq $value.type "multistring" }}
+{{- range $k, $multistringValue := $value.values -}}
+{{ $key }} = {{ $multistringValue }}
+{{ end -}}
+{{ else if eq $value.type "csv" -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value.values }}
+{{ end -}}
+{{- else -}}
+{{ $key }} = {{ $value }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/values.yaml b/charts/nova/charts/helm-toolkit/values.yaml
new file mode 100644
index 0000000..681a92b
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/values.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for utils.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
diff --git a/charts/nova/requirements.lock b/charts/nova/requirements.lock
new file mode 100644
index 0000000..159c53a
--- /dev/null
+++ b/charts/nova/requirements.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: helm-toolkit
+  repository: file://../../openstack-helm-infra/helm-toolkit
+  version: 0.2.38
+digest: sha256:5e8c9ccd0834d092abdcf29f1a6d79c906d4aa9f61c375d617f69a342c40747f
+generated: "2022-03-25T19:12:55.919908558Z"
diff --git a/charts/nova/requirements.yaml b/charts/nova/requirements.yaml
new file mode 100644
index 0000000..4124d01
--- /dev/null
+++ b/charts/nova/requirements.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+  - name: helm-toolkit
+    repository: file://../../openstack-helm-infra/helm-toolkit
+    version: ">= 0.1.0"
diff --git a/charts/nova/templates/bin/_bootstrap.sh.tpl b/charts/nova/templates/bin/_bootstrap.sh.tpl
new file mode 100644
index 0000000..9cb48b1
--- /dev/null
+++ b/charts/nova/templates/bin/_bootstrap.sh.tpl
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+export HOME=/tmp
+
+{{ if .Values.bootstrap.structured.flavors.enabled }}
+{{ range .Values.bootstrap.structured.flavors.options }}
+# NOTE(aostapenko) Since Wallaby with switch of osc to sdk '--id auto' is no
+# longer treated specially. Though the same behavior can be achieved w/o specifying
+#--id flag.
+# https://review.opendev.org/c/openstack/python-openstackclient/+/750151
+{
+  openstack flavor show {{ .name }} || \
+   openstack flavor create {{ .name }} \
+{{ if .id }} \
+   --id {{ .id }} \
+{{ end }} \
+   --ram {{ .ram }} \
+   --disk {{ .disk }} \
+   --vcpus {{ .vcpus }}
+} &
+{{ end }}
+wait
+{{ end }}
+
+{{ if .Values.bootstrap.wait_for_computes.enabled }}
+{{ .Values.bootstrap.wait_for_computes.scripts.wait_script }}
+{{ else }}
+echo 'Wait for Computes script not enabled'
+{{ end }}
+
+{{ .Values.bootstrap.script | default "echo 'No other bootstrap customizations found.'" }}
diff --git a/charts/nova/templates/bin/_cell-setup-init.sh.tpl b/charts/nova/templates/bin/_cell-setup-init.sh.tpl
new file mode 100644
index 0000000..9535085
--- /dev/null
+++ b/charts/nova/templates/bin/_cell-setup-init.sh.tpl
@@ -0,0 +1,71 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+{{- if .Values.jobs.cell_setup.extended_wait.enabled }}
+iteration={{ .Values.jobs.cell_setup.extended_wait.iteration }}
+duration={{ .Values.jobs.cell_setup.extended_wait.duration }}
+extra_wait=true
+# Init for case wait_for_computes is not enabled. It'll have
+# the same effect as the original code that checks for at
+# least one compute is registered
+expected_computes=1
+
+if [[ -f /tmp/compute_nodes.txt ]]
+then
+  expected_computes=$(cat /tmp/compute_nodes.txt | wc -w)
+fi
+
+while [[ "$extra_wait" == true ]]
+do
+  nova_computes=$(openstack compute service list --service nova-compute -f value -c State)
+
+  if [[ -z "$(echo $nova_computes | grep down)" ]]
+  then
+    # No more down. Although all present computes are up,
+    # the number of present computes may not be the total
+    # expected number of computes as some of the remaining
+    # computes may take a bit longer to register/join.
+    actual_computes=$(echo $nova_computes | wc -w)
+    if [[ "$actual_computes" -ge "$expected_computes" ]]
+    then
+      # All expected nodes are up
+      extra_wait=false
+    fi
+  fi
+
+  if [[ "$extra_wait" == true ]]
+  then
+    sleep "$duration"
+
+    if [[ "$iteration" -gt 1 ]]
+    then
+      ((iteration=iteration-1))
+    else
+      extra_wait=false
+
+      # List out the info to see whether any nodes is still down
+      openstack compute service list --service nova-compute
+    fi
+  fi
+done
+{{- end }}
+
+until openstack compute service list --service nova-compute -f value -c State | grep -q "^up$" ;do
+  echo "Waiting for Nova Compute processes to register"
+  sleep 10
+done
diff --git a/charts/nova/templates/bin/_cell-setup.sh.tpl b/charts/nova/templates/bin/_cell-setup.sh.tpl
new file mode 100644
index 0000000..45c9771
--- /dev/null
+++ b/charts/nova/templates/bin/_cell-setup.sh.tpl
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+NOVA_VERSION=$(nova-manage --version 2>&1 | grep -Eo '[0-9]+[.][0-9]+[.][0-9]+')
+
+# NOTE(portdirect): check if nova fully supports cells v2, and manage
+# accordingly. Support was complete in ocata (V14.x.x).
+
+if [ "${NOVA_VERSION%%.*}" -gt "14" ]; then
+  nova-manage cell_v2 discover_hosts --verbose
+fi
diff --git a/charts/nova/templates/bin/_ceph-admin-keyring.sh.tpl b/charts/nova/templates/bin/_ceph-admin-keyring.sh.tpl
new file mode 100644
index 0000000..8c36d4b
--- /dev/null
+++ b/charts/nova/templates/bin/_ceph-admin-keyring.sh.tpl
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+export HOME=/tmp
+
+cat > /etc/ceph/ceph.client.admin.keyring << EOF
+[client.admin]
+{{- if .Values.conf.ceph.admin_keyring }}
+    key = {{ .Values.conf.ceph.admin_keyring }}
+{{- else }}
+    key = $(cat /tmp/client-keyring)
+{{- end }}
+EOF
+
+exit 0
diff --git a/charts/nova/templates/bin/_ceph-keyring.sh.tpl b/charts/nova/templates/bin/_ceph-keyring.sh.tpl
new file mode 100644
index 0000000..b9237e8
--- /dev/null
+++ b/charts/nova/templates/bin/_ceph-keyring.sh.tpl
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+export HOME=/tmp
+
+cp -vf /etc/ceph/ceph.conf.template /etc/ceph/ceph.conf
+
+KEYRING=/etc/ceph/ceph.client.${CEPH_CINDER_USER}.keyring
+{{- if .Values.conf.ceph.cinder.keyring }}
+cat > ${KEYRING} <<EOF
+[client.{{ .Values.conf.ceph.cinder.user }}]
+    key = {{ .Values.conf.ceph.cinder.keyring }}
+EOF
+{{- else }}
+if ! [ "x${CEPH_CINDER_USER}" == "xadmin" ]; then
+  #
+  # If user is not client.admin, check if it already exists. If not create
+  # the user. If the cephx user does not exist make sure the caps are set
+  # according to best practices
+  #
+  if USERINFO=$(ceph auth get client.${CEPH_CINDER_USER}); then
+    echo "Cephx user client.${CEPH_CINDER_USER} already exist"
+    echo "Update user client.${CEPH_CINDER_USER} caps"
+    ceph auth caps client.${CEPH_CINDER_USER} \
+       mon "profile rbd" \
+       osd "profile rbd"
+    ceph auth get client.${CEPH_CINDER_USER} -o ${KEYRING}
+  else
+    echo "Creating Cephx user client.${CEPH_CINDER_USER}"
+    ceph auth get-or-create client.${CEPH_CINDER_USER} \
+      mon "profile rbd" \
+      osd "profile rbd" \
+      -o ${KEYRING}
+  fi
+  rm -f /etc/ceph/ceph.client.admin.keyring
+fi
+{{- end }}
diff --git a/charts/nova/templates/bin/_db-archive-deleted-row.sh.tpl b/charts/nova/templates/bin/_db-archive-deleted-row.sh.tpl
new file mode 100644
index 0000000..a4b986b
--- /dev/null
+++ b/charts/nova/templates/bin/_db-archive-deleted-row.sh.tpl
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+exec nova-manage db archive_deleted_rows \
+{{- if .Values.conf.archive_deleted_rows.until_completion }}
+   --until-complete \
+{{- end}}
+{{- if .Values.conf.archive_deleted_rows.purge_delete_rows }}
+   --purge \
+{{- end }}
+{{- if .Values.conf.archive_deleted_rows.all_cells }}
+   --all-cells \
+{{- end}}
+{{- if .Values.conf.archive_deleted_rows.max_rows.enabled }}
+   --max_rows {{ .Values.conf.archive_deleted_rows.max_rows.rows }} \
+{{- end }}
+{{- if .Values.conf.archive_deleted_rows.before.enabled }}
+   --before "{{ .Values.conf.archive_deleted_rows.before.date }}" \
+{{- end }}
+   --verbose
diff --git a/charts/nova/templates/bin/_db-sync.sh.tpl b/charts/nova/templates/bin/_db-sync.sh.tpl
new file mode 100644
index 0000000..e688238
--- /dev/null
+++ b/charts/nova/templates/bin/_db-sync.sh.tpl
@@ -0,0 +1,68 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+NOVA_VERSION=$(nova-manage --version 2>&1 | grep -Eo '[0-9]+[.][0-9]+[.][0-9]+')
+
+function manage_cells () {
+  # NOTE(portdirect): check if nova fully supports cells v2, and manage
+  # accordingly. Support was complete in ocata (V14.x.x).
+  if [ "${NOVA_VERSION%%.*}" -gt "14" ]; then
+    nova-manage cell_v2 map_cell0
+    nova-manage cell_v2 list_cells | grep -q " cell1 " || \
+      nova-manage cell_v2 create_cell --name=cell1 --verbose
+
+    CELL0_ID=$(nova-manage cell_v2 list_cells | awk -F '|' '/ cell0 / { print $3 }' | tr -d ' ')
+    CELL1_ID=$(nova-manage cell_v2 list_cells | awk -F '|' '/ cell1 / { print $3 }' | tr -d ' ')
+    set +x
+
+    CELL0_TRANSPORT=$(nova-manage cell_v2 list_cells | awk -F '|' '/ cell0 / { print $4 }' | tr -d ' ')
+    if [ -z "${DB_CONNECTION_CELL0}" ]; then
+      echo "ERROR: missing DB_CONNECTION_CELL0"
+      exit 1
+    fi
+    nova-manage cell_v2 update_cell \
+      --cell_uuid="${CELL0_ID}" \
+      --name="cell0" \
+      --transport-url="${CELL0_TRANSPORT}" \
+      --database_connection="${DB_CONNECTION_CELL0}"
+
+    for VAR in TRANSPORT_URL DB_CONNECTION; do
+      if [ -z "${!VAR}" ]; then
+        echo "ERROR: missing $VAR variable"
+        exit 1
+      fi
+    done
+    nova-manage cell_v2 update_cell \
+      --cell_uuid="${CELL1_ID}" \
+      --name="cell1" \
+      --transport-url="${TRANSPORT_URL}" \
+      --database_connection="${DB_CONNECTION}"
+    set -x
+  fi
+}
+
+# NOTE(aostapenko) Starting Wallaby nova-manage api_db version returns init version for empty database
+# greater than 0 # https://opendev.org/openstack/nova/src/branch/stable/wallaby/nova/db/sqlalchemy/migration.py#L32
+# thus logic prior to this commit does not work. We need to either remove or justify and alter previous logic.
+nova-manage api_db sync
+manage_cells
+
+nova-manage db sync
+
+nova-manage db online_data_migrations
+
+echo 'Finished DB migrations'
diff --git a/charts/nova/templates/bin/_fake-iptables.sh.tpl b/charts/nova/templates/bin/_fake-iptables.sh.tpl
new file mode 100644
index 0000000..78cbd46
--- /dev/null
+++ b/charts/nova/templates/bin/_fake-iptables.sh.tpl
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+exit 0
diff --git a/charts/nova/templates/bin/_health-probe.py.tpl b/charts/nova/templates/bin/_health-probe.py.tpl
new file mode 100644
index 0000000..0185319
--- /dev/null
+++ b/charts/nova/templates/bin/_health-probe.py.tpl
@@ -0,0 +1,259 @@
+#!/usr/bin/env python
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""
+Health probe script for OpenStack service that uses RPC/unix domain socket for
+communication. Check's the RPC tcp socket status on the process and send
+message to service through rpc call method and expects a reply.
+Use nova's ping method that is designed just for such simple purpose.
+
+Script returns failure to Kubernetes only when
+  a. TCP socket for the RPC communication are not established.
+  b. service is not reachable or
+  c. service times out sending a reply.
+
+sys.stderr.write() writes to pod's events on failures.
+
+Usage example for Nova Compute:
+# python health-probe.py --config-file /etc/nova/nova.conf \
+#  --service-queue-name compute
+
+"""
+
+import json
+import os
+import psutil
+import signal
+import socket
+import sys
+
+from oslo_config import cfg
+from oslo_context import context
+from oslo_log import log
+import oslo_messaging
+
+rpc_timeout = int(os.getenv('RPC_PROBE_TIMEOUT', '60'))
+rpc_retries = int(os.getenv('RPC_PROBE_RETRIES', '2'))
+
+tcp_established = "ESTABLISHED"
+
+
+def _get_hostname(topic, use_fqdn):
+    if use_fqdn and topic == "compute":
+        return socket.getfqdn()
+    return socket.gethostname()
+
+
+def check_service_status(transport):
+    """Verify service status. Return success if service consumes message"""
+    try:
+        service_queue_name = cfg.CONF.service_queue_name
+        use_fqdn = cfg.CONF.use_fqdn
+        target = oslo_messaging.Target(
+            topic=service_queue_name,
+            server=_get_hostname(service_queue_name, use_fqdn),
+            namespace='baseapi',
+            version="1.1")
+        client = oslo_messaging.RPCClient(transport, target,
+                                          timeout=rpc_timeout,
+                                          retry=rpc_retries)
+        client.call(context.RequestContext(),
+                    'ping',
+                    arg=None)
+    except oslo_messaging.exceptions.MessageDeliveryFailure:
+        # Log to pod events
+        sys.stderr.write("Health probe unable to reach message bus")
+        sys.exit(0)  # return success
+    except oslo_messaging.rpc.client.RemoteError as re:
+        message = getattr(re, "message", str(re))
+        if ("Endpoint does not support RPC method" in message) or \
+                ("Endpoint does not support RPC version" in message):
+            sys.exit(0)  # Call reached the service
+        else:
+            sys.stderr.write("Health probe unable to reach service")
+            sys.exit(1)  # return failure
+    except oslo_messaging.exceptions.MessagingTimeout:
+        sys.stderr.write("Health probe timed out. Agent is down or response "
+                         "timed out")
+        sys.exit(1)  # return failure
+    except Exception as ex:
+        message = getattr(ex, "message", str(ex))
+        sys.stderr.write("Health probe caught exception sending message to "
+                         "service: %s" % message)
+        sys.exit(0)
+    except:
+        sys.stderr.write("Health probe caught exception sending message to"
+                         " service")
+        sys.exit(0)
+
+
+def tcp_socket_status(process, ports):
+    """Check the tcp socket status on a process"""
+    for p in psutil.process_iter():
+        try:
+            with p.oneshot():
+                if process in " ".join(p.cmdline()):
+                    pcon = p.connections()
+                    for con in pcon:
+                        try:
+                            rport = con.raddr[1]
+                            status = con.status
+                        except IndexError:
+                            continue
+                        if rport in ports and status == tcp_established:
+                            return 1
+        except psutil.Error:
+            continue
+    return 0
+
+
+def configured_port_in_conf():
+    """Get the rabbitmq/Database port configured in config file"""
+
+    rabbit_ports = set()
+    database_ports = set()
+
+    try:
+        transport_url = oslo_messaging.TransportURL.parse(cfg.CONF)
+        for host in transport_url.hosts:
+            rabbit_ports.add(host.port)
+    except Exception as ex:
+        message = getattr(ex, "message", str(ex))
+        sys.stderr.write("Health probe caught exception reading "
+                         "RabbitMQ ports: %s" % message)
+        sys.exit(0)  # return success
+
+    try:
+        with open(sys.argv[2]) as conf_file:
+            for line in conf_file:
+                if "connection =" in line:
+                    service = line.split(':', 3)[3].split('/')[1].rstrip('\n')
+                    if service == "nova":
+                        database_ports.add(
+                            int(line.split(':', 3)[3].split('/')[0]))
+    except IOError:
+        sys.stderr.write("Nova Config file not present")
+        sys.exit(1)
+
+    return rabbit_ports, database_ports
+
+
+def test_tcp_socket(service):
+    """Check tcp socket to rabbitmq/db is in Established state"""
+    dict_services = {
+        "compute": "nova-compute",
+        "conductor": "nova-conductor",
+        "consoleauth": "nova-consoleaut",
+        "scheduler": "nova-scheduler"
+    }
+    r_ports, d_ports = configured_port_in_conf()
+
+    if service in dict_services:
+        proc = dict_services[service]
+        transport = oslo_messaging.TransportURL.parse(cfg.CONF)
+        if r_ports and tcp_socket_status(proc, r_ports) == 0:
+            sys.stderr.write("RabbitMQ socket not established for service "
+                             "%s with transport %s" % (proc, transport))
+            # Do not kill the pod if RabbitMQ is not reachable/down
+            if not cfg.CONF.liveness_probe:
+                sys.exit(1)
+
+        # let's do the db check
+        if service != "compute":
+            if d_ports and tcp_socket_status(proc, d_ports) == 0:
+                sys.stderr.write("Database socket not established for service "
+                                 "%s with transport %s" % (proc, transport))
+                # Do not kill the pod if database is not reachable/down
+                # there could be no socket as well as typically connections
+                # get closed after an idle timeout
+                # Just log it to pod events
+                if not cfg.CONF.liveness_probe:
+                    sys.exit(1)
+
+
+def test_rpc_liveness():
+    """Test if service can consume message from queue"""
+    oslo_messaging.set_transport_defaults(control_exchange='nova')
+
+    rabbit_group = cfg.OptGroup(name='oslo_messaging_rabbit',
+                                title='RabbitMQ options')
+    cfg.CONF.register_group(rabbit_group)
+    cfg.CONF.register_cli_opt(cfg.StrOpt('service-queue-name'))
+    cfg.CONF.register_cli_opt(cfg.BoolOpt('liveness-probe', default=False,
+                                          required=False))
+    cfg.CONF.register_cli_opt(cfg.BoolOpt('use-fqdn', default=False,
+                                          required=False))
+
+    cfg.CONF(sys.argv[1:])
+
+    log.logging.basicConfig(level=log.{{ .Values.health_probe.logging.level }})
+
+    try:
+        transport = oslo_messaging.get_notification_transport(cfg.CONF)
+    except Exception as ex:
+        message = getattr(ex, "message", str(ex))
+        sys.stderr.write("Message bus driver load error: %s" % message)
+        sys.exit(0)  # return success
+
+    if not cfg.CONF.transport_url or \
+            not cfg.CONF.service_queue_name:
+        sys.stderr.write("Both message bus URL and service's queue name are "
+                         "required for health probe to work")
+        sys.exit(0)  # return success
+
+    try:
+        cfg.CONF.set_override('rabbit_max_retries', 2,
+                              group=rabbit_group)  # 3 attempts
+    except cfg.NoSuchOptError as ex:
+        cfg.CONF.register_opt(cfg.IntOpt('rabbit_max_retries', default=2),
+                              group=rabbit_group)
+
+    service = cfg.CONF.service_queue_name
+    test_tcp_socket(service)
+
+    check_service_status(transport)
+
+def check_pid_running(pid):
+    if psutil.pid_exists(int(pid)):
+       return True
+    else:
+       return False
+
+if __name__ == "__main__":
+
+    if "liveness-probe" in ','.join(sys.argv):
+        pidfile = "/tmp/liveness.pid"  #nosec
+    else:
+        pidfile = "/tmp/readiness.pid"  #nosec
+    data = {}
+    if os.path.isfile(pidfile):
+        with open(pidfile,'r') as f:
+            data = json.load(f)
+        if check_pid_running(data['pid']):
+            if data['exit_count'] > 1:
+                # Third time in, kill the previous process
+                os.kill(int(data['pid']), signal.SIGTERM)
+            else:
+                data['exit_count'] = data['exit_count'] + 1
+                with open(pidfile, 'w') as f:
+                    json.dump(data, f)
+                sys.exit(0)
+    data['pid'] = os.getpid()
+    data['exit_count'] = 0
+    with open(pidfile, 'w') as f:
+        json.dump(data, f)
+
+    test_rpc_liveness()
+
+    sys.exit(0)  # return success
diff --git a/charts/nova/templates/bin/_iscsiadm.tpl b/charts/nova/templates/bin/_iscsiadm.tpl
new file mode 100644
index 0000000..edb5017
--- /dev/null
+++ b/charts/nova/templates/bin/_iscsiadm.tpl
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+{{/*
+Copyright 2020 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+chroot /mnt/host-rootfs /usr/bin/env -i PATH="/sbin:/bin:/usr/bin" \
+      iscsiadm "${@:1}"
diff --git a/charts/nova/templates/bin/_multipath.tpl b/charts/nova/templates/bin/_multipath.tpl
new file mode 100644
index 0000000..7f84c9c
--- /dev/null
+++ b/charts/nova/templates/bin/_multipath.tpl
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+chroot /mnt/host-rootfs /usr/bin/env -i PATH="/sbin:/bin:/usr/bin" \
+      multipath "${@:1}"
diff --git a/charts/nova/templates/bin/_multipathd.tpl b/charts/nova/templates/bin/_multipathd.tpl
new file mode 100644
index 0000000..a9ff34a
--- /dev/null
+++ b/charts/nova/templates/bin/_multipathd.tpl
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+chroot /mnt/host-rootfs /usr/bin/env -i PATH="/sbin:/bin:/usr/bin" \
+      multipathd "${@:1}"
diff --git a/charts/nova/templates/bin/_nova-api-metadata-init.sh.tpl b/charts/nova/templates/bin/_nova-api-metadata-init.sh.tpl
new file mode 100644
index 0000000..84f1c80
--- /dev/null
+++ b/charts/nova/templates/bin/_nova-api-metadata-init.sh.tpl
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+metadata_ip="{{- .Values.endpoints.compute_metadata.ip.ingress -}}"
+if [ -z "${metadata_ip}" ] ; then
+    metadata_ip=$(getent hosts metadata | awk '{print $1}')
+fi
+
+cat <<EOF>/tmp/pod-shared/nova-api-metadata.ini
+[DEFAULT]
+metadata_host=$metadata_ip
+EOF
diff --git a/charts/nova/templates/bin/_nova-api-metadata.sh.tpl b/charts/nova/templates/bin/_nova-api-metadata.sh.tpl
new file mode 100644
index 0000000..18195f2
--- /dev/null
+++ b/charts/nova/templates/bin/_nova-api-metadata.sh.tpl
@@ -0,0 +1,68 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+{{- if .Values.manifests.certificates }}
+  for WSGI_SCRIPT in nova-metadata-wsgi; do
+    cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/nova/
+  done
+
+  if [ -f /etc/apache2/envvars ]; then
+    # Loading Apache2 ENV variables
+    source /etc/apache2/envvars
+    mkdir -p ${APACHE_RUN_DIR}
+  fi
+
+{{- if .Values.conf.software.apache2.a2enmod }}
+  {{- range .Values.conf.software.apache2.a2enmod }}
+  a2enmod {{ . }}
+  {{- end }}
+{{- end }}
+
+{{- if .Values.conf.software.apache2.a2dismod }}
+  {{- range .Values.conf.software.apache2.a2dismod }}
+  a2dismod {{ . }}
+  {{- end }}
+{{- end }}
+
+  if [ -f /var/run/apache2/apache2.pid ]; then
+    # Remove the stale pid for debian/ubuntu images
+    rm -f /var/run/apache2/apache2.pid
+  fi
+  # Starts Apache2
+  exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
+{{- else }}
+  exec nova-api-metadata \
+        --config-file /etc/nova/nova.conf \
+        --config-file /tmp/pod-shared/nova-api-metadata.ini
+{{- end }}
+}
+
+function stop () {
+{{- if .Values.manifests.certificates }}
+  if [ -f /etc/apache2/envvars ]; then
+    source /etc/apache2/envvars
+  fi
+  {{ .Values.conf.software.apache2.binary }} -k graceful-stop
+{{- else }}
+  kill -TERM 1
+{{- end }}
+}
+
+$COMMAND
diff --git a/charts/nova/templates/bin/_nova-api.sh.tpl b/charts/nova/templates/bin/_nova-api.sh.tpl
new file mode 100644
index 0000000..c62de9a
--- /dev/null
+++ b/charts/nova/templates/bin/_nova-api.sh.tpl
@@ -0,0 +1,68 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+{{- if .Values.manifests.certificates }}
+  for WSGI_SCRIPT in nova-api-wsgi; do
+    cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/nova/
+  done
+
+  if [ -f /etc/apache2/envvars ]; then
+    # Loading Apache2 ENV variables
+    source /etc/apache2/envvars
+    mkdir -p ${APACHE_RUN_DIR}
+  fi
+
+{{- if .Values.conf.software.apache2.a2enmod }}
+  {{- range .Values.conf.software.apache2.a2enmod }}
+  a2enmod {{ . }}
+  {{- end }}
+{{- end }}
+
+{{- if .Values.conf.software.apache2.a2dismod }}
+  {{- range .Values.conf.software.apache2.a2dismod }}
+  a2dismod {{ . }}
+  {{- end }}
+{{- end }}
+
+
+  if [ -f /var/run/apache2/apache2.pid ]; then
+    # Remove the stale pid for debian/ubuntu images
+    rm -f /var/run/apache2/apache2.pid
+  fi
+  # Starts Apache2
+  exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
+{{- else }}
+  exec nova-api-os-compute \
+        --config-file /etc/nova/nova.conf
+{{- end }}
+}
+
+function stop () {
+{{- if .Values.manifests.certificates }}
+  if [ -f /etc/apache2/envvars ]; then
+    source /etc/apache2/envvars
+  fi
+  {{ .Values.conf.software.apache2.binary }} -k graceful-stop
+{{- else }}
+  kill -TERM 1
+{{- end }}
+}
+
+$COMMAND
diff --git a/charts/nova/templates/bin/_nova-compute-init.sh.tpl b/charts/nova/templates/bin/_nova-compute-init.sh.tpl
new file mode 100644
index 0000000..0636b69
--- /dev/null
+++ b/charts/nova/templates/bin/_nova-compute-init.sh.tpl
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+# Make the Nova Instances Dir as this is not autocreated.
+mkdir -p /var/lib/nova/instances
+
+# Set Ownership of nova dirs to the nova user
+chown ${NOVA_USER_UID} /var/lib/nova /var/lib/nova/instances
+
+migration_interface="{{- .Values.conf.libvirt.live_migration_interface -}}"
+if [[ -n $migration_interface ]]; then
+    # determine ip dynamically based on interface provided
+    migration_address=$(ip a s $migration_interface | grep 'inet ' | awk '{print $2}' | awk -F "/" '{print $1}' | head -1)
+fi
+
+touch /tmp/pod-shared/nova-libvirt.conf
+if [[ -n $migration_address ]]; then
+cat <<EOF>/tmp/pod-shared/nova-libvirt.conf
+[libvirt]
+live_migration_inbound_addr = $migration_address
+EOF
+fi
+
+hypervisor_interface="{{- .Values.conf.hypervisor.host_interface -}}"
+if [[ -z $hypervisor_interface ]]; then
+    # search for interface with default routing
+    # If there is not default gateway, exit
+    hypervisor_interface=$(ip -4 route list 0/0 | awk -F 'dev' '{ print $2; exit }' | awk '{ print $1 }') || exit 1
+fi
+
+hypervisor_address=$(ip a s $hypervisor_interface | grep 'inet ' | awk '{print $2}' | awk -F "/" '{print $1}' | head -1)
+
+if [ -z "${hypervisor_address}" ] ; then
+  echo "Var my_ip is empty"
+  exit 1
+fi
+
+tee > /tmp/pod-shared/nova-hypervisor.conf << EOF
+[DEFAULT]
+my_ip  = $hypervisor_address
+EOF
+
+{{- if and ( empty .Values.conf.nova.DEFAULT.host ) ( .Values.pod.use_fqdn.compute ) }}
+tee > /tmp/pod-shared/nova-compute-fqdn.conf << EOF
+[DEFAULT]
+host = $(hostname --fqdn)
+EOF
+{{- end }}
diff --git a/charts/nova/templates/bin/_nova-compute-ironic.sh.tpl b/charts/nova/templates/bin/_nova-compute-ironic.sh.tpl
new file mode 100644
index 0000000..a22cbcf
--- /dev/null
+++ b/charts/nova/templates/bin/_nova-compute-ironic.sh.tpl
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+exec nova-compute \
+      --config-file /etc/nova/nova.conf \
+      --config-file /etc/nova/nova-ironic.conf
diff --git a/charts/nova/templates/bin/_nova-compute.sh.tpl b/charts/nova/templates/bin/_nova-compute.sh.tpl
new file mode 100644
index 0000000..23ce347
--- /dev/null
+++ b/charts/nova/templates/bin/_nova-compute.sh.tpl
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+exec nova-compute \
+      --config-file /etc/nova/nova.conf \
+      --config-file /tmp/pod-shared/nova-console.conf \
+      --config-file /tmp/pod-shared/nova-libvirt.conf \
+{{- if and ( empty .Values.conf.nova.DEFAULT.host ) ( .Values.pod.use_fqdn.compute ) }}
+      --config-file /tmp/pod-shared/nova-compute-fqdn.conf \
+{{- end }}
+      --config-file /tmp/pod-shared/nova-hypervisor.conf
diff --git a/charts/nova/templates/bin/_nova-conductor.sh.tpl b/charts/nova/templates/bin/_nova-conductor.sh.tpl
new file mode 100644
index 0000000..0f7d5b1
--- /dev/null
+++ b/charts/nova/templates/bin/_nova-conductor.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -x
+exec nova-conductor \
+      --config-file /etc/nova/nova.conf
diff --git a/charts/nova/templates/bin/_nova-console-compute-init.sh.tpl b/charts/nova/templates/bin/_nova-console-compute-init.sh.tpl
new file mode 100644
index 0000000..6718fab
--- /dev/null
+++ b/charts/nova/templates/bin/_nova-console-compute-init.sh.tpl
@@ -0,0 +1,64 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+console_kind="{{- .Values.console.console_kind -}}"
+
+if [ "${console_kind}" == "novnc" ] ; then
+    client_address="{{- .Values.conf.nova.vnc.server_proxyclient_address -}}"
+    client_interface="{{- .Values.console.novnc.compute.vncserver_proxyclient_interface -}}"
+    listen_ip="{{- .Values.conf.nova.vnc.server_listen -}}"
+elif [ "${console_kind}" == "spice" ] ; then
+    client_address="{{- .Values.conf.nova.spice.server_proxyclient_address -}}"
+    client_interface="{{- .Values.console.spice.compute.server_proxyclient_interface -}}"
+    listen_ip="{{- .Values.conf.nova.spice.server_listen -}}"
+fi
+
+if [ -z "${client_address}" ] ; then
+    if [ -z "${client_interface}" ] ; then
+        if  [ -x "$(command -v route)" ] ; then
+            # search for interface with default routing, if multiple default routes exist then select the one with the lowest metric.
+            client_interface=$(route -n | awk '/^0.0.0.0/ { print $5 " " $NF }' | sort | awk '{ print $NF; exit }')
+        else
+            client_interface=$(ip r | grep default | awk '{print $5}')
+        fi
+    fi
+
+    # determine client ip dynamically based on interface provided
+    client_address=$(ip a s $client_interface | grep 'inet ' | awk '{print $2}' | awk -F "/" '{print $1}' | head -n 1)
+fi
+
+if [ -z "${listen_ip}" ] ; then
+    # The server component listens on all IP addresses and the proxy component
+    # only listens on the management interface IP address of the compute node.
+    listen_ip=0.0.0.0
+fi
+
+touch /tmp/pod-shared/nova-console.conf
+if [ "${console_kind}" == "novnc" ] ; then
+  cat > /tmp/pod-shared/nova-console.conf <<EOF
+[vnc]
+server_proxyclient_address = $client_address
+vncserver_listen = $listen_ip
+EOF
+elif [ "${console_kind}" == "spice" ] ; then
+  cat > /tmp/pod-shared/nova-console.conf <<EOF
+[spice]
+server_proxyclient_address = $client_address
+server_listen = $listen_ip
+EOF
+fi
diff --git a/charts/nova/templates/bin/_nova-console-proxy-init-assets.sh.tpl b/charts/nova/templates/bin/_nova-console-proxy-init-assets.sh.tpl
new file mode 100644
index 0000000..84652eb
--- /dev/null
+++ b/charts/nova/templates/bin/_nova-console-proxy-init-assets.sh.tpl
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+console_kind="{{- .Values.console.console_kind -}}"
+if [ "${console_kind}" == "novnc" ] ; then
+    cp -vaRf /usr/share/novnc/* /tmp/usr/share/novnc/
+elif [ "${console_kind}" == "spice" ] ; then
+    cp -vaRf /usr/share/spice-html5/* /tmp/usr/share/spice-html5/
+fi
diff --git a/charts/nova/templates/bin/_nova-console-proxy-init.sh.tpl b/charts/nova/templates/bin/_nova-console-proxy-init.sh.tpl
new file mode 100644
index 0000000..6218d29
--- /dev/null
+++ b/charts/nova/templates/bin/_nova-console-proxy-init.sh.tpl
@@ -0,0 +1,61 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+console_kind="{{- .Values.console.console_kind -}}"
+
+if [ "${console_kind}" == "novnc" ] ; then
+    client_address="{{- .Values.conf.nova.vnc.vncserver_proxyclient_address -}}"
+    client_interface="{{- .Values.console.novnc.vncproxy.vncserver_proxyclient_interface -}}"
+    listen_ip="{{- .Values.conf.nova.vnc.vncserver_listen -}}"
+elif [ "${console_kind}" == "spice" ] ; then
+    client_address="{{- .Values.conf.nova.spice.server_proxyclient_address -}}"
+    client_interface="{{- .Values.console.spice.proxy.server_proxyclient_interface -}}"
+    listen_ip="{{- .Values.conf.nova.spice.server_listen -}}"
+fi
+
+if [ -z "${client_address}" ] ; then
+    if [ -z "${client_interface}" ] ; then
+        if  [ -x "$(command -v route)" ] ; then
+            # search for interface with default routing, if multiple default routes exist then select the one with the lowest metric.
+            client_interface=$(route -n | awk '/^0.0.0.0/ { print $5 " " $NF }' | sort | awk '{ print $NF; exit }')
+        else
+            client_interface=$(ip r | grep default | awk '{print $5}')
+        fi
+    fi
+
+    # determine client ip dynamically based on interface provided
+    client_address=$(ip a s $client_interface | grep 'inet ' | awk '{print $2}' | awk -F "/" '{print $1}' | head -n 1)
+fi
+
+if [ -z "${listen_ip}" ] ; then
+    listen_ip=$client_address
+fi
+
+if [ "${console_kind}" == "novnc" ] ; then
+cat <<EOF>/tmp/pod-shared/nova-vnc.ini
+[vnc]
+vncserver_proxyclient_address = $client_address
+vncserver_listen = $listen_ip
+EOF
+elif [ "${console_kind}" == "spice" ] ; then
+cat <<EOF>/tmp/pod-shared/nova-spice.ini
+[spice]
+server_proxyclient_address = $client_address
+server_listen = $listen_ip
+EOF
+fi
diff --git a/charts/nova/templates/bin/_nova-console-proxy.sh.tpl b/charts/nova/templates/bin/_nova-console-proxy.sh.tpl
new file mode 100644
index 0000000..253a053
--- /dev/null
+++ b/charts/nova/templates/bin/_nova-console-proxy.sh.tpl
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -x
+
+console_kind="{{- .Values.console.console_kind -}}"
+if [ "${console_kind}" == "novnc" ] ; then
+    exec nova-novncproxy \
+        --config-file /etc/nova/nova.conf \
+        --config-file /tmp/pod-shared/nova-vnc.ini
+elif [ "${console_kind}" == "spice" ] ; then
+    exec nova-spicehtml5proxy\
+        --config-file /etc/nova/nova.conf \
+        --config-file /tmp/pod-shared/nova-spice.ini
+fi
\ No newline at end of file
diff --git a/charts/nova/templates/bin/_nova-consoleauth.sh.tpl b/charts/nova/templates/bin/_nova-consoleauth.sh.tpl
new file mode 100644
index 0000000..97c4195
--- /dev/null
+++ b/charts/nova/templates/bin/_nova-consoleauth.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -x
+exec nova-consoleauth \
+      --config-file /etc/nova/nova.conf
diff --git a/charts/nova/templates/bin/_nova-placement-api.sh.tpl b/charts/nova/templates/bin/_nova-placement-api.sh.tpl
new file mode 100644
index 0000000..762af44
--- /dev/null
+++ b/charts/nova/templates/bin/_nova-placement-api.sh.tpl
@@ -0,0 +1,55 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+
+  cp -a $(type -p nova-placement-api) /var/www/cgi-bin/nova/
+
+  if [ -f /etc/apache2/envvars ]; then
+    # Loading Apache2 ENV variables
+    source /etc/apache2/envvars
+    # The directory below has to be created due to the fact that
+    # libapache2-mod-wsgi-py3 doesn't create it in contrary by libapache2-mod-wsgi
+    if [ ! -d ${APACHE_RUN_DIR} ]; then
+      mkdir -p ${APACHE_RUN_DIR}
+    fi
+  fi
+
+  # Start Apache2
+  {{- if .Values.conf.software.apache2.a2enmod }}
+    {{- range .Values.conf.software.apache2.a2enmod }}
+  a2enmod {{ . }}
+    {{- end }}
+  {{- end }}
+  {{- if .Values.conf.software.apache2.a2dismod }}
+    {{- range .Values.conf.software.apache2.a2dismod }}
+  a2dismod {{ . }}
+    {{- end }}
+  {{- end }}
+  exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
+}
+
+function stop () {
+  if [ -f /etc/apache2/envvars ]; then
+    source /etc/apache2/envvars
+  fi
+  {{ .Values.conf.software.apache2.binary }} -k graceful-stop
+}
+
+$COMMAND
diff --git a/charts/nova/templates/bin/_nova-scheduler.sh.tpl b/charts/nova/templates/bin/_nova-scheduler.sh.tpl
new file mode 100644
index 0000000..dc00037
--- /dev/null
+++ b/charts/nova/templates/bin/_nova-scheduler.sh.tpl
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -xe
+
+exec nova-scheduler \
+      --config-file /etc/nova/nova.conf
diff --git a/charts/nova/templates/bin/_nova-service-cleaner.sh.tpl b/charts/nova/templates/bin/_nova-service-cleaner.sh.tpl
new file mode 100644
index 0000000..2242757
--- /dev/null
+++ b/charts/nova/templates/bin/_nova-service-cleaner.sh.tpl
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -xe
+
+# If any non-compute service is down, then sleep for 2 times the report_interval
+# to confirm service is still down.
+DISABLED_SVC="$(openstack compute service list -f value | grep -v 'nova-compute' | grep 'down' || true)"
+if [ ! -z "${DISABLED_SVC}" ]; then
+  sleep {{ .Values.jobs.service_cleaner.sleep_time }}
+fi
+
+NOVA_SERVICES_TO_CLEAN="$(openstack compute service list -f value -c Binary | sort | uniq | grep -v '^nova-compute$')"
+for NOVA_SERVICE in ${NOVA_SERVICES_TO_CLEAN}; do
+  DEAD_SERVICE_IDS=$(openstack compute service list --service ${NOVA_SERVICE} -f json | jq -r '.[] | select(.State == "down") | .ID')
+  for SERVICE_ID in ${DEAD_SERVICE_IDS}; do
+    openstack compute service delete "${SERVICE_ID}"
+  done
+done
diff --git a/charts/nova/templates/bin/_ssh-init.sh.tpl b/charts/nova/templates/bin/_ssh-init.sh.tpl
new file mode 100644
index 0000000..9032933
--- /dev/null
+++ b/charts/nova/templates/bin/_ssh-init.sh.tpl
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+export NOVA_USERNAME=$(id -u ${NOVA_USER_UID} -n)
+export NOVA_USER_HOME=$(eval echo ~${NOVA_USERNAME})
+
+mkdir -p ${NOVA_USER_HOME}/.ssh
+chown -R ${NOVA_USERNAME}:${NOVA_USERNAME} ${NOVA_USER_HOME}/.ssh
+
+cat > ${NOVA_USER_HOME}/.ssh/config <<EOF
+Host *
+  StrictHostKeyChecking no
+  UserKnownHostsFile /dev/null
+  port $SSH_PORT
+  IdentitiesOnly yes
+EOF
+
+cp /tmp/nova-ssh/* ${NOVA_USER_HOME}/.ssh/
+chmod 600 ${NOVA_USER_HOME}/.ssh/id_rsa
diff --git a/charts/nova/templates/bin/_ssh-start.sh.tpl b/charts/nova/templates/bin/_ssh-start.sh.tpl
new file mode 100644
index 0000000..abbf9f0
--- /dev/null
+++ b/charts/nova/templates/bin/_ssh-start.sh.tpl
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+IFS=','
+for KEY_TYPE in $KEY_TYPES; do
+    KEY_PATH=/etc/ssh/ssh_host_${KEY_TYPE}_key
+    if [[ ! -f "${KEY_PATH}" ]]; then
+        ssh-keygen -q -t ${KEY_TYPE} -f ${KEY_PATH} -N ""
+    fi
+done
+IFS=''
+
+subnet_address="{{- .Values.network.ssh.from_subnet -}}"
+cat > /tmp/sshd_config_extend <<EOF
+PasswordAuthentication no
+Match Address $subnet_address
+    PermitRootLogin without-password
+EOF
+cat /tmp/sshd_config_extend >> /etc/ssh/sshd_config
+
+rm /tmp/sshd_config_extend
+
+exec /usr/sbin/sshd -D -e -o Port=$SSH_PORT
diff --git a/charts/nova/templates/bin/_wait-for-computes-init.sh.tpl b/charts/nova/templates/bin/_wait-for-computes-init.sh.tpl
new file mode 100644
index 0000000..ef60bf6
--- /dev/null
+++ b/charts/nova/templates/bin/_wait-for-computes-init.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+{{ .Values.bootstrap.wait_for_computes.scripts.init_script | default "echo 'No wait-for-compute script configured'" }}
diff --git a/charts/nova/templates/certificates.yaml b/charts/nova/templates/certificates.yaml
new file mode 100644
index 0000000..3bf6c8d
--- /dev/null
+++ b/charts/nova/templates/certificates.yaml
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.certificates -}}
+{{ dict "envAll" . "service" "compute" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
+{{- if .Values.manifests.deployment_novncproxy }}
+{{ dict "envAll" . "service" "compute_novnc_proxy" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
+{{- end }}
+{{- if .Values.manifests.deployment_placement }}
+{{ dict "envAll" . "service" "placement" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
+{{- end }}
+{{  dict "envAll" . "service" "compute_metadata" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
+{{- if .Values.manifests.deployment_spiceproxy }}
+{{ dict "envAll" . "service" "compute_spice_proxy" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
+{{- end }}
+{{- end -}}
diff --git a/charts/nova/templates/configmap-bin.yaml b/charts/nova/templates/configmap-bin.yaml
new file mode 100644
index 0000000..141130a
--- /dev/null
+++ b/charts/nova/templates/configmap-bin.yaml
@@ -0,0 +1,114 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+{{- $rallyTests := .Values.conf.rally_tests }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nova-bin
+data:
+{{- if .Values.conf.enable_iscsi }}
+  iscsiadm: |
+{{ tuple "bin/_iscsiadm.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  multipath: |
+{{ tuple "bin/_multipath.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  multipathd: |
+{{ tuple "bin/_multipathd.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if .Values.images.local_registry.active }}
+  image-repo-sync.sh: |
+{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
+{{- end }}
+{{- if .Values.bootstrap.enabled }}
+  bootstrap.sh: |
+{{ tuple "bin/_bootstrap.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+  rally-test.sh: |
+{{ tuple $rallyTests | include "helm-toolkit.scripts.rally_test" | indent 4 }}
+  db-init.py: |
+{{- include "helm-toolkit.scripts.db_init" . | indent 4 }}
+  db-sync.sh: |
+{{ tuple "bin/_db-sync.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  db-drop.py: |
+{{- include "helm-toolkit.scripts.db_drop" . | indent 4 }}
+  ks-service.sh: |
+{{- include "helm-toolkit.scripts.keystone_service" . | indent 4 }}
+  ks-endpoints.sh: |
+{{- include "helm-toolkit.scripts.keystone_endpoints" . | indent 4 }}
+  ks-user.sh: |
+{{- include "helm-toolkit.scripts.keystone_user" . | indent 4 }}
+{{- if .Values.conf.ceph.enabled }}
+  ceph-keyring.sh: |
+{{ tuple "bin/_ceph-keyring.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  ceph-admin-keyring.sh: |
+{{ tuple "bin/_ceph-admin-keyring.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if .Values.manifests.cron_job_archive_deleted_rows }}
+  archive-deleted-rows.sh: |
+{{ tuple "bin/_db-archive-deleted-row.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+  health-probe.py: |
+{{ tuple "bin/_health-probe.py.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  nova-api.sh: |
+{{ tuple "bin/_nova-api.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  nova-api-metadata.sh: |
+{{ tuple "bin/_nova-api-metadata.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  nova-api-metadata-init.sh: |
+{{ tuple "bin/_nova-api-metadata-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  nova-placement-api.sh: |
+{{ tuple "bin/_nova-placement-api.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  nova-compute.sh: |
+{{ tuple "bin/_nova-compute.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  nova-compute-init.sh: |
+{{ tuple "bin/_nova-compute-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  nova-compute-ironic.sh: |
+{{ tuple "bin/_nova-compute-ironic.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  nova-conductor.sh: |
+{{ tuple "bin/_nova-conductor.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  nova-consoleauth.sh: |
+{{ tuple "bin/_nova-consoleauth.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  nova-scheduler.sh: |
+{{ tuple "bin/_nova-scheduler.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  fake-iptables.sh: |
+{{ tuple "bin/_fake-iptables.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  nova-console-compute-init.sh: |
+{{ tuple "bin/_nova-console-compute-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  nova-console-proxy.sh: |
+{{ tuple "bin/_nova-console-proxy.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  nova-console-proxy-init.sh: |
+{{ tuple "bin/_nova-console-proxy-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  nova-console-proxy-init-assets.sh: |
+{{ tuple "bin/_nova-console-proxy-init-assets.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  ssh-init.sh: |
+{{ tuple "bin/_ssh-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  ssh-start.sh: |
+{{ tuple "bin/_ssh-start.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  cell-setup.sh: |
+{{ tuple "bin/_cell-setup.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  cell-setup-init.sh: |
+{{ tuple "bin/_cell-setup-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  nova-service-cleaner.sh: |
+{{ tuple "bin/_nova-service-cleaner.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  rabbit-init.sh: |
+{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }}
+  wait-for-computes-init.sh: |
+{{ tuple "bin/_wait-for-computes-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- if ( has "tungstenfabric" .Values.network.backend ) }}
+  tf-plugin.pth: |
+    /opt/plugin/site-packages
+{{- end }}
+{{- end }}
diff --git a/charts/nova/templates/configmap-etc.yaml b/charts/nova/templates/configmap-etc.yaml
new file mode 100644
index 0000000..c92fd93
--- /dev/null
+++ b/charts/nova/templates/configmap-etc.yaml
@@ -0,0 +1,294 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "nova.configmap.etc" }}
+{{- $configMapName := index . 0 }}
+{{- $envAll := index . 1 }}
+{{- with $envAll }}
+
+{{- if empty .Values.conf.nova.keystone_authtoken.auth_uri -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.nova.keystone_authtoken "auth_uri" -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.keystone_authtoken.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.nova.keystone_authtoken "auth_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.keystone_authtoken.region_name -}}
+{{- $_ := set .Values.conf.nova.keystone_authtoken "region_name" .Values.endpoints.identity.auth.nova.region_name -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.keystone_authtoken.project_name -}}
+{{- $_ := set .Values.conf.nova.keystone_authtoken "project_name" .Values.endpoints.identity.auth.nova.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.keystone_authtoken.project_domain_name -}}
+{{- $_ := set .Values.conf.nova.keystone_authtoken "project_domain_name" .Values.endpoints.identity.auth.nova.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.keystone_authtoken.user_domain_name -}}
+{{- $_ := set .Values.conf.nova.keystone_authtoken "user_domain_name" .Values.endpoints.identity.auth.nova.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.keystone_authtoken.username -}}
+{{- $_ := set .Values.conf.nova.keystone_authtoken "username" .Values.endpoints.identity.auth.nova.username -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.keystone_authtoken.password -}}
+{{- $_ := set .Values.conf.nova.keystone_authtoken "password" .Values.endpoints.identity.auth.nova.password -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.keystone_authtoken.memcached_servers -}}
+{{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.nova.keystone_authtoken "memcached_servers" -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.keystone_authtoken.memcache_secret_key -}}
+{{- $_ := set .Values.conf.nova.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
+{{- end -}}
+
+{{- if .Values.conf.nova.service_user.send_service_user_token -}}
+
+{{- if empty .Values.conf.nova.service_user.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.nova.service_user "auth_url" -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.service_user.region_name -}}
+{{- $_ := set .Values.conf.nova.service_user "region_name" .Values.endpoints.identity.auth.nova.region_name -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.service_user.project_name -}}
+{{- $_ := set .Values.conf.nova.service_user "project_name" .Values.endpoints.identity.auth.nova.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.service_user.project_domain_name -}}
+{{- $_ := set .Values.conf.nova.service_user "project_domain_name" .Values.endpoints.identity.auth.nova.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.service_user.user_domain_name -}}
+{{- $_ := set .Values.conf.nova.service_user "user_domain_name" .Values.endpoints.identity.auth.nova.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.service_user.username -}}
+{{- $_ := set .Values.conf.nova.service_user "username" .Values.endpoints.identity.auth.nova.username -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.service_user.password -}}
+{{- $_ := set .Values.conf.nova.service_user "password" .Values.endpoints.identity.auth.nova.password -}}
+{{- end -}}
+
+{{- end -}}
+
+{{- if empty .Values.conf.nova.database.connection -}}
+{{- $connection := tuple "oslo_db" "internal" "nova" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.nova.database "connection" -}}
+{{- else -}}
+{{- $_ := set .Values.conf.nova.database "connection" $connection -}}
+{{- end -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.api_database.connection -}}
+{{- $connection := tuple "oslo_db_api" "internal" "nova" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.nova.api_database "connection" -}}
+{{- else -}}
+{{- $_ := set .Values.conf.nova.api_database "connection" $connection -}}
+{{- end -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.cell0_database.connection -}}
+{{- $connection := tuple "oslo_db_cell0" "internal" "nova" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.nova.cell0_database "connection" -}}
+{{- else -}}
+{{- $_ := set .Values.conf.nova.cell0_database "connection" $connection -}}
+{{- end -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.DEFAULT.transport_url -}}
+{{- $_ := tuple "oslo_messaging" "internal" "nova" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" | set .Values.conf.nova.DEFAULT "transport_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.glance.api_servers -}}
+{{- $_ := tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.nova.glance "api_servers" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.neutron.url -}}
+{{- $_ := tuple "network" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.nova.neutron "url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.neutron.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.nova.neutron "auth_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.neutron.region_name -}}
+{{- $_ := set .Values.conf.nova.neutron "region_name" .Values.endpoints.identity.auth.neutron.region_name -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.neutron.project_name -}}
+{{- $_ := set .Values.conf.nova.neutron "project_name" .Values.endpoints.identity.auth.neutron.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.neutron.project_domain_name -}}
+{{- $_ := set .Values.conf.nova.neutron "project_domain_name" .Values.endpoints.identity.auth.neutron.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.neutron.user_domain_name -}}
+{{- $_ := set .Values.conf.nova.neutron "user_domain_name" .Values.endpoints.identity.auth.neutron.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.neutron.username -}}
+{{- $_ := set .Values.conf.nova.neutron "username" .Values.endpoints.identity.auth.neutron.username -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.neutron.password -}}
+{{- $_ := set .Values.conf.nova.neutron "password" .Values.endpoints.identity.auth.neutron.password -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.cache.memcache_servers -}}
+{{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.nova.cache "memcache_servers" -}}
+{{- end -}}
+
+{{- if and (empty .Values.conf.nova.DEFAULT.metadata_host) .Values.endpoints.compute_metadata.ip.ingress -}}
+{{- $_ := set .Values.conf.nova.DEFAULT "metadata_host" .Values.endpoints.compute_metadata.ip.ingress -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.DEFAULT.metadata_port -}}
+{{- $_ := tuple "compute_metadata" "public" "metadata" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.nova.DEFAULT "metadata_port" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.placement.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.nova.placement "auth_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.placement.region_name -}}
+{{- $_ := set .Values.conf.nova.placement "region_name" .Values.endpoints.identity.auth.placement.region_name -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.placement.project_name -}}
+{{- $_ := set .Values.conf.nova.placement "project_name" .Values.endpoints.identity.auth.placement.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.placement.project_domain_name -}}
+{{- $_ := set .Values.conf.nova.placement "project_domain_name" .Values.endpoints.identity.auth.placement.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.placement.user_domain_name -}}
+{{- $_ := set .Values.conf.nova.placement "user_domain_name" .Values.endpoints.identity.auth.placement.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.placement.username -}}
+{{- $_ := set .Values.conf.nova.placement "username" .Values.endpoints.identity.auth.placement.username -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.placement.password -}}
+{{- $_ := set .Values.conf.nova.placement "password" .Values.endpoints.identity.auth.placement.password -}}
+{{- end -}}
+
+{{- if eq .Values.console.console_kind "novnc"}}
+{{- $_ := "true" | set .Values.conf.nova.vnc "enabled" -}}
+{{- if empty .Values.conf.nova.vnc.novncproxy_base_url -}}
+{{- $_ := tuple "compute_novnc_proxy" "public" "novnc_proxy" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.nova.vnc "novncproxy_base_url" -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.vnc.novncproxy_port -}}
+{{- $_ := tuple "compute_novnc_proxy" "internal" "novnc_proxy" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.nova.vnc "novncproxy_port" -}}
+{{- end -}}
+{{- end -}}
+
+{{- if eq .Values.console.console_kind "spice"}}
+{{- $_ := "false" | set .Values.conf.nova.vnc "enabled" -}}
+{{- $_ := "true" | set .Values.conf.nova.spice "enabled" -}}
+{{- if empty .Values.conf.nova.spice.html5proxy_base_url -}}
+{{- $_ := tuple "compute_spice_proxy" "public" "spice_proxy" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.nova.spice "html5proxy_base_url" -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.spice.html5proxy_port -}}
+{{- $_ := tuple "compute_spice_proxy" "internal" "spice_proxy" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.nova.spice "html5proxy_port" -}}
+{{- end -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.ironic.api_endpoint -}}
+{{- $_ := tuple "baremetal" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.nova.ironic "api_endpoint" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.ironic.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.nova.ironic "auth_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.ironic.region_name -}}
+{{- $_ := set .Values.conf.nova.ironic "region_name" .Values.endpoints.identity.auth.ironic.region_name -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.ironic.project_name -}}
+{{- $_ := set .Values.conf.nova.ironic "project_name" .Values.endpoints.identity.auth.ironic.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.ironic.project_domain_name -}}
+{{- $_ := set .Values.conf.nova.ironic "project_domain_name" .Values.endpoints.identity.auth.ironic.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.ironic.user_domain_name -}}
+{{- $_ := set .Values.conf.nova.ironic "user_domain_name" .Values.endpoints.identity.auth.ironic.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.ironic.username -}}
+{{- $_ := set .Values.conf.nova.ironic "username" .Values.endpoints.identity.auth.ironic.username -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.ironic.password -}}
+{{- $_ := set .Values.conf.nova.ironic "password" .Values.endpoints.identity.auth.ironic.password -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.ironic.auth_type -}}
+{{- $_ := set .Values.conf.nova.ironic "auth_type" .Values.endpoints.identity.auth.ironic.auth_type -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.ironic.auth_version -}}
+{{- $_ := set .Values.conf.nova.ironic "auth_version" .Values.endpoints.identity.auth.ironic.auth_version -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.ironic.memcache_secret_key -}}
+{{- $_ := (default (randAlphaNum 64) .Values.endpoints.oslo_cache.auth.memcache_secret_key) | set .Values.conf.nova.ironic "memcache_secret_key" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.ironic.memcache_servers -}}
+{{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.nova.ironic "memcache_servers" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.DEFAULT.osapi_compute_listen_port -}}
+{{- $_ := tuple "compute" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.nova.DEFAULT "osapi_compute_listen_port" -}}
+{{- end -}}
+
+{{- if and (empty .Values.conf.logging.handler_fluent) (has "fluent" .Values.conf.logging.handlers.keys) -}}
+{{- $fluentd_host := tuple "fluentd" "internal" $envAll | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $fluentd_port := tuple "fluentd" "internal" "service" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .Release.Name $fluentd_host $fluentd_port }}
+{{- $handler_fluent := dict "class" "fluent.handler.FluentHandler" "formatter" "fluent" "args" $fluent_args -}}
+{{- $_ := set .Values.conf.logging "handler_fluent" $handler_fluent -}}
+{{- end -}}
+
+{{- if and (empty .Values.conf.logging.formatter_fluent) (has "fluent" .Values.conf.logging.formatters.keys) -}}
+{{- $formatter_fluent := dict "class" "oslo_log.formatters.FluentFormatter" -}}
+{{- $_ := set .Values.conf.logging "formatter_fluent" $formatter_fluent -}}
+{{- end -}}
+
+{{ $__nova_compute := dict }}
+{{ $_ := set $__nova_compute "config" .Values.conf.nova  }}
+{{ range .Values.conf.nova_compute_redactions }}
+{{   $_ := set $__nova_compute "config" (omit $__nova_compute.config .) }}
+{{ end }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $configMapName }}
+type: Opaque
+data:
+  rally_tests.yaml: {{ toYaml .Values.conf.rally_tests.tests | b64enc }}
+  api-paste.ini: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.paste | b64enc }}
+  policy.yaml: {{ toYaml .Values.conf.policy | b64enc }}
+  nova_sudoers: {{ $envAll.Values.conf.nova_sudoers | b64enc }}
+  rootwrap.conf: {{ .Values.conf.rootwrap | b64enc }}
+{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+{{- $filePrefix := replace "_" "-"  $key }}
+  {{ printf "%s.filters" $filePrefix }}: {{ $value.content | b64enc }}
+{{- end }}
+  nova.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.nova | b64enc }}
+  nova-compute.conf: {{ include "helm-toolkit.utils.to_oslo_conf" $__nova_compute.config | b64enc }}
+  logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
+  api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
+  nova-ironic.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.nova_ironic | b64enc }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_placement "key" "wsgi-nova-placement.conf" "format" "Secret" ) | indent 2 }}
+{{- if .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.mpm_event "key" "mpm_event.conf" "format" "Secret" ) | indent 2 }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_nova_api "key" "wsgi-api.conf" "format" "Secret" ) | indent 2 }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_nova_metadata "key" "wsgi-metadata.conf" "format" "Secret" ) | indent 2 }}
+{{- end }}
+{{- if .Values.conf.security }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.security "key" "security.conf" "format" "Secret" ) | indent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if .Values.manifests.configmap_etc }}
+{{- list "nova-etc" . | include "nova.configmap.etc" }}
+{{- end }}
diff --git a/charts/nova/templates/cron-job-archive-deleted-rows.yaml b/charts/nova/templates/cron-job-archive-deleted-rows.yaml
new file mode 100644
index 0000000..7baa330
--- /dev/null
+++ b/charts/nova/templates/cron-job-archive-deleted-rows.yaml
@@ -0,0 +1,85 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.cron_job_archive_deleted_rows }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := "nova-archive-deleted-rows-cron" }}
+{{ tuple $envAll "archive_deleted_rows" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: nova-archive-deleted-rows
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+  schedule: {{ .Values.jobs.archive_deleted_rows.cron | quote }}
+  successfulJobsHistoryLimit: {{ .Values.jobs.archive_deleted_rows.history.success }}
+  failedJobsHistoryLimit: {{ .Values.jobs.archive_deleted_rows.history.failed }}
+  {{- if .Values.jobs.archive_deleted_rows.starting_deadline }}
+  startingDeadlineSeconds: {{ .Values.jobs.archive_deleted_rows.starting_deadline }}
+  {{- end }}
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    metadata:
+      labels:
+{{ tuple $envAll "nova" "archive-deleted-rows" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+    spec:
+      template:
+        metadata:
+          labels:
+{{ tuple $envAll "nova" "archive-deleted-rows" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 12 }}
+        spec:
+          serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "archive_deleted_rows" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 10 }}
+          restartPolicy: OnFailure
+          nodeSelector:
+            {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+          initContainers:
+{{ tuple $envAll "archive-deleted-rows" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 12 }}
+          containers:
+            - name: nova-archive-deleted-rows
+{{ tuple $envAll "nova_archive_deleted_rows" | include "helm-toolkit.snippets.image" | indent 14 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.archive_deleted_rows | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
+{{ dict "envAll" $envAll "application" "archive_deleted_rows" "container" "nova_archive_deleted_rows" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 14 }}
+              command:
+                - /tmp/archive-deleted-rows.sh
+              volumeMounts:
+                - name: pod-tmp
+                  mountPath: /tmp
+                - name: archive-deleted-rows-conf
+                  mountPath: /etc/nova/nova.conf
+                  subPath: nova.conf
+                  readOnly: true
+                - name: archive-deleted-rows-conf
+                  mountPath: /etc/nova/logging.conf
+                  subPath: logging.conf
+                  readOnly: true
+                - name: archive-deleted-rows
+                  mountPath: /tmp/archive-deleted-rows.sh
+                  readOnly: true
+                  subPath: archive-deleted-rows.sh
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
+          volumes:
+            - name: pod-tmp
+              emptyDir: {}
+            - name: archive-deleted-rows
+              configMap:
+                name: nova-bin
+                defaultMode: 0555
+            - name: archive-deleted-rows-conf
+              secret:
+                secretName: nova-etc
+{{- end }}
diff --git a/charts/nova/templates/cron-job-cell-setup.yaml b/charts/nova/templates/cron-job-cell-setup.yaml
new file mode 100644
index 0000000..18b661a
--- /dev/null
+++ b/charts/nova/templates/cron-job-cell-setup.yaml
@@ -0,0 +1,97 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.cron_job_cell_setup }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := "nova-cell-setup-cron" }}
+{{ tuple $envAll "cell_setup" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: nova-cell-setup
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+  schedule: {{ .Values.jobs.cell_setup.cron | quote }}
+  successfulJobsHistoryLimit: {{ .Values.jobs.cell_setup.history.success }}
+  failedJobsHistoryLimit: {{ .Values.jobs.cell_setup.history.failed }}
+  {{- if .Values.jobs.cell_setup.starting_deadline }}
+  startingDeadlineSeconds: {{ .Values.jobs.cell_setup.starting_deadline }}
+  {{- end }}
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    metadata:
+      labels:
+{{ tuple $envAll "nova" "cell-setup" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+    spec:
+      template:
+        metadata:
+          labels:
+{{ tuple $envAll "nova" "cell-setup" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 12 }}
+        spec:
+          serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "cell_setup" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 10 }}
+          restartPolicy: OnFailure
+          nodeSelector:
+            {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+          initContainers:
+{{ tuple $envAll "cell_setup" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 12 }}
+          containers:
+            - name: nova-cell-setup
+{{ tuple $envAll "nova_cell_setup" | include "helm-toolkit.snippets.image" | indent 14 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.cell_setup | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
+{{ dict "envAll" $envAll "application" "cell_setup" "container" "nova_cell_setup" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 14 }}
+              command:
+                - /tmp/cell-setup.sh
+              volumeMounts:
+                - name: pod-tmp
+                  mountPath: /tmp
+                - name: nova-bin
+                  mountPath: /tmp/cell-setup.sh
+                  subPath: cell-setup.sh
+                  readOnly: true
+                - name: etcnova
+                  mountPath: /etc/nova
+                - name: nova-etc
+                  mountPath: /etc/nova/nova.conf
+                  subPath: nova.conf
+                  readOnly: true
+                {{- if .Values.conf.nova.DEFAULT.log_config_append }}
+                - name: nova-etc
+                  mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
+                  subPath: {{ base .Values.conf.nova.DEFAULT.log_config_append }}
+                  readOnly: true
+                {{- end }}
+                - name: nova-etc
+                  mountPath: /etc/nova/policy.yaml
+                  subPath: policy.yaml
+                  readOnly: true
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
+          volumes:
+            - name: pod-tmp
+              emptyDir: {}
+            - name: etcnova
+              emptyDir: {}
+            - name: nova-etc
+              secret:
+                secretName: nova-etc
+                defaultMode: 0444
+            - name: nova-bin
+              configMap:
+                name: nova-bin
+                defaultMode: 0555
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
+{{- end }}
diff --git a/charts/nova/templates/cron-job-service-cleaner.yaml b/charts/nova/templates/cron-job-service-cleaner.yaml
new file mode 100644
index 0000000..bbe3fab
--- /dev/null
+++ b/charts/nova/templates/cron-job-service-cleaner.yaml
@@ -0,0 +1,87 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.cron_job_service_cleaner }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := "nova-service-cleaner" }}
+{{ tuple $envAll "service_cleaner" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: nova-service-cleaner
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+  schedule: {{ .Values.jobs.service_cleaner.cron | quote }}
+  successfulJobsHistoryLimit: {{ .Values.jobs.service_cleaner.history.success }}
+  failedJobsHistoryLimit: {{ .Values.jobs.service_cleaner.history.failed }}
+  {{- if .Values.jobs.service_cleaner.starting_deadline }}
+  startingDeadlineSeconds: {{ .Values.jobs.service_cleaner.starting_deadline }}
+  {{- end }}
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    metadata:
+      labels:
+{{ tuple $envAll "nova" "service-cleaner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+    spec:
+      template:
+        metadata:
+          labels:
+{{ tuple $envAll "nova" "service-cleaner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 12 }}
+        spec:
+          serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "service_cleaner" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 10 }}
+          restartPolicy: OnFailure
+          nodeSelector:
+            {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+          initContainers:
+{{ tuple $envAll "service_cleaner" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 12 }}
+          containers:
+            - name: nova-service-cleaner
+{{ tuple $envAll "nova_service_cleaner" | include "helm-toolkit.snippets.image" | indent 14 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.service_cleaner | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
+{{ dict "envAll" $envAll "application" "service_cleaner" "container" "nova_service_cleaner" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 14 }}
+              env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.nova "useCA" .Values.manifests.certificates}}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 14 }}
+{{- end }}
+              command:
+                - /tmp/nova-service-cleaner.sh
+              volumeMounts:
+                - name: pod-tmp
+                  mountPath: /tmp
+                - name: nova-bin
+                  mountPath: /tmp/nova-service-cleaner.sh
+                  subPath: nova-service-cleaner.sh
+                  readOnly: true
+                - name: etcnova
+                  mountPath: /etc/nova
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
+          volumes:
+            - name: pod-tmp
+              emptyDir: {}
+            - name: etcnova
+              emptyDir: {}
+            - name: nova-etc
+              secret:
+                secretName: nova-etc
+                defaultMode: 0444
+            - name: nova-bin
+              configMap:
+                name: nova-bin
+                defaultMode: 0555
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
+{{- end }}
diff --git a/charts/nova/templates/daemonset-compute.yaml b/charts/nova/templates/daemonset-compute.yaml
new file mode 100644
index 0000000..e600e58
--- /dev/null
+++ b/charts/nova/templates/daemonset-compute.yaml
@@ -0,0 +1,565 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "novaComputeLivenessProbeTemplate" }}
+exec:
+  command:
+    - python
+    - /tmp/health-probe.py
+    - --config-file
+    - /etc/nova/nova.conf
+    - --service-queue-name
+    - compute
+    - --liveness-probe
+    {{- if .Values.pod.use_fqdn.compute }}
+    - --use-fqdn
+    {{- end }}
+{{- end }}
+
+{{- define "novaComputeReadinessProbeTemplate" }}
+exec:
+  command:
+    - python
+    - /tmp/health-probe.py
+    - --config-file
+    - /etc/nova/nova.conf
+    - --service-queue-name
+    - compute
+    {{- if .Values.pod.use_fqdn.compute }}
+    - --use-fqdn
+    {{- end }}
+{{- end }}
+
+{{- define "nova.compute.daemonset" }}
+{{- $daemonset := index . 0 }}
+{{- $configMapName := index . 1 }}
+{{- $serviceAccountName := index . 2 }}
+{{- $envAll := index . 3 }}
+{{- with $envAll }}
+
+{{- $mounts_nova_compute := .Values.pod.mounts.nova_compute.nova_compute }}
+{{- $mounts_nova_compute_init := .Values.pod.mounts.nova_compute.init_container }}
+
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: nova-compute
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll .Chart.Name $daemonset | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  selector:
+    matchLabels:
+{{ tuple $envAll .Chart.Name $daemonset | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll $daemonset | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll .Chart.Name $daemonset | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "nova-compute-default" "containerNames" (list "nova-compute" "init" "nova-compute-init" "nova-compute-vnc-init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      nodeSelector:
+        {{ .Values.labels.agent.compute.node_selector_key }}: {{ .Values.labels.agent.compute.node_selector_value }}
+      hostNetwork: true
+      hostPID: true
+      hostIPC: true
+      dnsPolicy: ClusterFirstWithHostNet
+      initContainers:
+{{ tuple $envAll "pod_dependency" $mounts_nova_compute_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: nova-compute-init
+{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          env:
+            - name: NOVA_USER_UID
+              value: "{{ .Values.pod.security_context.nova.pod.runAsUser }}"
+          command:
+            - /tmp/nova-compute-init.sh
+          terminationMessagePath: /var/log/termination-log
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: nova-bin
+              mountPath: /tmp/nova-compute-init.sh
+              subPath: nova-compute-init.sh
+              readOnly: true
+            - name: varlibnova
+              mountPath: /var/lib/nova
+            - name: pod-shared
+              mountPath: /tmp/pod-shared
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
+        {{- if .Values.conf.ceph.enabled }}
+        - name: ceph-perms
+{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "ceph_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - chown
+            - -R
+            - "nova:"
+            - /etc/ceph
+          terminationMessagePath: /var/log/termination-log
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: etcceph
+              mountPath: /etc/ceph
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
+        {{- if empty .Values.conf.ceph.cinder.keyring }}
+        - name: ceph-admin-keyring-placement
+{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "ceph_admin_keyring_placement" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/ceph-admin-keyring.sh
+          terminationMessagePath: /var/log/termination-log
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: nova-bin
+              mountPath: /tmp/ceph-admin-keyring.sh
+              subPath: ceph-admin-keyring.sh
+              readOnly: true
+            {{- if empty .Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
+        {{ end }}
+        - name: ceph-keyring-placement
+{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "ceph_keyring_placement" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          env:
+            - name: CEPH_CINDER_USER
+              value: "{{ .Values.conf.ceph.cinder.user }}"
+            {{- if .Values.conf.ceph.cinder.keyring }}
+            - name: CEPH_CINDER_KEYRING
+              value: "{{ .Values.conf.ceph.cinder.keyring }}"
+            {{ end }}
+            - name: LIBVIRT_CEPH_SECRET_UUID
+              value: "{{ .Values.conf.ceph.secret_uuid }}"
+          command:
+            - /tmp/ceph-keyring.sh
+          terminationMessagePath: /var/log/termination-log
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: nova-bin
+              mountPath: /tmp/ceph-keyring.sh
+              subPath: ceph-keyring.sh
+            - name: ceph-etc
+              mountPath: /etc/ceph/ceph.conf.template
+              subPath: ceph.conf
+              readOnly: true
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
+        {{ end }}
+        {{- if eq .Values.console.console_kind "novnc"}}
+        - name: nova-compute-vnc-init
+{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.compute | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute_vnc_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/nova-console-compute-init.sh
+          terminationMessagePath: /var/log/termination-log
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: nova-bin
+              mountPath: /tmp/nova-console-compute-init.sh
+              subPath: nova-console-compute-init.sh
+              readOnly: true
+            - name: pod-shared
+              mountPath: /tmp/pod-shared
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
+        {{ end }}
+        {{- if eq .Values.console.console_kind "spice"}}
+        - name: nova-compute-spice-init
+{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.compute | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute_spice_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/nova-console-compute-init.sh
+          terminationMessagePath: /var/log/termination-log
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: nova-bin
+              mountPath: /tmp/nova-console-compute-init.sh
+              subPath: nova-console-compute-init.sh
+              readOnly: true
+            - name: pod-shared
+              mountPath: /tmp/pod-shared
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
+        {{ end }}
+        {{- if ( has "tungstenfabric" .Values.network.backend ) }}
+        - name: tungstenfabric-compute-init
+          image: {{ .Values.images.tags.tf_compute_init }}
+          imagePullPolicy: {{ .Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.compute | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "tungstenfabric_compute_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          volumeMounts:
+            - name: tf-plugin-shared
+              mountPath: /opt/plugin
+            - name: tf-plugin-bin
+              mountPath: /opt/plugin/bin
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
+        {{- end }}
+        {{- if .Values.network.ssh.enabled }}
+        - name: nova-compute-ssh-init
+{{ tuple $envAll "nova_compute_ssh" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.ssh | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute_ssh_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          terminationMessagePath: /var/log/termination-log
+          env:
+            - name: SSH_PORT
+              value: {{ .Values.network.ssh.port | quote }}
+            - name: NOVA_USER_UID
+              value: "{{ .Values.pod.security_context.nova.pod.runAsUser }}"
+          command:
+            - /tmp/ssh-init.sh
+          volumeMounts:
+            - name: varlibnova
+              mountPath: /var/lib/nova
+            - name: nova-ssh
+              mountPath: /tmp/nova-ssh/authorized_keys
+              subPath: public-key
+            - name: nova-ssh
+              mountPath: /tmp/nova-ssh/id_rsa
+              subPath: private-key
+            - name: nova-bin
+              mountPath: /tmp/ssh-init.sh
+              subPath: ssh-init.sh
+              readOnly: true
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
+        {{- end }}
+      containers:
+        - name: nova-compute
+{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.compute | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          env:
+          {{- if .Values.conf.ceph.enabled }}
+            - name: CEPH_CINDER_USER
+              value: "{{ .Values.conf.ceph.cinder.user }}"
+            {{- if .Values.conf.ceph.cinder.keyring }}
+            - name: CEPH_CINDER_KEYRING
+              value: "{{ .Values.conf.ceph.cinder.keyring }}"
+            {{ end }}
+            - name: LIBVIRT_CEPH_SECRET_UUID
+              value: "{{ .Values.conf.ceph.secret_uuid }}"
+          {{ end }}
+            - name: RPC_PROBE_TIMEOUT
+              value: "{{ .Values.pod.probes.rpc_timeout }}"
+            - name: RPC_PROBE_RETRIES
+              value: "{{ .Values.pod.probes.rpc_retries }}"
+{{- if .Values.manifests.certificates }}
+            - name: REQUESTS_CA_BUNDLE
+              value: "/etc/nova/certs/ca.crt"
+{{- end }}
+{{ dict "envAll" $envAll "component" "compute" "container" "default" "type" "liveness" "probeTemplate" (include "novaComputeLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" $envAll "component" "compute" "container" "default" "type" "readiness" "probeTemplate" (include "novaComputeReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+          command:
+            - /tmp/nova-compute.sh
+          terminationMessagePath: /var/log/termination-log
+          volumeMounts:
+            - name: dev-pts
+              mountPath: /dev/pts
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: nova-bin
+              mountPath: /tmp/nova-compute.sh
+              subPath: nova-compute.sh
+              readOnly: true
+            - name: nova-bin
+              mountPath: /tmp/health-probe.py
+              subPath: health-probe.py
+              readOnly: true
+            - name: nova-etc
+              mountPath: /etc/nova/nova.conf
+              subPath: nova-compute.conf
+              readOnly: true
+            {{- if .Values.conf.nova.DEFAULT.log_config_append }}
+            - name: nova-etc
+              mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.nova.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+            - name: nova-etc
+              mountPath: /etc/nova/api-paste.ini
+              subPath: api-paste.ini
+              readOnly: true
+            - name: nova-etc
+              mountPath: /etc/nova/policy.yaml
+              subPath: policy.yaml
+              readOnly: true
+            - name: nova-etc
+              # NOTE (Portdirect): We mount here to override Kollas
+              # custom sudoers file when using Kolla images, this
+              # location will also work fine for other images.
+              mountPath: /etc/sudoers.d/kolla_nova_sudoers
+              subPath: nova_sudoers
+              readOnly: true
+            - name: nova-etc
+              mountPath: /etc/nova/rootwrap.conf
+              subPath: rootwrap.conf
+              readOnly: true
+            {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+            {{- if ( has "compute" $value.pods ) }}
+            {{- $filePrefix := replace "_" "-"  $key }}
+            {{- $rootwrapFile := printf "/etc/nova/rootwrap.d/%s.filters" $filePrefix }}
+            - name: nova-etc
+              mountPath: {{ $rootwrapFile }}
+              subPath: {{ base $rootwrapFile }}
+              readOnly: true
+            {{- end }}
+            {{- end }}
+            {{- if .Values.conf.ceph.enabled }}
+            - name: etcceph
+              mountPath: /etc/ceph
+              {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+              mountPropagation: Bidirectional
+              {{- end }}
+            {{- if and ( empty .Values.conf.ceph.cinder.keyring ) ( empty .Values.conf.ceph.admin_keyring )}}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+            {{ end }}
+            - mountPath: /lib/modules
+              name: libmodules
+              readOnly: true
+            - name: varlibnova
+              mountPath: /var/lib/nova
+              {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+              mountPropagation: Bidirectional
+              {{- end }}
+            - name: varliblibvirt
+              mountPath: /var/lib/libvirt
+              {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+              mountPropagation: Bidirectional
+              {{- end }}
+            - name: run
+              mountPath: /run
+            - name: cgroup
+              mountPath: /sys/fs/cgroup
+              readOnly: true
+            - name: pod-shared
+              mountPath: /tmp/pod-shared
+            - name: machine-id
+              mountPath: /etc/machine-id
+              readOnly: true
+            {{- if .Values.conf.enable_iscsi }}
+            - name: host-rootfs
+              mountPath: /mnt/host-rootfs
+              mountPropagation: HostToContainer
+            - name: usrlocalsbin
+              mountPath: /usr/local/sbin
+            - name: etciscsi
+              mountPath: /etc/iscsi
+              {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+              mountPropagation: HostToContainer
+              {{- end }}
+            - name: dev
+              mountPath: /dev
+              {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+              mountPropagation: HostToContainer
+              {{- end }}
+            - name: nova-bin
+              mountPath: /usr/local/sbin/iscsiadm
+              subPath: iscsiadm
+            - name: runlock
+              mountPath: /run/lock
+            - name: nova-bin
+              mountPath: /usr/local/sbin/multipath
+              subPath: multipath
+            - name: nova-bin
+              mountPath: /usr/local/sbin/multipathd
+              subPath: multipathd
+            - name: etcmultipath
+              mountPath: /etc/multipath
+              {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+              mountPropagation: Bidirectional
+              {{- end }}
+            - name: sysblock
+              mountPath: /sys/block
+              {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+              mountPropagation: HostToContainer
+              {{- end }}
+            {{- end }}
+            {{- if ( has "tungstenfabric" .Values.network.backend ) }}
+            - name: tf-plugin-shared
+              mountPath: /opt/plugin
+              readOnly: true
+            - name: tf-plugin-bin
+              mountPath: /usr/sbin
+              readOnly: true
+            - name: nova-bin
+              mountPath: /usr/local/lib/python2.7/site-packages/tf-plugin.pth
+              subPath: tf-plugin.pth
+              readOnly: true
+            - name: nova-bin
+              mountPath: /var/lib/openstack/lib/python2.7/site-packages/tf-plugin.pth
+              subPath: tf-plugin.pth
+              readOnly: true
+            - name: nova-bin
+              mountPath: /var/lib/openstack/lib/python3.6/site-packages/tf-plugin.pth
+              subPath: tf-plugin.pth
+              readOnly: true
+            {{- end }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
+        {{- if .Values.network.ssh.enabled }}
+        - name: nova-compute-ssh
+{{ tuple $envAll "nova_compute_ssh" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.ssh | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute_ssh" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          env:
+            - name: KEY_TYPES
+              value: {{ include "helm-toolkit.utils.joinListWithComma" .Values.network.ssh.key_types | quote }}
+            - name: SSH_PORT
+              value: {{ .Values.network.ssh.port | quote }}
+{{- if .Values.manifests.certificates }}
+            - name: REQUESTS_CA_BUNDLE
+              value: "/etc/nova/certs/ca.crt"
+{{- end }}
+          ports:
+            - containerPort: {{ .Values.network.ssh.port }}
+          command:
+            - /tmp/ssh-start.sh
+          terminationMessagePath: /var/log/termination-log
+          volumeMounts:
+            - name: varlibnova
+              mountPath: /var/lib/nova
+            - name: nova-bin
+              mountPath: /tmp/ssh-start.sh
+              subPath: ssh-start.sh
+              readOnly: true
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
+        {{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: nova-bin
+          configMap:
+            name: nova-bin
+            defaultMode: 0555
+        - name: nova-etc
+          secret:
+            secretName: {{ $configMapName }}
+            defaultMode: 0444
+        {{- if .Values.network.ssh.enabled }}
+        - name: nova-ssh
+          secret:
+            secretName: nova-ssh
+            defaultMode: 0644
+        {{ end }}
+        {{- if .Values.conf.ceph.enabled }}
+        - name: etcceph
+          hostPath:
+            path: /var/lib/openstack-helm/compute/nova
+        - name: ceph-etc
+          configMap:
+            name: {{ .Values.ceph_client.configmap }}
+            defaultMode: 0444
+        {{- if and ( empty .Values.conf.ceph.cinder.keyring ) ( empty .Values.conf.ceph.admin_keyring ) }}
+        - name: ceph-keyring
+          secret:
+            secretName: {{ .Values.ceph_client.user_secret_name }}
+        {{ end }}
+        {{ end }}
+        - name: dev-pts
+          hostPath:
+            path: /dev/pts
+        - name: libmodules
+          hostPath:
+            path: /lib/modules
+        - name: varlibnova
+          hostPath:
+            path: /var/lib/nova
+        - name: varliblibvirt
+          hostPath:
+            path: /var/lib/libvirt
+        - name: run
+          hostPath:
+            path: /run
+        - name: cgroup
+          hostPath:
+            path: /sys/fs/cgroup
+        - name: pod-shared
+          emptyDir: {}
+        - name: machine-id
+          hostPath:
+            path: /etc/machine-id
+        {{- if .Values.conf.enable_iscsi }}
+        - name: host-rootfs
+          hostPath:
+            path: /
+        - name: runlock
+          hostPath:
+            path: /run/lock
+        - name: etciscsi
+          hostPath:
+            path: /etc/iscsi
+        - name: dev
+          hostPath:
+            path: /dev
+        - name: usrlocalsbin
+          emptyDir: {}
+        - name: etcmultipath
+          hostPath:
+            path: /etc/multipath
+        - name: sysblock
+          hostPath:
+            path: /sys/block
+
+        {{- end }}
+        {{- if ( has "tungstenfabric" .Values.network.backend ) }}
+        - name: tf-plugin-shared
+          emptyDir: {}
+        - name: tf-plugin-bin
+          emptyDir: {}
+        {{- end }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_nova_compute.volumes }}{{ toYaml $mounts_nova_compute.volumes | indent 8 }}{{ end }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.daemonset_compute }}
+{{- $envAll := . }}
+{{- $daemonset := "compute" }}
+{{- $configMapName := "nova-etc" }}
+{{- $serviceAccountName := "nova-compute" }}
+
+{{- $dependencyOpts := dict "envAll" $envAll "dependencyMixinParam" $envAll.Values.network.backend "dependencyKey" "compute" -}}
+{{- $_ := include "helm-toolkit.utils.dependency_resolver" $dependencyOpts | toString | fromYaml }}
+
+{{ tuple $envAll "pod_dependency" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+{{- $daemonset_yaml := list $daemonset $configMapName $serviceAccountName . | include "nova.compute.daemonset" | toString | fromYaml }}
+{{- $configmap_yaml := "nova.configmap.etc" }}
+{{- list $daemonset $daemonset_yaml $configmap_yaml $configMapName . | include "helm-toolkit.utils.daemonset_overrides" }}
+{{- end }}
diff --git a/charts/nova/templates/deployment-api-metadata.yaml b/charts/nova/templates/deployment-api-metadata.yaml
new file mode 100644
index 0000000..c663a23
--- /dev/null
+++ b/charts/nova/templates/deployment-api-metadata.yaml
@@ -0,0 +1,204 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "novaApiMetadataLivenessProbeTemplate" }}
+tcpSocket:
+  port: {{ .Values.network.metadata.port }}
+{{- end }}
+
+{{- define "novaApiMetadataReadinessProbeTemplate" }}
+tcpSocket:
+  port: {{ .Values.network.metadata.port }}
+{{- end }}
+
+{{- if .Values.manifests.deployment_api_metadata }}
+{{- $envAll := . }}
+
+{{- $mounts_nova_api_metadata := .Values.pod.mounts.nova_api_metadata.nova_api_metadata }}
+{{- $mounts_nova_api_metadata_init := .Values.pod.mounts.nova_api_metadata.init_container }}
+
+{{- $serviceAccountName := "nova-api-metadata" }}
+{{ tuple $envAll "api_metadata" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nova-api-metadata
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "nova" "metadata" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.api_metadata }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "nova" "metadata" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "nova" "metadata" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "nova-api-metadata" "containerNames" (list "nova-api-metadata-init" "nova-api" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      affinity:
+{{ tuple $envAll "nova" "metadata" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+      nodeSelector:
+        {{ .Values.labels.api_metadata.node_selector_key }}: {{ .Values.labels.api_metadata.node_selector_value }}
+      terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.metadata.timeout | default "30" }}
+      initContainers:
+{{ tuple $envAll "api_metadata" $mounts_nova_api_metadata_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: nova-api-metadata-init
+{{ tuple $envAll "nova_api" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.api_metadata | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_api_metadata_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/nova-api-metadata-init.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: nova-bin
+              mountPath: /tmp/nova-api-metadata-init.sh
+              subPath: nova-api-metadata-init.sh
+              readOnly: true
+            - name: nova-etc
+              mountPath: /etc/nova/nova.conf
+              subPath: nova.conf
+              readOnly: true
+            - name: pod-shared
+              mountPath: /tmp/pod-shared
+      containers:
+        - name: nova-api
+{{ tuple $envAll "nova_api" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.api_metadata | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/nova-api-metadata.sh
+            - start
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - /tmp/nova-api-metadata.sh
+                  - stop
+          ports:
+            - containerPort: {{ .Values.network.metadata.port }}
+{{ dict "envAll" $envAll "component" "api-metadata" "container" "default" "type" "liveness" "probeTemplate" (include "novaApiMetadataLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" $envAll "component" "api-metadata" "container" "default" "type" "readiness" "probeTemplate" (include "novaApiMetadataReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: nova-bin
+              mountPath: /tmp/nova-api-metadata.sh
+              subPath: nova-api-metadata.sh
+              readOnly: true
+            - name: nova-bin
+              mountPath: /sbin/iptables
+              subPath: fake-iptables.sh
+              readOnly: true
+            - name: nova-bin
+              mountPath: /sbin/iptables-restore
+              subPath: fake-iptables.sh
+              readOnly: true
+            - name: nova-bin
+              mountPath: /sbin/iptables-save
+              subPath: fake-iptables.sh
+              readOnly: true
+            - name: nova-etc
+              mountPath: /etc/nova/nova.conf
+              subPath: nova.conf
+              readOnly: true
+            {{- if .Values.conf.nova.DEFAULT.log_config_append }}
+            - name: nova-etc
+              mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.nova.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+            - name: nova-etc
+              mountPath: /etc/nova/api-paste.ini
+              subPath: api-paste.ini
+              readOnly: true
+            - name: nova-etc
+              mountPath: /etc/nova/policy.yaml
+              subPath: policy.yaml
+              readOnly: true
+            - name: nova-etc
+              mountPath: /etc/nova/api_audit_map.conf
+              subPath: api_audit_map.conf
+              readOnly: true
+            - name: nova-etc
+              # NOTE (Portdirect): We mount here to override Kollas
+              # custom sudoers file when using Kolla images, this
+              # location will also work fine for other images.
+              mountPath: /etc/sudoers.d/kolla_nova_sudoers
+              subPath: nova_sudoers
+              readOnly: true
+            - name: nova-etc
+              mountPath: /etc/nova/rootwrap.conf
+              subPath: rootwrap.conf
+              readOnly: true
+            {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+            {{- if ( has "metadata" $value.pods ) }}
+            {{- $filePrefix := replace "_" "-"  $key }}
+            {{- $rootwrapFile := printf "/etc/nova/rootwrap.d/%s.filters" $filePrefix }}
+            - name: nova-etc
+              mountPath: {{ $rootwrapFile }}
+              subPath: {{ base $rootwrapFile }}
+              readOnly: true
+            {{- end }}
+            {{- end }}
+            - name: pod-shared
+              mountPath: /tmp/pod-shared
+              readOnly: true
+            {{- if .Values.manifests.certificates }}
+            - name: wsgi-nova
+              mountPath: /var/www/cgi-bin/nova
+            - name: nova-etc
+              mountPath: {{ .Values.conf.software.apache2.conf_dir }}/wsgi-metadata.conf
+              subPath: wsgi-metadata.conf
+              readOnly: true
+            - name: nova-etc
+              mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
+              subPath: mpm_event.conf
+              readOnly: true
+            {{- end }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_nova_api_metadata.volumeMounts }}{{ toYaml $mounts_nova_api_metadata.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        {{- if .Values.manifests.certificates }}
+        - name: wsgi-nova
+          emptyDir: {}
+        {{- end }}
+        - name: nova-bin
+          configMap:
+            name: nova-bin
+            defaultMode: 0555
+        - name: nova-etc
+          secret:
+            secretName: nova-etc
+            defaultMode: 0444
+        - name: pod-shared
+          emptyDir: {}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_nova_api_metadata.volumes }}{{ toYaml $mounts_nova_api_metadata.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/nova/templates/deployment-api-osapi.yaml b/charts/nova/templates/deployment-api-osapi.yaml
new file mode 100644
index 0000000..41c1faf
--- /dev/null
+++ b/charts/nova/templates/deployment-api-osapi.yaml
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "novaApiOsapiLivenessProbeTemplate" }}
+tcpSocket:
+  port: {{ tuple "compute" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- end }}
+
+{{- define "novaApiOsapiReadinessProbeTemplate" }}
+tcpSocket:
+  port: {{ tuple "compute" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- end }}
+
+{{- if .Values.manifests.deployment_api_osapi }}
+{{- $envAll := . }}
+
+{{- $mounts_nova_api_osapi := .Values.pod.mounts.nova_api_osapi.nova_api_osapi }}
+{{- $mounts_nova_api_osapi_init := .Values.pod.mounts.nova_api_osapi.init_container }}
+
+{{- $serviceAccountName := "nova-api-osapi" }}
+{{ tuple $envAll "api" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nova-api-osapi
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "nova" "os-api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.osapi }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "nova" "os-api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "nova" "os-api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "nova-api-osapi" "containerNames" (list "nova-osapi" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      affinity:
+{{ tuple $envAll "nova" "os-api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+      nodeSelector:
+        {{ .Values.labels.osapi.node_selector_key }}: {{ .Values.labels.osapi.node_selector_value }}
+      terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.osapi.timeout | default "30" }}
+      initContainers:
+{{ tuple $envAll "api" $mounts_nova_api_osapi_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: nova-osapi
+{{ tuple $envAll "nova_api" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_osapi" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/nova-api.sh
+            - start
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - /tmp/nova-api.sh
+                  - stop
+          ports:
+            - name: n-api
+              containerPort: {{ tuple "compute" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{ dict "envAll" $envAll "component" "api-osapi" "container" "default" "type" "liveness" "probeTemplate" (include "novaApiOsapiLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" $envAll "component" "api-osapi" "container" "default" "type" "readiness" "probeTemplate" (include "novaApiOsapiReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: pod-var-nova
+              mountPath: /var/lib/nova
+            - name: nova-bin
+              mountPath: /tmp/nova-api.sh
+              subPath: nova-api.sh
+              readOnly: true
+            - name: nova-etc
+              mountPath: /etc/nova/nova.conf
+              subPath: nova.conf
+              readOnly: true
+            {{- if .Values.conf.nova.DEFAULT.log_config_append }}
+            - name: nova-etc
+              mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.nova.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+            - name: nova-etc
+              mountPath: /etc/nova/api-paste.ini
+              subPath: api-paste.ini
+              readOnly: true
+            - name: nova-etc
+              mountPath: /etc/nova/policy.yaml
+              subPath: policy.yaml
+              readOnly: true
+            - name: nova-etc
+              mountPath: /etc/nova/api_audit_map.conf
+              subPath: api_audit_map.conf
+              readOnly: true
+            {{- if .Values.manifests.certificates }}
+            - name: wsgi-nova
+              mountPath: /var/www/cgi-bin/nova
+            - name: nova-etc
+              mountPath: {{ .Values.conf.software.apache2.conf_dir }}/wsgi-api.conf
+              subPath: wsgi-api.conf
+              readOnly: true
+            - name: nova-etc
+              mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
+              subPath: mpm_event.conf
+              readOnly: true
+            {{- end }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_nova_api_osapi.volumeMounts }}{{ toYaml $mounts_nova_api_osapi.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        {{- if .Values.manifests.certificates }}
+        - name: wsgi-nova
+          emptyDir: {}
+        {{- end }}
+        - name: pod-var-nova
+          emptyDir: {}
+        - name: nova-bin
+          configMap:
+            name: nova-bin
+            defaultMode: 0555
+        - name: nova-etc
+          secret:
+            secretName: nova-etc
+            defaultMode: 0444
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_nova_api_osapi.volumes}}{{ toYaml $mounts_nova_api_osapi.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/nova/templates/deployment-conductor.yaml b/charts/nova/templates/deployment-conductor.yaml
new file mode 100644
index 0000000..5335a4c
--- /dev/null
+++ b/charts/nova/templates/deployment-conductor.yaml
@@ -0,0 +1,141 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "novaConductorLivenessProbeTemplate" }}
+exec:
+  command:
+    - python
+    - /tmp/health-probe.py
+    - --config-file
+    - /etc/nova/nova.conf
+    - --service-queue-name
+    - conductor
+    - --liveness-probe
+{{- end }}
+
+{{- define "novaConductorReadinessProbeTemplate" }}
+exec:
+  command:
+    - python
+    - /tmp/health-probe.py
+    - --config-file
+    - /etc/nova/nova.conf
+    - --service-queue-name
+    - conductor
+{{- end }}
+
+{{- if .Values.manifests.deployment_conductor }}
+{{- $envAll := . }}
+
+{{- $mounts_nova_conductor := .Values.pod.mounts.nova_conductor.nova_conductor }}
+{{- $mounts_nova_conductor_init := .Values.pod.mounts.nova_conductor.init_container }}
+
+{{- $serviceAccountName := "nova-conductor" }}
+{{ tuple $envAll "conductor" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nova-conductor
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "nova" "conductor" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.conductor }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "nova" "conductor" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "nova" "conductor" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "nova-conductor" "containerNames" (list "nova-conductor" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      affinity:
+{{ tuple $envAll "nova" "conductor" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+      nodeSelector:
+        {{ .Values.labels.conductor.node_selector_key }}: {{ .Values.labels.conductor.node_selector_value }}
+      initContainers:
+{{ tuple $envAll "conductor" $mounts_nova_conductor_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: nova-conductor
+{{ tuple $envAll "nova_conductor" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.conductor | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_conductor" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ dict "envAll" $envAll "component" "conductor" "container" "default" "type" "liveness" "probeTemplate" (include "novaConductorLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" $envAll "component" "conductor" "container" "default" "type" "readiness" "probeTemplate" (include "novaConductorReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+          env:
+            - name: RPC_PROBE_TIMEOUT
+              value: "{{ .Values.pod.probes.rpc_timeout }}"
+            - name: RPC_PROBE_RETRIES
+              value: "{{ .Values.pod.probes.rpc_retries }}"
+{{- if .Values.manifests.certificates }}
+            - name: REQUESTS_CA_BUNDLE
+              value: "/etc/nova/certs/ca.crt"
+{{- end }}
+          command:
+            - /tmp/nova-conductor.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: nova-bin
+              mountPath: /tmp/nova-conductor.sh
+              subPath: nova-conductor.sh
+              readOnly: true
+            - name: nova-bin
+              mountPath: /tmp/health-probe.py
+              subPath: health-probe.py
+              readOnly: true
+            - name: nova-etc
+              mountPath: /etc/nova/nova.conf
+              subPath: nova.conf
+              readOnly: true
+            {{- if .Values.conf.nova.DEFAULT.log_config_append }}
+            - name: nova-etc
+              mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.nova.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+            - name: nova-etc
+              mountPath: /etc/nova/policy.yaml
+              subPath: policy.yaml
+              readOnly: true
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" "certs" (tuple "ca.crt") | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_nova_conductor.volumeMounts }}{{ toYaml $mounts_nova_conductor.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: nova-bin
+          configMap:
+            name: nova-bin
+            defaultMode: 0555
+        - name: nova-etc
+          secret:
+            secretName: nova-etc
+            defaultMode: 0444
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_nova_conductor.volumes }}{{ toYaml $mounts_nova_conductor.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/nova/templates/deployment-consoleauth.yaml b/charts/nova/templates/deployment-consoleauth.yaml
new file mode 100644
index 0000000..c4a781f
--- /dev/null
+++ b/charts/nova/templates/deployment-consoleauth.yaml
@@ -0,0 +1,133 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "novaConsoleauthLivenessProbeTemplate" }}
+exec:
+  command:
+    - python
+    - /tmp/health-probe.py
+    - --config-file
+    - /etc/nova/nova.conf
+    - --service-queue-name
+    - consoleauth
+    - --liveness-probe
+{{- end }}
+
+{{- define "novaConsoleauthReadinessProbeTemplate" }}
+exec:
+  command:
+    - python
+    - /tmp/health-probe.py
+    - --config-file
+    - /etc/nova/nova.conf
+    - --service-queue-name
+    - consoleauth
+{{- end }}
+
+{{- if .Values.manifests.deployment_consoleauth }}
+{{- $envAll := . }}
+
+{{- $mounts_nova_consoleauth := .Values.pod.mounts.nova_consoleauth.nova_consoleauth }}
+{{- $mounts_nova_consoleauth_init := .Values.pod.mounts.nova_consoleauth.init_container }}
+
+{{- $serviceAccountName := "nova-consoleauth" }}
+{{ tuple $envAll "consoleauth" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nova-consoleauth
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "nova" "consoleauth" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.consoleauth }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "nova" "consoleauth" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "nova" "consoleauth" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "nova-consoleauth" "containerNames" (list "nova-consoleauth" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      affinity:
+{{ tuple $envAll "nova" "consoleauth" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+      nodeSelector:
+        {{ .Values.labels.consoleauth.node_selector_key }}: {{ .Values.labels.consoleauth.node_selector_value }}
+      initContainers:
+{{ tuple $envAll "consoleauth" $mounts_nova_consoleauth_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: nova-consoleauth
+{{ tuple $envAll "nova_consoleauth" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.consoleauth | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_consoleauth" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ dict "envAll" $envAll "component" "consoleauth" "container" "default" "type" "liveness" "probeTemplate" (include "novaConsoleauthLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" $envAll "component" "consoleauth" "container" "default" "type" "readiness" "probeTemplate" (include "novaConsoleauthReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+          env:
+            - name: RPC_PROBE_TIMEOUT
+              value: "{{ .Values.pod.probes.rpc_timeout }}"
+            - name: RPC_PROBE_RETRIES
+              value: "{{ .Values.pod.probes.rpc_retries }}"
+          command:
+            - /tmp/nova-consoleauth.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: nova-bin
+              mountPath: /tmp/nova-consoleauth.sh
+              subPath: nova-consoleauth.sh
+              readOnly: true
+            - name: nova-bin
+              mountPath: /tmp/health-probe.py
+              subPath: health-probe.py
+              readOnly: true
+            - name: nova-etc
+              mountPath: /etc/nova/nova.conf
+              subPath: nova.conf
+              readOnly: true
+            {{- if .Values.conf.nova.DEFAULT.log_config_append }}
+            - name: nova-etc
+              mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.nova.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+            - name: nova-etc
+              mountPath: /etc/nova/policy.yaml
+              subPath: policy.yaml
+              readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_nova_consoleauth.volumeMounts }}{{ toYaml $mounts_nova_consoleauth.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: nova-bin
+          configMap:
+            name: nova-bin
+            defaultMode: 0555
+        - name: nova-etc
+          secret:
+            secretName: nova-etc
+            defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_nova_consoleauth.volumes }}{{ toYaml $mounts_nova_consoleauth.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/nova/templates/deployment-novncproxy.yaml b/charts/nova/templates/deployment-novncproxy.yaml
new file mode 100644
index 0000000..68db32a
--- /dev/null
+++ b/charts/nova/templates/deployment-novncproxy.yaml
@@ -0,0 +1,165 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "novaNovncproxyLivenessProbeTemplate" }}
+tcpSocket:
+  port: {{ tuple "compute_novnc_proxy" "internal" "novnc_proxy" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- end }}
+
+{{- define "novaNovncproxyReadinessProbeTemplate" }}
+tcpSocket:
+  port: {{ tuple "compute_novnc_proxy" "internal" "novnc_proxy" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- end }}
+
+{{- if and .Values.manifests.deployment_novncproxy ( eq .Values.console.console_kind "novnc" )}}
+{{- $envAll := . }}
+
+{{- $mounts_nova_novncproxy := .Values.pod.mounts.nova_novncproxy.nova_novncproxy }}
+{{- $mounts_nova_novncproxy_init := .Values.pod.mounts.nova_novncproxy.init_novncproxy }}
+
+{{- $serviceAccountName := "nova-novncproxy" }}
+{{ tuple $envAll "novncproxy" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nova-novncproxy
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "nova" "novnc-proxy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.novncproxy }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "nova" "novnc-proxy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "nova" "novnc-proxy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "nova-novncproxy" "containerNames" (list "nova-novncproxy" "nova-novncproxy-init-assets" "nova-novncproxy-init" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      affinity:
+{{ tuple $envAll "nova" "novnc-proxy" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+      nodeSelector:
+        {{ .Values.labels.novncproxy.node_selector_key }}: {{ .Values.labels.novncproxy.node_selector_value }}
+{{- if .Values.pod.useHostNetwork.novncproxy }}
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+{{- end }}
+      initContainers:
+{{ tuple $envAll "novncproxy" $mounts_nova_novncproxy_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: nova-novncproxy-init
+{{ tuple $envAll "nova_novncproxy" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.novncproxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_novncproxy_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/nova-console-proxy-init.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: nova-bin
+              mountPath: /tmp/nova-console-proxy-init.sh
+              subPath: nova-console-proxy-init.sh
+              readOnly: true
+            - name: nova-etc
+              mountPath: /etc/nova/nova.conf
+              subPath: nova.conf
+              readOnly: true
+            {{- if .Values.conf.nova.DEFAULT.log_config_append }}
+            - name: nova-etc
+              mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.nova.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+            - name: pod-shared
+              mountPath: /tmp/pod-shared
+        - name: nova-novncproxy-init-assets
+{{ tuple $envAll "nova_novncproxy_assets" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.novncproxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_novncproxy_init_assests" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/nova-console-proxy-init-assets.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: nova-bin
+              mountPath: /tmp/nova-console-proxy-init-assets.sh
+              subPath: nova-console-proxy-init-assets.sh
+              readOnly: true
+            - name: pod-usr-share-novnc
+              mountPath: /tmp/usr/share/novnc
+      containers:
+        - name: nova-novncproxy
+{{ tuple $envAll "nova_novncproxy" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.novncproxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_novncproxy" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ dict "envAll" $envAll "component" "novncproxy" "container" "default" "type" "liveness" "probeTemplate" (include "novaNovncproxyLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" $envAll "component" "novncproxy" "container" "default" "type" "readiness" "probeTemplate" (include "novaNovncproxyReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+          command:
+            - /tmp/nova-console-proxy.sh
+          ports:
+            - name: n-novnc
+              containerPort: {{ tuple "compute_novnc_proxy" "internal" "novnc_proxy" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: nova-bin
+              mountPath: /tmp/nova-console-proxy.sh
+              subPath: nova-console-proxy.sh
+              readOnly: true
+            - name: nova-etc
+              mountPath: /etc/nova/nova.conf
+              subPath: nova.conf
+              readOnly: true
+            - name: nova-etc
+              mountPath: /etc/nova/logging.conf
+              subPath: logging.conf
+              readOnly: true
+            - name: pod-usr-share-novnc
+              mountPath: /usr/share/novnc
+              readOnly: true
+            - name: pod-shared
+              mountPath: /tmp/pod-shared
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_nova_novncproxy.volumeMounts }}{{ toYaml $mounts_nova_novncproxy.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: nova-bin
+          configMap:
+            name: nova-bin
+            defaultMode: 0555
+        - name: nova-etc
+          secret:
+            secretName: nova-etc
+            defaultMode: 0444
+        - name: pod-usr-share-novnc
+          emptyDir: {}
+        - name: pod-shared
+          emptyDir: {}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_nova_novncproxy.volumes }}{{ toYaml $mounts_nova_novncproxy.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/nova/templates/deployment-placement.yaml b/charts/nova/templates/deployment-placement.yaml
new file mode 100644
index 0000000..1391cd9
--- /dev/null
+++ b/charts/nova/templates/deployment-placement.yaml
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "novaPlacementLivenessProbeTemplate" }}
+tcpSocket:
+  port: {{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- end }}
+
+{{- define "novaPlacementReadinessProbeTemplate" }}
+#NOTE(portdirect): use tcpSocket check as HTTP will return 401
+tcpSocket:
+  port: {{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- end }}
+
+{{- if .Values.manifests.deployment_placement }}
+{{- $envAll := . }}
+
+{{- $mounts_nova_placement := .Values.pod.mounts.nova_placement.nova_placement }}
+{{- $mounts_nova_placement_init := .Values.pod.mounts.nova_placement.init_container }}
+
+{{- $serviceAccountName := "nova-placement-api" }}
+{{ tuple $envAll "api" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nova-placement-api
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "nova" "placement" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.placement }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "nova" "placement" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "nova" "placement" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "nova-placement" "containerNames" (list "nova-placement-api" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      affinity:
+{{ tuple $envAll "nova" "placement" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+      nodeSelector:
+        {{ .Values.labels.placement.node_selector_key }}: {{ .Values.labels.placement.node_selector_value }}
+      terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.placement.timeout | default "30" }}
+      initContainers:
+{{ tuple $envAll "api" $mounts_nova_placement_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: nova-placement-api
+{{ tuple $envAll "nova_placement" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.placement | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_placement_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/nova-placement-api.sh
+            - start
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - /tmp/nova-placement-api.sh
+                  - stop
+          ports:
+            - name: p-api
+              containerPort: {{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{ dict "envAll" $envAll "component" "placement" "container" "default" "type" "liveness" "probeTemplate" (include "novaPlacementLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" $envAll "component" "placement" "container" "default" "type" "readiness" "probeTemplate" (include "novaPlacementReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: wsgi-nova
+              mountPath: /var/www/cgi-bin/nova
+            - name: nova-bin
+              mountPath: /tmp/nova-placement-api.sh
+              subPath: nova-placement-api.sh
+              readOnly: true
+            - name: nova-etc
+              mountPath: /etc/nova/nova.conf
+              subPath: nova.conf
+              readOnly: true
+            {{- if .Values.conf.nova.DEFAULT.log_config_append }}
+            - name: nova-etc
+              mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.nova.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+            - name: nova-etc
+              mountPath: /etc/nova/api-paste.ini
+              subPath: api-paste.ini
+              readOnly: true
+            - name: nova-etc
+              mountPath: /etc/nova/policy.yaml
+              subPath: policy.yaml
+              readOnly: true
+            - name: nova-etc
+              mountPath: {{ .Values.conf.software.apache2.conf_dir }}/wsgi-nova-placement.conf
+              subPath: wsgi-nova-placement.conf
+              readOnly: true
+{{- if .Values.conf.security }}
+            - name: nova-etc
+              mountPath: {{ .Values.conf.software.apache2.conf_dir }}/security.conf
+              subPath: security.conf
+              readOnly: true
+{{- end }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.placement.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_nova_placement.volumeMounts }}{{ toYaml $mounts_nova_placement.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: wsgi-nova
+          emptyDir: {}
+        - name: nova-bin
+          configMap:
+            name: nova-bin
+            defaultMode: 0555
+        - name: nova-etc
+          secret:
+            secretName: nova-etc
+            defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.placement.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_nova_placement.volumes }}{{ toYaml $mounts_nova_placement.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/nova/templates/deployment-scheduler.yaml b/charts/nova/templates/deployment-scheduler.yaml
new file mode 100644
index 0000000..b8a465e
--- /dev/null
+++ b/charts/nova/templates/deployment-scheduler.yaml
@@ -0,0 +1,141 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "novaSchedulerLivenessProbeTemplate" }}
+exec:
+  command:
+    - python
+    - /tmp/health-probe.py
+    - --config-file
+    - /etc/nova/nova.conf
+    - --service-queue-name
+    - scheduler
+    - --liveness-probe
+{{- end }}
+
+{{- define "novaSchedulerReadinessProbeTemplate" }}
+exec:
+  command:
+    - python
+    - /tmp/health-probe.py
+    - --config-file
+    - /etc/nova/nova.conf
+    - --service-queue-name
+    - scheduler
+{{- end }}
+
+{{- if .Values.manifests.deployment_scheduler }}
+{{- $envAll := . }}
+
+{{- $mounts_nova_scheduler := .Values.pod.mounts.nova_scheduler.nova_scheduler }}
+{{- $mounts_nova_scheduler_init := .Values.pod.mounts.nova_scheduler.init_container }}
+
+{{- $serviceAccountName := "nova-scheduler" }}
+{{ tuple $envAll "scheduler" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nova-scheduler
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "nova" "scheduler" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.scheduler }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "nova" "scheduler" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "nova" "scheduler" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "nova-scheduler" "containerNames" (list "nova-scheduler" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      affinity:
+{{ tuple $envAll "nova" "scheduler" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+      nodeSelector:
+        {{ .Values.labels.scheduler.node_selector_key }}: {{ .Values.labels.scheduler.node_selector_value }}
+      initContainers:
+{{ tuple $envAll "scheduler" $mounts_nova_scheduler_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: nova-scheduler
+{{ tuple $envAll "nova_scheduler" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.scheduler | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_scheduler" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ dict "envAll" $envAll "component" "scheduler" "container" "default" "type" "liveness" "probeTemplate" (include "novaSchedulerLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" $envAll "component" "scheduler" "container" "default" "type" "readiness" "probeTemplate" (include "novaSchedulerReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+          env:
+            - name: RPC_PROBE_TIMEOUT
+              value: "{{ .Values.pod.probes.rpc_timeout }}"
+            - name: RPC_PROBE_RETRIES
+              value: "{{ .Values.pod.probes.rpc_retries }}"
+{{- if .Values.manifests.certificates }}
+            - name: REQUESTS_CA_BUNDLE
+              value: "/etc/nova/certs/ca.crt"
+{{- end }}
+          command:
+            - /tmp/nova-scheduler.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: nova-bin
+              mountPath: /tmp/nova-scheduler.sh
+              subPath: nova-scheduler.sh
+              readOnly: true
+            - name: nova-bin
+              mountPath: /tmp/health-probe.py
+              subPath: health-probe.py
+              readOnly: true
+            - name: nova-etc
+              mountPath: /etc/nova/nova.conf
+              subPath: nova.conf
+              readOnly: true
+            {{- if .Values.conf.nova.DEFAULT.log_config_append }}
+            - name: nova-etc
+              mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.nova.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+            - name: nova-etc
+              mountPath: /etc/nova/policy.yaml
+              subPath: policy.yaml
+              readOnly: true
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_nova_scheduler.volumeMounts }}{{ toYaml $mounts_nova_scheduler.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: nova-bin
+          configMap:
+            name: nova-bin
+            defaultMode: 0555
+        - name: nova-etc
+          secret:
+            secretName: nova-etc
+            defaultMode: 0444
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_nova_scheduler.volumes }}{{ toYaml $mounts_nova_scheduler.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/nova/templates/deployment-spiceproxy.yaml b/charts/nova/templates/deployment-spiceproxy.yaml
new file mode 100644
index 0000000..98046a0
--- /dev/null
+++ b/charts/nova/templates/deployment-spiceproxy.yaml
@@ -0,0 +1,160 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "novaSpiceproxyLivenessProbeTemplate" }}
+tcpSocket:
+  port: {{ tuple "compute_spice_proxy" "internal" "spice_proxy" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- end }}
+
+{{- define "novaSpiceproxyReadynessProbeTemplate" }}
+tcpSocket:
+  port: {{ tuple "compute_spice_proxy" "internal" "spice_proxy" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- end }}
+
+{{- if and .Values.manifests.deployment_spiceproxy ( eq .Values.console.console_kind "spice" )}}
+{{- $envAll := . }}
+
+{{- $mounts_nova_spiceproxy := .Values.pod.mounts.nova_spiceproxy.nova_spiceproxy }}
+{{- $mounts_nova_spiceproxy_init := .Values.pod.mounts.nova_spiceproxy.init_spiceproxy }}
+
+{{- $serviceAccountName := "nova-spiceproxy" }}
+{{ tuple $envAll "spiceproxy" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nova-spiceproxy
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "nova" "spice-proxy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.spiceproxy }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "nova" "spice-proxy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "nova" "spice-proxy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      affinity:
+{{ tuple $envAll "nova" "spice-proxy" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+      nodeSelector:
+        {{ .Values.labels.spiceproxy.node_selector_key }}: {{ .Values.labels.spiceproxy.node_selector_value }}
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+      initContainers:
+{{ tuple $envAll "spiceproxy" $mounts_nova_spiceproxy_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: nova-spiceproxy-init
+{{ tuple $envAll "nova_spiceproxy" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.spiceproxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_spiceproxy_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/nova-console-proxy-init.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: nova-bin
+              mountPath: /tmp/nova-console-proxy-init.sh
+              subPath: nova-console-proxy-init.sh
+              readOnly: true
+            - name: nova-etc
+              mountPath: /etc/nova/nova.conf
+              subPath: nova.conf
+              readOnly: true
+            {{- if .Values.conf.nova.DEFAULT.log_config_append }}
+            - name: nova-etc
+              mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.nova.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+            - name: pod-shared
+              mountPath: /tmp/pod-shared
+        - name: nova-spiceproxy-init-assets
+{{ tuple $envAll "nova_spiceproxy_assets" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.spiceproxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_spiceproxy_init_assets" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/nova-console-proxy-init-assets.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: nova-bin
+              mountPath: /tmp/nova-console-proxy-init-assets.sh
+              subPath: nova-console-proxy-init-assets.sh
+              readOnly: true
+            - name: pod-usr-share-spice-html5
+              mountPath: /tmp/usr/share/spice-html5
+      containers:
+        - name: nova-spiceproxy
+{{ tuple $envAll "nova_spiceproxy" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.spiceproxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_spiceproxy" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ dict "envAll" $envAll "component" "compute-spice-proxy" "container" "default" "type" "liveness" "probeTemplate" (include "novaSpiceproxyLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" $envAll "component" "compute-spice-proxy" "container" "default" "type" "readiness" "probeTemplate" (include "novaSpiceproxyReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+          command:
+            - /tmp/nova-console-proxy.sh
+          ports:
+            - name: n-spice
+              containerPort: {{ tuple "compute_spice_proxy" "internal" "spice_proxy" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: nova-bin
+              mountPath: /tmp/nova-console-proxy.sh
+              subPath: nova-console-proxy.sh
+              readOnly: true
+            - name: nova-etc
+              mountPath: /etc/nova/nova.conf
+              subPath: nova.conf
+              readOnly: true
+            {{- if .Values.conf.nova.DEFAULT.log_config_append }}
+            - name: nova-etc
+              mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.nova.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+            - name: pod-usr-share-spice-html5
+              mountPath: /usr/share/spice-html5
+              readOnly: true
+            - name: pod-shared
+              mountPath: /tmp/pod-shared
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_spice_proxy.spiceproxy.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_nova_spiceproxy.volumeMounts }}{{ toYaml $mounts_nova_spiceproxy.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: nova-bin
+          configMap:
+            name: nova-bin
+            defaultMode: 0555
+        - name: nova-etc
+          secret:
+            secretName: nova-etc
+            defaultMode: 0444
+        - name: pod-usr-share-spice-html5
+          emptyDir: {}
+        - name: pod-shared
+          emptyDir: {}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_spice_proxy.spiceproxy.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_nova_spiceproxy.volumes }}{{ toYaml $mounts_nova_spiceproxy.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/nova/templates/ingress-metadata.yaml b/charts/nova/templates/ingress-metadata.yaml
new file mode 100644
index 0000000..36eb864
--- /dev/null
+++ b/charts/nova/templates/ingress-metadata.yaml
@@ -0,0 +1,23 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.ingress_metadata .Values.network.metadata.ingress.public }}
+{{- $envAll := . -}}
+{{- $ingressOpts := dict "envAll" $envAll "backendService" "metadata" "backendServiceType" "compute_metadata" "backendPort" "n-meta" -}}
+{{- $secretName := $envAll.Values.secrets.tls.compute_metadata.metadata.internal -}}
+{{- if and .Values.manifests.certificates $secretName }}
+{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.compute_metadata.host_fqdn_override.default.tls.issuerRef.name -}}
+{{- end -}}
+{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+{{- end }}
diff --git a/charts/nova/templates/ingress-novncproxy.yaml b/charts/nova/templates/ingress-novncproxy.yaml
new file mode 100644
index 0000000..cad53cf
--- /dev/null
+++ b/charts/nova/templates/ingress-novncproxy.yaml
@@ -0,0 +1,23 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.ingress_novncproxy .Values.network.novncproxy.ingress.public }}
+{{- $envAll := . }}
+{{- $ingressOpts := dict "envAll" $envAll "backendService" "novncproxy" "backendServiceType" "compute_novnc_proxy" "backendPort" "n-novnc" -}}
+{{- $secretName := $envAll.Values.secrets.tls.compute_novnc_proxy.novncproxy.internal -}}
+{{- if and .Values.manifests.certificates $secretName }}
+{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.compute_novnc_proxy.host_fqdn_override.default.tls.issuerRef.name -}}
+{{- end }}
+{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+{{- end }}
diff --git a/charts/nova/templates/ingress-osapi.yaml b/charts/nova/templates/ingress-osapi.yaml
new file mode 100644
index 0000000..b78f80f
--- /dev/null
+++ b/charts/nova/templates/ingress-osapi.yaml
@@ -0,0 +1,23 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.ingress_osapi .Values.network.osapi.ingress.public }}
+{{- $envAll := . -}}
+{{- $ingressOpts := dict "envAll" $envAll "backendService" "osapi" "backendServiceType" "compute" "backendPort" "n-api" -}}
+{{- $secretName := $envAll.Values.secrets.tls.compute.osapi.internal -}}
+{{- if and .Values.manifests.certificates $secretName }}
+{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.compute.host_fqdn_override.default.tls.issuerRef.name -}}
+{{- end }}
+{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+{{- end }}
diff --git a/charts/nova/templates/ingress-placement.yaml b/charts/nova/templates/ingress-placement.yaml
new file mode 100644
index 0000000..28b0f0d
--- /dev/null
+++ b/charts/nova/templates/ingress-placement.yaml
@@ -0,0 +1,23 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.ingress_placement .Values.network.placement.ingress.public }}
+{{- $envAll := . -}}
+{{- $ingressOpts := dict "envAll" $envAll "backendService" "placement" "backendServiceType" "placement" "backendPort" "p-api" -}}
+{{- $secretName := $envAll.Values.secrets.tls.placement.placement.internal -}}
+{{- if and .Values.manifests.certificates $secretName }}
+{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.placement.host_fqdn_override.default.tls.issuerRef.name -}}
+{{- end }}
+{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+{{- end }}
diff --git a/charts/nova/templates/job-bootstrap.yaml b/charts/nova/templates/job-bootstrap.yaml
new file mode 100644
index 0000000..c105f56
--- /dev/null
+++ b/charts/nova/templates/job-bootstrap.yaml
@@ -0,0 +1,140 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- $envAll := . }}
+{{- if and $envAll.Values.manifests.job_bootstrap $envAll.Values.bootstrap.enabled }}
+{{- $serviceName := "nova" -}}
+{{- $keystoneUser := $envAll.Values.bootstrap.ks_user -}}
+{{- $configMapBin := printf "%s-%s" $serviceName "bin" -}}
+{{- $configMapEtc := printf "%s-%s" $serviceName "etc" -}}
+{{- $configFile := printf "/etc/%s/%s.conf" $serviceName $serviceName -}}
+{{- $logConfigFile := $envAll.Values.conf.nova.DEFAULT.log_config_append -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $serviceAccountName := printf "%s-%s" $serviceName "bootstrap" -}}
+{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ $serviceAccountName | quote }}
+  labels:
+{{ tuple $envAll "nova" "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "nova" "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+{{ dict "envAll" $envAll "application" "bootstrap" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+      initContainers:
+{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+{{- if $envAll.Values.bootstrap.wait_for_computes.enabled }}
+        - name: nova-wait-for-computes-init
+{{ tuple $envAll "nova_wait_for_computes_init" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "bootstrap" "container" "nova_wait_for_computes_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/wait-for-computes-init.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: bootstrap-sh
+              mountPath: /tmp/wait-for-computes-init.sh
+              subPath: wait-for-computes-init.sh
+              readOnly: true
+{{- end }}
+      containers:
+        - name: bootstrap
+          image: {{ $envAll.Values.images.tags.bootstrap }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "bootstrap" "container" "bootstrap" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          env:
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: WAIT_PERCENTAGE
+              value: "{{ .Values.bootstrap.wait_for_computes.wait_percentage }}"
+            - name: REMAINING_WAIT
+              value: "{{ .Values.bootstrap.wait_for_computes.remaining_wait }}"
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/bootstrap.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: bootstrap-sh
+              mountPath: /tmp/bootstrap.sh
+              subPath: bootstrap.sh
+              readOnly: true
+            - name: etc-service
+              mountPath: {{ dir $configFile | quote }}
+            - name: bootstrap-conf
+              mountPath: {{ $configFile | quote }}
+              subPath: {{ base $configFile | quote }}
+              readOnly: true
+            - name: bootstrap-conf
+              mountPath: {{ $logConfigFile | quote }}
+              subPath: {{ base $logConfigFile | quote }}
+              readOnly: true
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: bootstrap-sh
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+        - name: etc-service
+          emptyDir: {}
+        - name: bootstrap-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ $serviceAccountName }}
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - nodes
+    verbs:
+      - get
+      - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ $serviceAccountName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $serviceAccountName }}
+    namespace: {{ $envAll.Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ $serviceAccountName }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
diff --git a/charts/nova/templates/job-cell-setup.yaml b/charts/nova/templates/job-cell-setup.yaml
new file mode 100644
index 0000000..cdcdf25
--- /dev/null
+++ b/charts/nova/templates/job-cell-setup.yaml
@@ -0,0 +1,149 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_cell_setup }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := "nova-cell-setup" }}
+{{ tuple $envAll "cell_setup" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: nova-cell-setup
+  labels:
+{{ tuple $envAll "nova" "cell-setup" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "nova" "cell-setup" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ dict "envAll" $envAll "podName" "nova-cell-setup" "containerNames" (list "nova-cell-setup-init" "nova-cell-setup" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      nodeSelector:
+        {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+      initContainers:
+{{ tuple $envAll "cell_setup" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+{{- if $envAll.Values.bootstrap.wait_for_computes.enabled }}
+        - name: nova-wait-for-computes-init
+{{ tuple $envAll "nova_wait_for_computes_init" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "bootstrap" "container" "nova_wait_for_computes_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/wait-for-computes-init.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: nova-bin
+              mountPath: /tmp/wait-for-computes-init.sh
+              subPath: wait-for-computes-init.sh
+              readOnly: true
+{{- end }}
+        - name: nova-cell-setup-init
+{{ tuple $envAll "nova_cell_setup_init" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.cell_setup | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova_cell_setup" "container" "nova_cell_setup_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+          command:
+            - /tmp/cell-setup-init.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: nova-bin
+              mountPath: /tmp/cell-setup-init.sh
+              subPath: cell-setup-init.sh
+              readOnly: true
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal (tuple "ca.crt") | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+      containers:
+        - name: nova-cell-setup
+{{ tuple $envAll "nova_cell_setup" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.cell_setup | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova_cell_setup" "container" "nova_cell_setup" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/cell-setup.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: nova-bin
+              mountPath: /tmp/cell-setup.sh
+              subPath: cell-setup.sh
+              readOnly: true
+            - name: etcnova
+              mountPath: /etc/nova
+            - name: nova-etc
+              mountPath: /etc/nova/nova.conf
+              subPath: nova.conf
+              readOnly: true
+            {{- if .Values.conf.nova.DEFAULT.log_config_append }}
+            - name: nova-etc
+              mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.nova.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+            - name: nova-etc
+              mountPath: /etc/nova/policy.yaml
+              subPath: policy.yaml
+              readOnly: true
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: etcnova
+          emptyDir: {}
+        - name: nova-etc
+          secret:
+            secretName: nova-etc
+            defaultMode: 0444
+        - name: nova-bin
+          configMap:
+            name: nova-bin
+            defaultMode: 0555
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ $serviceAccountName }}
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - nodes
+    verbs:
+      - get
+      - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ $serviceAccountName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $serviceAccountName }}
+    namespace: {{ $envAll.Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ $serviceAccountName }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
diff --git a/charts/nova/templates/job-db-drop.yaml b/charts/nova/templates/job-db-drop.yaml
new file mode 100644
index 0000000..9a6b1a0
--- /dev/null
+++ b/charts/nova/templates/job-db-drop.yaml
@@ -0,0 +1,26 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_db_drop }}
+{{- $serviceName := "nova" -}}
+{{- $dbSvc := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" -}}
+{{- $dbApi := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "api_database" "configDbKey" "connection" -}}
+{{- $dbCell := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "cell0_database" "configDbKey" "connection" -}}
+{{- $dbsToDrop := list $dbSvc $dbApi $dbCell }}
+{{- $dbDropJob := dict "envAll" . "serviceName" $serviceName "dbsToDrop" $dbsToDrop -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
+{{- end }}
diff --git a/charts/nova/templates/job-db-init.yaml b/charts/nova/templates/job-db-init.yaml
new file mode 100644
index 0000000..b1ca870
--- /dev/null
+++ b/charts/nova/templates/job-db-init.yaml
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_init" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-5"
+{{- end }}
+
+{{- if .Values.manifests.job_db_init }}
+{{- $serviceName := "nova" -}}
+{{- $dbSvc := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" -}}
+{{- $dbApi := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "api_database" "configDbKey" "connection" -}}
+{{- $dbCell := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "cell0_database" "configDbKey" "connection" -}}
+{{- $dbsToInit := list $dbSvc $dbApi $dbCell }}
+{{- $dbInitJob := dict "envAll" . "serviceName" $serviceName "dbsToInit" $dbsToInit -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $dbInitJob "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml) }}
+{{- end }}
+{{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
+{{- end }}
diff --git a/charts/nova/templates/job-db-sync.yaml b/charts/nova/templates/job-db-sync.yaml
new file mode 100644
index 0000000..3cd8cac
--- /dev/null
+++ b/charts/nova/templates/job-db-sync.yaml
@@ -0,0 +1,50 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_sync" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end }}
+
+{{- define "nova.templates._job_db_sync.env_vars" -}}
+{{- $envAll := index . 0 }}
+env:
+  - name: TRANSPORT_URL
+    valueFrom:
+      secretKeyRef:
+        name: {{ $envAll.Values.secrets.oslo_messaging.nova }}
+        key: TRANSPORT_URL
+  - name: DB_CONNECTION
+    valueFrom:
+      secretKeyRef:
+        name: {{ $envAll.Values.secrets.oslo_db.nova }}
+        key: DB_CONNECTION
+  - name: DB_CONNECTION_CELL0
+    valueFrom:
+      secretKeyRef:
+        name: {{ $envAll.Values.secrets.oslo_db_cell0.nova }}
+        key: DB_CONNECTION
+{{- end }}
+
+{{- if .Values.manifests.job_db_sync }}
+{{- $podEnvVars := include "nova.templates._job_db_sync.env_vars" (tuple .) | toString | fromYaml }}
+{{- $dbSyncJob := dict "envAll" . "serviceName" "nova" "podVolMounts" .Values.pod.mounts.nova_db_sync.nova_db_sync.volumeMounts "podVols" .Values.pod.mounts.nova_db_sync.nova_db_sync.volumes "podEnvVars" $podEnvVars.env -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $dbSyncJob "jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml) }}
+{{- end }}
+{{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
+{{- end }}
diff --git a/charts/nova/templates/job-image-repo-sync.yaml b/charts/nova/templates/job-image-repo-sync.yaml
new file mode 100644
index 0000000..fe488dd
--- /dev/null
+++ b/charts/nova/templates/job-image-repo-sync.yaml
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.repo_sync" }}
+helm.sh/hook: post-install,post-upgrade
+{{- end }}
+
+{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
+{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "nova" -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $imageRepoSyncJob "jobAnnotations" (include "metadata.annotations.job.repo_sync" . | fromYaml) }}
+{{- end }}
+{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
+{{- end }}
diff --git a/charts/nova/templates/job-ks-endpoints.yaml b/charts/nova/templates/job-ks-endpoints.yaml
new file mode 100644
index 0000000..5057ebc
--- /dev/null
+++ b/charts/nova/templates/job-ks-endpoints.yaml
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_endpoints" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-2"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_endpoints }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "nova" "serviceTypes" ( tuple "compute" ) -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.compute.osapi.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) }}
+{{- end }}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
+{{- end }}
diff --git a/charts/nova/templates/job-ks-placement-endpoints.yaml b/charts/nova/templates/job-ks-placement-endpoints.yaml
new file mode 100644
index 0000000..2147f3c
--- /dev/null
+++ b/charts/nova/templates/job-ks-placement-endpoints.yaml
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_ks_placement_endpoints }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "configMapBin" "nova-bin" "serviceTypes" ( tuple "placement" ) -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.placement.internal -}}
+{{- end -}}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
+{{- end }}
diff --git a/charts/nova/templates/job-ks-placement-service.yaml b/charts/nova/templates/job-ks-placement-service.yaml
new file mode 100644
index 0000000..c2c8865
--- /dev/null
+++ b/charts/nova/templates/job-ks-placement-service.yaml
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_ks_placement_service }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "configMapBin" "nova-bin" "serviceTypes" ( tuple "placement" ) -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.placement.internal -}}
+{{- end -}}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
+{{- end }}
diff --git a/charts/nova/templates/job-ks-placement-user.yaml b/charts/nova/templates/job-ks-placement-user.yaml
new file mode 100644
index 0000000..035c2f0
--- /dev/null
+++ b/charts/nova/templates/job-ks-placement-user.yaml
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_ks_placement_user }}
+{{- $ksUserJob := dict "envAll" . "serviceName" "placement" "serviceUser" "placement" "configMapBin" "nova-bin" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.placement.placement.internal -}}
+{{- end -}}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
+{{- end }}
diff --git a/charts/nova/templates/job-ks-service.yaml b/charts/nova/templates/job-ks-service.yaml
new file mode 100644
index 0000000..d9eb3b5
--- /dev/null
+++ b/charts/nova/templates/job-ks-service.yaml
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_service" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-3"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_service }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "nova" "serviceTypes" ( tuple "compute" ) -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.compute.osapi.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) }}
+{{- end }}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
+{{- end }}
diff --git a/charts/nova/templates/job-ks-user.yaml b/charts/nova/templates/job-ks-user.yaml
new file mode 100644
index 0000000..e5613cc
--- /dev/null
+++ b/charts/nova/templates/job-ks-user.yaml
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_user" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-1"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_user }}
+{{- $ksUserJob := dict "envAll" . "serviceName" "nova" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.compute.osapi.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) -}}
+{{- end }}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
+{{- end }}
diff --git a/charts/nova/templates/job-rabbit-init.yaml b/charts/nova/templates/job-rabbit-init.yaml
new file mode 100644
index 0000000..ffbb270
--- /dev/null
+++ b/charts/nova/templates/job-rabbit-init.yaml
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.rabbit_init" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end }}
+
+{{- if .Values.manifests.job_rabbit_init }}
+{{- $rmqUserJob := dict "envAll" . "serviceName" "nova" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $rmqUserJob "tlsSecret" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $rmqUserJob "jobAnnotations" (include "metadata.annotations.job.rabbit_init" . | fromYaml) }}
+{{- end }}
+{{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }}
+{{- end }}
diff --git a/charts/nova/templates/netpol-nova.yaml b/charts/nova/templates/netpol-nova.yaml
new file mode 100644
index 0000000..4939aca
--- /dev/null
+++ b/charts/nova/templates/netpol-nova.yaml
@@ -0,0 +1,20 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "nova" }}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/charts/nova/templates/netpol-placement.yaml b/charts/nova/templates/netpol-placement.yaml
new file mode 100644
index 0000000..18feb04
--- /dev/null
+++ b/charts/nova/templates/netpol-placement.yaml
@@ -0,0 +1,20 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.network_policy -}}
+{{- if .Values.manifests.deployment_placement -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "placement" }}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/nova/templates/pdb-metadata.yaml b/charts/nova/templates/pdb-metadata.yaml
new file mode 100644
index 0000000..6fba271
--- /dev/null
+++ b/charts/nova/templates/pdb-metadata.yaml
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pdb_metadata }}
+{{- $envAll := . }}
+---
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+  name: nova-api-metadata
+spec:
+  minAvailable: {{ .Values.pod.lifecycle.disruption_budget.metadata.min_available }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "nova" "metadata" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{- end }}
diff --git a/charts/nova/templates/pdb-osapi.yaml b/charts/nova/templates/pdb-osapi.yaml
new file mode 100644
index 0000000..81971d1
--- /dev/null
+++ b/charts/nova/templates/pdb-osapi.yaml
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pdb_osapi }}
+{{- $envAll := . }}
+---
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+  name: nova-api-osapi
+spec:
+  minAvailable: {{ .Values.pod.lifecycle.disruption_budget.osapi.min_available }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "nova" "os-api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{- end }}
diff --git a/charts/nova/templates/pdb-placement.yaml b/charts/nova/templates/pdb-placement.yaml
new file mode 100644
index 0000000..db7e1c7
--- /dev/null
+++ b/charts/nova/templates/pdb-placement.yaml
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pdb_placement }}
+{{- $envAll := . }}
+---
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+  name: nova-placement-api
+spec:
+  minAvailable: {{ .Values.pod.lifecycle.disruption_budget.placement.min_available }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "nova" "placement" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{- end }}
diff --git a/charts/nova/templates/pod-rally-test.yaml b/charts/nova/templates/pod-rally-test.yaml
new file mode 100644
index 0000000..eabe8b6
--- /dev/null
+++ b/charts/nova/templates/pod-rally-test.yaml
@@ -0,0 +1,110 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pod_rally_test }}
+{{- $envAll := . }}
+
+{{- $mounts_tests := .Values.pod.mounts.nova_tests.nova_tests }}
+{{- $mounts_tests_init := .Values.pod.mounts.nova_tests.init_container }}
+
+{{- $serviceAccountName := print $envAll.Release.Name "-test" }}
+{{ tuple $envAll "tests" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: {{ print $envAll.Release.Name "-test" }}
+  labels:
+{{ tuple $envAll "nova" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  annotations:
+    "helm.sh/hook": test-success
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{ dict "envAll" $envAll "podName" "nova-test" "containerNames" (list "init" "nova-test" "nova-test-ks-user") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
+spec:
+  nodeSelector:
+    {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
+  restartPolicy: Never
+  serviceAccountName: {{ $serviceAccountName }}
+  initContainers:
+{{ tuple $envAll "tests" $mounts_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
+    - name: nova-test-ks-user
+{{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.image" | indent 6 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+      command:
+        - /tmp/ks-user.sh
+      volumeMounts:
+        - name: pod-tmp
+          mountPath: /tmp
+        - name: nova-bin
+          mountPath: /tmp/ks-user.sh
+          subPath: ks-user.sh
+          readOnly: true
+{{ dict "enabled" .Values.manifests.certificates "name"  .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
+      env:
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
+{{- end }}
+        - name: SERVICE_OS_SERVICE_NAME
+          value: "test"
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 8 }}
+{{- end }}
+        - name: SERVICE_OS_ROLE
+          value: {{ .Values.endpoints.identity.auth.test.role | quote }}
+  containers:
+    - name: nova-test
+{{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+      env:
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates}}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
+{{- end }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 8 }}
+{{- end }}
+        - name: RALLY_ENV_NAME
+          value: {{.Release.Name}}
+      command:
+        - /tmp/rally-test.sh
+      volumeMounts:
+        - name: pod-tmp
+          mountPath: /tmp
+        - name: nova-etc
+          mountPath: /etc/rally/rally_tests.yaml
+          subPath: rally_tests.yaml
+          readOnly: true
+        - name: nova-bin
+          mountPath: /tmp/rally-test.sh
+          subPath: rally-test.sh
+          readOnly: true
+        - name: rally-db
+          mountPath: /var/lib/rally
+{{ dict "enabled" .Values.manifests.certificates "name"  .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
+{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
+  volumes:
+    - name: pod-tmp
+      emptyDir: {}
+    - name: nova-etc
+      secret:
+        secretName: nova-etc
+        defaultMode: 0444
+    - name: nova-bin
+      configMap:
+        name: nova-bin
+        defaultMode: 0555
+    - name: rally-db
+      emptyDir: {}
+{{- dict "enabled" .Values.manifests.certificates "name"  .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
+{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
+{{- end }}
diff --git a/charts/nova/templates/secret-db-api.yaml b/charts/nova/templates/secret-db-api.yaml
new file mode 100644
index 0000000..baf75b1
--- /dev/null
+++ b/charts/nova/templates/secret-db-api.yaml
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_db_api }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "nova" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db_api $userClass }}
+{{- $connection := tuple "oslo_db_api" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+{{- if $envAll.Values.manifests.certificates }}
+  DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
+{{- else }}
+  DB_CONNECTION: {{ $connection | b64enc -}}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/nova/templates/secret-db-cell0.yaml b/charts/nova/templates/secret-db-cell0.yaml
new file mode 100644
index 0000000..100b57f
--- /dev/null
+++ b/charts/nova/templates/secret-db-cell0.yaml
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_db_cell0 }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "nova" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db_cell0 $userClass }}
+{{- $connection := tuple "oslo_db_cell0" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+{{- if $envAll.Values.manifests.certificates }}
+  DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
+{{- else }}
+  DB_CONNECTION: {{ $connection | b64enc -}}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/nova/templates/secret-db.yaml b/charts/nova/templates/secret-db.yaml
new file mode 100644
index 0000000..d9cbf8f
--- /dev/null
+++ b/charts/nova/templates/secret-db.yaml
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_db }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "nova" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+{{- $connection := tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+{{- if $envAll.Values.manifests.certificates }}
+  DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
+{{- else }}
+  DB_CONNECTION: {{  $connection | b64enc -}}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/nova/templates/secret-ingress-tls.yaml b/charts/nova/templates/secret-ingress-tls.yaml
new file mode 100644
index 0000000..91ec9fa
--- /dev/null
+++ b/charts/nova/templates/secret-ingress-tls.yaml
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{ include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "osapi" "backendServiceType" "compute" ) }}
+{{ include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "novncproxy" "backendServiceType" "compute_novnc_proxy" ) }}
+{{- if .Values.manifests.ingress_placement }}
+{{ include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "placement" "backendServiceType" "placement" ) }}
+{{- end }}
+{{- end }}
diff --git a/charts/nova/templates/secret-keystone-placement.yaml b/charts/nova/templates/secret-keystone-placement.yaml
new file mode 100644
index 0000000..bdce9b5
--- /dev/null
+++ b/charts/nova/templates/secret-keystone-placement.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_keystone_placement }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "placement" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
+{{- end }}
diff --git a/charts/nova/templates/secret-keystone.yaml b/charts/nova/templates/secret-keystone.yaml
new file mode 100644
index 0000000..beddb30
--- /dev/null
+++ b/charts/nova/templates/secret-keystone.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_keystone }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "nova" "test" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
+{{- end }}
diff --git a/charts/nova/templates/secret-ssh.yaml b/charts/nova/templates/secret-ssh.yaml
new file mode 100644
index 0000000..4811b2e
--- /dev/null
+++ b/charts/nova/templates/secret-ssh.yaml
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "nova.configmap.ssh" }}
+{{- $envAll := index . 1 }}
+{{- with $envAll }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: nova-ssh
+type: Opaque
+data:
+  private-key: {{ .Values.network.ssh.private_key | b64enc }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.network.ssh.public_key "key" "public-key" "format" "Secret" ) | indent 2 }}
+
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.configmap_etc }}
+{{- list "nova-ssh" . | include "nova.configmap.ssh" }}
+{{- end }}
diff --git a/charts/nova/templates/secret_rabbitmq.yaml b/charts/nova/templates/secret_rabbitmq.yaml
new file mode 100644
index 0000000..b49f84e
--- /dev/null
+++ b/charts/nova/templates/secret_rabbitmq.yaml
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_rabbitmq }}
+{{- $envAll := . }}
+{{- $rabbitmqProtocol := "http" }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- $rabbitmqProtocol = "https" }}
+{{- end }}
+{{- range $key1, $userClass := tuple "admin" "nova" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+  RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass $rabbitmqProtocol $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }}
+  TRANSPORT_URL: {{ tuple "oslo_messaging" "internal" $userClass "amqp" $envAll | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/nova/templates/service-ingress-metadata.yaml b/charts/nova/templates/service-ingress-metadata.yaml
new file mode 100644
index 0000000..187987d
--- /dev/null
+++ b/charts/nova/templates/service-ingress-metadata.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_ingress_metadata .Values.network.metadata.ingress.public }}
+{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "compute_metadata" -}}
+{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
+{{- end }}
diff --git a/charts/nova/templates/service-ingress-novncproxy.yaml b/charts/nova/templates/service-ingress-novncproxy.yaml
new file mode 100644
index 0000000..caae913
--- /dev/null
+++ b/charts/nova/templates/service-ingress-novncproxy.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_ingress_novncproxy .Values.network.novncproxy.ingress.public }}
+{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "compute_novnc_proxy" -}}
+{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
+{{- end }}
diff --git a/charts/nova/templates/service-ingress-osapi.yaml b/charts/nova/templates/service-ingress-osapi.yaml
new file mode 100644
index 0000000..44633e3
--- /dev/null
+++ b/charts/nova/templates/service-ingress-osapi.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_ingress_osapi .Values.network.osapi.ingress.public }}
+{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "compute" -}}
+{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
+{{- end }}
diff --git a/charts/nova/templates/service-ingress-placement.yaml b/charts/nova/templates/service-ingress-placement.yaml
new file mode 100644
index 0000000..5d9e6a6
--- /dev/null
+++ b/charts/nova/templates/service-ingress-placement.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_ingress_placement .Values.network.placement.ingress.public }}
+{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "placement" -}}
+{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
+{{- end }}
diff --git a/charts/nova/templates/service-metadata.yaml b/charts/nova/templates/service-metadata.yaml
new file mode 100644
index 0000000..26eed99
--- /dev/null
+++ b/charts/nova/templates/service-metadata.yaml
@@ -0,0 +1,37 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service_metadata }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tuple "compute_metadata" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+  ports:
+  - name: n-meta
+    port: {{ .Values.network.metadata.port }}
+    {{ if .Values.network.metadata.node_port.enabled }}
+    nodePort: {{ .Values.network.metadata.node_port.port }}
+    {{ end }}
+  selector:
+{{ tuple $envAll "nova" "metadata" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  {{ if .Values.network.metadata.node_port.enabled }}
+  type: NodePort
+  {{ if .Values.network.metadata.external_policy_local }}
+  externalTrafficPolicy: Local
+  {{ end }}
+  {{ end }}
+{{- end }}
diff --git a/charts/nova/templates/service-novncproxy.yaml b/charts/nova/templates/service-novncproxy.yaml
new file mode 100644
index 0000000..9e7eebe
--- /dev/null
+++ b/charts/nova/templates/service-novncproxy.yaml
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_novncproxy ( eq .Values.console.console_kind "novnc" ) }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tuple "compute_novnc_proxy" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+  ports:
+  - name: n-novnc
+    port: {{ tuple "compute_novnc_proxy" "internal" "novnc_proxy" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+    {{ if .Values.network.novncproxy.node_port.enabled }}
+    nodePort: {{ .Values.network.novncproxy.node_port.port }}
+    {{ end }}
+  selector:
+{{ tuple $envAll "nova" "novnc-proxy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  {{ if .Values.network.novncproxy.node_port.enabled }}
+  type: NodePort
+  {{ end }}
+{{- end }}
diff --git a/charts/nova/templates/service-osapi.yaml b/charts/nova/templates/service-osapi.yaml
new file mode 100644
index 0000000..91ab52c
--- /dev/null
+++ b/charts/nova/templates/service-osapi.yaml
@@ -0,0 +1,37 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service_osapi }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tuple "compute" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+  ports:
+  - name: n-api
+    port: {{ tuple "compute" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+    {{ if .Values.network.osapi.node_port.enabled }}
+    nodePort: {{ .Values.network.osapi.node_port.port }}
+    {{ end }}
+  selector:
+{{ tuple $envAll "nova" "os-api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  {{ if .Values.network.osapi.node_port.enabled }}
+  type: NodePort
+  {{ if .Values.network.osapi.external_policy_local }}
+  externalTrafficPolicy: Local
+  {{ end }}
+  {{ end }}
+{{- end }}
diff --git a/charts/nova/templates/service-placement.yaml b/charts/nova/templates/service-placement.yaml
new file mode 100644
index 0000000..8e1f3d5
--- /dev/null
+++ b/charts/nova/templates/service-placement.yaml
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service_placement }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tuple "placement" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+  ports:
+  - name: p-api
+    port: {{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+    {{ if .Values.network.placement.node_port.enabled }}
+    nodePort: {{ .Values.network.placement.node_port.port }}
+    {{ end }}
+  selector:
+{{ tuple $envAll "nova" "placement" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  {{ if .Values.network.placement.node_port.enabled }}
+  type: NodePort
+  {{ end }}
+{{- end }}
diff --git a/charts/nova/templates/service-spiceproxy.yaml b/charts/nova/templates/service-spiceproxy.yaml
new file mode 100644
index 0000000..3507a05
--- /dev/null
+++ b/charts/nova/templates/service-spiceproxy.yaml
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_spiceproxy (eq .Values.console.console_kind "spice") }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tuple "compute_spice_proxy" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+  ports:
+  - name: n-spice
+    port: {{ tuple "compute_spice_proxy" "internal" "spice_proxy" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+    {{ if .Values.network.spiceproxy.node_port.enabled }}
+    nodePort: {{ .Values.network.spiceproxy.node_port.port }}
+    {{ end }}
+  selector:
+{{ tuple $envAll "nova" "spice-proxy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  {{ if .Values.network.spiceproxy.node_port.enabled }}
+  type: NodePort
+  {{ end }}
+{{- end }}
diff --git a/charts/nova/templates/statefulset-compute-ironic.yaml b/charts/nova/templates/statefulset-compute-ironic.yaml
new file mode 100644
index 0000000..377555d
--- /dev/null
+++ b/charts/nova/templates/statefulset-compute-ironic.yaml
@@ -0,0 +1,113 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.statefulset_compute_ironic }}
+{{- $envAll := . }}
+
+{{- $mounts_nova_compute_ironic := .Values.pod.mounts.nova_compute_ironic.nova_compute_ironic }}
+{{- $mounts_nova_compute_ironic_init := .Values.pod.mounts.nova_compute_ironic.init_container }}
+
+{{- $serviceAccountName := "nova-compute-ironic" }}
+{{ tuple $envAll "compute_ironic" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: nova-compute-ironic
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "nova" "compute-ironic" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.compute_ironic }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "nova" "compute-ironic" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+  serviceName: "{{ tuple "baremetal" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}-compute"
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "nova" "compute-ironic" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "nova-compute-default" "containerNames" (list "nova-compute") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      affinity:
+{{ tuple $envAll "nova" "compute-ironic" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+      nodeSelector:
+        {{ .Values.labels.agent.compute_ironic.node_selector_key }}: {{ .Values.labels.agent.compute_ironic.node_selector_value }}
+      securityContext:
+        runAsUser: 0
+      hostPID: true
+      dnsPolicy: ClusterFirstWithHostNet
+      initContainers:
+{{ tuple $envAll "compute_ironic" $mounts_nova_compute_ironic_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: nova-compute-ironic
+{{ tuple $envAll "nova_compute_ironic" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.compute_ironic | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /tmp/nova-compute-ironic.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: nova-bin
+              mountPath: /tmp/nova-compute-ironic.sh
+              subPath: nova-compute-ironic.sh
+              readOnly: true
+            - name: nova-etc
+              mountPath: /etc/nova/nova.conf
+              subPath: nova.conf
+              readOnly: true
+            {{- if .Values.conf.nova.DEFAULT.log_config_append }}
+            - name: nova-etc
+              mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.nova.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+            - name: nova-etc
+              mountPath: /etc/nova/nova-ironic.conf
+              subPath: nova-ironic.conf
+              readOnly: true
+            - name: nova-etc
+              mountPath: /etc/nova/api-paste.ini
+              subPath: api-paste.ini
+              readOnly: true
+            - name: nova-etc
+              mountPath: /etc/nova/policy.yaml
+              subPath: policy.yaml
+              readOnly: true
+            - name: varlibironic
+              mountPath: /var/lib/ironic
+{{ if $mounts_nova_compute_ironic.volumeMounts }}{{ toYaml $mounts_nova_compute_ironic.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: nova-bin
+          configMap:
+            name: nova-bin
+            defaultMode: 0555
+        - name: nova-etc
+          secret:
+            secretName: nova-etc
+            defaultMode: 0444
+        - name: varlibironic
+          hostPath:
+            path: /var/lib/ironic
+{{ if $mounts_nova_compute_ironic.volumes }}{{ toYaml $mounts_nova_compute_ironic.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/nova/values.yaml b/charts/nova/values.yaml
new file mode 100644
index 0000000..7d4c1e5
--- /dev/null
+++ b/charts/nova/values.yaml
@@ -0,0 +1,2619 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for nova.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+---
+release_group: null
+
+labels:
+  agent:
+    compute:
+      node_selector_key: openstack-compute-node
+      node_selector_value: enabled
+    compute_ironic:
+      node_selector_key: openstack-compute-node
+      node_selector_value: enabled
+  api_metadata:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  conductor:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  consoleauth:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  job:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  novncproxy:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  osapi:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  placement:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  scheduler:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  spiceproxy:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  test:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+
+images:
+  pull_policy: IfNotPresent
+  tags:
+    bootstrap: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+    db_drop: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+    db_init: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+    dep_check: 'quay.io/airshipit/kubernetes-entrypoint:v1.0.0'
+    rabbit_init: docker.io/rabbitmq:3.7-management
+    ks_user: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+    ks_service: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+    nova_archive_deleted_rows: docker.io/openstackhelm/nova:stein-ubuntu_bionic
+    ks_endpoints: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+    nova_api: docker.io/openstackhelm/nova:stein-ubuntu_bionic
+    nova_cell_setup: docker.io/openstackhelm/nova:stein-ubuntu_bionic
+    nova_cell_setup_init: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+    nova_compute: docker.io/openstackhelm/nova:stein-ubuntu_bionic
+    nova_compute_ironic: 'docker.io/kolla/ubuntu-source-nova-compute-ironic:ocata'
+    nova_compute_ssh: docker.io/openstackhelm/nova:stein-ubuntu_bionic
+    nova_conductor: docker.io/openstackhelm/nova:stein-ubuntu_bionic
+    nova_consoleauth: docker.io/openstackhelm/nova:stein-ubuntu_bionic
+    nova_db_sync: docker.io/openstackhelm/nova:stein-ubuntu_bionic
+    nova_novncproxy: docker.io/openstackhelm/nova:stein-ubuntu_bionic
+    nova_novncproxy_assets: 'docker.io/kolla/ubuntu-source-nova-novncproxy:ocata'
+    nova_placement: docker.io/openstackhelm/nova:stein-ubuntu_bionic
+    nova_scheduler: docker.io/openstackhelm/nova:stein-ubuntu_bionic
+    # NOTE(portdirect): we simply use the ceph config helper here,
+    # as it has both oscli and jq.
+    nova_service_cleaner: 'docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_xenial'
+    nova_spiceproxy: docker.io/openstackhelm/nova:stein-ubuntu_bionic
+    nova_spiceproxy_assets: docker.io/openstackhelm/nova:stein-ubuntu_bionic
+    test: docker.io/xrally/xrally-openstack:2.0.0
+    image_repo_sync: docker.io/docker:17.07.0
+    nova_wait_for_computes_init: gcr.io/google_containers/hyperkube-amd64:v1.11.6
+  local_registry:
+    active: false
+    exclude:
+      - dep_check
+      - image_repo_sync
+
+jobs:
+  # NOTE(portdirect): When using cells new nodes will be added to the cell on the hour by default.
+  # TODO(portdirect): Add a post-start action to nova compute pods that registers themselves.
+  cell_setup:
+    cron: "0 */1 * * *"
+    starting_deadline: 600
+    history:
+      success: 3
+      failed: 1
+    extended_wait:
+      enabled: false
+      iteration: 3
+      duration: 5
+  service_cleaner:
+    cron: "0 */1 * * *"
+    starting_deadline: 600
+    history:
+      success: 3
+      failed: 1
+    sleep_time: 60
+  archive_deleted_rows:
+    cron: "0 */1 * * *"
+    starting_deadline: 600
+    history:
+      success: 3
+      failed: 1
+
+bootstrap:
+  enabled: true
+  ks_user: admin
+  script: null
+  structured:
+    flavors:
+      enabled: true
+      options:
+        m1_tiny:
+          name: "m1.tiny"
+          ram: 512
+          disk: 1
+          vcpus: 1
+        m1_small:
+          name: "m1.small"
+          ram: 2048
+          disk: 20
+          vcpus: 1
+        m1_medium:
+          name: "m1.medium"
+          ram: 4096
+          disk: 40
+          vcpus: 2
+        m1_large:
+          name: "m1.large"
+          ram: 8192
+          disk: 80
+          vcpus: 4
+        m1_xlarge:
+          name: "m1.xlarge"
+          ram: 16384
+          disk: 160
+          vcpus: 8
+  wait_for_computes:
+    enabled: false
+    # Wait percentage is the minimum percentage of compute hypervisors which
+    # must be available before the remainder of the bootstrap script can be run.
+    wait_percentage: 70
+    # Once the wait_percentage above is achieved, the remaining_wait is the
+    # amount of time in seconds to wait before executing the remainder of the
+    # boostrap script.
+    remaining_wait: 300
+    scripts:
+      init_script: |
+        # This runs in a bootstrap init container. It counts the number of compute nodes.
+        COMPUTE_NODES=$(kubectl get nodes -o custom-columns=NAME:.metadata.name -l openstack-compute-node=enabled --no-headers | sort)
+        /bin/echo $COMPUTE_NODES > /tmp/compute_nodes.txt
+      wait_script: |
+        # This script runs in the main bootstrap container just before the
+        # bootstrap.script is called.
+        COMPUTE_HOSTS=`cat /tmp/compute_nodes.txt | wc -w`
+        if [[ $COMPUTE_HOSTS == 0 ]]; then
+          echo "There are no compute hosts found!"
+          exit 1
+        fi
+
+        # Wait for all hypervisors to come up before moving on with the deployment
+        HYPERVISOR_WAIT=true
+        WAIT_AFTER_READY=0
+        SLEEP=5
+        while [[ $HYPERVISOR_WAIT == true ]]; do
+          # Its possible that openstack command may fail due to not being able to
+          # reach the compute service
+          set +e
+          HYPERVISORS=$(openstack hypervisor list -f value -c 'Hypervisor Hostname' | wc -w)
+          set -e
+
+          PERCENT_READY=$(( $HYPERVISORS * 100 / $COMPUTE_HOSTS ))
+          if [[ $PERCENT_READY -ge $WAIT_PERCENTAGE ]]; then
+            echo "Hypervisor ready percentage is $PERCENT_READY"
+            if [[ $PERCENT_READY == 100 ]]; then
+              HYPERVISOR_WAIT=false
+              echo "All hypervisors are ready."
+            elif [[ WAIT_AFTER_READY -ge $REMAINING_WAIT ]]; then
+              HYPERVISOR_WAIT=false
+              echo "Waited the configured time -- $HYPERVISORS out of $COMPUTE_HOSTS hypervisor(s) ready -- proceeding with the bootstrap."
+            else
+              sleep $SLEEP
+              WAIT_AFTER_READY=$(( $WAIT_AFTER_READY + $SLEEP ))
+            fi
+          else
+            echo "Waiting $SLEEP seconds for enough hypervisors to be discovered..."
+            sleep $SLEEP
+          fi
+        done
+
+network:
+  # provide what type of network wiring will be used
+  # possible options: openvswitch, linuxbridge, sriov
+  backend:
+    - openvswitch
+  osapi:
+    port: 8774
+    ingress:
+      public: true
+      classes:
+        namespace: "nginx"
+        cluster: "nginx-cluster"
+      annotations:
+        nginx.ingress.kubernetes.io/rewrite-target: /
+    external_policy_local: false
+    node_port:
+      enabled: false
+      port: 30774
+  metadata:
+    port: 8775
+    ingress:
+      public: true
+      classes:
+        namespace: "nginx"
+        cluster: "nginx-cluster"
+      annotations:
+        nginx.ingress.kubernetes.io/rewrite-target: /
+    external_policy_local: false
+    node_port:
+      enabled: false
+      port: 30775
+  placement:
+    port: 8778
+    ingress:
+      public: true
+      classes:
+        namespace: "nginx"
+        cluster: "nginx-cluster"
+      annotations:
+        nginx.ingress.kubernetes.io/rewrite-target: /
+    node_port:
+      enabled: false
+      port: 30778
+  novncproxy:
+    ingress:
+      public: true
+      classes:
+        namespace: "nginx"
+        cluster: "nginx-cluster"
+      annotations:
+        nginx.ingress.kubernetes.io/rewrite-target: /
+    node_port:
+      enabled: false
+      port: 30680
+  spiceproxy:
+    node_port:
+      enabled: false
+      port: 30682
+  ssh:
+    enabled: false
+    port: 8022
+    from_subnet: 0.0.0.0/0
+    key_types:
+      - rsa
+      - dsa
+      - ecdsa
+      - ed25519
+    private_key: 'null'
+    public_key: 'null'
+
+dependencies:
+  dynamic:
+    common:
+      local_image_registry:
+        jobs:
+          - nova-image-repo-sync
+        services:
+          - endpoint: node
+            service: local_image_registry
+    targeted:
+      openvswitch:
+        compute:
+          pod:
+            - requireSameNode: true
+              labels:
+                application: neutron
+                component: neutron-ovs-agent
+      linuxbridge:
+        compute:
+          pod:
+            - requireSameNode: true
+              labels:
+                application: neutron
+                component: neutron-lb-agent
+      sriov:
+        compute:
+          pod:
+            - requireSameNode: true
+              labels:
+                application: neutron
+                component: neutron-sriov-agent
+  static:
+    api:
+      jobs:
+        - nova-db-sync
+        - nova-ks-user
+        - nova-ks-endpoints
+        - nova-rabbit-init
+      services:
+        - endpoint: internal
+          service: oslo_messaging
+        - endpoint: internal
+          service: oslo_db
+        - endpoint: internal
+          service: identity
+    api_metadata:
+      jobs:
+        - nova-db-sync
+        - nova-ks-user
+        - nova-ks-endpoints
+        - nova-rabbit-init
+      services:
+        - endpoint: internal
+          service: oslo_messaging
+        - endpoint: internal
+          service: oslo_db
+        - endpoint: internal
+          service: identity
+    bootstrap:
+      services:
+        - endpoint: internal
+          service: identity
+        - endpoint: internal
+          service: compute
+    cell_setup:
+      jobs:
+        - nova-db-sync
+        - nova-rabbit-init
+      services:
+        - endpoint: internal
+          service: oslo_messaging
+        - endpoint: internal
+          service: oslo_db
+        - endpoint: internal
+          service: identity
+        - endpoint: internal
+          service: compute
+      pod:
+        - requireSameNode: false
+          labels:
+            application: nova
+            component: compute
+    service_cleaner:
+      jobs:
+        - nova-db-sync
+        - nova-rabbit-init
+      services:
+        - endpoint: internal
+          service: oslo_messaging
+        - endpoint: internal
+          service: oslo_db
+        - endpoint: internal
+          service: identity
+        - endpoint: internal
+          service: compute
+    compute:
+      pod:
+        - requireSameNode: true
+          labels:
+            application: libvirt
+            component: libvirt
+      jobs:
+        - nova-db-sync
+        - nova-rabbit-init
+        - placement-ks-endpoints
+      services:
+        - endpoint: internal
+          service: oslo_messaging
+        - endpoint: internal
+          service: image
+        - endpoint: internal
+          service: compute
+        - endpoint: internal
+          service: network
+        - endpoint: internal
+          service: compute_metadata
+    compute_ironic:
+      jobs:
+        - nova-db-sync
+        - nova-rabbit-init
+      services:
+        - endpoint: internal
+          service: oslo_messaging
+        - endpoint: internal
+          service: image
+        - endpoint: internal
+          service: compute
+        - endpoint: internal
+          service: network
+        - endpoint: internal
+          service: baremetal
+    conductor:
+      jobs:
+        - nova-db-sync
+        - nova-rabbit-init
+        - placement-ks-endpoints
+      services:
+        - endpoint: internal
+          service: oslo_messaging
+        - endpoint: internal
+          service: oslo_db
+        - endpoint: internal
+          service: identity
+        - endpoint: internal
+          service: compute
+    consoleauth:
+      jobs:
+        - nova-db-sync
+        - nova-rabbit-init
+      services:
+        - endpoint: internal
+          service: oslo_messaging
+        - endpoint: internal
+          service: oslo_db
+        - endpoint: internal
+          service: identity
+        - endpoint: internal
+          service: compute
+    db_drop:
+      services:
+        - endpoint: internal
+          service: oslo_db
+    archive_deleted_rows:
+      jobs:
+        - nova-db-init
+        - nova-db-sync
+    db_init:
+      services:
+        - endpoint: internal
+          service: oslo_db
+    db_sync:
+      jobs:
+        - nova-db-init
+      services:
+        - endpoint: internal
+          service: oslo_db
+    ks_endpoints:
+      jobs:
+        - nova-ks-service
+      services:
+        - endpoint: internal
+          service: identity
+    ks_service:
+      services:
+        - endpoint: internal
+          service: identity
+    ks_user:
+      services:
+        - endpoint: internal
+          service: identity
+    rabbit_init:
+      services:
+        - service: oslo_messaging
+          endpoint: internal
+    novncproxy:
+      jobs:
+        - nova-db-sync
+      services:
+        - endpoint: internal
+          service: oslo_db
+    spiceproxy:
+      jobs:
+        - nova-db-sync
+      services:
+        - endpoint: internal
+          service: oslo_db
+    scheduler:
+      jobs:
+        - nova-db-sync
+        - nova-rabbit-init
+        - placement-ks-endpoints
+      services:
+        - endpoint: internal
+          service: oslo_messaging
+        - endpoint: internal
+          service: oslo_db
+        - endpoint: internal
+          service: identity
+        - endpoint: internal
+          service: compute
+    tests:
+      services:
+        - endpoint: internal
+          service: image
+        - endpoint: internal
+          service: compute
+        - endpoint: internal
+          service: network
+        - endpoint: internal
+          service: compute_metadata
+    image_repo_sync:
+      services:
+        - endpoint: internal
+          service: local_image_registry
+
+console:
+  # serial | spice | novnc | none
+  console_kind: novnc
+  serial:
+  spice:
+    compute:
+      # IF blank, search default routing interface
+      server_proxyclient_interface:
+    proxy:
+      # IF blank, search default routing interface
+      server_proxyclient_interface:
+  novnc:
+    compute:
+      # IF blank, search default routing interface
+      vncserver_proxyclient_interface:
+    vncproxy:
+      # IF blank, search default routing interface
+      vncserver_proxyclient_interface:
+
+ceph_client:
+  configmap: ceph-etc
+  user_secret_name: pvc-ceph-client-key
+
+conf:
+  security: |
+    #
+    # Disable access to the entire file system except for the directories that
+    # are explicitly allowed later.
+    #
+    # This currently breaks the configurations that come with some web application
+    # Debian packages.
+    #
+    #<Directory />
+    #   AllowOverride None
+    #   Require all denied
+    #</Directory>
+
+    # Changing the following options will not really affect the security of the
+    # server, but might make attacks slightly more difficult in some cases.
+
+    #
+    # ServerTokens
+    # This directive configures what you return as the Server HTTP response
+    # Header. The default is 'Full' which sends information about the OS-Type
+    # and compiled in modules.
+    # Set to one of:  Full | OS | Minimal | Minor | Major | Prod
+    # where Full conveys the most information, and Prod the least.
+    ServerTokens Prod
+
+    #
+    # Optionally add a line containing the server version and virtual host
+    # name to server-generated pages (internal error documents, FTP directory
+    # listings, mod_status and mod_info output etc., but not CGI generated
+    # documents or custom error documents).
+    # Set to "EMail" to also include a mailto: link to the ServerAdmin.
+    # Set to one of:  On | Off | EMail
+    ServerSignature Off
+
+    #
+    # Allow TRACE method
+    #
+    # Set to "extended" to also reflect the request body (only for testing and
+    # diagnostic purposes).
+    #
+    # Set to one of:  On | Off | extended
+    TraceEnable Off
+
+    #
+    # Forbid access to version control directories
+    #
+    # If you use version control systems in your document root, you should
+    # probably deny access to their directories. For example, for subversion:
+    #
+    #<DirectoryMatch "/\.svn">
+    #   Require all denied
+    #</DirectoryMatch>
+
+    #
+    # Setting this header will prevent MSIE from interpreting files as something
+    # else than declared by the content type in the HTTP headers.
+    # Requires mod_headers to be enabled.
+    #
+    #Header set X-Content-Type-Options: "nosniff"
+
+    #
+    # Setting this header will prevent other sites from embedding pages from this
+    # site as frames. This defends against clickjacking attacks.
+    # Requires mod_headers to be enabled.
+    #
+    #Header set X-Frame-Options: "sameorigin"
+  software:
+    apache2:
+      binary: apache2
+      start_parameters: -DFOREGROUND
+      conf_dir: /etc/apache2/conf-enabled
+      site_dir: /etc/apache2/sites-enable
+      mods_dir: /etc/apache2/mods-available
+      a2enmod: null
+      a2dismod: null
+  ceph:
+    enabled: true
+    admin_keyring: null
+    cinder:
+      user: "cinder"
+      keyring: null
+      secret_uuid: 457eb676-33da-42ec-9a8c-9293d545c337
+  rally_tests:
+    run_tempest: false
+    clean_up: |
+      FLAVORS=$(openstack flavor list -f value --all | awk '$2 ~ /^s_rally_/ { print $1 }')
+      if [ -n "$FLAVORS" ]; then
+        echo $FLAVORS | xargs openstack flavor delete
+      fi
+      SERVERS=$(openstack server list -f value --all | awk '$2 ~ /^s_rally_/ { print $1 }')
+      if [ -n "$SERVERS" ]; then
+        echo $SERVERS | xargs openstack server delete
+      fi
+      IMAGES=$(openstack image list -f value | awk '$2 ~ /^c_rally_/ { print $1 }')
+      if [ -n "$IMAGES" ]; then
+        echo $IMAGES | xargs openstack image delete
+      fi
+    tests:
+      NovaAgents.list_agents:
+        - runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      NovaAggregates.create_and_get_aggregate_details:
+        - args:
+            availability_zone: nova
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      NovaAggregates.create_and_update_aggregate:
+        - args:
+            availability_zone: nova
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      NovaAggregates.list_aggregates:
+        - runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      NovaAvailabilityZones.list_availability_zones:
+        - args:
+            detailed: true
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      NovaFlavors.create_and_delete_flavor:
+        - args:
+            disk: 1
+            ram: 500
+            vcpus: 1
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      NovaFlavors.create_and_list_flavor_access:
+        - args:
+            disk: 1
+            ram: 500
+            vcpus: 1
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      NovaFlavors.create_flavor:
+        - args:
+            disk: 1
+            ram: 500
+            vcpus: 1
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      NovaFlavors.create_flavor_and_add_tenant_access:
+        - args:
+            disk: 1
+            ram: 500
+            vcpus: 1
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      NovaFlavors.create_flavor_and_set_keys:
+        - args:
+            disk: 1
+            extra_specs:
+              'quota:disk_read_bytes_sec': 10240
+            ram: 500
+            vcpus: 1
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      NovaFlavors.list_flavors:
+        - args:
+            detailed: true
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      NovaHypervisors.list_and_get_hypervisors:
+        - args:
+            detailed: true
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      NovaHypervisors.list_and_get_uptime_hypervisors:
+        - args:
+            detailed: true
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      NovaHypervisors.list_and_search_hypervisors:
+        - args:
+            detailed: true
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      NovaHypervisors.list_hypervisors:
+        - args:
+            detailed: true
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      NovaHypervisors.statistics_hypervisors:
+        - args: {}
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      NovaKeypair.create_and_delete_keypair:
+        - runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      NovaKeypair.create_and_list_keypairs:
+        - runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      NovaServerGroups.create_and_list_server_groups:
+        - args:
+            all_projects: false
+            kwargs:
+              policies:
+                - affinity
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+      NovaServices.list_services:
+        - runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+  paste:
+    composite:metadata:
+      use: egg:Paste#urlmap
+      /: meta
+    pipeline:meta:
+      pipeline: cors metaapp
+    app:metaapp:
+      paste.app_factory: nova.api.metadata.handler:MetadataRequestHandler.factory
+    composite:osapi_compute:
+      use: call:nova.api.openstack.urlmap:urlmap_factory
+      /: oscomputeversions
+      /v2: openstack_compute_api_v21_legacy_v2_compatible
+      /v2.1: openstack_compute_api_v21
+    composite:openstack_compute_api_v21:
+      use: call:nova.api.auth:pipeline_factory_v21
+      noauth2: cors http_proxy_to_wsgi compute_req_id faultwrap sizelimit noauth2 osapi_compute_app_v21
+      keystone: cors http_proxy_to_wsgi compute_req_id faultwrap sizelimit authtoken audit keystonecontext osapi_compute_app_v21
+    composite:openstack_compute_api_v21_legacy_v2_compatible:
+      use: call:nova.api.auth:pipeline_factory_v21
+      noauth2: cors http_proxy_to_wsgi compute_req_id faultwrap sizelimit noauth2 legacy_v2_compatible osapi_compute_app_v21
+      keystone: cors http_proxy_to_wsgi compute_req_id faultwrap sizelimit authtoken audit keystonecontext legacy_v2_compatible osapi_compute_app_v21
+    filter:request_id:
+      paste.filter_factory: oslo_middleware:RequestId.factory
+    filter:compute_req_id:
+      paste.filter_factory: nova.api.compute_req_id:ComputeReqIdMiddleware.factory
+    filter:faultwrap:
+      paste.filter_factory: nova.api.openstack:FaultWrapper.factory
+    filter:noauth2:
+      paste.filter_factory: nova.api.openstack.auth:NoAuthMiddleware.factory
+    filter:sizelimit:
+      paste.filter_factory: oslo_middleware:RequestBodySizeLimiter.factory
+    filter:http_proxy_to_wsgi:
+      paste.filter_factory: oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
+    filter:legacy_v2_compatible:
+      paste.filter_factory: nova.api.openstack:LegacyV2CompatibleWrapper.factory
+    app:osapi_compute_app_v21:
+      paste.app_factory: nova.api.openstack.compute:APIRouterV21.factory
+    pipeline:oscomputeversions:
+      pipeline: faultwrap http_proxy_to_wsgi oscomputeversionapp
+    app:oscomputeversionapp:
+      paste.app_factory: nova.api.openstack.compute.versions:Versions.factory
+    filter:cors:
+      paste.filter_factory: oslo_middleware.cors:filter_factory
+      oslo_config_project: nova
+    filter:keystonecontext:
+      paste.filter_factory: nova.api.auth:NovaKeystoneContext.factory
+    filter:authtoken:
+      paste.filter_factory: keystonemiddleware.auth_token:filter_factory
+    filter:audit:
+      paste.filter_factory: keystonemiddleware.audit:filter_factory
+      audit_map_file: /etc/nova/api_audit_map.conf
+  policy: {}
+  nova_sudoers: |
+    # This sudoers file supports rootwrap for both Kolla and LOCI Images.
+    Defaults !requiretty
+    Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin"
+    nova ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/nova-rootwrap /etc/nova/rootwrap.conf *, /var/lib/openstack/bin/nova-rootwrap /etc/nova/rootwrap.conf *
+  api_audit_map:
+    DEFAULT:
+      target_endpoint_type: None
+    custom_actions:
+      enable: enable
+      disable: disable
+      delete: delete
+      startup: start/startup
+      shutdown: stop/shutdown
+      reboot: start/reboot
+      os-migrations/get: read
+      os-server-password/post: update
+    path_keywords:
+      add: None
+      action: None
+      enable: None
+      disable: None
+      configure-project: None
+      defaults: None
+      delete: None
+      detail: None
+      diagnostics: None
+      entries: entry
+      extensions: alias
+      flavors: flavor
+      images: image
+      ips: label
+      limits: None
+      metadata: key
+      os-agents: os-agent
+      os-aggregates: os-aggregate
+      os-availability-zone: None
+      os-certificates: None
+      os-cloudpipe: None
+      os-fixed-ips: ip
+      os-extra_specs: key
+      os-flavor-access: None
+      os-floating-ip-dns: domain
+      os-floating-ips-bulk: host
+      os-floating-ip-pools: None
+      os-floating-ips: floating-ip
+      os-hosts: host
+      os-hypervisors: hypervisor
+      os-instance-actions: instance-action
+      os-keypairs: keypair
+      os-migrations: None
+      os-networks: network
+      os-quota-sets: tenant
+      os-security-groups: security_group
+      os-security-group-rules: rule
+      os-server-password: None
+      os-services: None
+      os-simple-tenant-usage: tenant
+      os-virtual-interfaces: None
+      os-volume_attachments: attachment
+      os-volumes_boot: None
+      os-volumes: volume
+      os-volume-types: volume-type
+      os-snapshots: snapshot
+      reboot: None
+      servers: server
+      shutdown: None
+      startup: None
+      statistics: None
+    service_endpoints:
+      compute: service/compute
+  rootwrap: |
+    # Configuration for nova-rootwrap
+    # This file should be owned by (and only-writeable by) the root user
+
+    [DEFAULT]
+    # List of directories to load filter definitions from (separated by ',').
+    # These directories MUST all be only writeable by root !
+    filters_path=/etc/nova/rootwrap.d,/usr/share/nova/rootwrap
+
+    # List of directories to search executables in, in case filters do not
+    # explicitely specify a full path (separated by ',')
+    # If not specified, defaults to system PATH environment variable.
+    # These directories MUST all be only writeable by root !
+    exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/var/lib/openstack/bin,/var/lib/kolla/venv/bin
+
+    # Enable logging to syslog
+    # Default value is False
+    use_syslog=False
+
+    # Which syslog facility to use.
+    # Valid values include auth, authpriv, syslog, local0, local1...
+    # Default value is 'syslog'
+    syslog_log_facility=syslog
+
+    # Which messages to log.
+    # INFO means log all usage
+    # ERROR means only log unsuccessful attempts
+    syslog_log_level=ERROR
+  wsgi_placement: |
+    Listen 0.0.0.0:{{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+
+    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
+
+    SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+    CustomLog /dev/stdout combined env=!forwarded
+    CustomLog /dev/stdout proxy env=forwarded
+
+    <VirtualHost *:{{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}>
+        WSGIDaemonProcess placement-api processes=4 threads=1 user=nova group=nova display-name=%{GROUP}
+        WSGIProcessGroup placement-api
+        WSGIScriptAlias / /var/www/cgi-bin/nova/nova-placement-api
+        WSGIApplicationGroup %{GLOBAL}
+        WSGIPassAuthorization On
+        <IfVersion >= 2.4>
+          ErrorLogFormat "%{cu}t %M"
+        </IfVersion>
+        ErrorLog /dev/stdout
+
+        SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+        CustomLog /dev/stdout combined env=!forwarded
+        CustomLog /dev/stdout proxy env=forwarded
+    </VirtualHost>
+
+    Alias /placement /var/www/cgi-bin/nova/nova-placement-api
+    <Location /placement>
+        SetHandler wsgi-script
+        Options +ExecCGI
+
+        WSGIProcessGroup placement-api
+        WSGIApplicationGroup %{GLOBAL}
+        WSGIPassAuthorization On
+    </Location>
+  rootwrap_filters:
+    api_metadata:
+      pods:
+        - metadata
+      content: |
+        # nova-rootwrap command filters for api-metadata nodes
+        # This is needed on nova-api hosts running with "metadata" in enabled_apis
+        # or when running nova-api-metadata
+        # This file should be owned by (and only-writeable by) the root user
+
+        [Filters]
+        # nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
+        iptables-save: CommandFilter, iptables-save, root
+        ip6tables-save: CommandFilter, ip6tables-save, root
+
+        # nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
+        iptables-restore: CommandFilter, iptables-restore, root
+        ip6tables-restore: CommandFilter, ip6tables-restore, root
+    compute:
+      pods:
+        - compute
+      content: |
+        # nova-rootwrap command filters for compute nodes
+        # This file should be owned by (and only-writeable by) the root user
+
+        [Filters]
+        # nova/virt/disk/mount/api.py: 'kpartx', '-a', device
+        # nova/virt/disk/mount/api.py: 'kpartx', '-d', device
+        kpartx: CommandFilter, kpartx, root
+
+        # nova/virt/xenapi/vm_utils.py: tune2fs, -O ^has_journal, part_path
+        # nova/virt/xenapi/vm_utils.py: tune2fs, -j, partition_path
+        tune2fs: CommandFilter, tune2fs, root
+
+        # nova/virt/disk/mount/api.py: 'mount', mapped_device
+        # nova/virt/disk/api.py: 'mount', '-o', 'bind', src, target
+        # nova/virt/xenapi/vm_utils.py: 'mount', '-t', 'ext2,ext3,ext4,reiserfs'..
+        # nova/virt/configdrive.py: 'mount', device, mountdir
+        # nova/virt/libvirt/volume.py: 'mount', '-t', 'sofs' ...
+        mount: CommandFilter, mount, root
+
+        # nova/virt/disk/mount/api.py: 'umount', mapped_device
+        # nova/virt/disk/api.py: 'umount' target
+        # nova/virt/xenapi/vm_utils.py: 'umount', dev_path
+        # nova/virt/configdrive.py: 'umount', mountdir
+        umount: CommandFilter, umount, root
+
+        # nova/virt/disk/mount/nbd.py: 'qemu-nbd', '-c', device, image
+        # nova/virt/disk/mount/nbd.py: 'qemu-nbd', '-d', device
+        qemu-nbd: CommandFilter, qemu-nbd, root
+
+        # nova/virt/disk/mount/loop.py: 'losetup', '--find', '--show', image
+        # nova/virt/disk/mount/loop.py: 'losetup', '--detach', device
+        losetup: CommandFilter, losetup, root
+
+        # nova/virt/disk/vfs/localfs.py: 'blkid', '-o', 'value', '-s', 'TYPE', device
+        blkid: CommandFilter, blkid, root
+
+        # nova/virt/libvirt/utils.py: 'blockdev', '--getsize64', path
+        # nova/virt/disk/mount/nbd.py: 'blockdev', '--flushbufs', device
+        blockdev: RegExpFilter, blockdev, root, blockdev, (--getsize64|--flushbufs), /dev/.*
+
+        # nova/virt/disk/vfs/localfs.py: 'tee', canonpath
+        tee: CommandFilter, tee, root
+
+        # nova/virt/disk/vfs/localfs.py: 'mkdir', canonpath
+        mkdir: CommandFilter, mkdir, root
+
+        # nova/virt/disk/vfs/localfs.py: 'chown'
+        # nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log
+        # nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log
+        # nova/virt/libvirt/connection.py: 'chown', 'root', basepath('disk')
+        chown: CommandFilter, chown, root
+
+        # nova/virt/disk/vfs/localfs.py: 'chmod'
+        chmod: CommandFilter, chmod, root
+
+        # nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap'
+        # nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up'
+        # nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev
+        # nova/network/linux_net.py: 'ip', 'addr', 'add', str(floating_ip)+'/32'i..
+        # nova/network/linux_net.py: 'ip', 'addr', 'del', str(floating_ip)+'/32'..
+        # nova/network/linux_net.py: 'ip', 'addr', 'add', '169.254.169.254/32',..
+        # nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', dev, 'scope',..
+        # nova/network/linux_net.py: 'ip', 'addr', 'del/add', ip_params, dev)
+        # nova/network/linux_net.py: 'ip', 'addr', 'del', params, fields[-1]
+        # nova/network/linux_net.py: 'ip', 'addr', 'add', params, bridge
+        # nova/network/linux_net.py: 'ip', '-f', 'inet6', 'addr', 'change', ..
+        # nova/network/linux_net.py: 'ip', 'link', 'set', 'dev', dev, 'promisc',..
+        # nova/network/linux_net.py: 'ip', 'link', 'add', 'link', bridge_if ...
+        # nova/network/linux_net.py: 'ip', 'link', 'set', interface, address,..
+        # nova/network/linux_net.py: 'ip', 'link', 'set', interface, 'up'
+        # nova/network/linux_net.py: 'ip', 'link', 'set', bridge, 'up'
+        # nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', interface, ..
+        # nova/network/linux_net.py: 'ip', 'link', 'set', dev, address, ..
+        # nova/network/linux_net.py: 'ip', 'link', 'set', dev, 'up'
+        # nova/network/linux_net.py: 'ip', 'route', 'add', ..
+        # nova/network/linux_net.py: 'ip', 'route', 'del', .
+        # nova/network/linux_net.py: 'ip', 'route', 'show', 'dev', dev
+        ip: CommandFilter, ip, root
+
+        # nova/virt/libvirt/vif.py: 'tunctl', '-b', '-t', dev
+        # nova/network/linux_net.py: 'tunctl', '-b', '-t', dev
+        tunctl: CommandFilter, tunctl, root
+
+        # nova/virt/libvirt/vif.py: 'ovs-vsctl', ...
+        # nova/virt/libvirt/vif.py: 'ovs-vsctl', 'del-port', ...
+        # nova/network/linux_net.py: 'ovs-vsctl', ....
+        ovs-vsctl: CommandFilter, ovs-vsctl, root
+
+        # nova/virt/libvirt/vif.py: 'vrouter-port-control', ...
+        vrouter-port-control: CommandFilter, vrouter-port-control, root
+
+        # nova/virt/libvirt/vif.py: 'ebrctl', ...
+        ebrctl: CommandFilter, ebrctl, root
+
+        # nova/virt/libvirt/vif.py: 'mm-ctl', ...
+        mm-ctl: CommandFilter, mm-ctl, root
+
+        # nova/network/linux_net.py: 'ovs-ofctl', ....
+        ovs-ofctl: CommandFilter, ovs-ofctl, root
+
+        # nova/virt/libvirt/connection.py: 'dd', if=%s % virsh_output, ...
+        dd: CommandFilter, dd, root
+
+        # nova/virt/xenapi/volume_utils.py: 'iscsiadm', '-m', ...
+        iscsiadm: CommandFilter, iscsiadm, root
+
+        # nova/virt/libvirt/volume/aoe.py: 'aoe-revalidate', aoedev
+        # nova/virt/libvirt/volume/aoe.py: 'aoe-discover'
+        aoe-revalidate: CommandFilter, aoe-revalidate, root
+        aoe-discover: CommandFilter, aoe-discover, root
+
+        # nova/virt/xenapi/vm_utils.py: parted, --script, ...
+        # nova/virt/xenapi/vm_utils.py: 'parted', '--script', dev_path, ..*.
+        parted: CommandFilter, parted, root
+
+        # nova/virt/xenapi/vm_utils.py: 'pygrub', '-qn', dev_path
+        pygrub: CommandFilter, pygrub, root
+
+        # nova/virt/xenapi/vm_utils.py: fdisk %(dev_path)s
+        fdisk: CommandFilter, fdisk, root
+
+        # nova/virt/xenapi/vm_utils.py: e2fsck, -f, -p, partition_path
+        # nova/virt/disk/api.py: e2fsck, -f, -p, image
+        e2fsck: CommandFilter, e2fsck, root
+
+        # nova/virt/xenapi/vm_utils.py: resize2fs, partition_path
+        # nova/virt/disk/api.py: resize2fs, image
+        resize2fs: CommandFilter, resize2fs, root
+
+        # nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
+        iptables-save: CommandFilter, iptables-save, root
+        ip6tables-save: CommandFilter, ip6tables-save, root
+
+        # nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
+        iptables-restore: CommandFilter, iptables-restore, root
+        ip6tables-restore: CommandFilter, ip6tables-restore, root
+
+        # nova/network/linux_net.py: 'arping', '-U', floating_ip, '-A', '-I', ...
+        # nova/network/linux_net.py: 'arping', '-U', network_ref['dhcp_server'],..
+        arping: CommandFilter, arping, root
+
+        # nova/network/linux_net.py: 'dhcp_release', dev, address, mac_address
+        dhcp_release: CommandFilter, dhcp_release, root
+
+        # nova/network/linux_net.py: 'kill', '-9', pid
+        # nova/network/linux_net.py: 'kill', '-HUP', pid
+        kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP
+
+        # nova/network/linux_net.py: 'kill', pid
+        kill_radvd: KillFilter, root, /usr/sbin/radvd
+
+        # nova/network/linux_net.py: dnsmasq call
+        dnsmasq: EnvFilter, env, root, CONFIG_FILE=, NETWORK_ID=, dnsmasq
+
+        # nova/network/linux_net.py: 'radvd', '-C', '%s' % _ra_file(dev, 'conf'..
+        radvd: CommandFilter, radvd, root
+
+        # nova/network/linux_net.py: 'brctl', 'addbr', bridge
+        # nova/network/linux_net.py: 'brctl', 'setfd', bridge, 0
+        # nova/network/linux_net.py: 'brctl', 'stp', bridge, 'off'
+        # nova/network/linux_net.py: 'brctl', 'addif', bridge, interface
+        brctl: CommandFilter, brctl, root
+
+        # nova/virt/libvirt/utils.py: 'mkswap'
+        # nova/virt/xenapi/vm_utils.py: 'mkswap'
+        mkswap: CommandFilter, mkswap, root
+
+        # nova/virt/libvirt/utils.py: 'nova-idmapshift'
+        nova-idmapshift: CommandFilter, nova-idmapshift, root
+
+        # nova/virt/xenapi/vm_utils.py: 'mkfs'
+        # nova/utils.py: 'mkfs', fs, path, label
+        mkfs: CommandFilter, mkfs, root
+
+        # nova/virt/libvirt/utils.py: 'qemu-img'
+        qemu-img: CommandFilter, qemu-img, root
+
+        # nova/virt/disk/vfs/localfs.py: 'readlink', '-e'
+        readlink: CommandFilter, readlink, root
+
+        # nova/virt/disk/api.py:
+        mkfs.ext3: CommandFilter, mkfs.ext3, root
+        mkfs.ext4: CommandFilter, mkfs.ext4, root
+        mkfs.ntfs: CommandFilter, mkfs.ntfs, root
+
+        # nova/virt/libvirt/connection.py:
+        lvremove: CommandFilter, lvremove, root
+
+        # nova/virt/libvirt/utils.py:
+        lvcreate: CommandFilter, lvcreate, root
+
+        # nova/virt/libvirt/utils.py:
+        lvs: CommandFilter, lvs, root
+
+        # nova/virt/libvirt/utils.py:
+        vgs: CommandFilter, vgs, root
+
+        # nova/utils.py:read_file_as_root: 'cat', file_path
+        # (called from nova/virt/disk/vfs/localfs.py:VFSLocalFS.read_file)
+        read_passwd: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/passwd
+        read_shadow: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/shadow
+
+        # os-brick needed commands
+        read_initiator: ReadFileFilter, /etc/iscsi/initiatorname.iscsi
+        multipath: CommandFilter, multipath, root
+        # multipathd show status
+        multipathd: CommandFilter, multipathd, root
+        systool: CommandFilter, systool, root
+        vgc-cluster: CommandFilter, vgc-cluster, root
+        # os_brick/initiator/connector.py
+        drv_cfg: CommandFilter, /opt/emc/scaleio/sdc/bin/drv_cfg, root, /opt/emc/scaleio/sdc/bin/drv_cfg, --query_guid
+
+        # TODO(smcginnis) Temporary fix.
+        # Need to pull in os-brick os-brick.filters file instead and clean
+        # out stale brick values from this file.
+        scsi_id: CommandFilter, /lib/udev/scsi_id, root
+        # os_brick.privileged.default oslo.privsep context
+        # This line ties the superuser privs with the config files, context name,
+        # and (implicitly) the actual python code invoked.
+        privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*
+
+        # nova/storage/linuxscsi.py: sg_scan device
+        sg_scan: CommandFilter, sg_scan, root
+
+        # nova/volume/encryptors/cryptsetup.py:
+        # nova/volume/encryptors/luks.py:
+        ln: RegExpFilter, ln, root, ln, --symbolic, --force, /dev/mapper/crypt-.+, .+
+
+        # nova/volume/encryptors.py:
+        # nova/virt/libvirt/dmcrypt.py:
+        cryptsetup: CommandFilter, cryptsetup, root
+
+        # nova/virt/xenapi/vm_utils.py:
+        xenstore-read: CommandFilter, xenstore-read, root
+
+        # nova/virt/libvirt/utils.py:
+        rbd: CommandFilter, rbd, root
+
+        # nova/virt/libvirt/utils.py: 'shred', '-n3', '-s%d' % volume_size, path
+        shred: CommandFilter, shred, root
+
+        # nova/virt/libvirt/volume.py: 'cp', '/dev/stdin', delete_control..
+        cp: CommandFilter, cp, root
+
+        # nova/virt/xenapi/vm_utils.py:
+        sync: CommandFilter, sync, root
+
+        # nova/virt/libvirt/imagebackend.py:
+        ploop: RegExpFilter, ploop, root, ploop, restore-descriptor, .*
+        prl_disk_tool: RegExpFilter, prl_disk_tool, root, prl_disk_tool, resize, --size, .*M$, --resize_partition, --hdd, .*
+
+        # nova/virt/libvirt/utils.py: 'xend', 'status'
+        xend: CommandFilter, xend, root
+
+        # nova/virt/libvirt/utils.py:
+        touch: CommandFilter, touch, root
+
+        # nova/virt/libvirt/volume/vzstorage.py
+        pstorage-mount: CommandFilter, pstorage-mount, root
+    network:
+      pods:
+        - compute
+      content: |
+        # nova-rootwrap command filters for network nodes
+        # This file should be owned by (and only-writeable by) the root user
+
+        [Filters]
+        # nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap'
+        # nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up'
+        # nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev
+        # nova/network/linux_net.py: 'ip', 'addr', 'add', str(floating_ip)+'/32'i..
+        # nova/network/linux_net.py: 'ip', 'addr', 'del', str(floating_ip)+'/32'..
+        # nova/network/linux_net.py: 'ip', 'addr', 'add', '169.254.169.254/32',..
+        # nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', dev, 'scope',..
+        # nova/network/linux_net.py: 'ip', 'addr', 'del/add', ip_params, dev)
+        # nova/network/linux_net.py: 'ip', 'addr', 'del', params, fields[-1]
+        # nova/network/linux_net.py: 'ip', 'addr', 'add', params, bridge
+        # nova/network/linux_net.py: 'ip', '-f', 'inet6', 'addr', 'change', ..
+        # nova/network/linux_net.py: 'ip', 'link', 'set', 'dev', dev, 'promisc',..
+        # nova/network/linux_net.py: 'ip', 'link', 'add', 'link', bridge_if ...
+        # nova/network/linux_net.py: 'ip', 'link', 'set', interface, address,..
+        # nova/network/linux_net.py: 'ip', 'link', 'set', interface, 'up'
+        # nova/network/linux_net.py: 'ip', 'link', 'set', bridge, 'up'
+        # nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', interface, ..
+        # nova/network/linux_net.py: 'ip', 'link', 'set', dev, address, ..
+        # nova/network/linux_net.py: 'ip', 'link', 'set', dev, 'up'
+        # nova/network/linux_net.py: 'ip', 'route', 'add', ..
+        # nova/network/linux_net.py: 'ip', 'route', 'del', .
+        # nova/network/linux_net.py: 'ip', 'route', 'show', 'dev', dev
+        ip: CommandFilter, ip, root
+
+        # nova/virt/libvirt/vif.py: 'ovs-vsctl', ...
+        # nova/virt/libvirt/vif.py: 'ovs-vsctl', 'del-port', ...
+        # nova/network/linux_net.py: 'ovs-vsctl', ....
+        ovs-vsctl: CommandFilter, ovs-vsctl, root
+
+        # nova/network/linux_net.py: 'ovs-ofctl', ....
+        ovs-ofctl: CommandFilter, ovs-ofctl, root
+
+        # nova/virt/libvirt/vif.py: 'ivs-ctl', ...
+        # nova/virt/libvirt/vif.py: 'ivs-ctl', 'del-port', ...
+        # nova/network/linux_net.py: 'ivs-ctl', ....
+        ivs-ctl: CommandFilter, ivs-ctl, root
+
+        # nova/virt/libvirt/vif.py: 'ifc_ctl', ...
+        ifc_ctl: CommandFilter, /opt/pg/bin/ifc_ctl, root
+
+        # nova/network/linux_net.py: 'ebtables', '-D' ...
+        # nova/network/linux_net.py: 'ebtables', '-I' ...
+        ebtables: CommandFilter, ebtables, root
+        ebtables_usr: CommandFilter, ebtables, root
+
+        # nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
+        iptables-save: CommandFilter, iptables-save, root
+        ip6tables-save: CommandFilter, ip6tables-save, root
+
+        # nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
+        iptables-restore: CommandFilter, iptables-restore, root
+        ip6tables-restore: CommandFilter, ip6tables-restore, root
+
+        # nova/network/linux_net.py: 'arping', '-U', floating_ip, '-A', '-I', ...
+        # nova/network/linux_net.py: 'arping', '-U', network_ref['dhcp_server'],..
+        arping: CommandFilter, arping, root
+
+        # nova/network/linux_net.py: 'dhcp_release', dev, address, mac_address
+        dhcp_release: CommandFilter, dhcp_release, root
+
+        # nova/network/linux_net.py: 'kill', '-9', pid
+        # nova/network/linux_net.py: 'kill', '-HUP', pid
+        kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP
+
+        # nova/network/linux_net.py: 'kill', pid
+        kill_radvd: KillFilter, root, /usr/sbin/radvd
+
+        # nova/network/linux_net.py: dnsmasq call
+        dnsmasq: EnvFilter, env, root, CONFIG_FILE=, NETWORK_ID=, dnsmasq
+
+        # nova/network/linux_net.py: 'radvd', '-C', '%s' % _ra_file(dev, 'conf'..
+        radvd: CommandFilter, radvd, root
+
+        # nova/network/linux_net.py: 'brctl', 'addbr', bridge
+        # nova/network/linux_net.py: 'brctl', 'setfd', bridge, 0
+        # nova/network/linux_net.py: 'brctl', 'stp', bridge, 'off'
+        # nova/network/linux_net.py: 'brctl', 'addif', bridge, interface
+        brctl: CommandFilter, brctl, root
+
+        # nova/network/linux_net.py: 'sysctl', ....
+        sysctl: CommandFilter, sysctl, root
+
+        # nova/network/linux_net.py: 'conntrack'
+        conntrack: CommandFilter, conntrack, root
+
+        # nova/network/linux_net.py: 'fp-vdev'
+        fp-vdev: CommandFilter, fp-vdev, root
+  nova_ironic:
+    DEFAULT:
+      scheduler_host_manager: ironic_host_manager
+      compute_driver: ironic.IronicDriver
+      ram_allocation_ratio: 1.0
+      cpu_allocation_ratio: 1.0
+      reserved_host_memory_mb: 0
+  libvirt:
+    # Get the IP address to be used as the target for live migration traffic using interface name.
+    # If this option is set to None, the hostname of the migration target compute node will be used.
+    live_migration_interface:
+  hypervisor:
+    # my_ip can be set automatically through this interface name.
+    host_interface:
+  # This list is the keys to exclude from the config file ingested by nova-compute
+  nova_compute_redactions:
+    - database
+    - api_database
+    - cell0_database
+  nova:
+    DEFAULT:
+      log_config_append: /etc/nova/logging.conf
+      default_ephemeral_format: ext4
+      ram_allocation_ratio: 1.0
+      disk_allocation_ratio: 1.0
+      cpu_allocation_ratio: 3.0
+      state_path: /var/lib/nova
+      osapi_compute_listen: 0.0.0.0
+      # NOTE(portdirect): the bind port should not be defined, and is manipulated
+      # via the endpoints section.
+      osapi_compute_listen_port: null
+      osapi_compute_workers: 1
+      metadata_workers: 1
+      use_neutron: true
+      firewall_driver: nova.virt.firewall.NoopFirewallDriver
+      linuxnet_interface_driver: openvswitch
+      compute_driver: libvirt.LibvirtDriver
+      my_ip: 0.0.0.0
+      instance_usage_audit: True
+      instance_usage_audit_period: hour
+      notify_on_state_change: vm_and_task_state
+      resume_guests_state_on_host_boot: True
+    vnc:
+      novncproxy_host: 0.0.0.0
+      vncserver_listen: 0.0.0.0
+      # This would be set by each compute nodes's ip
+      # server_proxyclient_address: 127.0.0.1
+    spice:
+      html5proxy_host: 0.0.0.0
+      server_listen: 0.0.0.0
+      # This would be set by each compute nodes's ip
+      # server_proxyclient_address: 127.0.0.1
+    conductor:
+      workers: 1
+    oslo_policy:
+      policy_file: /etc/nova/policy.yaml
+    oslo_concurrency:
+      lock_path: /var/lib/nova/tmp
+    oslo_middleware:
+      enable_proxy_headers_parsing: true
+    glance:
+      num_retries: 3
+    ironic:
+      api_endpoint: null
+      auth_url: null
+    neutron:
+      metadata_proxy_shared_secret: "password"
+      service_metadata_proxy: True
+      auth_type: password
+      auth_version: v3
+    database:
+      max_retries: -1
+    api_database:
+      max_retries: -1
+    cell0_database:
+      max_retries: -1
+    keystone_authtoken:
+      auth_type: password
+      auth_version: v3
+      memcache_security_strategy: ENCRYPT
+    service_user:
+      auth_type: password
+      send_service_user_token: false
+    libvirt:
+      connection_uri: "qemu+unix:///system?socket=/run/libvirt/libvirt-sock"
+      images_type: qcow2
+      images_rbd_pool: vms
+      images_rbd_ceph_conf: /etc/ceph/ceph.conf
+      rbd_user: cinder
+      rbd_secret_uuid: 457eb676-33da-42ec-9a8c-9293d545c337
+      disk_cachemodes: "network=writeback"
+      hw_disk_discard: unmap
+    upgrade_levels:
+      compute: auto
+    cache:
+      enabled: true
+      backend: dogpile.cache.memcached
+    wsgi:
+      api_paste_config: /etc/nova/api-paste.ini
+    oslo_messaging_notifications:
+      driver: messagingv2
+    oslo_messaging_rabbit:
+      rabbit_ha_queues: true
+    placement:
+      auth_type: password
+      auth_version: v3
+  logging:
+    loggers:
+      keys:
+        - root
+        - nova
+        - os.brick
+    handlers:
+      keys:
+        - stdout
+        - stderr
+        - "null"
+    formatters:
+      keys:
+        - context
+        - default
+    logger_root:
+      level: WARNING
+      handlers: 'null'
+    logger_nova:
+      level: INFO
+      handlers:
+        - stdout
+      qualname: nova
+    logger_os.brick:
+      level: INFO
+      handlers:
+        - stdout
+      qualname: os.brick
+    logger_amqp:
+      level: WARNING
+      handlers: stderr
+      qualname: amqp
+    logger_amqplib:
+      level: WARNING
+      handlers: stderr
+      qualname: amqplib
+    logger_eventletwsgi:
+      level: WARNING
+      handlers: stderr
+      qualname: eventlet.wsgi.server
+    logger_sqlalchemy:
+      level: WARNING
+      handlers: stderr
+      qualname: sqlalchemy
+    logger_boto:
+      level: WARNING
+      handlers: stderr
+      qualname: boto
+    handler_null:
+      class: logging.NullHandler
+      formatter: default
+      args: ()
+    handler_stdout:
+      class: StreamHandler
+      args: (sys.stdout,)
+      formatter: context
+    handler_stderr:
+      class: StreamHandler
+      args: (sys.stderr,)
+      formatter: context
+    formatter_context:
+      class: oslo_log.formatters.ContextFormatter
+      datefmt: "%Y-%m-%d %H:%M:%S"
+    formatter_default:
+      format: "%(message)s"
+      datefmt: "%Y-%m-%d %H:%M:%S"
+  rabbitmq:
+    # NOTE(rk760n): adding rmq policy to mirror messages from notification queues and set expiration time for the ones
+    policies:
+      - vhost: "nova"
+        name: "ha_ttl_nova"
+        definition:
+          # mirror messges to other nodes in rmq cluster
+          ha-mode: "all"
+          ha-sync-mode: "automatic"
+          # 70s
+          message-ttl: 70000
+        priority: 0
+        apply-to: all
+        pattern: '^(?!(amq\.|reply_)).*'
+  enable_iscsi: false
+  archive_deleted_rows:
+    purge_deleted_rows: false
+    until_completion: true
+    all_cells: false
+    max_rows:
+      enabled: False
+      rows: 1000
+    before:
+      enabled: false
+      date: 'nil'
+
+# Names of secrets used by bootstrap and environmental checks
+secrets:
+  identity:
+    admin: nova-keystone-admin
+    nova: nova-keystone-user
+    placement: nova-keystone-placement
+    test: nova-keystone-test
+  oslo_db:
+    admin: nova-db-admin
+    nova: nova-db-user
+  oslo_db_api:
+    admin: nova-db-api-admin
+    nova: nova-db-api-user
+  oslo_db_cell0:
+    admin: nova-db-cell0-admin
+    nova: nova-db-cell0-user
+  oslo_messaging:
+    admin: nova-rabbitmq-admin
+    nova: nova-rabbitmq-user
+  tls:
+    compute:
+      osapi:
+        public: nova-tls-public
+        internal: nova-tls-api
+    compute_novnc_proxy:
+      novncproxy:
+        public: nova-novncproxy-tls-public
+        internal: nova-novncproxy-tls-proxy
+    placement:
+      placement:
+        public: placement-tls-public
+        internal: placement-tls-api
+    compute_metadata:
+      metadata:
+        public: metadata-tls-public
+        internal: metadata-tls-metadata
+    compute_spice_proxy:
+      spiceproxy:
+        internal: nova-tls-spiceproxy
+
+# typically overridden by environmental
+# values, but should include all endpoints
+# required by this chart
+endpoints:
+  cluster_domain_suffix: cluster.local
+  local_image_registry:
+    name: docker-registry
+    namespace: docker-registry
+    hosts:
+      default: localhost
+      internal: docker-registry
+      node: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        node: 5000
+  oslo_db:
+    auth:
+      admin:
+        username: root
+        password: password
+        secret:
+          tls:
+            internal: mariadb-tls-direct
+      nova:
+        username: nova
+        password: password
+    hosts:
+      default: mariadb
+    host_fqdn_override:
+      default: null
+    path: /nova
+    scheme: mysql+pymysql
+    port:
+      mysql:
+        default: 3306
+  oslo_db_api:
+    auth:
+      admin:
+        username: root
+        password: password
+      nova:
+        username: nova
+        password: password
+    hosts:
+      default: mariadb
+    host_fqdn_override:
+      default: null
+    path: /nova_api
+    scheme: mysql+pymysql
+    port:
+      mysql:
+        default: 3306
+  oslo_db_cell0:
+    auth:
+      admin:
+        username: root
+        password: password
+      nova:
+        username: nova
+        password: password
+    hosts:
+      default: mariadb
+    host_fqdn_override:
+      default: null
+    path: /nova_cell0
+    scheme: mysql+pymysql
+    port:
+      mysql:
+        default: 3306
+  oslo_messaging:
+    auth:
+      admin:
+        username: rabbitmq
+        password: password
+        secret:
+          tls:
+            internal: rabbitmq-tls-direct
+      nova:
+        username: nova
+        password: password
+    statefulset:
+      replicas: 2
+      name: rabbitmq-rabbitmq
+    hosts:
+      default: rabbitmq
+    host_fqdn_override:
+      default: null
+    path: /nova
+    scheme: rabbit
+    port:
+      amqp:
+        default: 5672
+      http:
+        default: 15672
+  oslo_cache:
+    auth:
+      # NOTE(portdirect): this is used to define the value for keystone
+      # authtoken cache encryption key, if not set it will be populated
+      # automatically with a random value, but to take advantage of
+      # this feature all services should be set to use the same key,
+      # and memcache service.
+      memcache_secret_key: null
+    hosts:
+      default: memcached
+    host_fqdn_override:
+      default: null
+    port:
+      memcache:
+        default: 11211
+  identity:
+    name: keystone
+    auth:
+      admin:
+        region_name: RegionOne
+        username: admin
+        password: password
+        project_name: admin
+        user_domain_name: default
+        project_domain_name: default
+      nova:
+        role: admin
+        region_name: RegionOne
+        username: nova
+        password: password
+        project_name: service
+        user_domain_name: service
+        project_domain_name: service
+      # NOTE(portdirect): the neutron user is not managed by the nova chart
+      # these values should match those set in the neutron chart.
+      neutron:
+        region_name: RegionOne
+        project_name: service
+        user_domain_name: service
+        project_domain_name: service
+        username: neutron
+        password: password
+      # NOTE(portdirect): the ironic user is not managed by the nova chart
+      # these values should match those set in the ironic chart.
+      ironic:
+        auth_type: password
+        auth_version: v3
+        region_name: RegionOne
+        project_name: service
+        user_domain_name: service
+        project_domain_name: service
+        username: ironic
+        password: password
+      placement:
+        role: admin
+        region_name: RegionOne
+        username: placement
+        password: password
+        project_name: service
+        user_domain_name: service
+        project_domain_name: service
+      test:
+        role: admin
+        region_name: RegionOne
+        username: nova-test
+        password: password
+        project_name: test
+        user_domain_name: service
+        project_domain_name: service
+    hosts:
+      default: keystone
+      internal: keystone-api
+    host_fqdn_override:
+      default: null
+    path:
+      default: /v3
+    scheme:
+      default: http
+    port:
+      api:
+        default: 80
+        internal: 5000
+  image:
+    name: glance
+    hosts:
+      default: glance-api
+      public: glance
+    host_fqdn_override:
+      default: null
+    path:
+      default: null
+    scheme:
+      default: http
+    port:
+      api:
+        default: 9292
+        public: 80
+  compute:
+    name: nova
+    hosts:
+      default: nova-api
+      public: nova
+    host_fqdn_override:
+      default: null
+      # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
+      # endpoints using the following format:
+      # public:
+      #   host: null
+      #   tls:
+      #     crt: null
+      #     key: null
+    path:
+      default: "/v2.1/%(tenant_id)s"
+    scheme:
+      default: 'http'
+    port:
+      api:
+        default: 8774
+        public: 80
+      novncproxy:
+        default: 6080
+  compute_metadata:
+    name: nova
+    ip:
+      # IF blank, set clusterIP and metadata_host dynamically
+      ingress: null
+    hosts:
+      default: nova-metadata
+      public: metadata
+    host_fqdn_override:
+      default: null
+    path:
+      default: /
+    scheme:
+      default: 'http'
+    port:
+      metadata:
+        default: 8775
+        public: 80
+  compute_novnc_proxy:
+    name: nova
+    hosts:
+      default: nova-novncproxy
+      public: novncproxy
+    host_fqdn_override:
+      default: null
+      # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
+      # endpoints using the following format:
+      # public:
+      #   host: null
+      #   tls:
+      #     crt: null
+      #     key: null
+    path:
+      default: /vnc_auto.html
+    scheme:
+      default: 'http'
+    port:
+      novnc_proxy:
+        default: 6080
+        public: 80
+  compute_spice_proxy:
+    name: nova
+    hosts:
+      default: nova-spiceproxy
+      public: placement
+    host_fqdn_override:
+      default: null
+    path:
+      default: /spice_auto.html
+    scheme:
+      default: 'http'
+    port:
+      spice_proxy:
+        default: 6082
+  placement:
+    name: placement
+    hosts:
+      default: placement-api
+      public: placement
+    host_fqdn_override:
+      default: null
+    path:
+      default: /
+    scheme:
+      default: 'http'
+    port:
+      api:
+        default: 8778
+        public: 80
+  network:
+    name: neutron
+    hosts:
+      default: neutron-server
+      public: neutron
+    host_fqdn_override:
+      default: null
+    path:
+      default: null
+    scheme:
+      default: 'http'
+    port:
+      api:
+        default: 9696
+        public: 80
+  baremetal:
+    name: ironic
+    hosts:
+      default: ironic-api
+      public: ironic
+    host_fqdn_override:
+      default: null
+    path:
+      default: null
+    scheme:
+      default: http
+    port:
+      api:
+        default: 6385
+        public: 80
+  fluentd:
+    namespace: null
+    name: fluentd
+    hosts:
+      default: fluentd-logging
+    host_fqdn_override:
+      default: null
+    path:
+      default: null
+    scheme: 'http'
+    port:
+      service:
+        default: 24224
+      metrics:
+        default: 24220
+  # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
+  # They are using to enable the Egress K8s network policy.
+  kube_dns:
+    namespace: kube-system
+    name: kubernetes-dns
+    hosts:
+      default: kube-dns
+    host_fqdn_override:
+      default: null
+    path:
+      default: null
+    scheme: http
+    port:
+      dns:
+        default: 53
+        protocol: UDP
+  ingress:
+    namespace: null
+    name: ingress
+    hosts:
+      default: ingress
+    port:
+      ingress:
+        default: 80
+
+pod:
+  probes:
+    rpc_timeout: 60
+    rpc_retries: 2
+    compute:
+      default:
+        liveness:
+          enabled: True
+          params:
+            initialDelaySeconds: 120
+            periodSeconds: 90
+            timeoutSeconds: 70
+        readiness:
+          enabled: True
+          params:
+            initialDelaySeconds: 80
+            periodSeconds: 90
+            timeoutSeconds: 70
+    api-metadata:
+      default:
+        liveness:
+          enabled: True
+          params:
+            initialDelaySeconds: 30
+            periodSeconds: 60
+            timeoutSeconds: 15
+        readiness:
+          enabled: True
+          params:
+            initialDelaySeconds: 30
+            periodSeconds: 60
+            timeoutSeconds: 15
+    api-osapi:
+      default:
+        liveness:
+          enabled: True
+          params:
+            initialDelaySeconds: 30
+            periodSeconds: 60
+            timeoutSeconds: 15
+        readiness:
+          enabled: True
+          params:
+            initialDelaySeconds: 30
+            periodSeconds: 60
+            timeoutSeconds: 15
+    conductor:
+      default:
+        liveness:
+          enabled: True
+          params:
+            initialDelaySeconds: 120
+            periodSeconds: 90
+            timeoutSeconds: 70
+        readiness:
+          enabled: True
+          params:
+            initialDelaySeconds: 80
+            periodSeconds: 90
+            timeoutSeconds: 70
+    consoleauth:
+      default:
+        liveness:
+          enabled: True
+          params:
+            initialDelaySeconds: 120
+            periodSeconds: 90
+            timeoutSeconds: 70
+        readiness:
+          enabled: True
+          params:
+            initialDelaySeconds: 80
+            periodSeconds: 90
+            timeoutSeconds: 70
+    novncproxy:
+      default:
+        liveness:
+          enabled: True
+          params:
+            initialDelaySeconds: 30
+            periodSeconds: 60
+            timeoutSeconds: 15
+        readiness:
+          enabled: True
+          params:
+            initialDelaySeconds: 30
+            periodSeconds: 60
+            timeoutSeconds: 15
+    placement:
+      default:
+        liveness:
+          enabled: True
+          params:
+            initialDelaySeconds: 50
+            periodSeconds: 30
+            timeoutSeconds: 10
+        readiness:
+          enabled: True
+          params:
+            initialDelaySeconds: 15
+            periodSeconds: 30
+            timeoutSeconds: 10
+    scheduler:
+      default:
+        liveness:
+          enabled: True
+          params:
+            initialDelaySeconds: 120
+            periodSeconds: 90
+            timeoutSeconds: 70
+        readiness:
+          enabled: True
+          params:
+            initialDelaySeconds: 80
+            periodSeconds: 90
+            timeoutSeconds: 70
+    compute-spice-proxy:
+      default:
+        liveness:
+          enabled: True
+          params:
+            initialDelaySeconds: 30
+            periodSeconds: 60
+            timeoutSeconds: 15
+        readiness:
+          enabled: True
+          params:
+            initialDelaySeconds: 30
+            periodSeconds: 60
+            timeoutSeconds: 15
+  security_context:
+    nova:
+      pod:
+        runAsUser: 42424
+      container:
+        nova_compute_init:
+          readOnlyRootFilesystem: true
+          runAsUser: 0
+        tungstenfabric_compute_init:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+        ceph_perms:
+          readOnlyRootFilesystem: true
+          runAsUser: 0
+        ceph_admin_keyring_placement:
+          readOnlyRootFilesystem: true
+        ceph_keyring_placement:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+        nova_compute_vnc_init:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+        nova_compute_spice_init:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+        nova_compute:
+          readOnlyRootFilesystem: true
+          privileged: true
+        nova_compute_ssh:
+          privileged: true
+          runAsUser: 0
+        nova_compute_ssh_init:
+          runAsUser: 0
+        nova_api_metadata_init:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+        nova_api:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+        nova_osapi:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+        nova_conductor:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+        nova_consoleauth:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+        nova_novncproxy_init:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+        nova_novncproxy_init_assests:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+        nova_novncproxy:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+        nova_placement_api:
+          readOnlyRootFilesystem: false
+          allowPrivilegeEscalation: false
+        nova_scheduler:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+        nova_spiceproxy_init:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+        nova_spiceproxy_init_assets:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+        nova_spiceproxy:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+    bootstrap:
+      pod:
+        runAsUser: 42424
+      container:
+        nova_wait_for_computes_init:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+        bootstrap:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+    nova_cell_setup:
+      pod:
+        runAsUser: 42424
+      container:
+        nova_wait_for_computes_init:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+        nova_cell_setup_init:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+        nova_cell_setup:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+    archive_deleted_rows:
+      pod:
+        runAsUser: 42424
+      container:
+        nova_archive_deleted_rows_init:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+        nova_archive_deleted_rows:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+    cell_setup:
+      pod:
+        runAsUser: 42424
+      container:
+        nova_cell_setup:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+    service_cleaner:
+      pod:
+        runAsUser: 42424
+      container:
+        nova_service_cleaner:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+  use_fqdn:
+    # NOTE: If the option "host" is not specified in nova.conf, the host name
+    # shown in the hypervisor host is defaulted to the short name of the host.
+    # Setting the option here to true will cause use $(hostname --fqdn) as the
+    # host name by default. If the short name is desired $(hostname --short),
+    # set the option to false. Specifying a host in the nova.conf via the conf:
+    # section will supersede the value of this option.
+    compute: true
+  affinity:
+    anti:
+      type:
+        default: preferredDuringSchedulingIgnoredDuringExecution
+      topologyKey:
+        default: kubernetes.io/hostname
+      weight:
+        default: 10
+  mounts:
+    nova_compute:
+      init_container: null
+      nova_compute:
+        volumeMounts:
+        volumes:
+    nova_compute_ironic:
+      init_container: null
+      nova_compute_ironic:
+        volumeMounts:
+        volumes:
+    nova_api_metadata:
+      init_container: null
+      nova_api_metadata:
+        volumeMounts:
+        volumes:
+    nova_placement:
+      init_container: null
+      nova_placement:
+        volumeMounts:
+        volumes:
+    nova_api_osapi:
+      init_container: null
+      nova_api_osapi:
+        volumeMounts:
+        volumes:
+    nova_consoleauth:
+      init_container: null
+      nova_consoleauth:
+        volumeMounts:
+        volumes:
+    nova_conductor:
+      init_container: null
+      nova_conductor:
+        volumeMounts:
+        volumes:
+    nova_scheduler:
+      init_container: null
+      nova_scheduler:
+        volumeMounts:
+        volumes:
+    nova_bootstrap:
+      init_container: null
+      nova_bootstrap:
+        volumeMounts:
+        volumes:
+    nova_tests:
+      init_container: null
+      nova_tests:
+        volumeMounts:
+        volumes:
+    nova_novncproxy:
+      init_novncproxy: null
+      nova_novncproxy:
+        volumeMounts:
+        volumes:
+    nova_spiceproxy:
+      init_spiceproxy: null
+      nova_spiceproxy:
+        volumeMounts:
+        volumes:
+    nova_db_sync:
+      nova_db_sync:
+        volumeMounts:
+        volumes:
+  useHostNetwork:
+    novncproxy: true
+  replicas:
+    api_metadata: 1
+    compute_ironic: 1
+    placement: 1
+    osapi: 1
+    conductor: 1
+    consoleauth: 1
+    scheduler: 1
+    novncproxy: 1
+    spiceproxy: 1
+  lifecycle:
+    upgrades:
+      deployments:
+        revision_history: 3
+        pod_replacement_strategy: RollingUpdate
+        rolling_update:
+          max_unavailable: 1
+          max_surge: 3
+      daemonsets:
+        pod_replacement_strategy: RollingUpdate
+        compute:
+          enabled: true
+          min_ready_seconds: 0
+          max_unavailable: 1
+    disruption_budget:
+      metadata:
+        min_available: 0
+      placement:
+        min_available: 0
+      osapi:
+        min_available: 0
+    termination_grace_period:
+      metadata:
+        timeout: 30
+      placement:
+        timeout: 30
+      osapi:
+        timeout: 30
+  resources:
+    enabled: false
+    compute:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+    compute_ironic:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+    api_metadata:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+    placement:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+    api:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+    conductor:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+    consoleauth:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+    scheduler:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+    ssh:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+    novncproxy:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+    spiceproxy:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+    jobs:
+      bootstrap:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      db_init:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      rabbit_init:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      db_sync:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      archive_deleted_rows:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      db_drop:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      ks_endpoints:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      ks_service:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      ks_user:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      tests:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      cell_setup:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      service_cleaner:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      image_repo_sync:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+
+network_policy:
+  nova:
+    # TODO(lamt): Need to tighten this ingress for security.
+    ingress:
+      - {}
+    egress:
+      - {}
+  placement:
+    # TODO(lamt): Need to tighten this ingress for security.
+    ingress:
+      - {}
+    egress:
+      - {}
+
+# NOTE(helm_hook): helm_hook might break for helm2 binary.
+# set helm3_hook: false when using the helm2 binary.
+helm3_hook: true
+
+health_probe:
+  logging:
+    level: ERROR
+
+manifests:
+  certificates: false
+  configmap_bin: true
+  configmap_etc: true
+  cron_job_cell_setup: true
+  cron_job_service_cleaner: true
+  cron_job_archive_deleted_rows: false
+  daemonset_compute: true
+  deployment_api_metadata: true
+  deployment_api_osapi: true
+  deployment_placement: true
+  deployment_conductor: true
+  deployment_consoleauth: true
+  deployment_novncproxy: true
+  deployment_spiceproxy: true
+  deployment_scheduler: true
+  ingress_metadata: true
+  ingress_novncproxy: true
+  ingress_placement: true
+  ingress_osapi: true
+  job_bootstrap: true
+  job_db_init: true
+  job_db_init_placement: true
+  job_db_sync: true
+  job_db_drop: false
+  job_image_repo_sync: true
+  job_rabbit_init: true
+  job_ks_endpoints: true
+  job_ks_service: true
+  job_ks_user: true
+  job_ks_placement_endpoints: true
+  job_ks_placement_service: true
+  job_ks_placement_user: true
+  job_cell_setup: true
+  pdb_metadata: true
+  pdb_placement: true
+  pdb_osapi: true
+  pod_rally_test: true
+  network_policy: false
+  secret_db_api: true
+  secret_db_cell0: true
+  secret_db: true
+  secret_ingress_tls: true
+  secret_keystone: true
+  secret_keystone_placement: true
+  secret_rabbitmq: true
+  service_ingress_metadata: true
+  service_ingress_novncproxy: true
+  service_ingress_placement: true
+  service_ingress_osapi: true
+  service_metadata: true
+  service_placement: true
+  service_novncproxy: true
+  service_spiceproxy: true
+  service_osapi: true
+  statefulset_compute_ironic: false
+...
diff --git a/charts/octavia/Chart.yaml b/charts/octavia/Chart.yaml
new file mode 100644
index 0000000..a685d8c
--- /dev/null
+++ b/charts/octavia/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Octavia
+home: https://docs.openstack.org/octavia/latest/
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/Octavia/OpenStack_Project_Octavia_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: octavia
+sources:
+- https://opendev.org/openstack/octavia
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.5
diff --git a/charts/octavia/charts/helm-toolkit/Chart.yaml b/charts/octavia/charts/helm-toolkit/Chart.yaml
new file mode 100644
index 0000000..d90280e
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Helm-Toolkit
+home: https://docs.openstack.org/openstack-helm
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: helm-toolkit
+sources:
+- https://opendev.org/openstack/openstack-helm-infra
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.44
diff --git a/charts/octavia/charts/helm-toolkit/requirements.yaml b/charts/octavia/charts/helm-toolkit/requirements.yaml
new file mode 100644
index 0000000..27fb08a
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/requirements.yaml
@@ -0,0 +1,15 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies: []
+...
diff --git a/charts/octavia/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl b/charts/octavia/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..12b84de
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
@@ -0,0 +1,58 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves database, or basic auth, style endpoints
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      auth:
+        admin:
+          username: root
+          password: password
+        service_username:
+          username: username
+          password: password
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+      path: /dbname
+      scheme: mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "service_username" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+return: |
+  mysql+pymysql://serviceuser:password@mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s:%s@%s:%s%s" $endpointScheme $endpointUser $endpointPass $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl b/charts/octavia/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..b7cf287
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
@@ -0,0 +1,121 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves endpoint string suitible for use with oslo.messaging transport url
+  See: https://docs.openstack.org/oslo.messaging/latest/reference/transport.html#oslo_messaging.TransportURL
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset:
+            replicas: 2
+            name: rabbitmq-rabbitmq
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: null
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq-rabbitmq-0.rabbitmq.default.svc.cluster.local:5672,cinder:password@rabbitmq-rabbitmq-1.rabbitmq.default.svc.cluster.local:5672/cinder
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset: null
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: null
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq.default.svc.cluster.local:5672/cinder
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset:
+            replicas: 2
+            name: rabbitmq-rabbitmq
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: rabbitmq.openstackhelm.org
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq.openstackhelm.org:5672/cinder
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" -}}
+{{-   $type := index . 0 -}}
+{{-   $endpoint := index . 1 -}}
+{{-   $userclass := index . 2 -}}
+{{-   $port := index . 3 -}}
+{{-   $context := index . 4 -}}
+{{-   $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{-   $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{-   $ssMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "statefulset" | default false}}
+{{-   $hostFqdnOverride := index $context.Values.endpoints ( $type | replace "-" "_" ) "host_fqdn_override" }}
+{{-   $endpointUser := index $userMap "username" }}
+{{-   $endpointPass := index $userMap "password" }}
+{{-   $endpointHostSuffix := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{-   $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{-   $local := dict "endpointCredsAndHosts" list -}}
+{{-   if not (or (index $hostFqdnOverride $endpoint | default ( index $hostFqdnOverride "default" ) ) ( not $ssMap ) ) }}
+{{-     $endpointHostPrefix := $ssMap.name }}
+{{-     range $podInt := until ( atoi (print $ssMap.replicas ) ) }}
+{{-       $endpointCredAndHost := printf "%s:%s@%s-%d.%s:%s" $endpointUser $endpointPass $endpointHostPrefix $podInt $endpointHostSuffix $endpointPort }}
+{{-       $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{-     end }}
+{{-   else }}
+{{-     $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{-     $endpointCredAndHost := printf "%s:%s@%s:%s" $endpointUser $endpointPass $endpointHost $endpointPort }}
+{{-     $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{-   end }}
+{{-   $endpointCredsAndHosts := include "helm-toolkit.utils.joinListWithComma" $local.endpointCredsAndHosts }}
+{{-   $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{-   printf "%s://%s%s" $endpointScheme $endpointCredsAndHosts $endpointPath }}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl b/charts/octavia/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
new file mode 100644
index 0000000..fb8bbe7
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves either the fully qualified hostname, of if defined in the host field
+  IPv4 for an endpoint.
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default:
+             host: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: 127.0.0.1
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      127.0.0.1
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default:
+             host: 127.0.0.1
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      127.0.0.1
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_host_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl b/charts/octavia/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
new file mode 100644
index 0000000..447efe7
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
@@ -0,0 +1,41 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the port for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+return: |
+  3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_port_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- $endpointPortMAP := index $endpointMap.port $port }}
+{{- $endpointPort := index $endpointPortMAP $endpoint | default ( index $endpointPortMAP "default" ) }}
+{{- printf "%1.f" $endpointPort -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl b/charts/octavia/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
new file mode 100644
index 0000000..3a268c0
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
@@ -0,0 +1,36 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Gets the token for an endpoint
+values: |
+  endpoints:
+    keystone:
+      auth:
+        admin:
+          token: zh78JzXgw6YUKy2e
+usage: |
+  {{ tuple "keystone" "admin" . | include "helm-toolkit.endpoints.endpoint_token_lookup" }}
+return: |
+  zh78JzXgw6YUKy2e
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_token_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $userName := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" }}
+{{- printf "%s" $serviceToken -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl b/charts/octavia/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..6877b7b
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
@@ -0,0 +1,59 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves 'hostname:port' for an endpoint
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+          port:
+            mysql:
+              default: 3306
+    usage: |
+      {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local:3306
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: 127.0.0.1
+          host_fqdn_override:
+            default: null
+          port:
+            mysql:
+              default: 3306
+    usage: |
+      {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+    return: |
+      127.0.0.1:3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- printf "%s:%s" $endpointHostname $endpointPort -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl b/charts/octavia/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
new file mode 100644
index 0000000..26374e3
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the fully qualified hostname for an endpoint
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: mariadb.openstackhelm.openstack.org
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.openstackhelm.openstack.org
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default:
+              host: mariadb.openstackhelm.openstack.org
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.openstackhelm.openstack.org
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointHostNamespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.svc.%s" $endpointHostNamespaced $context.Values.endpoints.cluster_domain_suffix }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $endpointMap.host_fqdn_override "default" | default "" ) }}
+{{- if kindIs "map" $context.Values.__FQDNendpointHostDefault }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $context.Values.__FQDNendpointHostDefault "host" ) }}
+{{- end }}
+{{- if kindIs "map" (index $endpointMap.host_fqdn_override $endpoint) }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint "host" | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl b/charts/octavia/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
new file mode 100644
index 0000000..9d60393
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
@@ -0,0 +1,40 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the namespace scoped hostname for an endpoint
+values: |
+  endpoints:
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+return: |
+  mariadb.default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.%s" $endpointHost $namespace }}
+{{- printf "%s" $endpointClusterHostname -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl b/charts/octavia/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
new file mode 100644
index 0000000..cc4d4de
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the namespace scoped hostname for an endpoint
+values: |
+  endpoints:
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" }}
+return: |
+  default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- printf "%s" $namespace -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl b/charts/octavia/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
new file mode 100644
index 0000000..f23c624
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the short hostname for an endpoint
+examples:
+  - values: |
+      endpoints:
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+    return: |
+      mariadb
+  - values: |
+      endpoints:
+        oslo_db:
+          hosts:
+            default:
+              host: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+    return: |
+      mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- printf "%s" $type -}}
+{{- else }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl b/charts/octavia/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
new file mode 100644
index 0000000..e31c0eb
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the service name for an service type
+values: |
+  endpoints:
+    identity:
+      name: keystone
+usage: |
+  {{ tuple identity . | include "keystone_endpoint_name_lookup" }}
+return: |
+  "keystone"
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_name_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointName := index $endpointMap "name" }}
+{{- $endpointName | quote -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl b/charts/octavia/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
new file mode 100644
index 0000000..b2ec648
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+  Resolves the path for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      path:
+       default: /dbname
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+return: |
+  /dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_path_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.path }}
+{{- printf "%s" $endpointMap.path | default "/" -}}
+{{- else -}}
+{{- $endpointPath := index $endpointMap.path $endpoint | default $endpointMap.path.default | default "/" }}
+{{- printf "%s" $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl b/charts/octavia/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
new file mode 100644
index 0000000..b35cb0b
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+  Resolves the scheme for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      scheme:
+        default:
+          mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+return: |
+  mysql+pymysql
+*/}}
+
+# This function returns the scheme for a service, it takes an tuple
+# input in the form: service-type, endpoint-class, port-name. eg:
+# { tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_scheme_lookup" }
+# will return the scheme setting for this particular endpoint.  In other words, for most endpoints
+# it will return either 'http' or 'https'
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.scheme }}
+{{- printf "%s" $endpointMap.scheme | default "http" -}}
+{{- else -}}
+{{- $endpointScheme := index $endpointMap.scheme $endpoint | default $endpointMap.scheme.default | default "http" }}
+{{- printf "%s" $endpointScheme -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl b/charts/octavia/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..8d0819c
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
@@ -0,0 +1,52 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  This function helps resolve uri style endpoints. It will omit the port for
+  http when 80 is used, and 443 in the case of https.
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+      path: /dbname
+      scheme: mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+return: |
+  mysql+pymysql://mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- if or ( and ( eq $endpointScheme "http" ) ( eq $endpointPort "80" ) ) ( and ( eq $endpointScheme "https" ) ( eq $endpointPort "443" ) ) -}}
+{{- printf "%s://%s%s" $endpointScheme $endpointHost $endpointPath -}}
+{{- else -}}
+{{- printf "%s://%s:%s%s" $endpointScheme $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl b/charts/octavia/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
new file mode 100644
index 0000000..cf2ef38
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  This function returns endpoint "<namespace>:<name>" pair from an endpoint
+  definition. This is used in kubernetes-entrypoint to support dependencies
+  between different services in different namespaces.
+  returns: the endpoint namespace and the service name, delimited by a colon
+
+  Normally, the service name is constructed dynamically from the hostname
+  however when an ip address is used as the hostname, we default to
+  namespace:endpointCategoryName in order to construct a valid service name
+  however this can be overridden to a custom service name by defining
+  .service.name within the endpoint definition
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      namespace: foo
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple oslo_db internal . | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}
+return: |
+  foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- with $endpointMap -}}
+{{- $endpointName := index .hosts $endpoint | default .hosts.default }}
+{{- $endpointNamespace := .namespace | default $context.Release.Namespace }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointName }}
+{{- if .service.name }}
+{{- printf "%s:%s" $endpointNamespace .service.name -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $typeYamlSafe -}}
+{{- end -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $endpointName -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl b/charts/octavia/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
new file mode 100644
index 0000000..18453ee
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for kubernete ceph storageclass
+examples:
+  - values: |
+      manifests:
+        storageclass: true
+      storageclass:
+        rbd:
+          provision_storage_class: true
+          provisioner: "ceph.com/rbd"
+          metadata:
+            default_storage_class: true
+            name: general
+          parameters:
+            #We will grab the monitors value based on helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup
+            pool: rbd
+            admin_id: admin
+            ceph_configmap_name: "ceph-etc"
+            admin_secret_name: "pvc-ceph-conf-combined-storageclass"
+            admin_secret_namespace: ceph
+            user_id: admin
+            user_secret_name: "pvc-ceph-client-key"
+            image_format: "2"
+            image_features: layering
+        cephfs:
+          provision_storage_class: true
+          provisioner: "ceph.com/cephfs"
+          metadata:
+            name: cephfs
+          parameters:
+            admin_id: admin
+            admin_secret_name: "pvc-ceph-cephfs-client-key"
+            admin_secret_namespace: ceph
+    usage: |
+      {{- range $storageclass, $val := .Values.storageclass }}
+      {{ dict "storageclass_data" $val "envAll" $ | include "helm-toolkit.manifests.ceph-storageclass" }}
+      {{- end }}
+    return: |
+      ---
+      apiVersion: storage.k8s.io/v1
+      kind: StorageClass
+      metadata:
+        annotations:
+          storageclass.kubernetes.io/is-default-class: "true"
+        name: general
+      provisioner: ceph.com/rbd
+      parameters:
+        monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+        adminId: admin
+        adminSecretName: pvc-ceph-conf-combined-storageclass
+        adminSecretNamespace: ceph
+        pool: rbd
+        userId: admin
+        userSecretName: pvc-ceph-client-key
+        image_format: "2"
+        image_features: layering
+      ---
+      apiVersion: storage.k8s.io/v1
+      kind: StorageClass
+      metadata:
+        name: cephfs
+      provisioner: ceph.com/cephfs
+      parameters:
+        monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+        adminId: admin
+        adminSecretName: pvc-ceph-cephfs-client-key
+        adminSecretNamespace: ceph
+*/}}
+
+{{- define "helm-toolkit.manifests.ceph-storageclass" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $monHost := $envAll.Values.conf.ceph.global.mon_host -}}
+{{- if empty $monHost -}}
+{{- $monHost = tuple "ceph_mon" "internal" "mon" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- end -}}
+{{- $storageclassData := index . "storageclass_data" -}}
+---
+{{- if $storageclassData.provision_storage_class }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+{{- if $storageclassData.metadata.default_storage_class }}
+  annotations:
+    storageclass.kubernetes.io/is-default-class: "true"
+{{- end }}
+  name: {{ $storageclassData.metadata.name }}
+provisioner: {{ $storageclassData.provisioner }}
+parameters:
+  monitors: {{ $monHost }}
+{{- range $attr, $value := $storageclassData.parameters }}
+  {{ $attr }}: {{ $value | quote }}
+{{- end }}
+allowVolumeExpansion: true
+
+{{- end }}
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/manifests/_certificates.tpl b/charts/octavia/charts/helm-toolkit/templates/manifests/_certificates.tpl
new file mode 100644
index 0000000..8be771e
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/manifests/_certificates.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a certificate using jetstack
+examples:
+  - values: |
+      endpoints:
+        dashboard:
+          host_fqdn_override:
+            default:
+              host: null
+              tls:
+                secretName: keystone-tls-api
+                issuerRef:
+                  name: ca-issuer
+                  duration: 2160h
+                  organization:
+                    - ACME
+                  commonName: keystone-api.openstack.svc.cluster.local
+                  privateKey:
+                    size: 2048
+                  usages:
+                    - server auth
+                    - client auth
+                  dnsNames:
+                    - cluster.local
+                  issuerRef:
+                    name: ca-issuer
+    usage: |
+      {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
+      {{ $opts | include "helm-toolkit.manifests.certificates" }}
+    return: |
+      ---
+      apiVersion: cert-manager.io/v1
+      kind: Certificate
+      metadata:
+        name: keystone-tls-api
+        namespace: NAMESPACE
+      spec:
+        commonName: keystone-api.openstack.svc.cluster.local
+        dnsNames:
+        - cluster.local
+        duration: 2160h
+        issuerRef:
+          name: ca-issuer
+        privateKey:
+          size: 2048
+        organization:
+        - ACME
+        secretName: keystone-tls-api
+        usages:
+        - server auth
+        - client auth
+*/}}
+
+{{- define "helm-toolkit.manifests.certificates" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $service := index . "service" -}}
+{{- $type := index . "type" | default "" -}}
+{{- $slice := index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" -}}
+{{/* Put in some sensible default value if one is not provided by values.yaml */}}
+{{/* If a dnsNames list is not in the values.yaml, it can be overridden by a passed-in parameter.
+  This allows user to use other HTK method to determine the URI and pass that into this method.*/}}
+{{- if not (hasKey $slice "dnsNames") -}}
+{{- $hostName := tuple $service $type $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
+{{- $_ := $dnsNames | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "dnsNames" -}}
+{{- end -}}
+{{/* Default privateKey size to 4096. This can be overridden. */}}
+{{- if not (hasKey $slice "privateKey") -}}
+{{- $_ := dict "size" ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "privateKey" -}}
+{{- else if empty (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey" "size") -}}
+{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey") "size" -}}
+{{- end -}}
+{{/* Default duration to 3 months. Note the min is 720h. This can be overridden. */}}
+{{- if not (hasKey $slice "duration") -}}
+{{- $_ := printf "%s" "2190h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "duration" -}}
+{{- end -}}
+{{/* Default renewBefore to 15 days. This can be overridden. */}}
+{{- if not (hasKey $slice "renewBefore") -}}
+{{- $_ := printf "%s" "360h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "renewBefore" -}}
+{{- end -}}
+{{/* Default the usage to server auth and client auth. This can be overridden. */}}
+{{- if not (hasKey $slice "usages") -}}
+{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}}
+{{- end -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }}
+  namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{ $slice | toYaml | indent 2 }}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/octavia/charts/helm-toolkit/templates/manifests/_ingress.tpl
new file mode 100644
index 0000000..7846895
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -0,0 +1,729 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a services ingress rules.
+examples:
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public: barbican
+          host_fqdn_override:
+            default: null
+            public:
+              host: barbican.openstackhelm.example
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican-namespace-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican.openstackhelm.example
+        rules:
+          - host: barbican.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican-cluster-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx-cluster"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican.openstackhelm.example
+        rules:
+          - host: barbican.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  - values: |
+      cert_issuer_type: issuer
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/secure-backends: "true"
+              nginx.ingress.kubernetes.io/backend-protocol: "https"
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+              internal: barbican-tls-api
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+          certs:
+            barbican_tls_api:
+              secretName: barbican-tls-api
+              issuerRef:
+                name: ca-issuer
+                kind: Issuer
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          cert-manager.io/issuer: ca-issuer
+          certmanager.k8s.io/issuer: ca-issuer
+          nginx.ingress.kubernetes.io/backend-protocol: https
+          nginx.ingress.kubernetes.io/secure-backends: "true"
+      spec:
+        tls:
+          - secretName: barbican-tls-public-certmanager
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/secure-backends: "true"
+              nginx.ingress.kubernetes.io/backend-protocol: "https"
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+              internal: barbican-tls-api
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+          certs:
+            barbican_tls_api:
+              secretName: barbican-tls-api
+              issuerRef:
+                name: ca-issuer
+                kind: ClusterIssuer
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer") -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          cert-manager.io/cluster-issuer: ca-issuer
+          certmanager.k8s.io/cluster-issuer: ca-issuer
+          nginx.ingress.kubernetes.io/backend-protocol: https
+          nginx.ingress.kubernetes.io/secure-backends: "true"
+      spec:
+        tls:
+          - secretName: barbican-tls-public-certmanager
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  # Sample usage for multiple DNS names associated with the same public
+  # endpoint and certificate
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        grafana:
+          name: grafana
+          hosts:
+            default: grafana-dashboard
+            public: grafana
+          host_fqdn_override:
+            public:
+              host: grafana.openstackhelm.example
+              tls:
+                dnsNames:
+                  - grafana-alt.openstackhelm.example
+                crt: "BASE64 ENCODED CERT"
+                key: "BASE64 ENCODED KEY"
+      network:
+        grafana:
+          ingress:
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          grafana:
+            grafana:
+              public: grafana-tls-public
+    usage: |
+      {{- $ingressOpts := dict "envAll" . "backendService" "grafana" "backendServiceType" "grafana" "backendPort" "dashboard" -}}
+      {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        rules:
+          - host: grafana
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana-namespace-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: grafana-tls-public
+            hosts:
+              - grafana.openstackhelm.example
+              - grafana-alt.openstackhelm.example
+        rules:
+          - host: grafana.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana-alt.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana-cluster-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx-cluster"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: grafana-tls-public
+            hosts:
+              - grafana.openstackhelm.example
+              - grafana-alt.openstackhelm.example
+        rules:
+          - host: grafana.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana-alt.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+
+*/}}
+
+{{- define "helm-toolkit.manifests.ingress._host_rules" -}}
+{{- $vHost := index . "vHost" -}}
+{{- $backendName := index . "backendName" -}}
+{{- $backendPort := index . "backendPort" -}}
+- host: {{ $vHost }}
+  http:
+    paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: {{ $backendName }}
+            port:
+{{- if or (kindIs "int" $backendPort) (regexMatch "^[0-9]{1,5}$" $backendPort) }}
+              number: {{ $backendPort | int }}
+{{- else }}
+              name: {{ $backendPort | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "helm-toolkit.manifests.ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendService := index . "backendService" | default "api" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+{{- $backendPort := index . "backendPort" -}}
+{{- $endpoint := index . "endpoint" | default "public" -}}
+{{- $certIssuer := index . "certIssuer" | default "" -}}
+{{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostNameFull := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $certIssuerType := "cluster-issuer" -}}
+{{- if $envAll.Values.cert_issuer_type }}
+{{- $certIssuerType = $envAll.Values.cert_issuer_type }}
+{{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $ingressName }}
+  annotations:
+    kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" "namespace" | quote }}
+{{- if $certIssuer }}
+    cert-manager.io/{{ $certIssuerType }}: {{ $certIssuer }}
+    certmanager.k8s.io/{{ $certIssuerType }}: {{ $certIssuer }}
+{{- $slice := index $envAll.Values.endpoints $backendServiceType "host_fqdn_override" "default" "tls" -}}
+{{- if (hasKey $slice "duration") }}
+    cert-manager.io/duration: {{ index $slice "duration" }}
+{{- end }}
+{{- end }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "hosts" }}
+{{- if $certIssuer }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ printf "%s-ing" $secretName }}
+      hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+        - {{ $vHost }}
+{{- end }}
+{{- else }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ $secretName }}
+      hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+        - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+  rules:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+{{- $hostRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
+{{- $ingressConf := $envAll.Values.network.server.ingress -}}
+{{- $ingressClasses := ternary (tuple "namespace") (tuple "namespace" "cluster") (and (hasKey $ingressConf "use_external_ingress_controller") $ingressConf.use_external_ingress_controller) }}
+{{- range $key2, $ingressController := $ingressClasses }}
+{{- $vHosts := list $hostNameFull }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ printf "%s-%s-%s" $ingressName $ingressController "fqdn" }}
+  annotations:
+    kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" $ingressController | quote }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
+{{- $vHosts = append $vHosts $v }}
+{{- end }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ $secretName }}
+      hosts:
+{{- range $vHost := $vHosts }}
+        - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+  rules:
+{{- range $vHost := $vHosts }}
+{{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/charts/octavia/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
new file mode 100644
index 0000000..5d98c8b
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
@@ -0,0 +1,141 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $bootstrapJob := dict "envAll" . "serviceName" "senlin" -}
+# { $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }
+
+{{- define "helm-toolkit.manifests.job_bootstrap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}}
+{{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $keystoneUser := index . "keystoneUser" | default $serviceName -}}
+{{- $openrc := index . "openrc" | default "true" -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "bootstrap" }}
+{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "bootstrap" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+      containers:
+        - name: bootstrap
+          image: {{ $envAll.Values.images.tags.bootstrap }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if eq $openrc "true" }}
+          env:
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+{{- end }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/bootstrap.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: bootstrap-sh
+              mountPath: /tmp/bootstrap.sh
+              subPath: bootstrap.sh
+              readOnly: true
+            - name: etc-service
+              mountPath: {{ dir $configFile | quote }}
+            - name: bootstrap-conf
+              mountPath: {{ $configFile | quote }}
+              subPath: {{ base $configFile | quote }}
+              readOnly: true
+            - name: bootstrap-conf
+              mountPath: {{ $logConfigFile | quote }}
+              subPath: {{ base $logConfigFile | quote }}
+              readOnly: true
+{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: bootstrap-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etc-service
+          emptyDir: {}
+        - name: bootstrap-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/charts/octavia/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
new file mode 100644
index 0000000..62ed119
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
@@ -0,0 +1,170 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToDropJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_drop_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToDrop := index . "dbToDrop" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToDrop := default (list $dbToDrop) (index . "dbsToDrop") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
+{{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-drop" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": hook-succeeded
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_drop" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_drop" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{ $dbToDropType := default "oslo" $dbToDrop.inputType }}
+        - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-drop" $key1 | quote }}
+          image: {{ $envAll.Values.images.tags.db_drop }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_drop | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: ROOT_DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToDrop.adminSecret | quote }}
+                  key: DB_CONNECTION
+{{- if eq $dbToDropType "oslo" }}
+            - name: OPENSTACK_CONFIG_FILE
+              value: {{ $dbToDrop.configFile | quote }}
+            - name: OPENSTACK_CONFIG_DB_SECTION
+              value: {{ $dbToDrop.configDbSection | quote }}
+            - name: OPENSTACK_CONFIG_DB_KEY
+              value: {{ $dbToDrop.configDbKey | quote }}
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+            - name: MARIADB_X509
+              value: "REQUIRE X509"
+{{- end }}
+{{- if eq $dbToDropType "secret" }}
+            - name: DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToDrop.userSecret | quote }}
+                  key: DB_CONNECTION
+{{- end }}
+          command:
+            - /tmp/db-drop.py
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-drop-sh
+              mountPath: /tmp/db-drop.py
+              subPath: db-drop.py
+              readOnly: true
+
+{{- if eq $dbToDropType "oslo" }}
+            - name: etc-service
+              mountPath: {{ dir $dbToDrop.configFile | quote }}
+            - name: db-drop-conf
+              mountPath: {{ $dbToDrop.configFile | quote }}
+              subPath: {{ base $dbToDrop.configFile | quote }}
+              readOnly: true
+            - name: db-drop-conf
+              mountPath: {{ $dbToDrop.logConfigFile | quote }}
+              subPath: {{ base $dbToDrop.logConfigFile | quote }}
+              readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-drop-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{- $dbToDropType := default "oslo" $dbToDrop.inputType }}
+{{- if and (eq $dbToDropType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-drop-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/charts/octavia/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
new file mode 100644
index 0000000..745e8da
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
@@ -0,0 +1,169 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToInitJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_init_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToInit := index . "dbToInit" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToInit := default (list $dbToInit) (index . "dbsToInit") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
+{{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-init" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{ $dbToInitType := default "oslo" $dbToInit.inputType }}
+        - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-init" $key1 | quote }}
+          image: {{ $envAll.Values.images.tags.db_init }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: ROOT_DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToInit.adminSecret | quote }}
+                  key: DB_CONNECTION
+{{- if eq $dbToInitType "oslo" }}
+            - name: OPENSTACK_CONFIG_FILE
+              value: {{ $dbToInit.configFile | quote }}
+            - name: OPENSTACK_CONFIG_DB_SECTION
+              value: {{ $dbToInit.configDbSection | quote }}
+            - name: OPENSTACK_CONFIG_DB_KEY
+              value: {{ $dbToInit.configDbKey | quote }}
+{{- end }}
+{{- if eq $dbToInitType "secret" }}
+            - name: DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToInit.userSecret | quote }}
+                  key: DB_CONNECTION
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+            - name: MARIADB_X509
+              value: "REQUIRE X509"
+{{- end }}
+          command:
+            - /tmp/db-init.py
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-init-sh
+              mountPath: /tmp/db-init.py
+              subPath: db-init.py
+              readOnly: true
+{{- if eq $dbToInitType "oslo" }}
+            - name: etc-service
+              mountPath: {{ dir $dbToInit.configFile | quote }}
+            - name: db-init-conf
+              mountPath: {{ $dbToInit.configFile | quote }}
+              subPath: {{ base $dbToInit.configFile | quote }}
+              readOnly: true
+            - name: db-init-conf
+              mountPath: {{ $dbToInit.logConfigFile | quote }}
+              subPath: {{ base $dbToInit.logConfigFile | quote }}
+              readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-init-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{- $dbToInitType := default "oslo" $dbToInit.inputType }}
+{{- if and (eq $dbToInitType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-init-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl b/charts/octavia/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
new file mode 100644
index 0000000..24d2496
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
@@ -0,0 +1,137 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db migration and management.
+# It can be used in charts dict created similar to the following:
+# {- $dbSyncJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }
+
+{{- define "helm-toolkit.manifests.job_db_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $podEnvVars := index . "podEnvVars" | default false -}}
+{{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "image" ( index $envAll.Values.images.tags ( printf "%s_db_sync" $serviceName )) ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
+{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+          image: {{ $dbToSync.image | quote }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if $podEnvVars }}
+          env:
+{{ $podEnvVars | toYaml | indent 12 }}
+{{- end }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/db-sync.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-sync-sh
+              mountPath: /tmp/db-sync.sh
+              subPath: db-sync.sh
+              readOnly: true
+            - name: etc-service
+              mountPath: {{ dir $dbToSync.configFile | quote }}
+            - name: db-sync-conf
+              mountPath: {{ $dbToSync.configFile | quote }}
+              subPath: {{ base $dbToSync.configFile | quote }}
+              readOnly: true
+            - name: db-sync-conf
+              mountPath: {{ $dbToSync.logConfigFile | quote }}
+              subPath: {{ base $dbToSync.logConfigFile | quote }}
+              readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-sync-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-sync-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/charts/octavia/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
new file mode 100644
index 0000000..3a7df7f
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
@@ -0,0 +1,130 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksEndpointJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksEndpointJob | include "helm-toolkit.manifests.job_ks_endpoints" }
+
+{{- define "helm-toolkit.manifests.job_ks_endpoints" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_endpoints" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_endpoints.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-endpoints" }}
+{{ tuple $envAll "ks_endpoints" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "ks-endpoints" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_endpoints" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_endpoints" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+        - name: {{ printf "%s-%s-%s" $osServiceType "ks-endpoints" $osServiceEndPoint | quote }}
+          image: {{ $envAll.Values.images.tags.ks_endpoints }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-endpoints.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-endpoints-sh
+              mountPath: /tmp/ks-endpoints.sh
+              subPath: ks-endpoints.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: OS_SVC_ENDPOINT
+              value: {{ $osServiceEndPoint | quote }}
+            - name: OS_SERVICE_NAME
+              value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+            - name: OS_SERVICE_TYPE
+              value: {{ $osServiceType | quote }}
+            - name: OS_SERVICE_ENDPOINT
+              value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-endpoints-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl b/charts/octavia/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
new file mode 100644
index 0000000..a109e3c
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
@@ -0,0 +1,124 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksServiceJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }
+
+{{- define "helm-toolkit.manifests.job_ks_service" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_service" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_service.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-service" }}
+{{ tuple $envAll "ks_service" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "ks-service" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_service" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_service" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+        - name: {{ printf "%s-%s" $osServiceType "ks-service-registration" | quote }}
+          image: {{ $envAll.Values.images.tags.ks_service }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-service.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-service-sh
+              mountPath: /tmp/ks-service.sh
+              subPath: ks-service.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: OS_SERVICE_NAME
+              value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+            - name: OS_SERVICE_TYPE
+              value: {{ $osServiceType | quote }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-service-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/charts/octavia/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
new file mode 100644
index 0000000..905eb71
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone user management.
+# It can be used in charts dict created similar to the following:
+# {- $ksUserJob := dict "envAll" . "serviceName" "senlin" }
+# { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }
+
+{{/*
+  # To enable PodSecuritycontext (PodSecurityContext/v1) define the below in values.yaml:
+  # example:
+  #  values: |
+  #    pod:
+  #      security_context:
+  #        ks_user:
+  #          pod:
+  #            runAsUser: 65534
+  # To enable Container SecurityContext(SecurityContext/v1) for ks-user container define the values:
+  # example:
+  #   values: |
+  #     pod:
+  #       security_context:
+  #         ks_user:
+  #           container:
+  #             ks-user:
+  #               runAsUser: 65534
+  #               readOnlyRootFilesystem: true
+  #               allowPrivilegeEscalation: false
+*/}}
+
+{{- define "helm-toolkit.manifests.job_ks_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_user" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_user.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "ks-user" }}
+{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceUserPretty "ks-user" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+{{ dict "envAll" $envAll "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: ks-user
+          image: {{ $envAll.Values.images.tags.ks_user }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ks_user" "container" "ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-user.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-user-sh
+              mountPath: /tmp/ks-user.sh
+              subPath: ks-user.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: SERVICE_OS_SERVICE_NAME
+              value: {{ $serviceName | quote }}
+{{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: SERVICE_OS_ROLES
+            {{- $serviceOsRoles := index $envAll.Values.endpoints.identity.auth $serviceUser "role" }}
+            {{- if kindIs "slice" $serviceOsRoles }}
+              value: {{ include "helm-toolkit.utils.joinListWithComma" $serviceOsRoles | quote }}
+            {{- else }}
+              value: {{ $serviceOsRoles | quote }}
+            {{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-user-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/charts/octavia/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
new file mode 100644
index 0000000..6982064
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
@@ -0,0 +1,129 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.manifests.job_rabbit_init" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
+{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceUserPretty "rabbit-init" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "rabbit_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "rabbit_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: rabbit-init
+          image: {{ $envAll.Values.images.tags.rabbit_init | quote }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.rabbit_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/rabbit-init.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: rabbit-init-sh
+              mountPath: /tmp/rabbit-init.sh
+              subPath: rabbit-init.sh
+              readOnly: true
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+          env:
+          - name: RABBITMQ_ADMIN_CONNECTION
+            valueFrom:
+              secretKeyRef:
+                name: {{ $envAll.Values.secrets.oslo_messaging.admin }}
+                key: RABBITMQ_CONNECTION
+          - name: RABBITMQ_USER_CONNECTION
+            valueFrom:
+              secretKeyRef:
+                name: {{ index $envAll.Values.secrets.oslo_messaging $serviceName }}
+                key: RABBITMQ_CONNECTION
+{{- if $envAll.Values.conf.rabbitmq }}
+          - name: RABBITMQ_AUXILIARY_CONFIGURATION
+            value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates (ne $tlsSecret "") }}
+          - name: RABBITMQ_X509
+            value: "REQUIRE X509"
+          - name: USER_CERT_PATH
+            value: {{ $tlsPath | quote }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: rabbit-init-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl b/charts/octavia/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
new file mode 100644
index 0000000..29cb993
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
@@ -0,0 +1,147 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for linking an s3 bucket to an s3 user.
+# It can be used in charts dict created similar to the following:
+# {- $s3BucketJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3BucketJob | include "helm-toolkit.manifests.job_s3_bucket" }
+
+{{- define "helm-toolkit.manifests.job_s3_bucket" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+{{- $s3Bucket := index . "s3Bucket" | default $serviceName }}
+{{- $tlsCertificateSecret := index . "tlsCertificateSecret" -}}
+{{- $tlsCertificatePath := index . "tlsCertificatePath" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-bucket" }}
+{{ tuple $envAll "s3_bucket" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "s3-bucket" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "s3_bucket" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "s3_bucket" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: s3-bucket
+          image: {{ $envAll.Values.images.tags.s3_bucket }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_bucket | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/create-s3-bucket.sh
+          env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: s3-bucket-sh
+              mountPath: /tmp/create-s3-bucket.sh
+              subPath: create-s3-bucket.sh
+              readOnly: true
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: ceph.conf
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+            - name: {{ $tlsCertificateSecret }}
+              mountPath: {{ $tlsCertificatePath }}
+              subPath: ca.crt
+              readOnly: true
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: s3-bucket-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etcceph
+          emptyDir: {}
+        - name: ceph-etc
+          configMap:
+            name: {{ $configMapCeph | quote }}
+            defaultMode: 0444
+        {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+        - name: ceph-keyring
+          secret:
+            secretName: pvc-ceph-client-key
+        {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+        - name: {{ $tlsCertificateSecret }}
+          secret:
+            secretName: {{ $tlsCertificateSecret }}
+            defaultMode: 292
+{{- end }}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl b/charts/octavia/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
new file mode 100644
index 0000000..50d9af5
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
@@ -0,0 +1,159 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for s3 user management.
+# It can be used in charts dict created similar to the following:
+# {- $s3UserJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3UserJob | include "helm-toolkit.manifests.job_s3_user" }
+
+{{- define "helm-toolkit.manifests.job_s3_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-user" }}
+{{ tuple $envAll "s3_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "s3-user" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook-delete-policy": before-hook-creation
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "s3_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "s3_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: ceph-keyring-placement
+          image: {{ $envAll.Values.images.tags.ceph_key_placement }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+          command:
+            - /tmp/ceph-admin-keyring.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-keyring-sh
+              mountPath: /tmp/ceph-admin-keyring.sh
+              subPath: ceph-admin-keyring.sh
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+      containers:
+        - name: s3-user
+          image: {{ $envAll.Values.images.tags.s3_user }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/create-s3-user.sh
+          env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+            - name: RGW_HOST
+              value: {{ tuple "ceph_object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: create-s3-user-sh
+              mountPath: /tmp/create-s3-user.sh
+              subPath: create-s3-user.sh
+              readOnly: true
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: ceph.conf
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: create-s3-user-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: ceph-keyring-sh
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+        - name: etcceph
+          emptyDir: {}
+        - name: ceph-etc
+          configMap:
+            name: {{ $configMapCeph | quote }}
+            defaultMode: 0444
+        {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+        - name: ceph-keyring
+          secret:
+            secretName: pvc-ceph-client-key
+        {{ end }}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl b/charts/octavia/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
new file mode 100644
index 0000000..0906df4
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
@@ -0,0 +1,119 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for the image repo sync jobs.
+# It can be used in charts dict created similar to the following:
+# {- $imageRepoSyncJob := dict "envAll" . "serviceName" "prometheus" -}
+# { $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }
+
+{{- define "helm-toolkit.manifests.job_image_repo_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "image-repo-sync" }}
+{{ tuple $envAll "image_repo_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "image-repo-sync" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook-delete-policy": before-hook-creation
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "image_repo_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+      containers:
+        - name: image-repo-sync
+{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: LOCAL_REPO
+              value: "{{ tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+            - name: IMAGE_SYNC_LIST
+              value: "{{ include "helm-toolkit.utils.image_sync_list" $envAll }}"
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/image-repo-sync.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: bootstrap-sh
+              mountPath: /tmp/image-repo-sync.sh
+              subPath: image-repo-sync.sh
+              readOnly: true
+            - name: docker-socket
+              mountPath: /var/run/docker.sock
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: bootstrap-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: docker-socket
+          hostPath:
+            path: /var/run/docker.sock
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/manifests/_network_policy.tpl b/charts/octavia/charts/helm-toolkit/templates/manifests/_network_policy.tpl
new file mode 100644
index 0000000..405197a
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/manifests/_network_policy.tpl
@@ -0,0 +1,238 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a network policy manifest for services.
+values: |
+  endpoints:
+    kube_dns:
+      namespace: kube-system
+      name: kubernetes-dns
+      hosts:
+        default: kube-dns
+      host_fqdn_override:
+        default: null
+      path:
+        default: null
+      scheme: http
+      port:
+        dns_tcp:
+          default: 53
+        dns:
+          default: 53
+          protocol: UDP
+  network_policy:
+    myLabel:
+      podSelector:
+        matchLabels:
+          component: api
+      ingress:
+      - from:
+        - podSelector:
+            matchLabels:
+              application: keystone
+        ports:
+        - protocol: TCP
+          port: 80
+      egress:
+      - to:
+        - namespaceSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+usage: |
+  {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+  {{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}
+return: |
+  ---
+  apiVersion: networking.k8s.io/v1
+  kind: NetworkPolicy
+  metadata:
+    name: RELEASE-NAME
+    namespace: NAMESPACE
+  spec:
+    policyTypes:
+      - Ingress
+      - Egress
+    podSelector:
+      matchLabels:
+        application: myLabel
+        component: api
+    ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            application: keystone
+      ports:
+      - protocol: TCP
+        port: 80
+    egress:
+      - to:
+        - podSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+  ---
+  apiVersion: networking.k8s.io/v1
+  kind: NetworkPolicy
+  metadata:
+    name: RELEASE-NAME
+    namespace: NAMESPACE
+  spec:
+    policyTypes:
+      - Ingress
+      - Egress
+    podSelector:
+      matchLabels:
+        application: myApp
+        component: myComp
+    ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            application: keystone
+      ports:
+      - protocol: TCP
+        port: 80
+    egress:
+      - to:
+        - podSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+*/}}
+
+{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $name := index . "name" -}}
+{{- $labels := index . "labels" | default nil -}}
+{{- $label := index . "key" | default (index . "label") -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ $label | replace "_" "-" }}-netpol
+  namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+  policyTypes:
+{{- $is_egress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_egress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
+    - Egress
+{{ end -}}
+{{- $is_ingress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_ingress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
+    - Ingress
+{{ end -}}
+{{- end }}
+  podSelector:
+    matchLabels:
+{{- if empty $labels }}
+      {{ $name }}: {{ $label }}
+{{- else }}
+{{ range $k, $v := $labels }}
+      {{ $k }}: {{ $v }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
+{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
+{{ index $envAll.Values.network_policy $label "podSelector" "matchLabels" | toYaml | indent 6 }}
+{{ end }}
+{{ end }}
+{{ end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+  egress:
+{{- range $key, $value := $envAll.Values.endpoints }}
+{{- if kindIs "map" $value }}
+{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }}
+    - to:
+{{- if index $value "namespace" }}
+      - namespaceSelector:
+          matchLabels:
+            name: {{ index $value "namespace" }}
+{{- else if index $value "hosts" }}
+{{- $defaultValue := index $value "hosts" "internal" }}
+{{- if hasKey (index $value "hosts") "internal" }}
+{{- $a := split "-" $defaultValue }}
+      - podSelector:
+          matchLabels:
+            application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- else }}
+{{- $defaultValue := index $value "hosts" "default" }}
+{{- $a := split "-" $defaultValue }}
+      - podSelector:
+          matchLabels:
+            application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- end }}
+{{- end }}
+{{- if index $value "port" }}
+      ports:
+{{- range $k, $v := index $value "port" }}
+{{- if $k }}
+{{- range $pk, $pv := $v }}
+{{- if and $pv (ne $pk "protocol") }}
+      - port: {{ $pv }}
+        protocol: {{ $v.protocol | default "TCP" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if index $envAll.Values.network_policy $label "egress" }}
+{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if index $envAll.Values.network_policy $label "ingress" }}
+  ingress:
+{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl b/charts/octavia/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
new file mode 100644
index 0000000..4854bb1
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
@@ -0,0 +1,93 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a authenticating a registry with a secret
+examples:
+  - values: |
+      secrets:
+        oci_image_registry:
+          {{ $serviceName }}: {{ $keyName }}
+      endpoints:
+        oci_image_registry:
+          name: oci-image-registry
+          auth:
+            enabled: true
+             {{ $serviceName }}:
+                name: {{ $userName }}
+                password: {{ $password }}
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: {{ $secretName }}
+    type: kubernetes.io/dockerconfigjson
+    data:
+      dockerconfigjson: {{ $dockerAuth }}
+
+  - values: |
+      secrets:
+        oci_image_registry:
+          {{ $serviceName }}: {{ $keyName }}
+      endpoints:
+        oci_image_registry:
+          name: oci-image-registry
+          auth:
+            enabled: true
+             {{ $serviceName }}:
+                name: {{ $userName }}
+                password: {{ $password }}
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: {{ $secretName }}
+    type: kubernetes.io/dockerconfigjson
+    data:
+      dockerconfigjson: {{ $dockerAuth }}
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_registry" }}
+{{- $envAll := index . "envAll" }}
+{{- $registryUser := index . "registryUser" }}
+{{- $secretName := index $envAll.Values.secrets.oci_image_registry $registryUser }}
+{{- $registryHost := tuple "oci_image_registry" "internal" $envAll | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{/*
+We only use "host:port" when port is non-null, else just use "host"
+*/}}
+{{- $registryPort := "" }}
+{{- $port := $envAll.Values.endpoints.oci_image_registry.port.registry.default }}
+{{- if $port }}
+{{- $port = tuple "oci_image_registry" "internal" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $registryPort = printf ":%s" $port }}
+{{- end }}
+{{- $imageCredentials := index $envAll.Values.endpoints.oci_image_registry.auth $registryUser }}
+{{- $dockerAuthToken := printf "%s:%s" $imageCredentials.username $imageCredentials.password | b64enc }}
+{{- $dockerAuth := printf "{\"auths\": {\"%s%s\": {\"auth\": \"%s\"}}}" $registryHost $registryPort $dockerAuthToken | b64enc }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ $dockerAuth }}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl b/charts/octavia/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
new file mode 100644
index 0000000..24a7045
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a services public tls secret
+examples:
+  - values: |
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        key_manager:
+          host_fqdn_override:
+            public:
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: barbican-tls-public
+    type: kubernetes.io/tls
+    data:
+      tls.key: Rk9PLUtFWQo=
+      tls.crt: Rk9PLUNSVAoKRk9PLUNBX0NSVAo=
+
+  - values: |
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        key_manager:
+          host_fqdn_override:
+            public:
+              tls:
+                crt: |
+                  FOO-CRT
+                  FOO-INTERMEDIATE_CRT
+                  FOO-CA_CRT
+                key: |
+                  FOO-KEY
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: barbican-tls-public
+    type: kubernetes.io/tls
+    data:
+      tls.key: Rk9PLUtFWQo=
+      tls.crt: Rk9PLUNSVApGT08tSU5URVJNRURJQVRFX0NSVApGT08tQ0FfQ1JUCg==
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_ingress_tls" }}
+{{- $envAll := index . "envAll" }}
+{{- $endpoint := index . "endpoint" | default "public" }}
+{{- $backendServiceType := index . "backendServiceType" }}
+{{- $backendService := index . "backendService" | default "api" }}
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and $endpointHost.tls.key $endpointHost.tls.crt }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ index $envAll.Values.secrets.tls ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+type: kubernetes.io/tls
+data:
+  tls.key: {{ $endpointHost.tls.key | b64enc }}
+{{- if $endpointHost.tls.ca }}
+  tls.crt: {{ list $endpointHost.tls.crt $endpointHost.tls.ca | join "\n" | b64enc }}
+{{- else }}
+  tls.crt: {{ $endpointHost.tls.crt | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/manifests/_service-ingress.tpl b/charts/octavia/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
new file mode 100644
index 0000000..d2e7c0e
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
@@ -0,0 +1,43 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for a services ingress rules.
+# It can be used in charts dict created similar to the following:
+# {- $serviceIngressOpts := dict "envAll" . "backendServiceType" "key-manager" -}
+# { $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }
+
+{{- define "helm-toolkit.manifests.service_ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+  ports:
+    - name: http
+      port: 80
+    - name: https
+      port: 443
+  selector:
+    app: ingress-api
+{{- if index $envAll.Values.endpoints $backendServiceType }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" "ingress" }}
+  clusterIP: {{ (index $envAll.Values.endpoints $backendServiceType "ip" "ingress") }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl b/charts/octavia/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
new file mode 100644
index 0000000..bf1465b
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_bucket" }}
+#!/bin/bash
+set -e
+CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST"
+if [ "$RGW_PROTO" = "http" ]; then
+  CONNECTION_ARGS+=" --no-ssl"
+else
+  CONNECTION_ARGS+=" --no-check-certificate"
+fi
+ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
+USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY"
+function check_rgw_s3_bucket () {
+  s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS ls s3://$S3_BUCKET
+}
+function create_rgw_s3_bucket () {
+  s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS mb s3://$S3_BUCKET
+}
+function modify_bucket_acl () {
+  s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME
+}
+check_rgw_s3_bucket || ( create_rgw_s3_bucket && modify_bucket_acl )
+{{- end }}
\ No newline at end of file
diff --git a/charts/octavia/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl b/charts/octavia/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
new file mode 100644
index 0000000..08796d2
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
@@ -0,0 +1,65 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_user" }}
+#!/bin/bash
+set -e
+function create_s3_user () {
+  echo "Creating s3 user and key pair"
+  radosgw-admin user create \
+    --uid=${S3_USERNAME} \
+    --display-name=${S3_USERNAME} \
+    --key-type=s3 \
+    --access-key ${S3_ACCESS_KEY} \
+    --secret-key ${S3_SECRET_KEY}
+}
+function update_s3_user () {
+  # Retrieve old access keys, if they exist
+  old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \
+    | jq -r '.keys[].access_key' || true)
+
+  if [[ ! -z ${old_access_keys} ]]; then
+    for access_key in $old_access_keys; do
+      # If current access key is the same as the key supplied, do nothing.
+      if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then
+        echo "Current user and key pair exists."
+        continue
+      else
+        # If keys differ, remove previous key
+        radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key
+      fi
+    done
+  fi
+
+  # Perform one more additional check to account for scenarios where multiple
+  # key pairs existed previously, but one existing key was the supplied key
+  current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \
+    | jq -r '.keys[].access_key' || true)
+
+  # If the supplied key does not exist, modify the user
+  if [[ -z ${current_access_key} ]]; then
+    # Modify user with new access and secret keys
+    echo "Updating existing user's key pair"
+    radosgw-admin user modify \
+      --uid=${S3_USERNAME}\
+      --access-key ${S3_ACCESS_KEY} \
+      --secret-key ${S3_SECRET_KEY}
+  fi
+}
+user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true)
+if [[ -z ${user_exists} ]]; then
+  create_s3_user
+else
+  update_s3_user
+fi
+{{- end }}
\ No newline at end of file
diff --git a/charts/octavia/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl b/charts/octavia/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
new file mode 100644
index 0000000..03884fa
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_drop" }}
+#!/usr/bin/env python
+
+# Drops db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+    import ConfigParser
+    PARSER_OPTS = {}
+except ImportError:
+    import configparser as ConfigParser
+    PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Drop')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+    db_connection = os.environ['ROOT_DB_CONNECTION']
+    logger.info('Got DB root connection')
+else:
+    logger.critical('environment variable ROOT_DB_CONNECTION not set')
+    sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+    ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+                        'key': '/etc/mysql/certs/tls.key',
+                        'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+    os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+    if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+        os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+        sys.exit(1)
+    if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+        os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+        sys.exit(1)
+    try:
+        config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+        logger.info("Using {0} as db config source".format(os_conf))
+        config.read(os_conf)
+        logger.info("Trying to load db config from {0}:{1}".format(
+            os_conf_section, os_conf_key))
+        user_db_conn = config.get(os_conf_section, os_conf_key)
+        logger.info("Got config from {0}".format(os_conf))
+    except:
+        logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+        raise
+elif "DB_CONNECTION" in os.environ:
+    user_db_conn = os.environ['DB_CONNECTION']
+    logger.info('Got config from DB_CONNECTION env var')
+else:
+    logger.critical('Could not get db config, either from config file or env var')
+    sys.exit(1)
+
+# Root DB engine
+try:
+    root_engine_full = create_engine(db_connection)
+    root_user = root_engine_full.url.username
+    root_password = root_engine_full.url.password
+    drivername = root_engine_full.url.drivername
+    host = root_engine_full.url.host
+    port = root_engine_full.url.port
+    root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+    root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+    connection = root_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+        host, port, root_user))
+except:
+    logger.critical('Could not connect to database as root user')
+    raise
+
+# User DB engine
+try:
+    user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+    # Get our user data out of the user_engine
+    database = user_engine.url.database
+    user = user_engine.url.username
+    password = user_engine.url.password
+    logger.info('Got user db config')
+except:
+    logger.critical('Could not get user database config')
+    raise
+
+# Delete DB
+try:
+    root_engine.execute("DROP DATABASE IF EXISTS {0}".format(database))
+    logger.info("Deleted database {0}".format(database))
+except:
+    logger.critical("Could not drop database {0}".format(database))
+    raise
+
+# Delete DB User
+try:
+    root_engine.execute("DROP USER IF EXISTS {0}".format(user))
+    logger.info("Deleted user {0}".format(user))
+except:
+    logger.critical("Could not delete user {0}".format(user))
+    raise
+
+logger.info('Finished DB Management')
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/scripts/_db-init.py.tpl b/charts/octavia/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
new file mode 100644
index 0000000..4294d40
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_init" }}
+#!/usr/bin/env python
+
+# Creates db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+    import ConfigParser
+    PARSER_OPTS = {}
+except ImportError:
+    import configparser as ConfigParser
+    PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Init')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+    db_connection = os.environ['ROOT_DB_CONNECTION']
+    logger.info('Got DB root connection')
+else:
+    logger.critical('environment variable ROOT_DB_CONNECTION not set')
+    sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+    ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+                'key': '/etc/mysql/certs/tls.key',
+                'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+    os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+    if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+        os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+        sys.exit(1)
+    if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+        os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+        sys.exit(1)
+    try:
+        config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+        logger.info("Using {0} as db config source".format(os_conf))
+        config.read(os_conf)
+        logger.info("Trying to load db config from {0}:{1}".format(
+            os_conf_section, os_conf_key))
+        user_db_conn = config.get(os_conf_section, os_conf_key)
+        logger.info("Got config from {0}".format(os_conf))
+    except:
+        logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+        raise
+elif "DB_CONNECTION" in os.environ:
+    user_db_conn = os.environ['DB_CONNECTION']
+    logger.info('Got config from DB_CONNECTION env var')
+else:
+    logger.critical('Could not get db config, either from config file or env var')
+    sys.exit(1)
+
+# Root DB engine
+try:
+    root_engine_full = create_engine(db_connection)
+    root_user = root_engine_full.url.username
+    root_password = root_engine_full.url.password
+    drivername = root_engine_full.url.drivername
+    host = root_engine_full.url.host
+    port = root_engine_full.url.port
+    root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+    root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+    connection = root_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+        host, port, root_user))
+except:
+    logger.critical('Could not connect to database as root user')
+    raise
+
+# User DB engine
+try:
+    user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+    # Get our user data out of the user_engine
+    database = user_engine.url.database
+    user = user_engine.url.username
+    password = user_engine.url.password
+    logger.info('Got user db config')
+except:
+    logger.critical('Could not get user database config')
+    raise
+
+# Create DB
+try:
+    root_engine.execute("CREATE DATABASE IF NOT EXISTS {0}".format(database))
+    logger.info("Created database {0}".format(database))
+except:
+    logger.critical("Could not create database {0}".format(database))
+    raise
+
+# Create DB User
+try:
+    root_engine.execute(
+        "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\' {3}".format(
+            database, user, password, mysql_x509))
+    logger.info("Created user {0} for {1}".format(user, database))
+except:
+    logger.critical("Could not create user {0} for {1}".format(user, database))
+    raise
+
+# Test connection
+try:
+    connection = user_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1}/{2} as {3}".format(
+        host, port, database, user))
+except:
+    logger.critical('Could not connect to database as user')
+    raise
+
+logger.info('Finished DB Management')
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl b/charts/octavia/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
new file mode 100644
index 0000000..4d7dfaa
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
@@ -0,0 +1,69 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "helm-toolkit.scripts.pg_db_init" }}
+#!/bin/bash
+set -ex
+
+if [[ ! -v DB_HOST ]]; then
+    echo "environment variable DB_HOST not set"
+    exit 1
+elif [[ ! -v DB_ADMIN_USER ]]; then
+    echo "environment variable DB_ADMIN_USER not set"
+    exit 1
+elif [[ ! -v PGPASSWORD ]]; then
+    echo "environment variable PGPASSWORD not set"
+    exit 1
+elif [[ ! -v DB_PORT ]]; then
+    echo "environment variable DB_PORT not set"
+    exit 1
+elif [[ ! -v USER_DB_USER ]]; then
+    echo "environment variable USER_DB_USER not set"
+    exit 1
+elif [[ ! -v USER_DB_PASS ]]; then
+    echo "environment variable USER_DB_PASS not set"
+    exit 1
+elif [[ ! -v USER_DB_NAME ]]; then
+    echo "environment variable USER_DB_NAME not set"
+    exit 1
+else
+    echo "Got DB connection info"
+fi
+
+pgsql_superuser_cmd () {
+  DB_COMMAND="$1"
+  if [[ ! -z $2 ]]; then
+      EXPORT PGDATABASE=$2
+  fi
+  /usr/bin/psql \
+  -h ${DB_HOST} \
+  -p ${DB_PORT} \
+  -U ${DB_ADMIN_USER} \
+  --command="${DB_COMMAND}"
+}
+
+#create db
+pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q "(1 row)" || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME"
+
+#create db user
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | grep -q "(1 row)" || \
+    pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';"
+
+#Set password everytime. This is required for cases when we would want password rotation to take effect and set the updated password for a user.
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} with password '$USER_DB_PASS'"
+
+#give permissions to user
+pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;"
+
+#revoke all privileges from PUBLIC role
+pgsql_superuser_cmd "REVOKE ALL ON DATABASE $USER_DB_NAME FROM PUBLIC;"
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl b/charts/octavia/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
new file mode 100644
index 0000000..e41abe3
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
@@ -0,0 +1,24 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.image_repo_sync" }}
+#!/bin/sh
+set -ex
+
+IFS=','; for IMAGE in ${IMAGE_SYNC_LIST}; do
+  docker pull ${IMAGE}
+  docker tag ${IMAGE} ${LOCAL_REPO}/${IMAGE}
+  docker push ${LOCAL_REPO}/${IMAGE}
+done
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl b/charts/octavia/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
new file mode 100644
index 0000000..8755cd5
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
@@ -0,0 +1,72 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_domain_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Manage domain
+SERVICE_OS_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Service Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+    "${SERVICE_OS_DOMAIN_NAME}")
+
+# Display domain
+openstack domain show "${SERVICE_OS_DOMAIN_ID}"
+
+# Manage user
+SERVICE_OS_USERID=$(openstack user create --or-show --enable -f value -c id \
+    --domain="${SERVICE_OS_DOMAIN_ID}" \
+    --description "Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+    --password="${SERVICE_OS_PASSWORD}" \
+    "${SERVICE_OS_USERNAME}")
+
+# Manage user password (we do this to ensure the password is updated if required)
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${SERVICE_OS_USERID}"
+
+# Display user
+openstack user show "${SERVICE_OS_USERID}"
+
+# Manage role
+SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \
+    "${SERVICE_OS_ROLE}" || openstack role create -f value -c id \
+    "${SERVICE_OS_ROLE}" )
+
+# Manage user role assignment
+openstack role add \
+          --domain="${SERVICE_OS_DOMAIN_ID}" \
+          --user="${SERVICE_OS_USERID}" \
+          --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+          "${SERVICE_OS_ROLE_ID}"
+
+# Display user role assignment
+openstack role assignment list \
+          --role="${SERVICE_OS_ROLE_ID}" \
+          --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+          --user="${SERVICE_OS_USERID}"
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl b/charts/octavia/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
new file mode 100644
index 0000000..e400bcd
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
@@ -0,0 +1,79 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_endpoints" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Get Service ID
+OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+                  grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+                    sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+# Get Endpoint ID if it exists
+OS_ENDPOINT_ID=$( openstack endpoint list  -f csv --quote none | \
+                  grep "^[a-z0-9]*,${OS_REGION_NAME},${OS_SERVICE_NAME},${OS_SERVICE_TYPE},True,${OS_SVC_ENDPOINT}," | \
+                  awk -F ',' '{ print $1 }' )
+
+# Making sure only a single endpoint exists for a service within a region
+if [ "$(echo $OS_ENDPOINT_ID | wc -w)" -gt "1" ]; then
+  echo "More than one endpoint found, cleaning up"
+  for ENDPOINT_ID in $OS_ENDPOINT_ID; do
+    openstack endpoint delete ${ENDPOINT_ID}
+  done
+  unset OS_ENDPOINT_ID
+fi
+
+# Determine if Endpoint needs updated
+if [[ ${OS_ENDPOINT_ID} ]]; then
+  OS_ENDPOINT_URL_CURRENT=$(openstack endpoint show ${OS_ENDPOINT_ID} -f value -c url)
+  if [ "${OS_ENDPOINT_URL_CURRENT}" == "${OS_SERVICE_ENDPOINT}" ]; then
+    echo "Endpoints Match: no action required"
+    OS_ENDPOINT_UPDATE="False"
+  else
+    echo "Endpoints Dont Match: removing existing entries"
+    openstack endpoint delete ${OS_ENDPOINT_ID}
+    OS_ENDPOINT_UPDATE="True"
+  fi
+else
+  OS_ENDPOINT_UPDATE="True"
+fi
+
+# Update Endpoint if required
+if [[ "${OS_ENDPOINT_UPDATE}" == "True" ]]; then
+  OS_ENDPOINT_ID=$( openstack endpoint create -f value -c id \
+    --region="${OS_REGION_NAME}" \
+    "${OS_SERVICE_ID}" \
+    ${OS_SVC_ENDPOINT} \
+    "${OS_SERVICE_ENDPOINT}" )
+fi
+
+# Display the Endpoint
+openstack endpoint show ${OS_ENDPOINT_ID}
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl b/charts/octavia/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
new file mode 100644
index 0000000..8356b36
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_service" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Service boilerplate description
+OS_SERVICE_DESC="${OS_REGION_NAME}: ${OS_SERVICE_NAME} (${OS_SERVICE_TYPE}) service"
+
+# Get Service ID if it exists
+unset OS_SERVICE_ID
+
+# FIXME - There seems to be an issue once in a while where the
+# openstack service list fails and encounters an error message such as:
+#   Unable to establish connection to
+#   https://keystone-api.openstack.svc.cluster.local:5000/v3/auth/tokens:
+#   ('Connection aborted.', OSError("(104, 'ECONNRESET')",))
+# During an upgrade scenario, this would cause the OS_SERVICE_ID to be blank
+# and it would attempt to create a new service when it was not needed.
+# This duplciate service would sometimes be used by other services such as
+# Horizon and would give an 'Invalid Service Catalog' error.
+# This loop allows for a 'retry' of the openstack service list in an
+# attempt to get the service list as expected if it does ecounter an error.
+# This loop and recheck can be reverted once the underlying issue is addressed.
+
+# If OS_SERVICE_ID is blank then wait a few seconds to give it
+# additional time and try again
+for i in $(seq 3)
+do
+  OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+                   grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+                   sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+  # If the service was found, go ahead and exit successfully.
+  if [[ -n "${OS_SERVICE_ID}" ]]; then
+    exit 0
+  fi
+
+  sleep 2
+done
+
+# If we've reached this point and a Service ID was not found,
+# then create the service
+OS_SERVICE_ID=$(openstack service create -f value -c id \
+                --name="${OS_SERVICE_NAME}" \
+                --description "${OS_SERVICE_DESC}" \
+                --enable \
+                "${OS_SERVICE_TYPE}")
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl b/charts/octavia/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
new file mode 100644
index 0000000..b45f798
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+shopt -s nocasematch
+
+if [[ "${SERVICE_OS_PROJECT_DOMAIN_NAME}" == "Default" ]]
+then
+  PROJECT_DOMAIN_ID="default"
+else
+  # Manage project domain
+  PROJECT_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
+    "${SERVICE_OS_PROJECT_DOMAIN_NAME}")
+fi
+
+if [[ "${SERVICE_OS_USER_DOMAIN_NAME}" == "Default" ]]
+then
+  USER_DOMAIN_ID="default"
+else
+  # Manage user domain
+  USER_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}" \
+    "${SERVICE_OS_USER_DOMAIN_NAME}")
+fi
+
+shopt -u nocasematch
+
+# Manage user project
+USER_PROJECT_DESC="Service Project for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+USER_PROJECT_ID=$(openstack project create --or-show --enable -f value -c id \
+    --domain="${PROJECT_DOMAIN_ID}" \
+    --description="${USER_PROJECT_DESC}" \
+    "${SERVICE_OS_PROJECT_NAME}");
+
+# Manage user
+USER_DESC="Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}/${SERVICE_OS_SERVICE_NAME}"
+USER_ID=$(openstack user create --or-show --enable -f value -c id \
+    --domain="${USER_DOMAIN_ID}" \
+    --project-domain="${PROJECT_DOMAIN_ID}" \
+    --project="${USER_PROJECT_ID}" \
+    --description="${USER_DESC}" \
+    "${SERVICE_OS_USERNAME}");
+
+# Manage user password (we do this in a seperate step to ensure the password is updated if required)
+set +x
+echo "Setting user password via: openstack user set --password=xxxxxxx ${USER_ID}"
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${USER_ID}"
+set -x
+
+function ks_assign_user_role () {
+  if [[ "$SERVICE_OS_ROLE" == "admin" ]]
+  then
+    USER_ROLE_ID="$SERVICE_OS_ROLE"
+  else
+    USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${SERVICE_OS_ROLE}");
+  fi
+
+  # Manage user role assignment
+  openstack role add \
+      --user="${USER_ID}" \
+      --user-domain="${USER_DOMAIN_ID}" \
+      --project-domain="${PROJECT_DOMAIN_ID}" \
+      --project="${USER_PROJECT_ID}" \
+      "${USER_ROLE_ID}"
+}
+
+# Manage user service role
+IFS=','
+for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
+  ks_assign_user_role
+done
+
+# Manage user member role
+: ${MEMBER_OS_ROLE:="member"}
+export USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
+    "${MEMBER_OS_ROLE}");
+ks_assign_user_role
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/octavia/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
new file mode 100644
index 0000000..87872d6
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -0,0 +1,106 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rabbit_init" }}
+#!/bin/bash
+set -e
+# Extract connection details
+RABBIT_HOSTNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $1}')
+RABBIT_PORT=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $2}')
+
+# Extract Admin User creadential
+RABBITMQ_ADMIN_USERNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $4}')
+RABBITMQ_ADMIN_PASSWORD=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $5}')
+
+# Extract User creadential
+RABBITMQ_USERNAME=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $4}')
+RABBITMQ_PASSWORD=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $5}')
+
+# Extract User vHost
+RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $3}')
+# Resolve vHost to / if no value is set
+RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
+
+function rabbitmqadmin_cli () {
+  if [ -n "$RABBITMQ_X509" ]
+  then
+    rabbitmqadmin \
+      --ssl \
+      --ssl-disable-hostname-verification \
+      --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
+      --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
+      --ssl-key-file="${USER_CERT_PATH}/tls.key" \
+      --host="${RABBIT_HOSTNAME}" \
+      --port="${RABBIT_PORT}" \
+      --username="${RABBITMQ_ADMIN_USERNAME}" \
+      --password="${RABBITMQ_ADMIN_PASSWORD}" \
+      ${@}
+  else
+    rabbitmqadmin \
+      --host="${RABBIT_HOSTNAME}" \
+      --port="${RABBIT_PORT}" \
+      --username="${RABBITMQ_ADMIN_USERNAME}" \
+      --password="${RABBITMQ_ADMIN_PASSWORD}" \
+      ${@}
+  fi
+}
+
+echo "Managing: User: ${RABBITMQ_USERNAME}"
+rabbitmqadmin_cli \
+  declare user \
+  name="${RABBITMQ_USERNAME}" \
+  password="${RABBITMQ_PASSWORD}" \
+  tags="user"
+
+if [ "${RABBITMQ_VHOST}" != "/" ]
+then
+  echo "Managing: vHost: ${RABBITMQ_VHOST}"
+  rabbitmqadmin_cli \
+    declare vhost \
+    name="${RABBITMQ_VHOST}"
+else
+  echo "Skipping root vHost declaration: vHost: ${RABBITMQ_VHOST}"
+fi
+
+echo "Managing: Permissions: ${RABBITMQ_USERNAME} on ${RABBITMQ_VHOST}"
+rabbitmqadmin_cli \
+  declare permission \
+  vhost="${RABBITMQ_VHOST}" \
+  user="${RABBITMQ_USERNAME}" \
+  configure=".*" \
+  write=".*" \
+  read=".*"
+
+if [ ! -z "$RABBITMQ_AUXILIARY_CONFIGURATION" ]
+then
+  echo "Applying additional configuration"
+  echo "${RABBITMQ_AUXILIARY_CONFIGURATION}" > /tmp/rmq_definitions.json
+  rabbitmqadmin_cli import /tmp/rmq_definitions.json
+fi
+
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/charts/octavia/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
new file mode 100644
index 0000000..c08d320
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
@@ -0,0 +1,88 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rally_test" -}}
+#!/bin/bash
+set -ex
+{{- $rallyTests := index . 0 }}
+
+: "${RALLY_ENV_NAME:="openstack-helm"}"
+: "${OS_INTERFACE:="public"}"
+: "${RALLY_CLEANUP:="true"}"
+
+if [ "x$RALLY_CLEANUP" == "xtrue" ]; then
+  function rally_cleanup {
+    openstack user delete \
+        --domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
+        "${SERVICE_OS_USERNAME}"
+{{ $rallyTests.clean_up | default "" | indent 4 }}
+  }
+  trap rally_cleanup EXIT
+fi
+
+function create_or_update_db () {
+  revisionResults=$(rally db revision)
+  if [ $revisionResults = "None"  ]
+  then
+    rally db create
+  else
+    rally db upgrade
+  fi
+}
+
+create_or_update_db
+
+cat > /tmp/rally-config.json << EOF
+{
+    "openstack": {
+        "auth_url": "${OS_AUTH_URL}",
+        "region_name": "${OS_REGION_NAME}",
+        "endpoint_type": "${OS_INTERFACE}",
+        "admin": {
+            "username": "${OS_USERNAME}",
+            "password": "${OS_PASSWORD}",
+            "user_domain_name": "${OS_USER_DOMAIN_NAME}",
+            "project_name": "${OS_PROJECT_NAME}",
+            "project_domain_name": "${OS_PROJECT_DOMAIN_NAME}"
+        },
+        "users": [
+            {
+                "username": "${SERVICE_OS_USERNAME}",
+                "password": "${SERVICE_OS_PASSWORD}",
+                "project_name": "${SERVICE_OS_PROJECT_NAME}",
+                "user_domain_name": "${SERVICE_OS_USER_DOMAIN_NAME}",
+                "project_domain_name": "${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+            }
+        ],
+        "https_insecure": false,
+        "https_cacert": "${OS_CACERT}"
+    }
+}
+EOF
+rally deployment create --file /tmp/rally-config.json --name "${RALLY_ENV_NAME}"
+rm -f /tmp/rally-config.json
+rally deployment use "${RALLY_ENV_NAME}"
+rally deployment check
+{{- if $rallyTests.run_tempest }}
+rally verify create-verifier --name "${RALLY_ENV_NAME}-tempest" --type tempest
+SERVICE_TYPE="$(rally deployment check | grep "${RALLY_ENV_NAME}" | awk -F \| '{print $3}' | tr -d ' ' | tr -d '\n')"
+rally verify start --pattern "tempest.api.${SERVICE_TYPE}*"
+rally verify delete-verifier --id "${RALLY_ENV_NAME}-tempest" --force
+{{- end }}
+rally task validate /etc/rally/rally_tests.yaml
+rally task start /etc/rally/rally_tests.yaml
+rally task sla-check
+rally env cleanup
+rally deployment destroy --deployment "${RALLY_ENV_NAME}"
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/octavia/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
new file mode 100644
index 0000000..516d79e
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -0,0 +1,514 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.backup_main" }}
+#!/bin/bash
+
+# This file contains a database backup framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+#   source /tmp/backup_main.sh
+#
+# Then the script should call the main backup function (backup_databases):
+#   backup_databases [scope]
+#       [scope] is an optional parameter, defaulted to "all". If only one specific
+#               database is required to be backed up then this parameter will
+#               contain the name of the database; otherwise all are backed up.
+#
+#       The framework will require the following variables to be exported:
+#
+#         export DB_NAMESPACE          Namespace where the database(s) reside
+#         export DB_NAME               Name of the database system
+#         export LOCAL_DAYS_TO_KEEP    Number of days to keep the local backups
+#         export REMOTE_DAYS_TO_KEEP   Number of days to keep the remote backups
+#         export ARCHIVE_DIR           Local location where the backup tarballs should
+#                                      be stored. (full directory path)
+#         export BACK_UP_MODE          Determines the mode of backup taken.
+#         export REMOTE_BACKUP_ENABLED "true" if remote backup enabled; false
+#                                      otherwise
+#         export CONTAINER_NAME        Name of the container on the RGW to store
+#                                      the backup tarball.
+#         export STORAGE_POLICY        Name of the storage policy defined on the
+#                                      RGW which is intended to store backups.
+#         RGW access variables:
+#           export OS_REGION_NAME          Name of the region the RGW resides in
+#           export OS_AUTH_URL             Keystone URL associated with the RGW
+#           export OS_PROJECT_NAME         Name of the project associated with the
+#                                          keystone user
+#           export OS_USERNAME             Name of the keystone user
+#           export OS_PASSWORD             Password of the keystone user
+#           export OS_USER_DOMAIN_NAME     Keystone domain the project belongs to
+#           export OS_PROJECT_DOMAIN_NAME  Keystone domain the user belongs to
+#           export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+#           export REMOTE_BACKUP_RETRIES   Number of retries to send backup to remote
+#                                          in case of any temporary failures.
+#           export MIN_DELAY_SEND_REMOTE   Minimum seconds to delay before sending backup
+#                                          to remote to stagger backups being sent to RGW
+#           export MAX_DELAY_SEND_REMOTE   Maximum seconds to delay before sending backup
+#                                          to remote to stagger backups being sent to RGW.
+#                                          A random number between min and max delay is generated
+#                                          to set the delay.
+#
+# The database-specific functions that need to be implemented are:
+#   dump_databases_to_directory <directory> <err_logfile> [scope]
+#       where:
+#         <directory>   is the full directory path to dump the database files
+#                       into. This is a temporary directory for this backup only.
+#         <err_logfile> is the full directory path where error logs are to be
+#                       written by the application.
+#         [scope]       set to "all" if all databases are to be backed up; or
+#                       set to the name of a specific database to be backed up.
+#                       This optional parameter is defaulted to "all".
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to dump the database file(s) to the specified
+#       directory path. If this function completes successfully (returns 0), the
+#       framework will automatically tar/zip the files in that directory and
+#       name the tarball appropriately according to the proper conventions.
+#
+# The functions in this file will take care of:
+#   1) Calling "dump_databases_to_directory" and then compressing the files,
+#      naming the tarball properly, and then storing it locally at the specified
+#      local directory.
+#   2) Sending the tarball built to the remote gateway, to be stored in the
+#      container configured to store database backups.
+#   3) Removing local backup tarballs which are older than the number of days
+#      specified by the "LOCAL_DAYS_TO_KEEP" variable.
+#   4) Removing remote backup tarballs (from the remote gateway) which are older
+#      than the number of days specified by the "REMOTE_DAYS_TO_KEEP" variable.
+#
+
+# Note: not using set -e in this script because more elaborate error handling
+# is needed.
+
+log_backup_error_exit() {
+  MSG=$1
+  ERRCODE=${2:-0}
+  log ERROR "${DB_NAME}_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+  rm -f $ERR_LOG_FILE
+  rm -rf $TMP_DIR
+  exit $ERRCODE
+}
+
+log() {
+  #Log message to a file or stdout
+  #TODO: This can be convert into mail alert of alert send to a monitoring system
+  #Params: $1 log level
+  #Params: $2 service
+  #Params: $3 message
+  #Params: $4 Destination
+  LEVEL=$1
+  SERVICE=$2
+  MSG=$3
+  DEST=$4
+  DATE=$(date +"%m-%d-%y %H:%M:%S")
+  if [[ -z "$DEST" ]]; then
+    echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}"
+  else
+    echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}" >>$DEST
+  fi
+}
+
+# Generate a random number between MIN_DELAY_SEND_REMOTE and
+# MAX_DELAY_SEND_REMOTE
+random_number() {
+  diff=$((${MAX_DELAY_SEND_REMOTE} - ${MIN_DELAY_SEND_REMOTE} + 1))
+  echo $(($(( ${RANDOM} % ${diff} )) + ${MIN_DELAY_SEND_REMOTE} ))
+}
+
+#Get the day delta since the archive file backup
+seconds_difference() {
+  ARCHIVE_DATE=$( date --date="$1" +%s )
+  if [[ $? -ne 0 ]]; then
+    SECOND_DELTA=0
+  fi
+  CURRENT_DATE=$( date +%s )
+  SECOND_DELTA=$(($CURRENT_DATE-$ARCHIVE_DATE))
+  if [[ "$SECOND_DELTA" -lt 0 ]]; then
+    SECOND_DELTA=0
+  fi
+  echo $SECOND_DELTA
+}
+
+# Send the specified tarball file at the specified filepath to the
+# remote gateway.
+send_to_remote_server() {
+  FILEPATH=$1
+  FILE=$2
+
+  # Grab the list of containers on the remote site
+  RESULT=$(openstack container list 2>&1)
+
+  if [[ $? -eq 0 ]]; then
+    echo $RESULT | grep $CONTAINER_NAME
+    if [[ $? -ne 0 ]]; then
+      # Find the swift URL from the keystone endpoint list
+      SWIFT_URL=$(openstack catalog show object-store -c endpoints | grep public | awk '{print $4}')
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to get object-store enpoints from keystone catalog."
+        return 2
+      fi
+
+      # Get a token from keystone
+      TOKEN=$(openstack token issue -f value -c id)
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to get  keystone token."
+        return 2
+      fi
+
+      # Create the container
+      RES_FILE=$(mktemp -p /tmp)
+      curl -g -i -X PUT ${SWIFT_URL}/${CONTAINER_NAME} \
+           -H "X-Auth-Token: ${TOKEN}" \
+           -H "X-Storage-Policy: ${STORAGE_POLICY}" 2>&1 > $RES_FILE
+
+      if [[ $? -ne 0 || $(grep "HTTP" $RES_FILE | awk '{print $2}') -ge 400 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to create container ${CONTAINER_NAME}"
+        cat $RES_FILE
+        rm -f $RES_FILE
+        return 2
+      fi
+      rm -f $RES_FILE
+
+      swift stat $CONTAINER_NAME
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to retrieve container ${CONTAINER_NAME} details after creation."
+        return 2
+      fi
+    fi
+  else
+    echo $RESULT | grep -E "HTTP 401|HTTP 403"
+    if [[ $? -eq 0 ]]; then
+      log ERROR "${DB_NAME}_backup" "Access denied by keystone: ${RESULT}"
+      return 1
+    else
+      echo $RESULT | grep -E "ConnectionError|Failed to discover available identity versions|Service Unavailable|HTTP 50"
+      if [[ $? -eq 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Could not reach the RGW: ${RESULT}"
+        # In this case, keystone or the site/node may be temporarily down.
+        # Return slightly different error code so the calling code can retry
+        return 2
+      else
+        log ERROR "${DB_NAME}_backup" "Could not get container list: ${RESULT}"
+        return 1
+      fi
+    fi
+  fi
+
+  # Create an object to store the file
+  openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
+    return 2
+  fi
+  openstack object show $CONTAINER_NAME $FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
+    return 2
+  fi
+
+  log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
+  return 0
+}
+
+# This function attempts to store the built tarball to the remote gateway,
+# with built-in logic to handle error cases like:
+#   1) Network connectivity issues - retries for a specific amount of time
+#   2) Authorization errors - immediately logs an ERROR and returns
+store_backup_remotely() {
+  FILEPATH=$1
+  FILE=$2
+
+  count=1
+  while [[ ${count} -le ${REMOTE_BACKUP_RETRIES} ]]; do
+    # Store the new archive to the remote backup storage facility.
+    send_to_remote_server $FILEPATH $FILE
+    SEND_RESULT="$?"
+
+    # Check if successful
+    if [[ $SEND_RESULT -eq 0 ]]; then
+      log INFO "${DB_NAME}_backup" "Backup file ${FILE} successfully sent to RGW."
+      return 0
+    elif [[ $SEND_RESULT -eq 2 ]]; then
+      if [[ ${count} -ge ${REMOTE_BACKUP_RETRIES} ]]; then
+        log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW in " \
+        "${REMOTE_BACKUP_RETRIES} retries. Errors encountered. Exiting."
+        break
+      fi
+      # Temporary failure occurred. We need to retry
+      log WARN "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to RGW due to connection issue."
+      sleep_time=$(random_number)
+      log INFO "${DB_NAME}_backup" "Sleeping ${sleep_time} seconds waiting for RGW to become available..."
+      sleep ${sleep_time}
+      log INFO "${DB_NAME}_backup" "Retrying..."
+    else
+      log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW. Errors encountered. Exiting."
+      break
+    fi
+
+    # Increment the counter
+    count=$((count+1))
+  done
+
+  return 1
+}
+
+
+function get_archive_date(){
+# get_archive_date function returns correct archive date
+# for different formats of archives' names
+# the old one: <database name>.<namespace>.<table name | all>.<date-time>.tar.gz
+# the new one: <database name>.<namespace>.<table name | all>.<backup mode>.<date-time>.tar.gz
+  local A_FILE="$1"
+  awk -F. '{print $(NF-2)}' <<< ${A_FILE} | tr -d "Z"
+}
+
+# This function takes a list of archives' names as an input
+# and creates a hash table where keys are number of seconds
+# between current date and archive date (see seconds_difference),
+# and values are space separated archives' names
+#
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 1265342678 | "tmp/mysql.backup.auto.2022-02-14T10:13:13Z.tar.gz"                                                     |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 2346254257 | "tmp/mysql.backup.auto.2022-02-11T10:13:13Z.tar.gz tmp/mysql.backup.manual.2022-02-11T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# <...>
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 6253434567 | "tmp/mysql.backup.manual.2022-02-01T10:13:13Z.tar.gz"                                                   |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# We will use the explained above data stracture to cover rare, but still
+# possible case, when we have several backups of the same date. E.g.
+# one manual, and one automatic.
+
+declare -A fileTable
+create_hash_table() {
+unset fileTable
+fileList=$@
+  for ARCHIVE_FILE in ${fileList}; do
+    # Creating index, we will round given ARCHIVE_DATE to the midnight (00:00:00)
+    # to take in account a possibility, that we can have more than one scheduled
+    # backup per day.
+    ARCHIVE_DATE=$(get_archive_date ${ARCHIVE_FILE})
+    ARCHIVE_DATE=$(date --date=${ARCHIVE_DATE} +%D)
+    log INFO "${DB_NAME}_backup" "Archive date to build index: ${ARCHIVE_DATE}"
+    INDEX=$(seconds_difference ${ARCHIVE_DATE})
+    if [[ -z fileTable[${INDEX}] ]]; then
+      fileTable[${INDEX}]=${ARCHIVE_FILE}
+    else
+      fileTable[${INDEX}]="${fileTable[${INDEX}]} ${ARCHIVE_FILE}"
+    fi
+    echo "INDEX: ${INDEX} VALUE:  ${fileTable[${INDEX}]}"
+ done
+}
+
+function get_backup_prefix() {
+# Create list of all possible prefixes in a format:
+# <db_name>.<namespace> to cover a possible situation
+# when different backups of different databases and/or
+# namespaces share the same local or remote storage.
+  ALL_FILES=($@)
+  PREFIXES=()
+  for fname in ${ALL_FILES[@]}; do
+    prefix=$(basename ${fname} | cut -d'.' -f1,2 )
+    for ((i=0; i<${#PREFIXES[@]}; i++)) do
+      if [[ ${PREFIXES[${i}]} == ${prefix} ]]; then
+        prefix=""
+        break
+      fi
+    done
+    if [[ ! -z ${prefix} ]]; then
+        PREFIXES+=(${prefix})
+    fi
+  done
+}
+
+remove_old_local_archives() {
+  SECONDS_TO_KEEP=$(( $((${LOCAL_DAYS_TO_KEEP}))*86400))
+  log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+  if [[ -d $ARCHIVE_DIR ]]; then
+    count=0
+    # We iterate over the hash table, checking the delta in seconds (hash keys),
+    # and minimum number of backups we must have in place. List of keys has to be sorted.
+    for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+      ARCHIVE_FILE=${fileTable[${INDEX}]}
+      if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
+        ((count++))
+        log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
+      else
+        log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
+          rm -f ${ARCHIVE_FILE}
+          if [[ $? -ne 0 ]]; then
+            # Log error but don't exit so we can finish the script
+            # because at this point we haven't sent backup to RGW yet
+            log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
+          fi
+      fi
+    done
+  else
+    log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
+  fi
+}
+
+prepare_list_of_remote_backups() {
+  BACKUP_FILES=$(mktemp -p /tmp)
+  DB_BACKUP_FILES=$(mktemp -p /tmp)
+  openstack object list $CONTAINER_NAME > $BACKUP_FILES
+  if [[ $? -ne 0 ]]; then
+    log_backup_error_exit \
+      "Failed to cleanup remote backup. Could not obtain a list of current backup files in the RGW"
+  fi
+  # Filter out other types of backup files
+  cat $BACKUP_FILES | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $DB_BACKUP_FILES
+}
+
+# The logic implemented with this function is absolutely similar
+# to the function remove_old_local_archives (see above)
+remove_old_remote_archives() {
+  count=0
+  SECONDS_TO_KEEP=$((${REMOTE_DAYS_TO_KEEP}*86400))
+  log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+  for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+    ARCHIVE_FILE=${fileTable[${INDEX}]}
+    if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then
+      ((count++))
+      log INFO "${DB_NAME}_backup" "Keeping remote backup(s) ${ARCHIVE_FILE}."
+    else
+      log INFO "${DB_NAME}_backup" "Deleting remote backup(s) ${ARCHIVE_FILE} from the RGW"
+      openstack object delete ${CONTAINER_NAME} ${ARCHIVE_FILE} ||  log WARN "${DB_NAME}_backup" \
+        "Failed to cleanup remote backup. Cannot delete container object ${ARCHIVE_FILE}"
+    fi
+  done
+
+  # Cleanup now that we're done.
+  for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
+    if [[ -f fd ]]; then
+      rm -f fd
+    else
+      log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+    fi
+  done
+}
+
+# Main function to backup the databases. Calling functions need to supply:
+#  1) The directory where the final backup will be kept after it is compressed.
+#  2) A temporary directory to use for placing database files to be compressed.
+#     Note: this temp directory will be deleted after backup is done.
+#  3) Optional "scope" parameter indicating what database to back up. Defaults
+#     to "all".
+backup_databases() {
+  SCOPE=${1:-"all"}
+
+  # Create necessary directories if they do not exist.
+  mkdir -p $ARCHIVE_DIR || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create directory ${ARCHIVE_DIR}!"
+  export TMP_DIR=$(mktemp -d) || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create temp directory!"
+
+  # Create temporary log file
+  export ERR_LOG_FILE=$(mktemp -p /tmp) || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create log file!"
+
+  # It is expected that this function will dump the database files to the $TMP_DIR
+  dump_databases_to_directory $TMP_DIR $ERR_LOG_FILE $SCOPE
+
+  # If successful, there should be at least one file in the TMP_DIR
+  if [[ $? -ne 0 || $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+    cat $ERR_LOG_FILE
+    log_backup_error_exit "Backup of the ${DB_NAME} database failed and needs attention."
+  fi
+
+  log INFO "${DB_NAME}_backup" "Databases dumped successfully. Creating tarball..."
+
+  NOW=$(date +"%Y-%m-%dT%H:%M:%SZ")
+  if [[ -z "${BACK_UP_MODE}" ]]; then
+    TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${NOW}.tar.gz"
+  else
+    TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${BACK_UP_MODE}.${NOW}.tar.gz"
+  fi
+
+  cd $TMP_DIR || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot change to directory $TMP_DIR"
+
+  #Archive the current database files
+  tar zcvf $ARCHIVE_DIR/$TARBALL_FILE *
+  if [[ $? -ne 0 ]]; then
+    log_backup_error_exit \
+      "Backup ${DB_NAME} to local file system failed. Backup tarball could not be created."
+  fi
+
+  # Get the size of the file
+  ARCHIVE_SIZE=$(ls -l $ARCHIVE_DIR/$TARBALL_FILE | awk '{print $5}')
+
+  log INFO "${DB_NAME}_backup" "Tarball $TARBALL_FILE created successfully."
+
+  cd $ARCHIVE_DIR
+
+  # Remove the temporary directory and files as they are no longer needed.
+  rm -rf $TMP_DIR
+  rm -f $ERR_LOG_FILE
+
+  #Only delete the old archive after a successful archive
+  export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
+  if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
+    get_backup_prefix $(ls -1 ${ARCHIVE_DIR}/*.gz)
+    for ((i=0; i<${#PREFIXES[@]}; i++)); do
+      echo "Working with prefix: ${PREFIXES[i]}"
+      create_hash_table $(ls -1 ${ARCHIVE_DIR}/${PREFIXES[i]}*.gz)
+      remove_old_local_archives
+    done
+  fi
+
+  REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
+  if $REMOTE_BACKUP; then
+    # Remove Quotes from the constants which were added due to reading
+    # from secret.
+    export REMOTE_BACKUP_RETRIES=$(echo $REMOTE_BACKUP_RETRIES | sed 's/"//g')
+    export MIN_DELAY_SEND_REMOTE=$(echo $MIN_DELAY_SEND_REMOTE | sed 's/"//g')
+    export MAX_DELAY_SEND_REMOTE=$(echo $MAX_DELAY_SEND_REMOTE | sed 's/"//g')
+    export REMOTE_DAYS_TO_KEEP=$(echo $REMOTE_DAYS_TO_KEEP | sed 's/"//g')
+
+    store_backup_remotely $ARCHIVE_DIR $TARBALL_FILE
+    if [[ $? -ne 0 ]]; then
+      # This error should print first, then print the summary as the last
+      # thing that the user sees in the output.
+      log ERROR "${DB_NAME}_backup" "Backup ${TARBALL_FILE} could not be sent to remote RGW."
+      echo "=================================================================="
+      echo "Local backup successful, but could not send to remote RGW."
+      echo "Backup archive name: $TARBALL_FILE"
+      echo "Backup archive size: $ARCHIVE_SIZE"
+      echo "=================================================================="
+      # Because the local backup was successful, exit with 0 so the pod will not
+      # continue to restart and fill the disk with more backups. The ERRORs are
+      # logged and alerting system should catch those errors and flag the operator.
+      exit 0
+    fi
+
+    #Only delete the old archive after a successful archive
+    if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then
+      prepare_list_of_remote_backups
+      get_backup_prefix $(cat $DB_BACKUP_FILES)
+      for ((i=0; i<${#PREFIXES[@]}; i++)); do
+        echo "Working with prefix: ${PREFIXES[i]}"
+        create_hash_table $(cat $DB_BACKUP_FILES | grep ${PREFIXES[i]})
+        remove_old_remote_archives
+      done
+    fi
+
+    echo "=================================================================="
+    echo "Local backup and backup to remote RGW successful!"
+    echo "Backup archive name: $TARBALL_FILE"
+    echo "Backup archive size: $ARCHIVE_SIZE"
+    echo "=================================================================="
+  else
+    # Remote backup is not enabled. This is ok; at least we have a local backup.
+    log INFO "${DB_NAME}_backup" "Skipping remote backup, as it is not enabled."
+
+    echo "=================================================================="
+    echo "Local backup successful!"
+    echo "Backup archive name: $TARBALL_FILE"
+    echo "Backup archive size: $ARCHIVE_SIZE"
+    echo "=================================================================="
+  fi
+}
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl b/charts/octavia/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
new file mode 100644
index 0000000..093dd2c
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
@@ -0,0 +1,616 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.restore_main" }}
+#!/bin/bash
+
+# This file contains a database restore framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+#   source /tmp/restore_main.sh
+#
+# Then the script should call the main CLI function (cli_main):
+#   cli_main <arg_list>
+#       where:
+#         <arg_list>    is the list of arguments given by the user
+#
+#       The framework will require the following variables to be exported:
+#
+#         export DB_NAMESPACE        Namespace where the database(s) reside
+#         export DB_NAME             Name of the database system
+#         export ARCHIVE_DIR         Location where the backup tarballs should
+#                                    be stored. (full directory path which
+#                                    should already exist)
+#         export CONTAINER_NAME      Name of the container on the RGW where
+#                                    the backups are stored.
+#         RGW access variables:
+#           export OS_REGION_NAME          Name of the region the RGW resides in
+#           export OS_AUTH_URL             Keystone URL associated with the RGW
+#           export OS_PROJECT_NAME         Name of the project associated with the
+#                                          keystone user
+#           export OS_USERNAME             Name of the keystone user
+#           export OS_PASSWORD             Password of the keystone user
+#           export OS_USER_DOMAIN_NAME     Keystone domain the project belongs to
+#           export OS_PROJECT_DOMAIN_NAME  Keystone domain the user belongs to
+#           export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# The database-specific functions that need to be implemented are:
+#   get_databases
+#       where:
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <db_file>     is the full path of the file to write the database
+#                       names into, one database per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the database names from the
+#       uncompressed database files found in the given "tmp_dir", which is
+#       the staging directory for database restore. The database names
+#       should be written to the given "db_file", one database name per
+#       line.
+#
+#   get_tables
+#         <db_name>     is the name of the database to get the tables from
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <table_file>  is the full path of the file to write the table
+#                       names into, one table per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the table names from the given
+#       database, found in the uncompressed database files located in the
+#       given "tmp_dir", which is the staging directory for database restore.
+#       The table names should be written to the given "table_file", one
+#       table name per line.
+#
+#   get_rows
+#         <table_name>  is the name of the table to get the rows from
+#         <db_name>     is the name of the database the table resides in
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <rows_file>   is the full path of the file to write the table
+#                       row data into, one row (INSERT statement) per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the rows from the given table
+#       in the given database, found in the uncompressed database files
+#       located in the given "tmp_dir", which is the staging directory for
+#       database restore. The table rows should be written to the given
+#       "rows_file", one row (INSERT statement) per line.
+#
+#   get_schema
+#         <table_name>  is the name of the table to get the schema from
+#         <db_name>     is the name of the database the table resides in
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <schema_file> is the full path of the file to write the table
+#                       schema data into
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the schema from the given table
+#       in the given database, found in the uncompressed database files
+#       located in the given "tmp_dir", which is the staging directory for
+#       database restore. The table schema and related alterations and
+#       grant information should be written to the given "schema_file".
+#
+#   restore_single_db
+#       where:
+#         <db_name>     is the name of the database to be restored
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to restore the database given as "db_name"
+#       using the database files located in the "tmp_dir". The framework
+#       will delete the "tmp_dir" and the files in it after the restore is
+#       complete.
+#
+#   restore_all_dbs
+#       where:
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to restore all of the databases which
+#       are backed up in the database files located in the "tmp_dir". The
+#       framework will delete the "tmp_dir" and the files in it after the
+#       restore is complete.
+#
+# The functions in this file will take care of:
+#   1) The CLI parameter parsing for the arguments passed in by the user.
+#   2) The listing of either local or remote archive files at the request
+#      of the user.
+#   3) The retrieval/download of an archive file located either in the local
+#      file system or remotely stored on an RGW.
+#   4) Calling either "restore_single_db" or "restore_all_dbs" when the user
+#      chooses to restore a database or all databases.
+#   5) The framework will call "get_databases" when it needs a list of
+#      databases when the user requests a database list or when the user
+#      requests to restore a single database (to ensure it exists in the
+#      archive). Similarly, the framework will call "get_tables", "get_rows",
+#      or "get_schema" when it needs that data requested by the user.
+#
+
+usage() {
+  ret_val=$1
+  echo "Usage:"
+  echo "Restore command options"
+  echo "============================="
+  echo "help"
+  echo "list_archives [remote]"
+  echo "list_databases <archive_filename> [remote]"
+  echo "list_tables <archive_filename> <dbname> [remote]"
+  echo "list_rows <archive_filename> <dbname> <table_name> [remote]"
+  echo "list_schema <archive_filename> <dbname> <table_name> [remote]"
+  echo "restore <archive_filename> <db_specifier> [remote]"
+  echo "        where <db_specifier> = <dbname> | ALL"
+  echo "delete_archive <archive_filename> [remote]"
+  clean_and_exit $ret_val ""
+}
+
+#Exit cleanly with some message and return code
+clean_and_exit() {
+  RETCODE=$1
+  MSG=$2
+
+  # Clean/remove temporary directories/files
+  rm -rf $TMP_DIR
+  rm -f $RESULT_FILE
+
+  if [[ "x${MSG}" != "x" ]]; then
+    echo $MSG
+  fi
+  exit $RETCODE
+}
+
+determine_resulting_error_code() {
+  RESULT="$1"
+
+  echo ${RESULT} | grep "HTTP 404"
+  if [[ $? -eq 0 ]]; then
+    echo "Could not find the archive: ${RESULT}"
+    return 1
+  else
+    echo ${RESULT} | grep "HTTP 401"
+    if [[ $? -eq 0 ]]; then
+      echo "Could not access the archive: ${RESULT}"
+      return 1
+    else
+      echo ${RESULT} | grep "HTTP 503"
+      if [[ $? -eq 0 ]]; then
+        echo "RGW service is unavailable. ${RESULT}"
+        # In this case, the RGW may be temporarily down.
+        # Return slightly different error code so the calling code can retry
+        return 2
+      else
+        echo ${RESULT} | grep "ConnectionError"
+        if [[ $? -eq 0 ]]; then
+          echo "Could not reach the RGW: ${RESULT}"
+          # In this case, keystone or the site/node may be temporarily down.
+          # Return slightly different error code so the calling code can retry
+          return 2
+        else
+          echo "Archive ${ARCHIVE} could not be retrieved: ${RESULT}"
+          return 1
+        fi
+      fi
+    fi
+  fi
+  return 0
+}
+
+# Retrieve a list of archives from the RGW.
+retrieve_remote_listing() {
+  RESULT=$(openstack container show $CONTAINER_NAME 2>&1)
+  if [[ $? -eq 0 ]]; then
+    # Get the list, ensureing that we only pick up the right kind of backups from the
+    # requested namespace
+    openstack object list $CONTAINER_NAME | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $TMP_DIR/archive_list
+    if [[ $? -ne 0 ]]; then
+      echo "Container object listing could not be obtained."
+      return 1
+    else
+      echo "Archive listing successfully retrieved."
+    fi
+  else
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  fi
+  return 0
+}
+
+# Retrieve a single archive from the RGW.
+retrieve_remote_archive() {
+  ARCHIVE=$1
+
+  RESULT=$(openstack object save --file $TMP_DIR/$ARCHIVE $CONTAINER_NAME $ARCHIVE 2>&1)
+  if [[ $? -ne 0 ]]; then
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  else
+    echo "Archive $ARCHIVE successfully retrieved."
+  fi
+  return 0
+}
+
+# Delete an archive from the RGW.
+delete_remote_archive() {
+  ARCHIVE=$1
+
+  RESULT=$(openstack object delete ${CONTAINER_NAME} ${ARCHIVE} 2>&1)
+  if [[ $? -ne 0 ]]; then
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  else
+    echo "Archive ${ARCHIVE} successfully deleted."
+  fi
+  return 0
+}
+
+# Display all archives
+list_archives() {
+  REMOTE=$1
+
+  if [[ "x${REMOTE^^}" == "xREMOTE" ]]; then
+    retrieve_remote_listing
+    if [[ $? -eq 0 && -e $TMP_DIR/archive_list ]]; then
+      echo
+      echo "All Archives from RGW Data Store"
+      echo "=============================================="
+      cat $TMP_DIR/archive_list | sort
+      clean_and_exit 0 ""
+    else
+      clean_and_exit 1 "ERROR: Archives could not be retrieved from the RGW."
+    fi
+  elif [[ "x${REMOTE}" == "x" ]]; then
+    if [[ -d $ARCHIVE_DIR ]]; then
+      archives=$(find $ARCHIVE_DIR/ -iname "*.gz" -print | sort)
+      echo
+      echo "All Local Archives"
+      echo "=============================================="
+      for archive in $archives
+      do
+        echo $archive | cut -d '/' -f8-
+      done
+      clean_and_exit 0 ""
+    else
+      clean_and_exit 1 "ERROR: Local archive directory is not available."
+    fi
+  else
+    usage 1
+  fi
+}
+
+# Retrieve the archive from the desired location and decompress it into
+# the restore directory
+get_archive() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+
+  if [[ "x$REMOTE" == "xremote" ]]; then
+    echo "Retrieving archive ${ARCHIVE_FILE} from the remote RGW..."
+    retrieve_remote_archive $ARCHIVE_FILE
+    if [[ $? -ne 0 ]]; then
+      clean_and_exit 1 "ERROR: Could not retrieve remote archive: $ARCHIVE_FILE"
+    fi
+  elif [[ "x$REMOTE" == "x" ]]; then
+    if [[ -e $ARCHIVE_DIR/$ARCHIVE_FILE ]]; then
+      cp $ARCHIVE_DIR/$ARCHIVE_FILE $TMP_DIR/$ARCHIVE_FILE
+      if [[ $? -ne 0 ]]; then
+        clean_and_exit 1 "ERROR: Could not copy local archive to restore directory."
+      fi
+    else
+      clean_and_exit 1 "ERROR: Local archive file could not be found."
+    fi
+  else
+    usage 1
+  fi
+
+  echo "Decompressing archive $ARCHIVE_FILE..."
+  cd $TMP_DIR
+  tar zxvf - < $TMP_DIR/$ARCHIVE_FILE 1>/dev/null
+  if [[ $? -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Archive decompression failed."
+  fi
+}
+
+# Display all databases from an archive
+list_databases() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one database per line
+  get_databases $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve databases from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Databases in the $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Databases file missing. Could not list databases from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display all tables of a database from an archive
+list_tables() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  REMOTE=$3
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one table per line
+  get_tables $DATABASE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve tables for database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Tables in database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Tables file missing. Could not list tables of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display all rows of the given database table from an archive
+list_rows() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  TABLE=$3
+  REMOTE=$4
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one table per line
+  get_rows $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Rows in table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Rows file missing. Could not list rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display the schema information of the given database table from an archive
+list_schema() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  TABLE=$3
+  REMOTE=$4
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the schema information will be placed into
+  # the given schema file.
+  get_schema $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Schema for table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Schema file missing. Could not list schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Delete an archive
+delete_archive() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  if [[ "${WHERE}" == "remote" ]]; then
+    delete_remote_archive ${ARCHIVE_FILE}
+    if [[ $? -ne 0 ]]; then
+      clean_and_exit 1 "ERROR: Could not delete remote archive: ${ARCHIVE_FILE}"
+    fi
+  else # Local
+    if [[ -e ${ARCHIVE_DIR}/${ARCHIVE_FILE} ]]; then
+      rm -f ${ARCHIVE_DIR}/${ARCHIVE_FILE}
+      if [[ $? -ne 0 ]]; then
+        clean_and_exit 1 "ERROR: Could not delete local archive."
+      fi
+    else
+      clean_and_exit 1 "ERROR: Local archive file could not be found."
+    fi
+  fi
+
+  echo "Successfully deleted archive ${ARCHIVE_FILE} from ${WHERE} storage."
+}
+
+
+# Return 1 if the given database exists in the database file. 0 otherwise.
+database_exists() {
+  DB=$1
+
+  grep "${DB}" ${RESULT_FILE}
+  if [[ $? -eq 0 ]]; then
+    return 1
+  fi
+  return 0
+}
+
+# This is the main CLI interpreter function
+cli_main() {
+  ARGS=("$@")
+
+  # Create the ARCHIVE DIR if it's not already there.
+  mkdir -p $ARCHIVE_DIR
+
+  # Create temp directory for a staging area to decompress files into
+  export TMP_DIR=$(mktemp -d)
+
+  # Create a temp file for storing list of databases (if needed)
+  export RESULT_FILE=$(mktemp -p /tmp)
+
+  case "${ARGS[0]}" in
+    "help")
+      usage 0
+      ;;
+
+    "list_archives")
+      if [[ ${#ARGS[@]} -gt 2 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 1 ]]; then
+        list_archives
+      else
+        list_archives ${ARGS[1]}
+      fi
+      clean_and_exit 0
+      ;;
+
+    "list_databases")
+      if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 2 ]]; then
+        list_databases ${ARGS[1]}
+      else
+        list_databases ${ARGS[1]} ${ARGS[2]}
+      fi
+      ;;
+
+    "list_tables")
+      if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 3 ]]; then
+        list_tables ${ARGS[1]} ${ARGS[2]}
+      else
+        list_tables ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      fi
+      ;;
+
+    "list_rows")
+      if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      else
+        list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+      fi
+      ;;
+
+    "list_schema")
+      if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      else
+        list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+      fi
+      ;;
+
+    "restore")
+      REMOTE=""
+      if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        REMOTE=${ARGS[3]}
+      fi
+
+      ARCHIVE=${ARGS[1]}
+      DB_SPEC=${ARGS[2]}
+
+      #Get all the databases in that archive
+      get_archive $ARCHIVE $REMOTE
+
+      if [[ "$( echo $DB_SPEC | tr '[a-z]' '[A-Z]')" != "ALL" ]]; then
+        # Expectation is that the database listing will be put into
+        # the given file one database per line
+        get_databases $TMP_DIR $RESULT_FILE
+        if [[ "$?" -ne 0 ]]; then
+          clean_and_exit 1 "ERROR: Could not get the list of databases to restore."
+        fi
+
+        if [[ ! $DB_NAMESPACE == "kube-system" ]]; then
+          #check if the requested database is available in the archive
+          database_exists $DB_SPEC
+          if [[ $? -ne 1 ]]; then
+            clean_and_exit 1 "ERROR: Database ${DB_SPEC} does not exist."
+          fi
+        fi
+
+        echo "Restoring Database $DB_SPEC And Grants"
+        restore_single_db $DB_SPEC $TMP_DIR
+        if [[ "$?" -eq 0 ]]; then
+          echo "Single database restored successfully."
+        else
+          clean_and_exit 1 "ERROR: Single database restore failed."
+        fi
+        clean_and_exit 0 ""
+      else
+        echo "Restoring All The Databases. This could take a few minutes..."
+        restore_all_dbs $TMP_DIR
+        if [[ "$?" -eq 0 ]]; then
+          echo "All databases restored successfully."
+        else
+          clean_and_exit 1 "ERROR: Database restore failed."
+        fi
+        clean_and_exit 0 ""
+      fi
+      ;;
+    "delete_archive")
+      if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 2 ]]; then
+        delete_archive ${ARGS[1]}
+      else
+        delete_archive ${ARGS[1]} ${ARGS[2]}
+      fi
+      ;;
+    *)
+      usage 1
+      ;;
+  esac
+
+  clean_and_exit 0 ""
+}
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_image.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_image.tpl
new file mode 100644
index 0000000..029c93d
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_image.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves an image reference to a string, and its pull policy
+values: |
+  images:
+    tags:
+      test_image: docker.io/port/test:version-foo
+      image_foo: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    pull_policy: IfNotPresent
+    local_registry:
+      active: true
+      exclude:
+        - image_foo
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    local_image_registry:
+      name: docker-registry
+      namespace: docker-registry
+      hosts:
+        default: localhost
+        internal: docker-registry
+        node: localhost
+      host_fqdn_override:
+        default: null
+      port:
+        registry:
+          node: 5000
+usage: |
+  {{ tuple . "test_image" | include "helm-toolkit.snippets.image" }}
+return: |
+  image: "localhost:5000/docker.io/port/test:version-foo"
+  imagePullPolicy: IfNotPresent
+*/}}
+
+{{- define "helm-toolkit.snippets.image" -}}
+{{- $envAll := index . 0 -}}
+{{- $image := index . 1 -}}
+{{- $imageTag := index $envAll.Values.images.tags $image -}}
+{{- if and ($envAll.Values.images.local_registry.active) (not (has $image $envAll.Values.images.local_registry.exclude )) -}}
+{{- $registryPrefix := printf "%s:%s" (tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup") (tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup") -}}
+image: {{ printf "%s/%s" $registryPrefix $imageTag | quote }}
+{{- else -}}
+image: {{ $imageTag | quote }}
+{{- end }}
+imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
new file mode 100644
index 0000000..2f209fe
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a set of container enviorment variables, equivlant to an openrc for
+  use with keystone based command line clients.
+values: |
+  secrets:
+    identity:
+      admin: example-keystone-admin
+usage: |
+  {{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin ) }}
+return: |
+  - name: OS_IDENTITY_API_VERSION
+    value: "3"
+  - name: OS_AUTH_URL
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_AUTH_URL
+  - name: OS_REGION_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_REGION_NAME
+  - name: OS_INTERFACE
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_INTERFACE
+  - name: OS_ENDPOINT_TYPE
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_INTERFACE
+  - name: OS_PROJECT_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PROJECT_DOMAIN_NAME
+  - name: OS_PROJECT_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PROJECT_NAME
+  - name: OS_USER_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_USER_DOMAIN_NAME
+  - name: OS_USERNAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_USERNAME
+  - name: OS_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PASSWORD
+  - name: OS_CACERT
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_CACERT
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }}
+{{- $useCA := .useCA -}}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: OS_IDENTITY_API_VERSION
+  value: "3"
+- name: OS_AUTH_URL
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_AUTH_URL
+- name: OS_REGION_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_REGION_NAME
+- name: OS_INTERFACE
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_INTERFACE
+- name: OS_ENDPOINT_TYPE
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_INTERFACE
+- name: OS_PROJECT_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_DOMAIN_NAME
+- name: OS_PROJECT_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_NAME
+- name: OS_USER_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USER_DOMAIN_NAME
+- name: OS_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USERNAME
+- name: OS_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PASSWORD
+- name: OS_DEFAULT_DOMAIN
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_DEFAULT_DOMAIN
+{{- if $useCA }}
+- name: OS_CACERT
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_CACERT
+{{- end }}
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
new file mode 100644
index 0000000..f627657
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_secret_openrc" }}
+{{- $userClass := index . 0 -}}
+{{- $identityEndpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $userContext := index $context.Values.endpoints.identity.auth $userClass }}
+OS_AUTH_URL: {{ tuple "identity" $identityEndpoint "api" $context | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
+OS_REGION_NAME: {{ $userContext.region_name | b64enc }}
+OS_INTERFACE: {{ $userContext.interface | default "internal" | b64enc }}
+OS_PROJECT_DOMAIN_NAME: {{ $userContext.project_domain_name | b64enc }}
+OS_PROJECT_NAME: {{ $userContext.project_name | b64enc }}
+OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }}
+OS_USERNAME: {{ $userContext.username | b64enc }}
+OS_PASSWORD: {{ $userContext.password | b64enc }}
+OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }}
+{{- if $userContext.cacert }}
+OS_CACERT: {{ $userContext.cacert | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
new file mode 100644
index 0000000..648711b
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a set of container enviorment variables, for use with the keystone
+  user management jobs.
+values: |
+  secrets:
+    identity:
+      service_user: example-keystone-user
+usage: |
+  {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }}
+return: |
+  - name: SERVICE_OS_REGION_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_REGION_NAME
+  - name: SERVICE_OS_PROJECT_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PROJECT_DOMAIN_NAME
+  - name: SERVICE_OS_PROJECT_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PROJECT_NAME
+  - name: SERVICE_OS_USER_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_USER_DOMAIN_NAME
+  - name: SERVICE_OS_USERNAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_USERNAME
+  - name: SERVICE_OS_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PASSWORD
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_user_create_env_vars" }}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: SERVICE_OS_REGION_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_REGION_NAME
+- name: SERVICE_OS_PROJECT_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_DOMAIN_NAME
+- name: SERVICE_OS_PROJECT_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_NAME
+- name: SERVICE_OS_USER_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USER_DOMAIN_NAME
+- name: SERVICE_OS_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USERNAME
+- name: SERVICE_OS_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PASSWORD
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
new file mode 100644
index 0000000..8ca1028
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders a configmap used for loading custom AppArmor profiles.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+      apparmor_profiles: |-
+        my_apparmor-v1.profile: |-
+          #include <tunables/global>
+          profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+            <profile_data>
+          }
+usage: |
+  {{ dict "envAll" . "component" "myComponent" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }}
+return: |
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: releaseName-myComponent-apparmor
+  namespace: myNamespace
+data:
+  my_apparmor-v1.profile: |-
+    #include <tunables/global>
+    profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+      <profile_data>
+    }
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_configmap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- $mapName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if $envAll.Values.conf.apparmor_profiles }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ $mapName }}
+  namespace: {{ $envAll.Release.Namespace }}
+data:
+{{ $envAll.Values.conf.apparmor_profiles | toYaml | indent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
new file mode 100644
index 0000000..f231fe6
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders the init container used for apparmor loading.
+values: |
+  images:
+    tags:
+      apparmor_loader: my-repo.io/apparmor-loader:1.0.0
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+      apparmor-loader: unconfined
+usage: |
+  {{ dict "envAll" . | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" }}
+return: |
+  - name: apparmor-loader
+    image: my-repo.io/apparmor-loader:1.0.0
+    args:
+      - /profiles
+    securityContext:
+      privileged: true
+    volumeMounts:
+      - name: sys
+        mountPath: /sys
+        readOnly: true
+      - name: includes
+        mountPath: /etc/apparmor.d
+        readOnly: true
+      - name: profiles
+        mountPath: /profiles
+        readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" -}}
+{{- $envAll := index . "envAll" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+- name: apparmor-loader
+  image: {{ $envAll.Values.images.tags.apparmor_loader }}
+  args:
+    - /profiles
+  securityContext:
+    privileged: true
+  volumeMounts:
+    - name: sys
+      mountPath: /sys
+      readOnly: true
+    - name: includes
+      mountPath: /etc/apparmor.d
+      readOnly: true
+    - name: profiles
+      mountPath: /profiles
+      readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
new file mode 100644
index 0000000..baebaa3
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders the volumes used by the apparmor loader.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+inputs: |
+  envAll: "Environment or Context."
+  component: "Name of the component used for the name of configMap."
+  requireSys: "Boolean. True if it needs the hostpath /sys in volumes."
+usage: |
+  {{ dict "envAll" . "component" "keystone" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" }}
+return: |
+- name: sys
+  hostPath:
+    path: /sys
+- name: includes
+  hostPath:
+    path: /etc/apparmor.d
+- name: profiles
+  configMap:
+    name: RELEASENAME-keystone-apparmor
+    defaultMode: 0555
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_volumes" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $requireSys := index . "requireSys" | default false -}}
+{{- $configName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- if $requireSys }}
+- name: sys
+  hostPath:
+    path: /sys
+{{- end }}
+- name: includes
+  hostPath:
+    path: /etc/apparmor.d
+- name: profiles
+  configMap:
+    name: {{ $configName | quote }}
+    defaultMode: 0555
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
new file mode 100644
index 0000000..4741497
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders securityContext for a Kubernetes container.
+  For container level, see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#securitycontext-v1-core
+examples:
+  - values: |
+      pod:
+        security_context:
+          myApp:
+            container:
+              foo:
+                runAsUser: 34356
+                readOnlyRootFilesystem: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" "container" "foo" | include "helm-toolkit.snippets.kubernetes_container_security_context" }}
+    return: |
+      securityContext:
+        readOnlyRootFilesystem: true
+        runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_container_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $container := index . "container" -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{- if hasKey ( index $envAll.Values.pod.security_context $application "container" ) $container }}
+securityContext:
+{{ toYaml ( index $envAll.Values.pod.security_context $application "container" $container ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
new file mode 100644
index 0000000..bed712e
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
@@ -0,0 +1,209 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a container definition for use with the kubernetes-entrypoint image
+  from stackanetes.
+values: |
+  images:
+    tags:
+      dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    pull_policy: IfNotPresent
+    local_registry:
+      active: true
+      exclude:
+        - dep_check
+  dependencies:
+    dynamic:
+      common:
+        local_image_registry:
+          jobs:
+            - calico-image-repo-sync
+          services:
+            - endpoint: node
+              service: local_image_registry
+    static:
+      calico_node:
+        services:
+          - endpoint: internal
+            service: etcd
+        custom_resources:
+          - apiVersion: argoproj.io/v1alpha1
+            kind: Workflow
+            name: wf-example
+            fields:
+              - key: "status.phase"
+                value: "Succeeded"
+  endpoints:
+    local_image_registry:
+      namespace: docker-registry
+      hosts:
+        default: localhost
+        node: localhost
+    etcd:
+      hosts:
+        default: etcd
+  # NOTE (portdirect): if the stanza, or a portion of it, under `pod` is not
+  # specififed then the following will be used as defaults:
+  #  pod:
+  #    security_context:
+  #      kubernetes_entrypoint:
+  #        container:
+  #          kubernetes_entrypoint:
+  #            runAsUser: 65534
+  #            readOnlyRootFilesystem: true
+  #            allowPrivilegeEscalation: false
+  pod:
+    security_context:
+      kubernetes_entrypoint:
+        container:
+          kubernetes_entrypoint:
+            runAsUser: 0
+            readOnlyRootFilesystem: false
+usage: |
+  {{ tuple . "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" }}
+return: |
+  - name: init
+    image: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+    imagePullPolicy: IfNotPresent
+    securityContext:
+      allowPrivilegeEscalation: false
+      readOnlyRootFilesystem: false
+      runAsUser: 0
+
+    env:
+      - name: POD_NAME
+        valueFrom:
+          fieldRef:
+            apiVersion: v1
+            fieldPath: metadata.name
+      - name: NAMESPACE
+        valueFrom:
+          fieldRef:
+            apiVersion: v1
+            fieldPath: metadata.namespace
+      - name: INTERFACE_NAME
+        value: eth0
+      - name: PATH
+        value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+      - name: DEPENDENCY_SERVICE
+        value: "default:etcd,docker-registry:localhost"
+      - name: DEPENDENCY_JOBS
+        value: "calico-image-repo-sync"
+      - name: DEPENDENCY_DAEMONSET
+        value: ""
+      - name: DEPENDENCY_CONTAINER
+        value: ""
+      - name: DEPENDENCY_POD_JSON
+        value: ""
+      - name: DEPENDENCY_CUSTOM_RESOURCE
+        value: "[{\"apiVersion\":\"argoproj.io/v1alpha1\",\"kind\":\"Workflow\",\"namespace\":\"default\",\"name\":\"wf-example\",\"fields\":[{\"key\":\"status.phase\",\"value\":\"Succeeded\"}]}]"
+    command:
+      - kubernetes-entrypoint
+    volumeMounts:
+      []
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" -}}
+Values:
+  pod:
+    security_context:
+      kubernetes_entrypoint:
+        container:
+          kubernetes_entrypoint:
+            runAsUser: 65534
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $mounts := index . 2 -}}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+
+{{- if and ($envAll.Values.manifests.job_rabbit_init) (hasKey $envAll.Values.dependencies "dynamic") -}}
+{{- if $envAll.Values.dependencies.dynamic.job_rabbit_init -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component) ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component)) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+{{- range $deps.custom_resources }}
+{{- $_ := set . "namespace" $envAll.Release.Namespace -}}
+{{- end -}}
+{{- $default_security_context := include "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" . | fromYaml }}
+{{- $patchedEnvAll := mergeOverwrite $default_security_context $envAll }}
+- name: init
+{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
+{{- dict "envAll" $patchedEnvAll "application" "kubernetes_entrypoint" "container" "kubernetes_entrypoint" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 2 }}
+  env:
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          apiVersion: v1
+          fieldPath: metadata.name
+    - name: NAMESPACE
+      valueFrom:
+        fieldRef:
+          apiVersion: v1
+          fieldPath: metadata.namespace
+    - name: INTERFACE_NAME
+      value: eth0
+    - name: PATH
+      value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+    - name: DEPENDENCY_SERVICE
+      value: "{{ tuple $deps.services $envAll | include "helm-toolkit.utils.comma_joined_service_list" }}"
+{{- if $deps.jobs -}}
+  {{- if kindIs "string" (index $deps.jobs 0) }}
+    - name: DEPENDENCY_JOBS
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.jobs }}"
+  {{- else }}
+    - name: DEPENDENCY_JOBS_JSON
+      value: {{- toJson $deps.jobs | quote -}}
+  {{- end -}}
+{{- end }}
+    - name: DEPENDENCY_DAEMONSET
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.daemonset }}"
+    - name: DEPENDENCY_CONTAINER
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.container }}"
+    - name: DEPENDENCY_POD_JSON
+      value: {{ if $deps.pod }}{{ toJson $deps.pod | quote }}{{ else }}""{{ end }}
+    - name: DEPENDENCY_CUSTOM_RESOURCE
+      value: {{ if $deps.custom_resources }}{{ toJson $deps.custom_resources | quote }}{{ else }}""{{ end }}
+  command:
+    - kubernetes-entrypoint
+  volumeMounts:
+{{ toYaml $mounts | indent 4 }}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
new file mode 100644
index 0000000..34a7da3
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
@@ -0,0 +1,20 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_kubectl_params" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{ print "-l application=" $application " -l component=" $component }}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
new file mode 100644
index 0000000..92d3ea5
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders mandatory access control annotations for a list of containers
+  driven by values.yaml. As of now, it can only generate an apparmor
+  annotation, but in the future could generate others.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      myPodName:
+        myContainerName: localhost/myAppArmor
+        mySecondContainerName: localhost/secondProfile # optional
+        myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+  {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" }}
+return: |
+  container.apparmor.security.beta.kubernetes.io/myContainerName: localhost/myAppArmor
+  container.apparmor.security.beta.kubernetes.io/mySecondContainerName: localhost/secondProfile
+  container.apparmor.security.beta.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+  The number of container underneath is a variable arguments. It loops through
+  all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- $macType := $envAll.Values.pod.mandatory_access_control.type -}}
+{{- if $macType -}}
+{{- if eq $macType "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control $podName -}}
+{{- range $name := $containerNames -}}
+{{- $apparmorProfile := index $envAll.Values.pod.mandatory_access_control $podName $name -}}
+{{- if $apparmorProfile }}
+container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
new file mode 100644
index 0000000..48b53fa
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders a set of standardised labels
+values: |
+  release_group: null
+  pod:
+    labels:
+      default:
+        label1.example.com: value
+      bar:
+        label2.example.com: bar
+usage: |
+  {{ tuple . "foo" "bar" | include "helm-toolkit.snippets.kubernetes_metadata_labels" }}
+return: |
+  release_group: RELEASE-NAME
+  application: foo
+  component: bar
+  label1.example.com: value
+  label2.example.com: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+release_group: {{ $envAll.Values.release_group | default $envAll.Release.Name }}
+application: {{ $application }}
+component: {{ $component }}
+{{- if ($envAll.Values.pod).labels }}
+{{- if hasKey $envAll.Values.pod.labels $component }}
+{{ index $envAll.Values.pod "labels" $component | toYaml }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.labels "default" }}
+{{ $envAll.Values.pod.labels.default | toYaml }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
new file mode 100644
index 0000000..fabbcf8
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
@@ -0,0 +1,89 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes anti affinity rules, this function supports both hard
+  'requiredDuringSchedulingIgnoredDuringExecution' and soft
+  'preferredDuringSchedulingIgnoredDuringExecution' types.
+values: |
+  pod:
+    affinity:
+      anti:
+        topologyKey:
+          default: kubernetes.io/hostname
+        type:
+          default: requiredDuringSchedulingIgnoredDuringExecution
+        weight:
+          default: 10
+usage: |
+  {{ tuple . "appliction_x" "component_y" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" }}
+return: |
+  podAntiAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+    - labelSelector:
+        matchExpressions:
+          - key: release_group
+            operator: In
+            values:
+            - RELEASE-NAME
+          - key: application
+            operator: In
+            values:
+            - appliction_x
+          - key: component
+            operator: In
+            values:
+            - component_y
+          topologyKey: kubernetes.io/hostname
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $component := index . "component" -}}
+{{- $expressionRelease := dict "key" "release_group" "operator" "In"  "values" ( list ( $envAll.Values.release_group | default $envAll.Release.Name ) ) -}}
+{{- $expressionApplication := dict "key" "application" "operator" "In"  "values" ( list $application ) -}}
+{{- $expressionComponent := dict "key" "component" "operator" "In"  "values" ( list $component ) -}}
+{{- list $expressionRelease $expressionApplication $expressionComponent | toYaml }}
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{- $antiAffinityType := index $envAll.Values.pod.affinity.anti.type $component | default $envAll.Values.pod.affinity.anti.type.default }}
+{{- $antiAffinityKey := index $envAll.Values.pod.affinity.anti.topologyKey $component | default $envAll.Values.pod.affinity.anti.topologyKey.default }}
+podAntiAffinity:
+{{- $matchExpressions := include "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" ( dict "envAll" $envAll "application" $application "component" $component ) -}}
+{{- if eq $antiAffinityType "preferredDuringSchedulingIgnoredDuringExecution" }}
+  {{ $antiAffinityType }}:
+  - podAffinityTerm:
+      labelSelector:
+        matchExpressions:
+{{ $matchExpressions | indent 10 }}
+      topologyKey: {{ $antiAffinityKey }}
+{{- if  $envAll.Values.pod.affinity.anti.weight }}
+    weight: {{ index $envAll.Values.pod.affinity.anti.weight $component | default $envAll.Values.pod.affinity.anti.weight.default }}
+{{- else }}
+    weight: 10
+{{- end -}}
+{{- else if eq $antiAffinityType "requiredDuringSchedulingIgnoredDuringExecution" }}
+  {{ $antiAffinityType }}:
+  - labelSelector:
+      matchExpressions:
+{{ $matchExpressions | indent 8 }}
+    topologyKey: {{ $antiAffinityKey }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
new file mode 100644
index 0000000..74173dc
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders image pull secrets for a pod
+values: |
+  pod:
+    image_pull_secrets:
+      default:
+        - name: some-pull-secret
+      bar:
+        - name: another-pull-secret
+usage: |
+  {{ tuple . "bar" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" }}
+return: |
+  imagePullSecrets:
+    - name: some-pull-secret
+    - name: another-pull-secret
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_image_pull_secrets" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- if ($envAll.Values.pod).image_pull_secrets }}
+imagePullSecrets:
+{{- if hasKey $envAll.Values.pod.image_pull_secrets $application }}
+{{ index $envAll.Values.pod "image_pull_secrets" $application | toYaml | indent 2 }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.image_pull_secrets "default" }}
+{{ $envAll.Values.pod.image_pull_secrets.default | toYaml | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
new file mode 100644
index 0000000..90a7a65
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{{- $saName := index . 2 | replace "_" "-" }}
+{{- $saNamespace := index . 3 -}}
+{{- $releaseName := $envAll.Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $releaseName }}-{{ $saName }}
+  namespace: {{ $saNamespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $saName }}
+    namespace: {{ $saNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+  namespace: {{ $saNamespace }}
+rules:
+  - apiGroups:
+      - ""
+      - extensions
+      - batch
+      - apps
+    verbs:
+      - get
+      - list
+    resources:
+      {{- range $k, $v := $deps -}}
+      {{ if eq $v "daemonsets" }}
+      - daemonsets
+      {{- end -}}
+      {{ if eq $v "jobs" }}
+      - jobs
+      {{- end -}}
+      {{ if or (eq $v "pods") (eq $v "daemonsets") (eq $v "jobs") }}
+      - pods
+      {{- end -}}
+      {{ if eq $v "services" }}
+      - services
+      - endpoints
+      {{- end -}}
+      {{ if eq $v "secrets" }}
+      - secrets
+      {{- end -}}
+      {{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
new file mode 100644
index 0000000..bc2045e
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $saName := index . 2 -}}
+{{- $saNamespace := $envAll.Release.Namespace }}
+{{- $randomKey := randAlphaNum 32 }}
+{{- $allNamespace := dict $randomKey "" }}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $saName }}
+  namespace: {{ $saNamespace }}
+{{- if $envAll.Values.manifests.secret_registry }}
+{{- if $envAll.Values.endpoints.oci_image_registry.auth.enabled }}
+imagePullSecrets:
+  - name: {{ index $envAll.Values.secrets.oci_image_registry $envAll.Chart.Name }}
+{{- end -}}
+{{- end -}}
+{{- range $k, $v := $deps -}}
+{{- if eq $k "services" }}
+{{- range $serv := $v }}
+{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
+{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
+{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
+{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- else if and (eq $k "jobs") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "daemonset") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "pod") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "pods," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "secret") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "secrets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- $_ := unset $allNamespace $randomKey }}
+{{- range $ns, $vv := $allNamespace }}
+{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
+{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
new file mode 100644
index 0000000..3a4fbaa
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
@@ -0,0 +1,67 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders securityContext for a Kubernetes pod.
+  For pod level, seurity context see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#podsecuritycontext-v1-core
+examples:
+  - values: |
+      pod:
+        # NOTE: The 'user' key is deprecated, and will be removed shortly.
+        user:
+          myApp:
+            uid: 34356
+        security_context:
+          myApp:
+            pod:
+              runAsNonRoot: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+    return: |
+      securityContext:
+        runAsUser: 34356
+        runAsNonRoot: true
+  - values: |
+      pod:
+        security_context:
+          myApp:
+            pod:
+              runAsUser: 34356
+              runAsNonRoot: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+    return: |
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+securityContext:
+{{- if hasKey $envAll.Values.pod "user" }}
+{{- if hasKey $envAll.Values.pod.user $application }}
+{{- if hasKey ( index $envAll.Values.pod.user $application ) "uid" }}
+  runAsUser: {{ index $envAll.Values.pod.user $application "uid" }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{ toYaml ( index $envAll.Values.pod.security_context $application "pod" ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
new file mode 100644
index 0000000..7470760
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes liveness and readiness probes for containers
+values: |
+  pod:
+    probes:
+      api:
+        default:
+          readiness:
+            enabled: true
+            params:
+              initialDelaySeconds: 30
+              timeoutSeconds: 30
+usage: |
+  {{- define "probeTemplate" }}
+  httpGet:
+    path: /status
+    port: 9090
+  {{- end }}
+  {{ dict "envAll" . "component" "api" "container" "default" "type" "readiness" "probeTemplate" (include "probeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" }}
+return: |
+  readinessProbe:
+    httpGet:
+      path: /status
+      port: 9090
+    initialDelaySeconds: 30
+    timeoutSeconds: 30
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_probe" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $container := index . "container" -}}
+{{- $type := index . "type" -}}
+{{- $probeTemplate := index . "probeTemplate" -}}
+{{- $probeOpts := index $envAll.Values.pod.probes $component $container $type -}}
+{{- if $probeOpts.enabled -}}
+{{- $probeOverides := index $probeOpts "params" | default dict -}}
+{{ dict ( printf "%sProbe" $type ) (mergeOverwrite $probeTemplate $probeOverides ) | toYaml }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
new file mode 100644
index 0000000..24d30cf
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
@@ -0,0 +1,53 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Note: This function is deprecated and will be removed in the future.
+
+abstract: |
+  Renders kubernetes resource limits for pods
+values: |
+  pod:
+    resources:
+      enabled: true
+      api:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+          hugepages-1Gi: "1Gi"
+
+usage: |
+  {{ include "helm-toolkit.snippets.kubernetes_resources" ( tuple . .Values.pod.resources.api ) }}
+return: |
+  resources:
+    limits:
+      cpu: "2000m"
+      memory: "1024Mi"
+      hugepages-1Gi: "1Gi"
+    requests:
+      cpu: "100m"
+      memory: "128Mi
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_resources" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- if $envAll.Values.pod.resources.enabled -}}
+resources:
+{{ toYaml $component | trim | indent 2 }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
new file mode 100644
index 0000000..555ffb0
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders seccomp annotations for a list of containers driven by values.yaml.
+values: |
+  pod:
+    seccomp:
+      myPodName:
+        myContainerName: localhost/mySeccomp
+        mySecondContainerName: localhost/secondProfile # optional
+        myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+  {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_seccomp_annotation" }}
+return: |
+  container.seccomp.security.alpha.kubernetes.io/myContainerName: localhost/mySeccomp
+  container.seccomp.security.alpha.kubernetes.io/mySecondContainerName: localhost/secondProfile
+  container.seccomp.security.alpha.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+  The number of container underneath is a variable arguments. It loops through
+  all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_seccomp_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey (index $envAll.Values.pod "seccomp") $podName -}}
+{{- range $name := $containerNames -}}
+{{- $seccompProfile := index $envAll.Values.pod.seccomp $podName $name -}}
+{{- if $seccompProfile }}
+container.seccomp.security.alpha.kubernetes.io/{{ $name }}: {{ $seccompProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
new file mode 100644
index 0000000..e4af6a6
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes tolerations for pods
+values: |
+  pod:
+    tolerations:
+      api:
+        enabled: true
+        tolerations:
+        - key: node-role.kubernetes.io/master
+          operator: Exists
+        - key: node-role.kubernetes.io/node
+          operator: Exists
+
+usage: |
+  {{ include "helm-toolkit.snippets.kubernetes_tolerations" ( tuple . .Values.pod.tolerations.api ) }}
+return: |
+  tolerations:
+  - key: node-role.kubernetes.io/master
+    operator: Exists
+  - key: node-role.kubernetes.io/node
+    operator: Exists
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_tolerations" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $pod := index $envAll.Values.pod.tolerations $component }}
+tolerations:
+{{ toYaml $pod.tolerations }}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
new file mode 100644
index 0000000..69cee47
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_daemonset" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $upgradeMap := index $envAll.Values.pod.lifecycle.upgrades.daemonsets $component -}}
+{{- $pod_replacement_strategy := $envAll.Values.pod.lifecycle.upgrades.daemonsets.pod_replacement_strategy -}}
+{{- with $upgradeMap -}}
+{{- if .enabled }}
+minReadySeconds: {{ .min_ready_seconds }}
+updateStrategy:
+  type: {{ $pod_replacement_strategy }}
+  {{- if $pod_replacement_strategy }}
+  {{- if eq $pod_replacement_strategy "RollingUpdate" }}
+  rollingUpdate:
+    maxUnavailable: {{ .max_unavailable }}
+  {{- end }}
+  {{- end }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
new file mode 100644
index 0000000..be28cdb
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_deployment" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.deployments -}}
+revisionHistoryLimit: {{ .revision_history }}
+strategy:
+  type: {{ .pod_replacement_strategy }}
+  {{- if eq .pod_replacement_strategy "RollingUpdate" }}
+  rollingUpdate:
+    maxUnavailable: {{ .rolling_update.max_unavailable }}
+    maxSurge: {{ .rolling_update.max_surge }}
+  {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
new file mode 100644
index 0000000..f897023
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders upgradeStrategy configuration for Kubernetes statefulsets.
+  See: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+  Types:
+    - RollingUpdate (default)
+    - OnDelete
+  Partitions:
+    - Stage updates to a statefulset by keeping pods at current version while
+      allowing mutations to statefulset's .spec.template
+values: |
+  pod:
+    lifecycle:
+      upgrades:
+        statefulsets:
+          pod_replacement_strategy: RollingUpdate
+          partition: 2
+usage: |
+  {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_statefulset" | indent 2 }}
+return: |
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      partition: 2
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_statefulset" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.statefulsets -}}
+updateStrategy:
+  type: {{ .pod_replacement_strategy }}
+  {{ if .partition -}}
+  rollingUpdate:
+    partition: {{ .partition }}
+  {{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
new file mode 100644
index 0000000..fc74c6f
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
@@ -0,0 +1,68 @@
+{{- define "helm-toolkit.snippets.mon_host_from_k8s_ep" -}}
+{{/*
+
+Inserts a bash function definition mon_host_from_k8s_ep() which can be used
+to construct a mon_hosts value from the given namespaced endpoint.
+
+Usage (e.g. in _script.sh.tpl):
+    #!/bin/bash
+
+    : "${NS:=ceph}"
+    : "${EP:=ceph-mon-discovery}"
+
+    {{ include "helm-toolkit.snippets.mon_host_from_k8s_ep" . }}
+
+    MON_HOST=$(mon_host_from_k8s_ep "$NS" "$EP")
+
+    if [ -z "$MON_HOST" ]; then
+        # deal with failure
+    else
+        sed -i -e "s/^mon_host = /mon_host = $MON_HOST/" /etc/ceph/ceph.conf
+    fi
+*/}}
+{{`
+# Construct a mon_hosts value from the given namespaced endpoint
+# IP x.x.x.x with port p named "mon-msgr2" will appear as [v2:x.x.x.x/p/0]
+# IP x.x.x.x with port q named "mon" will appear as [v1:x.x.x.x/q/0]
+# IP x.x.x.x with ports p and q will appear as [v2:x.x.x.x/p/0,v1:x.x.x.x/q/0]
+# The entries for all IPs will be joined with commas
+mon_host_from_k8s_ep() {
+  local ns=$1
+  local ep=$2
+
+  if [ -z "$ns" ] || [ -z "$ep" ]; then
+    return 1
+  fi
+
+  # We don't want shell expansion for the go-template expression
+  # shellcheck disable=SC2016
+  kubectl get endpoints -n "$ns" "$ep" -o go-template='
+    {{- $sep := "" }}
+    {{- range $_,$s := .subsets }}
+      {{- $v2port := 0 }}
+      {{- $v1port := 0 }}
+      {{- range $_,$port := index $s "ports" }}
+        {{- if (eq $port.name "mon-msgr2") }}
+          {{- $v2port = $port.port }}
+        {{- else if (eq $port.name "mon") }}
+          {{- $v1port = $port.port }}
+        {{- end }}
+      {{- end }}
+      {{- range $_,$address := index $s "addresses" }}
+        {{- $v2endpoint := printf "v2:%s:%d/0" $address.ip $v2port }}
+        {{- $v1endpoint := printf "v1:%s:%d/0" $address.ip $v1port }}
+        {{- if (and $v2port $v1port) }}
+          {{- printf "%s[%s,%s]" $sep $v2endpoint $v1endpoint }}
+          {{- $sep = "," }}
+        {{- else if $v2port }}
+          {{- printf "%s[%s]" $sep $v2endpoint }}
+          {{- $sep = "," }}
+        {{- else if $v1port }}
+          {{- printf "%s[%s]" $sep $v1endpoint }}
+          {{- $sep = "," }}
+        {{- end }}
+      {{- end }}
+    {{- end }}'
+}
+`}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
new file mode 100644
index 0000000..fec41f8
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape jobs via pod
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape pods that have a value of `true`
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: Scrape the pod on the indicated port instead of the
+# pod's declared ports (default is a port-free target if none are declared).
+
+{{- define "helm-toolkit.snippets.prometheus_pod_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
new file mode 100644
index 0000000..a827c4b
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
@@ -0,0 +1,35 @@
+{{/*
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+   http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape endpoints via
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape services that have a value of `true`
+# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
+# to set this to `https` & most likely set the `tls_config` of the scrape config.
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: If the metrics are exposed on a different port to the
+# service then set this appropriately.
+
+{{- define "helm-toolkit.snippets.prometheus_service_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.scheme }}
+prometheus.io/scheme: {{ $config.scheme | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_release_uuid.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
new file mode 100644
index 0000000..253920b
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Reneders an attonation key and value for a release
+values: |
+  release_uuid: null
+usage: |
+  {{ tuple . | include "helm-toolkit.snippets.release_uuid" }}
+return: |
+  "openstackhelm.openstack.org/release_uuid": ""
+*/}}
+
+{{- define "helm-toolkit.snippets.release_uuid" -}}
+{{- $envAll := index . 0 -}}
+"openstackhelm.openstack.org/release_uuid": {{ $envAll.Values.release_uuid | default "" | quote }}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
new file mode 100644
index 0000000..a3169ce
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_admin_env_vars" }}
+{{- $s3AdminSecret := .s3AdminSecret }}
+- name: S3_ADMIN_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_USERNAME
+- name: S3_ADMIN_ACCESS_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_ACCESS_KEY
+- name: S3_ADMIN_SECRET_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_SECRET_KEY
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
new file mode 100644
index 0000000..a611a5e
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_secret_creds" }}
+{{- range $client, $config := .Values.storage.s3.clients -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+type: Opaque
+data:
+{{- range $key, $value := $config.auth }}
+  {{ $key | upper }}: {{ $value | toString | b64enc}}
+{{- end }}
+
+{{ end }}
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
new file mode 100644
index 0000000..a3dd431
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_user_env_vars" }}
+{{- range $client, $user := .Values.storage.s3.clients }}
+{{- $s3secret := printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+- name: {{ printf "%s_S3_USERNAME" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: USERNAME
+- name: {{ printf "%s_S3_ACCESS_KEY" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: ACCESS_KEY
+- name: {{ printf "%s_S3_SECRET_KEY" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: SECRET_KEY
+{{- end }}
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_tls_volume.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
new file mode 100644
index 0000000..41fe3d9
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+  Renders a secret volume for tls.
+
+  Dictionary Parameters:
+    enabled: boolean check if you want to conditional disable this snippet (optional)
+    name: name of the volume (required)
+    secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional)
+
+values: |
+  manifests:
+    certificates: true
+
+usage: |
+  {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume" -}}
+
+return: |
+  - name: glance-tls-api
+    secret:
+      secretName: glance-tls-api
+      defaultMode: 292
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $secretName := index . "secretName" | default $name -}}
+{{- if and $enabled (ne $name "") }}
+- name: {{ $name }}
+  secret:
+    secretName: {{ $secretName }}
+    defaultMode: 292
+{{- end }}
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
new file mode 100644
index 0000000..9cfa819
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
@@ -0,0 +1,82 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+  Renders a volume mount for TLS key, cert and CA.
+
+  Dictionary Parameters:
+    enabled: boolean check if you want to conditional disable this snippet (optional)
+    name: name that of the volume and should match the volume name (required)
+    path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required)
+    certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}.
+          the default is the full set. (optional)
+
+values: |
+  manifests:
+    certificates: true
+
+usage: |
+  {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/tls.crt
+    subPath: tls.crt
+    readOnly: true
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/tls.key
+    subPath: tls.key
+    readOnly: true
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/ca.crt
+    subPath: ca.crt
+    readOnly: true
+
+abstract: |
+  This mounts a specific issuing CA only for service validation
+
+usage: |
+  {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+  - name: glance-tls-api
+    mountPath: /etc/ssl/certs/openstack-helm.crt
+    subPath: ca.crt
+    readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume_mount" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $path := index . "path" | default "" -}}
+{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }}
+{{- if $enabled }}
+{{- if and (eq $path "") (ne $name "") }}
+- name: {{ $name }}
+  mountPath: "/etc/ssl/certs/openstack-helm.crt"
+  subPath: ca.crt
+  readOnly: true
+{{- else }}
+{{- if ne $name "" }}
+{{- range $key, $value := $certs }}
+- name: {{ $name }}
+  mountPath: {{ printf "%s/%s" $path $value }}
+  subPath: {{ $value }}
+  readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
new file mode 100644
index 0000000..6e9d5a1
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
@@ -0,0 +1,87 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders out configuration sections into a format suitable for incorporation
+  into a config-map. Allowing various forms of input to be rendered out as
+  appropriate.
+values: |
+  conf:
+    inputs:
+      - foo
+      - bar
+    some:
+      config_to_render: |
+        #We can use all of gotpl here: eg macros, ranges etc.
+        {{ include "helm-toolkit.utils.joinListWithComma" .Values.conf.inputs }}
+      config_to_complete:
+        #here we can fill out params, but things need to be valid yaml as input
+        '{{ .Release.Name }}': '{{ printf "%s-%s" .Release.Namespace "namespace" }}'
+      static_config:
+        #this is just passed though as yaml to the configmap
+        foo: bar
+usage: |
+  {{- $envAll := . }}
+  ---
+  apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: application-etc
+  data:
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_render "key" "config_to_render.conf") | indent 2 }}
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_complete "key" "config_to_complete.yaml") | indent 2 }}
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.static_config "key" "static_config.yaml") | indent 2 }}
+return: |
+  ---
+  apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: application-etc
+  data:
+    config_to_render.conf: |
+      #We can use all of gotpl here: eg macros, ranges etc.
+      foo,bar
+
+    config_to_complete.yaml: |
+      'RELEASE-NAME': 'default-namespace'
+
+    static_config.yaml: |
+      foo: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.values_template_renderer" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $template := index . "template" -}}
+{{- $key := index . "key" -}}
+{{- $format := index . "format" | default "configMap" -}}
+{{- with $envAll -}}
+{{- $templateRendered := tpl ( $template | toYaml ) . }}
+{{- if eq $format "Secret" }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: {{ regexReplaceAllLiteral "\n  " ( $templateRendered | trimPrefix "|\n" | trimPrefix "  " ) "\n" | b64enc }}
+{{- else }}
+{{ $key }}: {{ $templateRendered | b64enc }}
+{{- end -}}
+{{- else }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: |
+{{ regexReplaceAllLiteral "\n  " ( $templateRendered | trimPrefix "|\n" | trimPrefix "  " ) "\n" | indent 2 }}
+{{- else }}
+{{ $key }}: |
+{{ $templateRendered | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl b/charts/octavia/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
new file mode 100644
index 0000000..6d617a1
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
@@ -0,0 +1,94 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Produces a certificate from a certificate authority. If the "encode" parameter
+  is true, base64 encode the values for inclusion in a Kubernetes secret.
+values: |
+  test:
+    hosts:
+      names:
+        - barbican.openstackhelm.example
+        - barbican.openstack.svc.cluster.local
+      ips:
+        - 127.0.0.1
+        - 192.168.0.1
+    life: 3
+    # Use ca.crt and ca.key to build a customized ca, if they are provided.
+    # Use hosts.names[0] and life to auto-generate a ca, if ca is not provided.
+    ca:
+      crt: |
+        <CA CRT>
+      key: |
+        <CA PRIVATE KEY>
+usage: |
+  {{ include "helm-toolkit.utils.tls_generate_certs" (dict "params" .Values.test) }}
+return: |
+  ca: |
+    <CA CRT>
+  crt: |
+    <CRT>
+  exp: 2018-09-01T10:56:07.895392915-00:00
+  key: |
+    <CRT PRIVATE KEY>
+*/}}
+
+{{- define "helm-toolkit.utils.tls_generate_certs" -}}
+{{- $params := index . "params" -}}
+{{- $encode := index . "encode" | default false -}}
+{{- $local := dict -}}
+
+{{- $_hosts := $params.hosts.names | default list }}
+{{- if kindIs "string" $params.hosts.names }}
+{{- $_ := set $local "certHosts" (list $params.hosts.names) }}
+{{- else }}
+{{- $_ := set $local "certHosts" $_hosts }}
+{{- end }}
+
+{{- $_ips := $params.hosts.ips | default list }}
+{{- if kindIs "string" $params.hosts.ips }}
+{{- $_ := set $local "certIps" (list $params.hosts.ips) }}
+{{- else }}
+{{- $_ := set $local "certIps" $_ips }}
+{{- end }}
+
+{{- if hasKey $params "ca" }}
+{{- if and (hasKey $params.ca "crt") (hasKey $params.ca "key") }}
+{{- $ca := buildCustomCert ($params.ca.crt | b64enc ) ($params.ca.key | b64enc ) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+{{- else }}
+{{- $ca := genCA (first $local.certHosts) (int $params.life) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+
+{{- $expDate := date_in_zone "2006-01-02T15:04:05Z07:00" ( date_modify (printf "+%sh" (mul $params.life 24 |toString)) now ) "UTC" }}
+{{- $rawCert := genSignedCert (first $local.certHosts) ($local.certIps) ($local.certHosts) (int $params.life) $local.ca }}
+{{- $certificate := dict -}}
+{{- if $encode -}}
+{{- $_ := b64enc $rawCert.Cert | set $certificate "crt" -}}
+{{- $_ := b64enc $rawCert.Key | set $certificate "key" -}}
+{{- $_ := b64enc $local.ca.Cert | set $certificate "ca" -}}
+{{- $_ := b64enc $local.ca.Key | set $certificate "caKey" -}}
+{{- $_ := b64enc $expDate | set $certificate "exp" -}}
+{{- else -}}
+{{- $_ := set $certificate "crt" $rawCert.Cert -}}
+{{- $_ := set $certificate "key" $rawCert.Key -}}
+{{- $_ := set $certificate "ca" $local.ca.Cert -}}
+{{- $_ := set $certificate "caKey" $local.ca.Key -}}
+{{- $_ := set $certificate "exp" $expDate -}}
+{{- end -}}
+{{- $certificate | toYaml }}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl b/charts/octavia/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
new file mode 100644
index 0000000..e26501f
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a comma separated list of namespace:service pairs.
+values: |
+  dependencies:
+    static:
+      api:
+        services:
+          - endpoint: internal
+            service: oslo_cache
+          - endpoint: internal
+            service: oslo_db
+  endpoints:
+    oslo_db:
+      namespace: foo
+      hosts:
+        default: mariadb
+    oslo_cache:
+      namespace: bar
+      hosts:
+        default: memcache
+usage: |
+  {{ tuple .Values.dependencies.static.api.services . | include "helm-toolkit.utils.comma_joined_service_list" }}
+return: |
+  bar:memcache,foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.utils.comma_joined_service_list" -}}
+{{- $deps := index . 0 -}}
+{{- $envAll := index . 1 -}}
+{{- range $k, $v := $deps -}}{{- if $k -}},{{- end -}}{{ tuple $v.service $v.endpoint $envAll | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/utils/_configmap_templater.tpl b/charts/octavia/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
new file mode 100644
index 0000000..7095c19
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
@@ -0,0 +1,30 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.configmap_templater" }}
+{{- $keyRoot := index . 0 -}}
+{{- $configTemplate := index . 1 -}}
+{{- $context := index . 2 -}}
+{{ if $keyRoot.override -}}
+{{ $keyRoot.override | indent 4 }}
+{{- else -}}
+{{- if $keyRoot.prefix -}}
+{{ $keyRoot.prefix | indent 4 }}
+{{- end }}
+{{ tuple $configTemplate $context | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if $keyRoot.append -}}
+{{ $keyRoot.append | indent 4 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl b/charts/octavia/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
new file mode 100644
index 0000000..40359f0
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
@@ -0,0 +1,269 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.daemonset_overrides" }}
+  {{- $daemonset := index . 0 }}
+  {{- $daemonset_yaml := index . 1 }}
+  {{- $configmap_include := index . 2 }}
+  {{- $configmap_name := index . 3 }}
+  {{- $context := index . 4 }}
+  {{- $_ := unset $context ".Files" }}
+  {{- $daemonset_root_name := printf (print $context.Chart.Name "_" $daemonset) }}
+  {{- $_ := set $context.Values "__daemonset_list" list }}
+  {{- $_ := set $context.Values "__default" dict }}
+  {{- if hasKey $context.Values.conf "overrides" }}
+    {{- range $key, $val := $context.Values.conf.overrides }}
+
+      {{- if eq $key $daemonset_root_name }}
+        {{- range $type, $type_data := . }}
+
+          {{- if eq $type "hosts" }}
+            {{- range $host_data := . }}
+              {{/* dictionary that will contain all info needed to generate this
+              iteration of the daemonset */}}
+              {{- $current_dict := dict }}
+
+              {{/* set daemonset name */}}
+              {{/* Note: long hostnames can cause the 63 char name limit to be
+              exceeded. Truncate the hostname if hostname > 20 char */}}
+              {{- if gt (len $host_data.name) 20 }}
+                {{- $_ := set $current_dict "name" (substr 0 20 $host_data.name) }}
+              {{- else }}
+                {{- $_ := set $current_dict "name" $host_data.name }}
+              {{- end }}
+
+              {{/* apply overrides */}}
+              {{- $override_conf_copy := $host_data.conf }}
+              {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+              {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+              {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+              {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+              {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+              {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+              {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+              {{- $_ := set $current_dict "nodeData" $root_conf_copy4 }}
+
+              {{/* Schedule to this host explicitly. */}}
+              {{- $nodeSelector_dict := dict }}
+
+              {{- $_ := set $nodeSelector_dict "key" "kubernetes.io/hostname" }}
+              {{- $_ := set $nodeSelector_dict "operator" "In" }}
+
+              {{- $values_list := list $host_data.name }}
+              {{- $_ := set $nodeSelector_dict "values" $values_list }}
+
+              {{- $list_aggregate := list $nodeSelector_dict }}
+              {{- $_ := set $current_dict "matchExpressions" $list_aggregate }}
+
+              {{/* store completed daemonset entry/info into global list */}}
+              {{- $list_aggregate := append $context.Values.__daemonset_list $current_dict }}
+              {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+            {{- end }}
+          {{- end }}
+
+          {{- if eq $type "labels" }}
+            {{- $_ := set $context.Values "__label_list" . }}
+            {{- range $label_data := . }}
+              {{/* dictionary that will contain all info needed to generate this
+              iteration of the daemonset. */}}
+              {{- $_ := set $context.Values "__current_label" dict }}
+
+              {{/* set daemonset name */}}
+              {{- $_ := set $context.Values.__current_label "name" $label_data.label.key }}
+
+              {{/* apply overrides */}}
+              {{- $override_conf_copy := $label_data.conf }}
+              {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+              {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+              {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+              {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+              {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+              {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+              {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+              {{- $_ := set $context.Values.__current_label "nodeData" $root_conf_copy4 }}
+
+              {{/* Schedule to the provided label value(s) */}}
+              {{- $label_dict := omit $label_data.label "NULL" }}
+              {{- $_ := set $label_dict "operator" "In" }}
+              {{- $list_aggregate := list $label_dict }}
+              {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+
+              {{/* Do not schedule to other specified labels, with higher
+              precedence as the list position increases. Last defined label
+              is highest priority. */}}
+              {{- $other_labels := without $context.Values.__label_list $label_data }}
+              {{- range $label_data2 := $other_labels }}
+                {{- $label_dict := omit $label_data2.label "NULL" }}
+
+                {{- $_ := set $label_dict "operator" "NotIn" }}
+
+                {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+                {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+              {{- end }}
+              {{- $_ := set $context.Values "__label_list" $other_labels }}
+
+              {{/* Do not schedule to any other specified hosts */}}
+              {{- range $type, $type_data := $val }}
+                {{- if eq $type "hosts" }}
+                  {{- range $host_data := . }}
+                    {{- $label_dict := dict }}
+
+                    {{- $_ := set $label_dict "key" "kubernetes.io/hostname" }}
+                    {{- $_ := set $label_dict "operator" "NotIn" }}
+
+                    {{- $values_list := list $host_data.name }}
+                    {{- $_ := set $label_dict "values" $values_list }}
+
+                    {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+                    {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+                  {{- end }}
+                {{- end }}
+              {{- end }}
+
+              {{/* store completed daemonset entry/info into global list */}}
+              {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__current_label }}
+              {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+              {{- $_ := unset $context.Values "__current_label" }}
+
+            {{- end }}
+          {{- end }}
+        {{- end }}
+
+        {{/* scheduler exceptions for the default daemonset */}}
+        {{- $_ := set $context.Values.__default "matchExpressions" list }}
+
+        {{- range $type, $type_data := . }}
+          {{/* Do not schedule to other specified labels */}}
+          {{- if eq $type "labels" }}
+            {{- range $label_data := . }}
+              {{- $default_dict := omit $label_data.label "NULL" }}
+
+              {{- $_ := set $default_dict "operator" "NotIn" }}
+
+              {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+              {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+            {{- end }}
+          {{- end }}
+          {{/* Do not schedule to other specified hosts */}}
+          {{- if eq $type "hosts" }}
+            {{- range $host_data := . }}
+              {{- $default_dict := dict }}
+
+              {{- $_ := set $default_dict "key" "kubernetes.io/hostname" }}
+              {{- $_ := set $default_dict "operator" "NotIn" }}
+
+              {{- $values_list := list $host_data.name }}
+              {{- $_ := set $default_dict "values" $values_list }}
+
+              {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+              {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+            {{- end }}
+          {{- end }}
+        {{- end }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+
+  {{/* generate the default daemonset */}}
+
+  {{/* set name */}}
+  {{- $_ := set $context.Values.__default "name" "default" }}
+
+  {{/* no overrides apply, so copy as-is */}}
+  {{- $root_conf_copy1 := omit $context.Values.conf "overrides" }}
+  {{- $root_conf_copy2 := dict "conf" $root_conf_copy1 }}
+  {{- $context_values := omit $context.Values "conf" }}
+  {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+  {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+  {{- $_ := set $context.Values.__default "nodeData" $root_conf_copy4 }}
+
+  {{/* add to global list */}}
+  {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__default }}
+  {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+  {{- range $current_dict := $context.Values.__daemonset_list }}
+
+    {{- $context_novalues := omit $context "Values" }}
+    {{- $merged_dict := mergeOverwrite $context_novalues $current_dict.nodeData }}
+    {{- $_ := set $current_dict "nodeData" $merged_dict }}
+    {{/* Deep copy original daemonset_yaml */}}
+    {{- $_ := set $context.Values "__daemonset_yaml" ($daemonset_yaml | toYaml | fromYaml) }}
+
+    {{/* name needs to be a DNS-1123 compliant name. Ensure lower case */}}
+    {{- $name_format1 := printf (print $daemonset_root_name "-" $current_dict.name) | lower }}
+    {{/* labels may contain underscores which would be invalid here, so we replace them with dashes
+    there may be other valid label names which would make for an invalid DNS-1123 name
+    but these will be easier to handle in future with sprig regex* functions
+    (not availabile in helm 2.5.1) */}}
+    {{- $name_format2 := $name_format1 | replace "_" "-" }}
+    {{/* To account for the case where the same label is defined multiple times in overrides
+    (but with different label values), we add a sha of the scheduling data to ensure
+    name uniqueness */}}
+    {{- $_ := set $current_dict "dns_1123_name" dict }}
+    {{- if hasKey $current_dict "matchExpressions" }}
+      {{- $_ := set $current_dict "dns_1123_name" (printf (print $name_format2 "-" ($current_dict.matchExpressions | quote | sha256sum | trunc 8))) }}
+    {{- else }}
+      {{- $_ := set $current_dict "dns_1123_name" $name_format2 }}
+    {{- end }}
+
+    {{/* set daemonset metadata name */}}
+    {{- if not $context.Values.__daemonset_yaml.metadata }}{{- $_ := set $context.Values.__daemonset_yaml "metadata" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }}
+    {{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }}
+
+    {{/* cross-reference configmap name to container volume definitions */}}
+    {{- $_ := set $context.Values "__volume_list" list }}
+    {{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }}
+      {{- $_ := set $context.Values "__volume" $current_volume }}
+      {{- if hasKey $context.Values.__volume "secret" }}
+        {{- if eq $context.Values.__volume.secret.secretName $configmap_name }}
+          {{- $_ := set $context.Values.__volume.secret "secretName" $current_dict.dns_1123_name }}
+        {{- end }}
+      {{- end }}
+      {{- $updated_list := append $context.Values.__volume_list $context.Values.__volume }}
+      {{- $_ := set $context.Values "__volume_list" $updated_list }}
+    {{- end }}
+    {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "volumes" $context.Values.__volume_list }}
+
+
+    {{/* populate scheduling restrictions */}}
+    {{- if hasKey $current_dict "matchExpressions" }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "spec" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "affinity" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity "nodeAffinity" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity "requiredDuringSchedulingIgnoredDuringExecution" dict }}{{- end }}
+      {{- $match_exprs := dict }}
+      {{- $_ := set $match_exprs "matchExpressions" $current_dict.matchExpressions }}
+      {{- $appended_match_expr := list $match_exprs }}
+      {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution "nodeSelectorTerms" $appended_match_expr }}
+    {{- end }}
+
+    {{/* input value hash for current set of values overrides */}}
+    {{- if not $context.Values.__daemonset_yaml.spec }}{{- $_ := set $context.Values.__daemonset_yaml "spec" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template }}{{- $_ := set $context.Values.__daemonset_yaml.spec "template" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template.metadata }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "metadata" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template.metadata.annotations }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata "annotations" dict }}{{- end }}
+    {{- $cmap := list $current_dict.dns_1123_name $current_dict.nodeData | include $configmap_include }}
+    {{- $values_hash := $cmap | quote | sha256sum }}
+    {{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata.annotations "configmap-etc-hash" $values_hash }}
+
+    {{/* generate configmap */}}
+---
+{{ $cmap }}
+    {{/* generate daemonset yaml */}}
+---
+{{ $context.Values.__daemonset_yaml | toYaml }}
+  {{- end }}
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl b/charts/octavia/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
new file mode 100644
index 0000000..b99c00d
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.dependency_resolver" }}
+{{- $envAll := index . "envAll" -}}
+{{- $dependencyMixinParam := index . "dependencyMixinParam" -}}
+{{- $dependencyKey := index . "dependencyKey" -}}
+{{- if $dependencyMixinParam -}}
+{{- $_ := set $envAll.Values "pod_dependency" dict -}}
+{{- if kindIs "string" $dependencyMixinParam }}
+{{- if ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam ) }}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency ( index $envAll.Values.dependencies.static $dependencyKey ) ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam $dependencyKey ) ) -}}
+{{- else }}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- end }}
+{{- else if kindIs "slice" $dependencyMixinParam }}
+{{- $_ := set $envAll.Values "__deps" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- range $k, $v := $dependencyMixinParam -}}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency $envAll.Values.__deps ( index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey ) ) -}}
+{{- $_ := set $envAll.Values "__deps" $envAll.Values.pod_dependency -}}
+{{- end }}
+{{- end }}
+{{- else -}}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) -}}
+{{- end -}}
+{{ $envAll.Values.pod_dependency | toYaml }}
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/utils/_hash.tpl b/charts/octavia/charts/helm-toolkit/templates/utils/_hash.tpl
new file mode 100644
index 0000000..d871b62
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/utils/_hash.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.hash" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{- include $wtf $context | sha256sum | quote -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/utils/_host_list.tpl b/charts/octavia/charts/helm-toolkit/templates/utils/_host_list.tpl
new file mode 100644
index 0000000..0c32136
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/utils/_host_list.tpl
@@ -0,0 +1,44 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a list of unique hosts for an endpoint, in yaml.
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: mariadb
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.utils.host_list" }}
+return: |
+  hosts:
+  - mariadb
+  - mariadb.default
+*/}}
+
+{{- define "helm-toolkit.utils.host_list" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $host_fqdn := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $host_namespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $host_short := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{/* It is important that the FQDN host is 1st in this list, to ensure other function can use the 1st element for cert gen CN etc */}}
+{{- $host_list := list $host_fqdn $host_namespaced $host_short | uniq }}
+{{- dict "hosts" $host_list | toYaml }}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/utils/_image_sync_list.tpl b/charts/octavia/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
new file mode 100644
index 0000000..51923b6
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.image_sync_list" -}}
+{{- $imageExcludeList := .Values.images.local_registry.exclude -}}
+{{- $imageDict := .Values.images.tags -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := $imageDict -}}
+{{- if not $local.first -}},{{- end -}}
+{{- if (not (has $k $imageExcludeList )) -}}
+{{- index $imageDict $k -}}
+{{- $_ := set $local "first" false -}}
+{{- end -}}{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl b/charts/octavia/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
new file mode 100644
index 0000000..5eb5785
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a comma separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithComma" .Values.test }}
+return: |
+  foo,bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithComma" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl b/charts/octavia/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
new file mode 100644
index 0000000..3bc6819
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a comma seperated string with single quotes
+  around each value.
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.test }}
+return: |
+  'foo','bar'
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}'{{- $v -}}'{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl b/charts/octavia/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
new file mode 100644
index 0000000..40ebb15
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
@@ -0,0 +1,32 @@
+{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of prefixed values into a space separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ tuple "prefix" .Values.test | include "helm-toolkit.utils.joinListWithPrefix" }}
+return: |
+  prefixfoo prefixbar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithPrefix" -}}
+{{- $prefix := index . 0 -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := index . 1 -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $prefix -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl b/charts/octavia/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
new file mode 100644
index 0000000..5912280
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a space separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithSpace" .Values.test }}
+return: |
+  foo bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithSpace" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/utils/_merge.tpl b/charts/octavia/charts/helm-toolkit/templates/utils/_merge.tpl
new file mode 100644
index 0000000..ea80546
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/utils/_merge.tpl
@@ -0,0 +1,135 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Takes a tuple of values and merges into the first (target) one each subsequent
+(source) one in order. If all values to merge are maps, then the tuple can be
+passed as is and the target will be the result, otherwise pass a map with a
+"values" key containing the tuple of values to merge, and the merge result will
+be assigned to the "result" key of the passed map.
+
+When merging maps, for each key in the source, if the target does not define
+that key, the source value is assigned. If both define the key, then the key
+values are merged using this algorithm (recursively) and the result is assigned
+to the target key. Slices are merged by appending them and removing any
+duplicates, and when passing a map to this function and including a
+"merge_same_named" key set to true, then map items from the slices with the same
+value for the "name" key will be merged with each other. Any other values are
+merged by simply keeping the source, and throwing away the target.
+*/}}
+
+{{- define "helm-toolkit.utils.merge" -}}
+  {{- $local := dict -}}
+  {{- $_ := set $local "merge_same_named" false -}}
+  {{- if kindIs "map" $ -}}
+    {{- $_ := set $local "values" $.values -}}
+    {{- if hasKey $ "merge_same_named" -}}
+      {{- $_ := set $local "merge_same_named" $.merge_same_named -}}
+    {{- end -}}
+  {{- else -}}
+    {{- $_ := set $local "values" $ -}}
+  {{- end -}}
+
+  {{- $target := first $local.values -}}
+  {{- range $item := rest $local.values -}}
+    {{- $call := dict "target" $target "source" . "merge_same_named" $local.merge_same_named -}}
+    {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+    {{- $_ := set $local "result" $call.result -}}
+  {{- end -}}
+
+  {{- if kindIs "map" $ -}}
+    {{- $_ := set $ "result" $local.result -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge" -}}
+  {{- $local := dict -}}
+
+  {{- $_ := set $ "result" $.source -}}
+
+  {{/*
+  TODO: Should we `fail` when trying to merge a collection (map or slice) with
+  either a different kind of collection or a scalar?
+  */}}
+
+  {{- if and (kindIs "map" $.target) (kindIs "map" $.source) -}}
+    {{- range $key, $sourceValue := $.source -}}
+      {{- if not (hasKey $.target $key) -}}
+        {{- $_ := set $local "newTargetValue" $sourceValue -}}
+        {{- if kindIs "map" $sourceValue -}}
+          {{- $copy := dict -}}
+          {{- $call := dict "target" $copy "source" $sourceValue -}}
+          {{- $_ := include "helm-toolkit.utils._merge.shallow" $call -}}
+          {{- $_ := set $local "newTargetValue" $copy -}}
+        {{- end -}}
+      {{- else -}}
+        {{- $targetValue := index $.target $key -}}
+        {{- $call := dict "target" $targetValue "source" $sourceValue "merge_same_named" $.merge_same_named -}}
+        {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+        {{- $_ := set $local "newTargetValue" $call.result -}}
+      {{- end -}}
+      {{- $_ := set $.target $key $local.newTargetValue -}}
+    {{- end -}}
+    {{- $_ := set $ "result" $.target -}}
+  {{- else if and (kindIs "slice" $.target) (kindIs "slice" $.source) -}}
+    {{- $call := dict "target" $.target "source" $.source -}}
+    {{- $_ := include "helm-toolkit.utils._merge.append_slice" $call -}}
+    {{- if $.merge_same_named -}}
+      {{- $_ := set $local "result" list -}}
+      {{- $_ := set $local "named_items" dict -}}
+      {{- range $item := $call.result -}}
+      {{- $_ := set $local "has_name_key" false -}}
+        {{- if kindIs "map" $item -}}
+          {{- if hasKey $item "name" -}}
+            {{- $_ := set $local "has_name_key" true -}}
+          {{- end -}}
+        {{- end -}}
+
+        {{- if $local.has_name_key -}}
+          {{- if hasKey $local.named_items $item.name -}}
+            {{- $named_item := index $local.named_items $item.name -}}
+            {{- $call := dict "target" $named_item "source" $item "merge_same_named" $.merge_same_named -}}
+            {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+          {{- else -}}
+            {{- $copy := dict -}}
+            {{- $copy_call := dict "target" $copy "source" $item -}}
+            {{- $_ := include "helm-toolkit.utils._merge.shallow" $copy_call -}}
+            {{- $_ := set $local.named_items $item.name $copy -}}
+            {{- $_ := set $local "result" (append $local.result $copy) -}}
+          {{- end -}}
+        {{- else -}}
+          {{- $_ := set $local "result" (append $local.result $item) -}}
+        {{- end -}}
+      {{- end -}}
+    {{- else -}}
+      {{- $_ := set $local "result" $call.result -}}
+    {{- end -}}
+    {{- $_ := set $ "result" (uniq $local.result) -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.shallow" -}}
+  {{- range $key, $value := $.source -}}
+    {{- $_ := set $.target $key $value -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.append_slice" -}}
+  {{- $local := dict -}}
+  {{- $_ := set $local "result" $.target -}}
+  {{- range $value := $.source -}}
+    {{- $_ := set $local "result" (append $local.result $value) -}}
+  {{- end -}}
+  {{- $_ := set $ "result" $local.result -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/utils/_template.tpl b/charts/octavia/charts/helm-toolkit/templates/utils/_template.tpl
new file mode 100644
index 0000000..da56aa0
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/utils/_template.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.template" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{ include $wtf $context }}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/utils/_to_ini.tpl b/charts/octavia/charts/helm-toolkit/templates/utils/_to_ini.tpl
new file mode 100644
index 0000000..a159364
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/utils/_to_ini.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns INI formatted output from yaml input
+values: |
+  conf:
+    paste:
+      filter:debug:
+        use: egg:oslo.middleware#debug
+      filter:request_id:
+        use: egg:oslo.middleware#request_id
+      filter:build_auth_context:
+        use: egg:keystone#build_auth_context
+usage: |
+  {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste }}
+return: |
+  [filter:build_auth_context]
+  use = egg:keystone#build_auth_context
+  [filter:debug]
+  use = egg:oslo.middleware#debug
+  [filter:request_id]
+  use = egg:oslo.middleware#request_id
+*/}}
+
+{{- define "helm-toolkit.utils.to_ini" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{else -}}
+{{ $key }} = {{ $value }}
+{{end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl b/charts/octavia/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
new file mode 100644
index 0000000..885a86c
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns yaml formatted to be used in k8s templates as container
+  env vars injected via secrets. This requires a secret-<chartname> template to
+  be defined in the chart that can be used to house the desired secret
+  variables. For reference, see the fluentd chart.
+values: |
+  test:
+    secrets:
+      foo: bar
+
+usage: |
+  {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+  - name: foo
+    valueFrom:
+      secretKeyRef:
+        name: "my-release-name-env-secret"
+        key: foo
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_secret_vars" -}}
+{{- $context := index . 0 -}}
+{{- $secrets := index . 1 -}}
+{{ range $key, $config := $secrets -}}
+- name: {{ $key }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ printf "%s-%s" $context.Release.Name "env-secret" | quote }}
+      key: {{ $key }}
+{{ end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl b/charts/octavia/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
new file mode 100644
index 0000000..829dca6
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
@@ -0,0 +1,39 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns key value pair formatted to be used in k8s templates as container
+  env vars.
+values: |
+  test:
+    foo: bar
+usage: |
+  {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+  - name: foo
+    value: "bar"
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_vars" -}}
+{{range $key, $value := . -}}
+{{- if kindIs "slice" $value -}}
+- name: {{ $key }}
+  value: {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{else -}}
+- name: {{ $key }}
+  value: {{ $value | quote }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/utils/_to_kv_list.tpl b/charts/octavia/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
new file mode 100644
index 0000000..91bdeb6
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
@@ -0,0 +1,42 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns key value pair in INI format (key = value)
+values: |
+  conf:
+    libvirt:
+      log_level: 3
+usage: |
+  {{ include "helm-toolkit.utils.to_kv_list" .Values.conf.libvirt }}
+return: |
+  log_level = 3
+*/}}
+
+{{- define "helm-toolkit.utils.to_kv_list" -}}
+{{- range $key, $value :=  . -}}
+{{- if kindIs "slice" $value }}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{- else if kindIs "string" $value }}
+{{- if regexMatch "^[0-9]+$" $value }}
+{{ $key }} = {{ $value }}
+{{- else }}
+{{ $key }} = {{ $value | quote }}
+{{- end }}
+{{- else }}
+{{ $key }} = {{ $value }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl b/charts/octavia/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
new file mode 100644
index 0000000..622a862
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns OSLO.conf formatted output from yaml input
+values: |
+  conf:
+    keystone:
+      DEFAULT: # Keys at this level are used for section headings
+        max_token_size: 255
+      oslo_messaging_notifications:
+        driver: # An example of a multistring option's syntax
+          type: multistring
+          values:
+            - messagingv2
+            - log
+      oslo_messaging_notifications_stein:
+        driver: # An example of a csv option's syntax
+          type: csv
+          values:
+            - messagingv2
+            - log
+      security_compliance:
+        password_expires_ignore_user_ids:
+        # Values in a list will be converted to a comma separated key
+          - "123"
+          - "456"
+usage: |
+  {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.keystone }}
+return: |
+  [DEFAULT]
+  max_token_size = 255
+  [oslo_messaging_notifications]
+  driver = messagingv2
+  driver = log
+  [oslo_messaging_notifications_stein]
+  driver = messagingv2,log
+  [security_compliance]
+  password_expires_ignore_user_ids = 123,456
+*/}}
+
+{{- define "helm-toolkit.utils.to_oslo_conf" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{ range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{ else if kindIs "map" $value -}}
+{{- if eq $value.type "multistring" }}
+{{- range $k, $multistringValue := $value.values -}}
+{{ $key }} = {{ $multistringValue }}
+{{ end -}}
+{{ else if eq $value.type "csv" -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value.values }}
+{{ end -}}
+{{- else -}}
+{{ $key }} = {{ $value }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/values.yaml b/charts/octavia/charts/helm-toolkit/values.yaml
new file mode 100644
index 0000000..681a92b
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/values.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for utils.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
diff --git a/charts/octavia/requirements.lock b/charts/octavia/requirements.lock
new file mode 100644
index 0000000..ce130a4
--- /dev/null
+++ b/charts/octavia/requirements.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: helm-toolkit
+  repository: file://../../openstack-helm-infra/helm-toolkit
+  version: 0.2.44
+digest: sha256:d3a834e34152bf30319ac30e116adc128b474ca63bbbe0fb323a7a2365a56455
+generated: "2022-08-10T23:42:45.910611816Z"
diff --git a/charts/octavia/requirements.yaml b/charts/octavia/requirements.yaml
new file mode 100644
index 0000000..512dcb4
--- /dev/null
+++ b/charts/octavia/requirements.yaml
@@ -0,0 +1,18 @@
+# Copyright 2019 Samsung Electronics Co., Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+  - name: helm-toolkit
+    repository: file://../../openstack-helm-infra/helm-toolkit
+    version: ">= 0.1.0"
diff --git a/charts/octavia/templates/bin/_bootstrap.sh.tpl b/charts/octavia/templates/bin/_bootstrap.sh.tpl
new file mode 100644
index 0000000..98d1b37
--- /dev/null
+++ b/charts/octavia/templates/bin/_bootstrap.sh.tpl
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+{{ .Values.bootstrap.script | default "echo 'Not Enabled'" }}
diff --git a/charts/octavia/templates/bin/_db-sync.sh.tpl b/charts/octavia/templates/bin/_db-sync.sh.tpl
new file mode 100644
index 0000000..ae7e3c8
--- /dev/null
+++ b/charts/octavia/templates/bin/_db-sync.sh.tpl
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+octavia-db-manage upgrade head
diff --git a/charts/octavia/templates/bin/_octavia-api.sh.tpl b/charts/octavia/templates/bin/_octavia-api.sh.tpl
new file mode 100644
index 0000000..9e32268
--- /dev/null
+++ b/charts/octavia/templates/bin/_octavia-api.sh.tpl
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+  exec octavia-api \
+        --config-file /etc/octavia/octavia.conf
+}
+
+function stop () {
+  kill -TERM 1
+}
+
+$COMMAND
diff --git a/charts/octavia/templates/bin/_octavia-health-manager-get-port.sh.tpl b/charts/octavia/templates/bin/_octavia-health-manager-get-port.sh.tpl
new file mode 100644
index 0000000..fbe8f6a
--- /dev/null
+++ b/charts/octavia/templates/bin/_octavia-health-manager-get-port.sh.tpl
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+HOSTNAME=$(hostname -s)
+PORTNAME=octavia-health-manager-port-$HOSTNAME
+
+HM_PORT_ID=$(openstack port show $PORTNAME -c id -f value)
+HM_PORT_MAC=$(openstack port show $PORTNAME -c mac_address -f value)
+
+echo $HM_PORT_ID > /tmp/pod-shared/HM_PORT_ID
+echo $HM_PORT_MAC > /tmp/pod-shared/HM_PORT_MAC
diff --git a/charts/octavia/templates/bin/_octavia-health-manager-nic-init.sh.tpl b/charts/octavia/templates/bin/_octavia-health-manager-nic-init.sh.tpl
new file mode 100644
index 0000000..0317c3d
--- /dev/null
+++ b/charts/octavia/templates/bin/_octavia-health-manager-nic-init.sh.tpl
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+HM_PORT_ID=$(cat /tmp/pod-shared/HM_PORT_ID)
+HM_PORT_MAC=$(cat /tmp/pod-shared/HM_PORT_MAC)
+
+ovs-vsctl --no-wait show
+
+ovs-vsctl --may-exist add-port br-int o-hm0 \
+        -- set Interface o-hm0 type=internal \
+        -- set Interface o-hm0 external-ids:iface-status=active \
+        -- set Interface o-hm0 external-ids:attached-mac=$HM_PORT_MAC \
+        -- set Interface o-hm0 external-ids:iface-id=$HM_PORT_ID \
+        -- set Interface o-hm0 external-ids:skip_cleanup=true
+
+ip link set dev o-hm0 address $HM_PORT_MAC
+
+iptables -I INPUT -i o-hm0 -p udp --dport {{ .Values.conf.octavia.health_manager.bind_port }} -j ACCEPT
diff --git a/charts/octavia/templates/bin/_octavia-health-manager.sh.tpl b/charts/octavia/templates/bin/_octavia-health-manager.sh.tpl
new file mode 100644
index 0000000..3a42066
--- /dev/null
+++ b/charts/octavia/templates/bin/_octavia-health-manager.sh.tpl
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+  cat > /tmp/dhclient.conf <<EOF
+request subnet-mask,broadcast-address,interface-mtu;
+do-forward-updates false;
+EOF
+
+  dhclient -v o-hm0 -cf /tmp/dhclient.conf
+
+  exec octavia-health-manager \
+        --config-file /etc/octavia/octavia.conf
+}
+
+function stop () {
+  kill -TERM 1
+}
+
+$COMMAND
diff --git a/charts/octavia/templates/bin/_octavia-housekeeping.sh.tpl b/charts/octavia/templates/bin/_octavia-housekeeping.sh.tpl
new file mode 100644
index 0000000..a4cd2f0
--- /dev/null
+++ b/charts/octavia/templates/bin/_octavia-housekeeping.sh.tpl
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+  exec octavia-housekeeping \
+        --config-file /etc/octavia/octavia.conf
+}
+
+function stop () {
+  kill -TERM 1
+}
+
+$COMMAND
diff --git a/charts/octavia/templates/bin/_octavia-worker.sh.tpl b/charts/octavia/templates/bin/_octavia-worker.sh.tpl
new file mode 100644
index 0000000..f612ff3
--- /dev/null
+++ b/charts/octavia/templates/bin/_octavia-worker.sh.tpl
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+  exec octavia-worker \
+        --config-file /etc/octavia/octavia.conf
+}
+
+function stop () {
+  kill -TERM 1
+}
+
+$COMMAND
diff --git a/charts/octavia/templates/configmap-bin.yaml b/charts/octavia/templates/configmap-bin.yaml
new file mode 100644
index 0000000..be9a95d
--- /dev/null
+++ b/charts/octavia/templates/configmap-bin.yaml
@@ -0,0 +1,62 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+{{- $rallyTests := .Values.conf.rally_tests }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: octavia-bin
+data:
+{{- if .Values.images.local_registry.active }}
+  image-repo-sync.sh: |
+{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
+{{- end }}
+{{- if .Values.bootstrap.enabled }}
+  bootstrap.sh: |
+{{ tuple "bin/_bootstrap.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+  rally-test.sh: |
+{{ tuple $rallyTests | include "helm-toolkit.scripts.rally_test" | indent 4 }}
+  db-init.py: |
+{{- include "helm-toolkit.scripts.db_init" . | indent 4 }}
+  db-sync.sh: |
+{{ tuple "bin/_db-sync.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  db-drop.py: |
+{{- include "helm-toolkit.scripts.db_drop" . | indent 4 }}
+  ks-service.sh: |
+{{- include "helm-toolkit.scripts.keystone_service" . | indent 4 }}
+  ks-endpoints.sh: |
+{{- include "helm-toolkit.scripts.keystone_endpoints" . | indent 4 }}
+  ks-user.sh: |
+{{- include "helm-toolkit.scripts.keystone_user" . | indent 4 }}
+  octavia-api.sh: |
+{{ tuple "bin/_octavia-api.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  octavia-health-manager.sh: |
+{{ tuple "bin/_octavia-health-manager.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  octavia-health-manager-nic-init.sh: |
+{{ tuple "bin/_octavia-health-manager-nic-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  octavia-health-manager-get-port.sh: |
+{{ tuple "bin/_octavia-health-manager-get-port.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  octavia-housekeeping.sh: |
+{{ tuple "bin/_octavia-housekeeping.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  octavia-worker.sh: |
+{{ tuple "bin/_octavia-worker.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  rabbit-init.sh: |
+{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }}
+{{- end }}
diff --git a/charts/octavia/templates/configmap-etc.yaml b/charts/octavia/templates/configmap-etc.yaml
new file mode 100644
index 0000000..8d3a653
--- /dev/null
+++ b/charts/octavia/templates/configmap-etc.yaml
@@ -0,0 +1,117 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "octavia.configmap.etc" }}
+{{- $configMapName := index . 0 }}
+{{- $envAll := index . 1 }}
+{{- with $envAll }}
+
+{{- if empty .Values.conf.octavia.keystone_authtoken.auth_uri -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.octavia.keystone_authtoken "auth_uri" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.octavia.keystone_authtoken.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.octavia.keystone_authtoken "auth_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.octavia.keystone_authtoken.region_name -}}
+{{- $_ := set .Values.conf.octavia.keystone_authtoken "region_name" .Values.endpoints.identity.auth.octavia.region_name -}}
+{{- end -}}
+{{- if empty .Values.conf.octavia.keystone_authtoken.project_name -}}
+{{- $_ := set .Values.conf.octavia.keystone_authtoken "project_name" .Values.endpoints.identity.auth.octavia.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.octavia.keystone_authtoken.project_domain_name -}}
+{{- $_ := set .Values.conf.octavia.keystone_authtoken "project_domain_name" .Values.endpoints.identity.auth.octavia.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.octavia.keystone_authtoken.user_domain_name -}}
+{{- $_ := set .Values.conf.octavia.keystone_authtoken "user_domain_name" .Values.endpoints.identity.auth.octavia.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.octavia.keystone_authtoken.username -}}
+{{- $_ := set .Values.conf.octavia.keystone_authtoken "username" .Values.endpoints.identity.auth.octavia.username -}}
+{{- end -}}
+{{- if empty .Values.conf.octavia.keystone_authtoken.password -}}
+{{- $_ := set .Values.conf.octavia.keystone_authtoken "password" .Values.endpoints.identity.auth.octavia.password -}}
+{{- end -}}
+
+{{- if empty .Values.conf.octavia.keystone_authtoken.memcached_servers -}}
+{{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.octavia.keystone_authtoken "memcached_servers" -}}
+{{- end -}}
+{{- if empty .Values.conf.octavia.keystone_authtoken.memcache_secret_key -}}
+{{- $_ := set .Values.conf.octavia.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
+{{- end -}}
+
+{{- if empty .Values.conf.octavia.service_auth.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.octavia.service_auth "auth_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.octavia.service_auth.project_name -}}
+{{- $_ := set .Values.conf.octavia.service_auth "project_name" .Values.endpoints.identity.auth.admin.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.octavia.service_auth.project_domain_name -}}
+{{- $_ := set .Values.conf.octavia.service_auth "project_domain_name" .Values.endpoints.identity.auth.admin.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.octavia.service_auth.user_domain_name -}}
+{{- $_ := set .Values.conf.octavia.service_auth "user_domain_name" .Values.endpoints.identity.auth.admin.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.octavia.service_auth.username -}}
+{{- $_ := set .Values.conf.octavia.service_auth "username" .Values.endpoints.identity.auth.admin.username -}}
+{{- end -}}
+{{- if empty .Values.conf.octavia.service_auth.password -}}
+{{- $_ := set .Values.conf.octavia.service_auth "password" .Values.endpoints.identity.auth.admin.password -}}
+{{- end -}}
+
+{{- if empty .Values.conf.octavia.service_auth.memcached_servers -}}
+{{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.octavia.service_auth "memcached_servers" -}}
+{{- end -}}
+{{- if empty .Values.conf.octavia.service_auth.memcache_secret_key -}}
+{{- $_ := set .Values.conf.octavia.service_auth "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
+{{- end -}}
+
+{{- if empty .Values.conf.octavia.database.connection -}}
+{{- $_ := tuple "oslo_db" "internal" "octavia" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.octavia.database "connection" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.octavia.DEFAULT.transport_url -}}
+{{- $_ := tuple "oslo_messaging" "internal" "octavia" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" | set .Values.conf.octavia.DEFAULT "transport_url" -}}
+{{- end -}}
+
+{{- if and (empty .Values.conf.logging.handler_fluent) (has "fluent" .Values.conf.logging.handlers.keys) -}}
+{{- $fluentd_host := tuple "fluentd" "internal" $envAll | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $fluentd_port := tuple "fluentd" "internal" "service" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .Release.Name $fluentd_host $fluentd_port }}
+{{- $handler_fluent := dict "class" "fluent.handler.FluentHandler" "formatter" "fluent" "args" $fluent_args -}}
+{{- $_ := set .Values.conf.logging "handler_fluent" $handler_fluent -}}
+{{- end -}}
+
+{{- if and (empty .Values.conf.logging.formatter_fluent) (has "fluent" .Values.conf.logging.formatters.keys) -}}
+{{- $formatter_fluent := dict "class" "oslo_log.formatters.FluentFormatter" -}}
+{{- $_ := set .Values.conf.logging "formatter_fluent" $formatter_fluent -}}
+{{- end -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $configMapName }}
+type: Opaque
+data:
+  octavia.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.octavia | b64enc }}
+  logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.configmap_etc }}
+{{- list "octavia-etc" . | include "octavia.configmap.etc" }}
+{{- end }}
diff --git a/charts/octavia/templates/daemonset-health-manager.yaml b/charts/octavia/templates/daemonset-health-manager.yaml
new file mode 100644
index 0000000..a355e86
--- /dev/null
+++ b/charts/octavia/templates/daemonset-health-manager.yaml
@@ -0,0 +1,161 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "octavia.health_manager.daemonset" }}
+{{- $daemonset := index . 0 }}
+{{- $configMapName := index . 1 }}
+{{- $serviceAccountName := index . 2 }}
+{{- $envAll := index . 3 }}
+{{- with $envAll }}
+
+{{- $mounts_octavia_health_manager := .Values.pod.mounts.octavia_health_manager.octavia_health_manager }}
+{{- $mounts_octavia_health_manager_init := .Values.pod.mounts.octavia_health_manager.init_container }}
+
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: octavia-health-manager
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "octavia" "health_manager" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  selector:
+    matchLabels:
+{{ tuple $envAll "octavia" "health_manager" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll "health_manager" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "octavia" "health_manager" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      dnsPolicy: ClusterFirstWithHostNet
+      hostNetwork: true
+      hostPID: true
+      nodeSelector:
+        {{ .Values.labels.health_manager.node_selector_key }}: {{ .Values.labels.health_manager.node_selector_value }}
+      initContainers:
+{{ tuple $envAll "health_manager" $mounts_octavia_health_manager_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: octavia-health-manager-get-port
+{{ tuple $envAll "octavia_health_manager_init" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.health_manager | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity "admin" ) }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+          command:
+            - /tmp/octavia-health-manager-get-port.sh
+          volumeMounts:
+            - name: pod-shared
+              mountPath: /tmp/pod-shared
+            - name: octavia-bin
+              mountPath: /tmp/octavia-health-manager-get-port.sh
+              subPath: octavia-health-manager-get-port.sh
+              readOnly: true
+        - name: octavia-health-manager-nic-init
+{{ tuple $envAll "openvswitch_vswitchd" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.health_manager | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          securityContext:
+            runAsUser: 0
+            capabilities:
+              add:
+                - NET_ADMIN
+          command:
+            - /tmp/octavia-health-manager-nic-init.sh
+          volumeMounts:
+            - name: pod-shared
+              mountPath: /tmp/pod-shared
+            - name: octavia-bin
+              mountPath: /tmp/octavia-health-manager-nic-init.sh
+              subPath: octavia-health-manager-nic-init.sh
+              readOnly: true
+            - name: run
+              mountPath: /run
+      containers:
+        - name: octavia-health-manager
+{{ tuple $envAll "octavia_health_manager" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.health_manager | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          securityContext:
+            runAsUser: 0
+            capabilities:
+              add:
+                - NET_ADMIN
+          command:
+            - /tmp/octavia-health-manager.sh
+            - start
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - /tmp/octavia-health-manager.sh
+                  - stop
+          volumeMounts:
+            - name: pod-etc-octavia
+              mountPath: /etc/octavia
+            - name: octavia-bin
+              mountPath: /tmp/octavia-health-manager.sh
+              subPath: octavia-health-manager.sh
+              readOnly: true
+            - name: octavia-etc
+              mountPath: /etc/octavia/octavia.conf
+              subPath: octavia.conf
+              readOnly: true
+            {{- if .Values.conf.octavia.DEFAULT.log_config_append }}
+            - name: octavia-etc
+              mountPath: {{ .Values.conf.octavia.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.octavia.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+{{ if $mounts_octavia_health_manager.volumeMounts }}{{ toYaml $mounts_octavia_health_manager.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-etc-octavia
+          emptyDir: {}
+        - name: octavia-bin
+          configMap:
+            name: octavia-bin
+            defaultMode: 0555
+        - name: octavia-etc
+          secret:
+            secretName: {{ $configMapName }}
+            defaultMode: 0444
+        - name: pod-shared
+          emptyDir: {}
+        - name: run
+          hostPath:
+            path: /run
+{{ if $mounts_octavia_health_manager.volumes }}{{ toYaml $mounts_octavia_health_manager.volumes | indent 8 }}{{ end }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.daemonset_health_manager }}
+{{- $envAll := . }}
+{{- $daemonset := "health_manager" }}
+{{- $configMapName := "octavia-etc" }}
+{{- $serviceAccountName := "octavia-health-manager" }}
+
+{{- $dependencyOpts := dict "envAll" $envAll "dependencyMixinParam" $envAll.Values.network.backend "dependencyKey" "health_manager" -}}
+{{- $_ := include "helm-toolkit.utils.dependency_resolver" $dependencyOpts | toString | fromYaml }}
+
+{{ tuple $envAll "pod_dependency" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+{{- $daemonset_yaml := list $daemonset $configMapName $serviceAccountName . | include "octavia.health_manager.daemonset" | toString | fromYaml }}
+{{- $configmap_yaml := "octavia.configmap.etc" }}
+{{- list $daemonset $daemonset_yaml $configmap_yaml $configMapName . | include "helm-toolkit.utils.daemonset_overrides" }}
+{{- end }}
diff --git a/charts/octavia/templates/deployment-api.yaml b/charts/octavia/templates/deployment-api.yaml
new file mode 100644
index 0000000..76f0d23
--- /dev/null
+++ b/charts/octavia/templates/deployment-api.yaml
@@ -0,0 +1,107 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment_api }}
+{{- $envAll := . }}
+
+{{- $mounts_octavia_api := .Values.pod.mounts.octavia_api.octavia_api }}
+{{- $mounts_octavia_api_init := .Values.pod.mounts.octavia_api.init_container }}
+
+{{- $serviceAccountName := "octavia-api" }}
+{{ tuple $envAll "api" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: octavia-api
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "octavia" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.api }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "octavia" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "octavia" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      affinity:
+{{ tuple $envAll "octavia" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+      nodeSelector:
+        {{ .Values.labels.api.node_selector_key }}: {{ .Values.labels.api.node_selector_value }}
+      terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.api.timeout | default "30" }}
+      initContainers:
+{{ tuple $envAll "api" $mounts_octavia_api_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: octavia-api
+{{ tuple $envAll "octavia_api" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          securityContext:
+            runAsUser: {{ .Values.pod.user.octavia.uid }}
+          command:
+            - /tmp/octavia-api.sh
+            - start
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - /tmp/octavia-api.sh
+                  - stop
+          ports:
+            - name: o-api
+              containerPort: {{ tuple "load_balancer" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+          readinessProbe:
+            tcpSocket:
+              port: {{ tuple "load_balancer" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+          volumeMounts:
+            - name: pod-etc-octavia
+              mountPath: /etc/octavia
+            - name: octavia-bin
+              mountPath: /tmp/octavia-api.sh
+              subPath: octavia-api.sh
+              readOnly: true
+            - name: octavia-etc
+              mountPath: /etc/octavia/octavia.conf
+              subPath: octavia.conf
+              readOnly: true
+            {{- if .Values.conf.octavia.DEFAULT.log_config_append }}
+            - name: octavia-etc
+              mountPath: {{ .Values.conf.octavia.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.octavia.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+{{ if $mounts_octavia_api.volumeMounts }}{{ toYaml $mounts_octavia_api.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-etc-octavia
+          emptyDir: {}
+        - name: octavia-bin
+          configMap:
+            name: octavia-bin
+            defaultMode: 0555
+        - name: octavia-etc
+          secret:
+            secretName: octavia-etc
+            defaultMode: 0444
+{{ if $mounts_octavia_api.volumes }}{{ toYaml $mounts_octavia_api.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/octavia/templates/deployment-housekeeping.yaml b/charts/octavia/templates/deployment-housekeeping.yaml
new file mode 100644
index 0000000..39903b6
--- /dev/null
+++ b/charts/octavia/templates/deployment-housekeeping.yaml
@@ -0,0 +1,102 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment_housekeeping }}
+{{- $envAll := . }}
+
+{{- $mounts_octavia_housekeeping := .Values.pod.mounts.octavia_housekeeping.octavia_housekeeping }}
+{{- $mounts_octavia_housekeeping_init := .Values.pod.mounts.octavia_housekeeping.init_container }}
+
+{{- $serviceAccountName := "octavia-housekeeping" }}
+{{ tuple $envAll "housekeeping" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: octavia-housekeeping
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "octavia" "housekeeping" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.housekeeping }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "octavia" "housekeeping" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "octavia" "housekeeping" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      dnsPolicy: ClusterFirstWithHostNet
+      hostNetwork: true
+      affinity:
+{{ tuple $envAll "octavia" "housekeeping" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+      nodeSelector:
+        {{ .Values.labels.housekeeping.node_selector_key }}: {{ .Values.labels.housekeeping.node_selector_value }}
+      initContainers:
+{{ tuple $envAll "housekeeping" $mounts_octavia_housekeeping_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: octavia-housekeeping
+{{ tuple $envAll "octavia_housekeeping" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.housekeeping | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          securityContext:
+            runAsUser: {{ .Values.pod.user.octavia.uid }}
+          command:
+            - /tmp/octavia-housekeeping.sh
+            - start
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - /tmp/octavia-housekeeping.sh
+                  - stop
+          volumeMounts:
+            - name: pod-etc-octavia
+              mountPath: /etc/octavia
+            - name: octavia-bin
+              mountPath: /tmp/octavia-housekeeping.sh
+              subPath: octavia-housekeeping.sh
+              readOnly: true
+            - name: octavia-etc
+              mountPath: /etc/octavia/octavia.conf
+              subPath: octavia.conf
+              readOnly: true
+            {{- if .Values.conf.octavia.DEFAULT.log_config_append }}
+            - name: octavia-etc
+              mountPath: {{ .Values.conf.octavia.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.octavia.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+{{ if $mounts_octavia_housekeeping.volumeMounts }}{{ toYaml $mounts_octavia_housekeeping.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-etc-octavia
+          emptyDir: {}
+        - name: octavia-bin
+          configMap:
+            name: octavia-bin
+            defaultMode: 0555
+        - name: octavia-etc
+          secret:
+            secretName: octavia-etc
+            defaultMode: 0444
+{{ if $mounts_octavia_housekeeping.volumes }}{{ toYaml $mounts_octavia_housekeeping.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/octavia/templates/deployment-worker.yaml b/charts/octavia/templates/deployment-worker.yaml
new file mode 100644
index 0000000..54cf68d
--- /dev/null
+++ b/charts/octavia/templates/deployment-worker.yaml
@@ -0,0 +1,102 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment_worker }}
+{{- $envAll := . }}
+
+{{- $mounts_octavia_worker := .Values.pod.mounts.octavia_worker.octavia_worker }}
+{{- $mounts_octavia_worker_init := .Values.pod.mounts.octavia_worker.init_container }}
+
+{{- $serviceAccountName := "octavia-worker" }}
+{{ tuple $envAll "worker" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: octavia-worker
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "octavia" "worker" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.worker }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "octavia" "worker" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "octavia" "worker" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      dnsPolicy: ClusterFirstWithHostNet
+      hostNetwork: true
+      affinity:
+{{ tuple $envAll "octavia" "worker" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+      nodeSelector:
+        {{ .Values.labels.worker.node_selector_key }}: {{ .Values.labels.worker.node_selector_value }}
+      initContainers:
+{{ tuple $envAll "worker" $mounts_octavia_worker_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: octavia-worker
+{{ tuple $envAll "octavia_worker" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.worker | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          securityContext:
+            runAsUser: {{ .Values.pod.user.octavia.uid }}
+          command:
+            - /tmp/octavia-worker.sh
+            - start
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - /tmp/octavia-worker.sh
+                  - stop
+          volumeMounts:
+            - name: pod-etc-octavia
+              mountPath: /etc/octavia
+            - name: octavia-bin
+              mountPath: /tmp/octavia-worker.sh
+              subPath: octavia-worker.sh
+              readOnly: true
+            - name: octavia-etc
+              mountPath: /etc/octavia/octavia.conf
+              subPath: octavia.conf
+              readOnly: true
+            {{- if .Values.conf.octavia.DEFAULT.log_config_append }}
+            - name: octavia-etc
+              mountPath: {{ .Values.conf.octavia.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.octavia.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+{{ if $mounts_octavia_worker.volumeMounts }}{{ toYaml $mounts_octavia_worker.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-etc-octavia
+          emptyDir: {}
+        - name: octavia-bin
+          configMap:
+            name: octavia-bin
+            defaultMode: 0555
+        - name: octavia-etc
+          secret:
+            secretName: octavia-etc
+            defaultMode: 0444
+{{ if $mounts_octavia_worker.volumes }}{{ toYaml $mounts_octavia_worker.volumes | indent 8 }}{{ end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/octavia/templates/ingress-api.yaml b/charts/octavia/templates/ingress-api.yaml
new file mode 100644
index 0000000..c644e67
--- /dev/null
+++ b/charts/octavia/templates/ingress-api.yaml
@@ -0,0 +1,21 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
+{{- $ingressOpts := dict "envAll" . "backendServiceType" "load_balancer" "backendPort" "o-api" -}}
+{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+{{- end }}
+
diff --git a/charts/octavia/templates/job-bootstrap.yaml b/charts/octavia/templates/job-bootstrap.yaml
new file mode 100644
index 0000000..3117ba4
--- /dev/null
+++ b/charts/octavia/templates/job-bootstrap.yaml
@@ -0,0 +1,25 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.bootstrap" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "5"
+{{- end }}
+
+{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
+{{- $bootstrapJob := dict "envAll" . "serviceName" "octavia" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.octavia.DEFAULT.log_config_append "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) -}}
+{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
+{{- end }}
diff --git a/charts/octavia/templates/job-db-drop.yaml b/charts/octavia/templates/job-db-drop.yaml
new file mode 100644
index 0000000..1975d7d
--- /dev/null
+++ b/charts/octavia/templates/job-db-drop.yaml
@@ -0,0 +1,20 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_db_drop }}
+{{- $dbDropJob := dict "envAll" . "serviceName" "octavia" -}}
+{{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
+{{- end }}
diff --git a/charts/octavia/templates/job-db-init.yaml b/charts/octavia/templates/job-db-init.yaml
new file mode 100644
index 0000000..b1ca9f6
--- /dev/null
+++ b/charts/octavia/templates/job-db-init.yaml
@@ -0,0 +1,25 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_init" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-5"
+{{- end }}
+
+{{- if .Values.manifests.job_db_init }}
+{{- $dbInitJob := dict "envAll" . "serviceName" "octavia" "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml) -}}
+{{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
+{{- end }}
diff --git a/charts/octavia/templates/job-db-sync.yaml b/charts/octavia/templates/job-db-sync.yaml
new file mode 100644
index 0000000..0c7cdb3
--- /dev/null
+++ b/charts/octavia/templates/job-db-sync.yaml
@@ -0,0 +1,25 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_sync" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end }}
+
+{{- if .Values.manifests.job_db_sync }}
+{{- $dbSyncJob := dict "envAll" . "serviceName" "octavia" "jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml) -}}
+{{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
+{{- end }}
diff --git a/charts/octavia/templates/job-image-repo-sync.yaml b/charts/octavia/templates/job-image-repo-sync.yaml
new file mode 100644
index 0000000..25c19e4
--- /dev/null
+++ b/charts/octavia/templates/job-image-repo-sync.yaml
@@ -0,0 +1,24 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.repo_sync" }}
+helm.sh/hook: post-install,post-upgrade
+{{- end }}
+
+{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
+{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "octavia" "jobAnnotations" (include "metadata.annotations.job.repo_sync" . | fromYaml) -}}
+{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
+{{- end }}
diff --git a/charts/octavia/templates/job-ks-endpoint.yaml b/charts/octavia/templates/job-ks-endpoint.yaml
new file mode 100644
index 0000000..3f7eff6
--- /dev/null
+++ b/charts/octavia/templates/job-ks-endpoint.yaml
@@ -0,0 +1,25 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_endpoints" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-2"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_endpoints }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "octavia" "serviceTypes" ( tuple "load-balancer" ) "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) -}}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
+{{- end }}
diff --git a/charts/octavia/templates/job-ks-service.yaml b/charts/octavia/templates/job-ks-service.yaml
new file mode 100644
index 0000000..d29ee24
--- /dev/null
+++ b/charts/octavia/templates/job-ks-service.yaml
@@ -0,0 +1,25 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_service" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-3"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_service }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "octavia" "serviceTypes" ( tuple "load-balancer" ) "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) -}}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
+{{- end }}
diff --git a/charts/octavia/templates/job-ks-user.yaml b/charts/octavia/templates/job-ks-user.yaml
new file mode 100644
index 0000000..38e91da
--- /dev/null
+++ b/charts/octavia/templates/job-ks-user.yaml
@@ -0,0 +1,25 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_user" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-1"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_user }}
+{{- $ksUserJob := dict "envAll" . "serviceName" "octavia" "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) -}}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
+{{- end }}
diff --git a/charts/octavia/templates/job-rabbit-init.yaml b/charts/octavia/templates/job-rabbit-init.yaml
new file mode 100644
index 0000000..50f7d36
--- /dev/null
+++ b/charts/octavia/templates/job-rabbit-init.yaml
@@ -0,0 +1,25 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.rabbit_init" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end }}
+
+{{- if .Values.manifests.job_rabbit_init }}
+{{- $rmqUserJob := dict "envAll" . "serviceName" "octavia" "jobAnnotations" (include "metadata.annotations.job.rabbit_init" . | fromYaml) -}}
+{{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }}
+{{- end }}
diff --git a/charts/octavia/templates/network_policy.yaml b/charts/octavia/templates/network_policy.yaml
new file mode 100644
index 0000000..f5706ee
--- /dev/null
+++ b/charts/octavia/templates/network_policy.yaml
@@ -0,0 +1,18 @@
+# Copyright 2019 Samsung Electronics Co., Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "octavia" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/charts/octavia/templates/pdb-api.yaml b/charts/octavia/templates/pdb-api.yaml
new file mode 100644
index 0000000..0eb227f
--- /dev/null
+++ b/charts/octavia/templates/pdb-api.yaml
@@ -0,0 +1,29 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pdb_api }}
+{{- $envAll := . }}
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: octavia-api
+spec:
+  minAvailable: {{ .Values.pod.lifecycle.disruption_budget.api.min_available }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "octavia" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{- end }}
diff --git a/charts/octavia/templates/secret-db.yaml b/charts/octavia/templates/secret-db.yaml
new file mode 100644
index 0000000..b2c3199
--- /dev/null
+++ b/charts/octavia/templates/secret-db.yaml
@@ -0,0 +1,30 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_db }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "octavia" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+  DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
+{{- end }}
+{{- end }}
diff --git a/charts/octavia/templates/secret-ingress-tls.yaml b/charts/octavia/templates/secret-ingress-tls.yaml
new file mode 100644
index 0000000..8d154ff
--- /dev/null
+++ b/charts/octavia/templates/secret-ingress-tls.yaml
@@ -0,0 +1,19 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "load_balancer" ) }}
+{{- end }}
diff --git a/charts/octavia/templates/secret-keystone.yaml b/charts/octavia/templates/secret-keystone.yaml
new file mode 100644
index 0000000..f2883e0
--- /dev/null
+++ b/charts/octavia/templates/secret-keystone.yaml
@@ -0,0 +1,30 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_keystone }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "octavia" "test" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
+{{- end }}
diff --git a/charts/octavia/templates/secret-rabbitmq.yaml b/charts/octavia/templates/secret-rabbitmq.yaml
new file mode 100644
index 0000000..4ebd44d
--- /dev/null
+++ b/charts/octavia/templates/secret-rabbitmq.yaml
@@ -0,0 +1,30 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_rabbitmq }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "octavia" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+  RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/octavia/templates/service-api.yaml b/charts/octavia/templates/service-api.yaml
new file mode 100644
index 0000000..3e298e6
--- /dev/null
+++ b/charts/octavia/templates/service-api.yaml
@@ -0,0 +1,36 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service_api }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tuple "load_balancer" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+  ports:
+    - name: o-api
+      port: {{ tuple "load_balancer" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+    {{ if .Values.network.api.node_port.enabled }}
+      nodePort: {{ .Values.network.api.node_port.port }}
+    {{ end }}
+  selector:
+{{ tuple $envAll "octavia" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  {{ if .Values.network.api.node_port.enabled }}
+  type: NodePort
+  {{ end }}
+{{- end }}
diff --git a/charts/octavia/templates/service-ingress-api.yaml b/charts/octavia/templates/service-ingress-api.yaml
new file mode 100644
index 0000000..a7a2592
--- /dev/null
+++ b/charts/octavia/templates/service-ingress-api.yaml
@@ -0,0 +1,20 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_ingress_api .Values.network.api.ingress.public }}
+{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "load_balancer" -}}
+{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
+{{- end }}
diff --git a/charts/octavia/values.yaml b/charts/octavia/values.yaml
new file mode 100644
index 0000000..8ba4e7b
--- /dev/null
+++ b/charts/octavia/values.yaml
@@ -0,0 +1,686 @@
+# Copyright 2019 Samsung Electronics Co., Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for octavia.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+---
+release_group: null
+
+labels:
+  api:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  worker:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  housekeeping:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  health_manager:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  job:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+
+images:
+  tags:
+    test: docker.io/xrally/xrally-openstack:2.0.0
+    bootstrap: docker.io/openstackhelm/heat:ocata
+    db_init: docker.io/openstackhelm/heat:ocata
+    octavia_db_sync: docker.io/loci/octavia:master-ubuntu
+    db_drop: docker.io/openstackhelm/heat:ocata
+    rabbit_init: docker.io/rabbitmq:3.7-management
+    ks_user: docker.io/openstackhelm/heat:ocata
+    ks_service: docker.io/openstackhelm/heat:ocata
+    ks_endpoints: docker.io/openstackhelm/heat:ocata
+    dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    image_repo_sync: docker.io/docker:17.07.0
+    octavia_api: docker.io/loci/octavia:master-ubuntu
+    octavia_worker: docker.io/loci/octavia:master-ubuntu
+    octavia_housekeeping: docker.io/loci/octavia:master-ubuntu
+    octavia_health_manager: docker.io/loci/octavia:master-ubuntu
+    octavia_health_manager_init: docker.io/kolla/ubuntu-source-octavia-health-manager:rocky
+    openvswitch_vswitchd: docker.io/kolla/centos-source-openvswitch-vswitchd:rocky
+  pull_policy: "IfNotPresent"
+  local_registry:
+    active: false
+    exclude:
+      - dep_check
+      - image_repo_sync
+
+bootstrap:
+  enabled: true
+  ks_user: admin
+  script: |
+    openstack role create --or-show load-balancer_admin
+    openstack role create --or-show load-balancer_observer
+    openstack role create --or-show load-balancer_global_observer
+    openstack role create --or-show load-balancer_quota_admin
+    openstack role create --or-show load-balancer_member
+
+network:
+  api:
+    ingress:
+      public: true
+      classes:
+        namespace: "nginx"
+        cluster: "nginx-cluster"
+      annotations:
+        nginx.ingress.kubernetes.io/rewrite-target: /
+    external_policy_local: false
+    node_port:
+      enabled: false
+      port: 30826
+
+dependencies:
+  dynamic:
+    common:
+      local_image_registry:
+        jobs:
+          - heat-image-repo-sync
+        services:
+          - endpoint: node
+            service: local_image_registry
+  static:
+    api:
+      jobs:
+        - octavia-db-sync
+        - octavia-ks-user
+        - octavia-ks-endpoints
+        - octavia-rabbit-init
+      services:
+        - endpoint: internal
+          service: oslo_db
+        - endpoint: internal
+          service: identity
+        - endpoint: internal
+          service: oslo_messaging
+        - endpoint: internal
+          service: oslo_cache
+        - endpoint: internal
+          service: network
+    worker:
+      jobs:
+        - octavia-db-sync
+        - octavia-ks-user
+        - octavia-ks-endpoints
+        - octavia-rabbit-init
+      services:
+        - endpoint: internal
+          service: oslo_db
+        - endpoint: internal
+          service: identity
+        - endpoint: internal
+          service: oslo_messaging
+        - endpoint: internal
+          service: oslo_cache
+        - endpoint: internal
+          service: network
+        - endpoint: internal
+          service: load_balancer
+    housekeeping:
+      jobs:
+        - octavia-db-sync
+        - octavia-ks-user
+        - octavia-ks-endpoints
+        - octavia-rabbit-init
+      services:
+        - endpoint: internal
+          service: oslo_db
+        - endpoint: internal
+          service: identity
+        - endpoint: internal
+          service: oslo_messaging
+        - endpoint: internal
+          service: oslo_cache
+        - endpoint: internal
+          service: network
+        - endpoint: internal
+          service: load_balancer
+    health_manager:
+      jobs:
+        - octavia-db-sync
+        - octavia-ks-user
+        - octavia-ks-endpoints
+        - octavia-rabbit-init
+      services:
+        - endpoint: internal
+          service: oslo_db
+        - endpoint: internal
+          service: identity
+        - endpoint: internal
+          service: oslo_messaging
+        - endpoint: internal
+          service: oslo_cache
+        - endpoint: internal
+          service: network
+        - endpoint: internal
+          service: load_balancer
+    db_init:
+      services:
+        - endpoint: internal
+          service: oslo_db
+    db_sync:
+      jobs:
+        - octavia-db-init
+      services:
+        - endpoint: internal
+          service: oslo_db
+    ks_endpoints:
+      jobs:
+        - octavia-ks-service
+      services:
+        - endpoint: internal
+          service: identity
+    ks_service:
+      services:
+        - endpoint: internal
+          service: identity
+    ks_user:
+      services:
+        - endpoint: internal
+          service: identity
+    rabbit_init:
+      services:
+      - endpoint: internal
+        service: oslo_messaging
+    image_repo_sync:
+      services:
+        - endpoint: internal
+          service: local_image_registry
+
+conf:
+  octavia:
+    DEFAULT:
+      log_config_append: /etc/octavia/logging.conf
+    api_settings:
+      api_handler: queue_producer
+      bind_host: 0.0.0.0
+    database:
+      max_retries: -1
+    health_manager:
+      bind_port: 5555
+      bind_ip: 0.0.0.0
+      controller_ip_port_list: 0.0.0.0:5555
+      heartbeat_key: insecure
+    keystone_authtoken:
+      auth_type: password
+      auth_version: v3
+      memcache_security_strategy: ENCRYPT
+    certificates:
+      ca_private_key_passphrase: foobar
+      ca_private_key: /etc/octavia/certs/private/cakey.pem
+      ca_certificate: /etc/octavia/certs/ca_01.pem
+    haproxy_amphora:
+      server_ca: /etc/octavia/certs/ca_01.pem
+      client_cert: /etc/octavia/certs/client.pem
+      base_path: /var/lib/octavia
+      base_cert_dir: /var/lib/octavia/certs
+      connection_max_retries: 1500
+      connection_retry_interval: 1
+      rest_request_conn_timeout: 10
+      rest_request_read_timeout: 120
+    controller_worker:
+      amp_image_owner_id: null
+      amp_secgroup_list: null
+      amp_flavor_id: null
+      amp_boot_network_list: null
+      amp_ssh_key_name: octavia_ssh_key
+      amp_image_tag: amphora
+      network_driver: allowed_address_pairs_driver
+      compute_driver: compute_nova_driver
+      amphora_driver: amphora_haproxy_rest_driver
+      workers: 2
+      amp_active_retries: 100
+      amp_active_wait_sec: 2
+      loadbalancer_topology: SINGLE
+    oslo_messaging:
+      topic: octavia_prov
+      rpc_thread_pool_size: 2
+    oslo_messaging_notifications:
+      driver: messagingv2
+    house_keeping:
+      load_balancer_expiry_age: 3600
+      amphora_expiry_age: 3600
+    service_auth:
+      auth_type: password
+      cafile: ""
+      auth_version: v3
+      memcache_security_strategy: ENCRYPT
+  logging:
+    loggers:
+      keys:
+        - root
+        - octavia
+    handlers:
+      keys:
+        - stdout
+        - stderr
+        - "null"
+    formatters:
+      keys:
+        - context
+        - default
+    logger_root:
+      level: WARNING
+      handlers: 'null'
+    logger_octavia:
+      level: WARNING
+      handlers:
+        - stdout
+      qualname: octavia
+    logger_amqp:
+      level: WARNING
+      handlers: stderr
+      qualname: amqp
+    logger_amqplib:
+      level: WARNING
+      handlers: stderr
+      qualname: amqplib
+    logger_eventletwsgi:
+      level: WARNING
+      handlers: stderr
+      qualname: eventlet.wsgi.server
+    logger_sqlalchemy:
+      level: WARNING
+      handlers: stderr
+      qualname: sqlalchemy
+    logger_boto:
+      level: WARNING
+      handlers: stderr
+      qualname: boto
+    handler_null:
+      class: logging.NullHandler
+      formatter: default
+      args: ()
+    handler_stdout:
+      class: StreamHandler
+      args: (sys.stdout,)
+      formatter: context
+    handler_stderr:
+      class: StreamHandler
+      args: (sys.stderr,)
+      formatter: context
+    formatter_context:
+      class: oslo_log.formatters.ContextFormatter
+    formatter_default:
+      format: "%(message)s"
+  rabbitmq:
+    # NOTE(rk760n): adding rmq policy to mirror messages from notification queues and set expiration time for the ones
+    policies:
+      - vhost: "octavia"
+        name: "ha_ttl_octavia"
+        definition:
+          # mirror messges to other nodes in rmq cluster
+          ha-mode: "all"
+          ha-sync-mode: "automatic"
+          # 70s
+          message-ttl: 70000
+        priority: 0
+        apply-to: all
+        pattern: '(notifications)\.'
+
+secrets:
+  identity:
+    admin: octavia-keystone-admin
+    octavia: octavia-keystone-user
+    test: octavia-keystone-test
+  oslo_db:
+    admin: octavia-db-admin
+    octavia: octavia-db-user
+  oslo_messaging:
+    admin: octavia-rabbitmq-admin
+    octavia: octavia-rabbitmq-user
+  tls:
+    load_balancer:
+      api:
+        public: octavia-tls-public
+
+endpoints:
+  cluster_domain_suffix: cluster.local
+  local_image_registry:
+    name: docker-registry
+    namespace: docker-registry
+    hosts:
+      default: localhost
+      internal: docker-registry
+      node: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        node: 5000
+  identity:
+    name: keystone
+    auth:
+      admin:
+        region_name: RegionOne
+        username: admin
+        password: password
+        project_name: admin
+        user_domain_name: default
+        project_domain_name: default
+      octavia:
+        role: admin
+        region_name: RegionOne
+        username: octavia
+        password: password
+        project_name: service
+        user_domain_name: service
+        project_domain_name: service
+      test:
+        role: admin
+        region_name: RegionOne
+        username: test
+        password: password
+        project_name: test
+        user_domain_name: service
+        project_domain_name: service
+    hosts:
+      default: keystone
+      internal: keystone-api
+    host_fqdn_override:
+      default: null
+    path:
+      default: /v3
+    scheme:
+      default: 'http'
+    port:
+      api:
+        default: 80
+        internal: 5000
+  load_balancer:
+    name: octavia
+    hosts:
+      default: octavia-api
+      public: octavia
+    host_fqdn_override:
+      default: null
+    path:
+      default: null
+    scheme:
+      default: http
+    port:
+      api:
+        default: 9876
+        public: 80
+  oslo_db:
+    auth:
+      admin:
+        username: root
+        password: password
+      octavia:
+        username: octavia
+        password: password
+    hosts:
+      default: mariadb
+    host_fqdn_override:
+      default: null
+    path: /octavia
+    scheme: mysql+pymysql
+    port:
+      mysql:
+        default: 3306
+  oslo_cache:
+    auth:
+      # NOTE(portdirect): this is used to define the value for keystone
+      # authtoken cache encryption key, if not set it will be populated
+      # automatically with a random value, but to take advantage of
+      # this feature all services should be set to use the same key,
+      # and memcache service.
+      memcache_secret_key: null
+    hosts:
+      default: memcached
+    host_fqdn_override:
+      default: null
+    port:
+      memcache:
+        default: 11211
+  oslo_messaging:
+    auth:
+      admin:
+        username: rabbitmq
+        password: password
+      octavia:
+        username: octavia
+        password: password
+    statefulset:
+      replicas: 2
+      name: rabbitmq-rabbitmq
+    hosts:
+      default: rabbitmq
+    host_fqdn_override:
+      default: null
+    path: /octavia
+    scheme: rabbit
+    port:
+      amqp:
+        default: 5672
+      http:
+        default: 15672
+  network:
+    name: neutron
+    hosts:
+      default: neutron-server
+      public: neutron
+    host_fqdn_override:
+      default: null
+    path:
+      default: null
+    scheme:
+      default: 'http'
+    port:
+      api:
+        default: 9696
+        public: 80
+
+pod:
+  user:
+    octavia:
+      uid: 42424
+  affinity:
+    anti:
+      type:
+        default: preferredDuringSchedulingIgnoredDuringExecution
+      topologyKey:
+        default: kubernetes.io/hostname
+  mounts:
+    octavia_api:
+      init_container: null
+      octavia_api:
+        volumeMounts:
+        volumes:
+    octavia_worker:
+      init_container: null
+      octavia_worker:
+        volumeMounts:
+        volumes:
+    octavia_housekeeping:
+      init_container: null
+      octavia_housekeeping:
+        volumeMounts:
+        volumes:
+    octavia_health_manager:
+      init_container: null
+      octavia_health_manager:
+        volumeMounts:
+        volumes:
+    octavia_bootstrap:
+      init_container: null
+      octavia_bootstrap:
+        volumeMounts:
+        volumes:
+  replicas:
+    api: 1
+    worker: 1
+    housekeeping: 1
+  lifecycle:
+    upgrades:
+      deployments:
+        revision_history: 3
+        pod_replacement_strategy: RollingUpdate
+        rolling_update:
+          max_unavailable: 1
+          max_surge: 3
+      daemonsets:
+        pod_replacement_strategy: RollingUpdate
+        health_manager:
+          enabled: true
+          min_ready_seconds: 0
+          max_unavailable: 1
+    disruption_budget:
+      api:
+        min_available: 0
+    termination_grace_period:
+      api:
+        timeout: 30
+  resources:
+    enabled: false
+    api:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+    worker:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+    housekeeping:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+    health_manager:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+    jobs:
+      bootstrap:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      rabbit_init:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      db_init:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      db_sync:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      db_drop:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      ks_endpoints:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      ks_service:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      ks_user:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      tests:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      image_repo_sync:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+
+network_policy:
+  octavia:
+    ingress:
+      - {}
+
+manifests:
+  configmap_bin: true
+  configmap_etc: true
+  daemonset_health_manager: true
+  deployment_api: true
+  deployment_worker: true
+  deployment_housekeeping: true
+  ingress_api: true
+  job_bootstrap: true
+  job_db_init: true
+  job_db_sync: true
+  job_db_drop: false
+  job_image_repo_sync: true
+  job_rabbit_init: true
+  job_ks_endpoints: true
+  job_ks_service: true
+  job_ks_user: true
+  pdb_api: true
+  pod_rally_test: false
+  network_policy: false
+  secret_credential_keys: true
+  secret_db: true
+  secret_ingress_tls: true
+  secret_keystone: true
+  secret_rabbitmq: true
+  service_ingress_api: true
+  service_api: true
+...
diff --git a/charts/openvswitch/.helmignore b/charts/openvswitch/.helmignore
new file mode 100644
index 0000000..b54c347
--- /dev/null
+++ b/charts/openvswitch/.helmignore
@@ -0,0 +1 @@
+values_overrides
diff --git a/charts/openvswitch/Chart.yaml b/charts/openvswitch/Chart.yaml
new file mode 100644
index 0000000..ae2d963
--- /dev/null
+++ b/charts/openvswitch/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm OpenVSwitch
+home: http://openvswitch.org
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/Neutron/OpenStack_Project_Neutron_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: openvswitch
+sources:
+- https://github.com/openvswitch/ovs
+- https://opendev.org/openstack/openstack-helm
+version: 0.1.10
diff --git a/charts/openvswitch/charts/helm-toolkit/Chart.yaml b/charts/openvswitch/charts/helm-toolkit/Chart.yaml
new file mode 100644
index 0000000..12e2dd2
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Helm-Toolkit
+home: https://docs.openstack.org/openstack-helm
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: helm-toolkit
+sources:
+- https://opendev.org/openstack/openstack-helm-infra
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.50
diff --git a/charts/openvswitch/charts/helm-toolkit/requirements.lock b/charts/openvswitch/charts/helm-toolkit/requirements.lock
new file mode 100644
index 0000000..08fae29
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/requirements.lock
@@ -0,0 +1,3 @@
+dependencies: []
+digest: sha256:643d5437104296e21d906ecb15b2c96ad278f20cfc4af53b12bb6069bd853726
+generated: "2023-01-13T19:09:10.042747731Z"
diff --git a/charts/openvswitch/charts/helm-toolkit/requirements.yaml b/charts/openvswitch/charts/helm-toolkit/requirements.yaml
new file mode 100644
index 0000000..27fb08a
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/requirements.yaml
@@ -0,0 +1,15 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies: []
+...
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..12b84de
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
@@ -0,0 +1,58 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves database, or basic auth, style endpoints
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      auth:
+        admin:
+          username: root
+          password: password
+        service_username:
+          username: username
+          password: password
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+      path: /dbname
+      scheme: mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "service_username" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+return: |
+  mysql+pymysql://serviceuser:password@mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s:%s@%s:%s%s" $endpointScheme $endpointUser $endpointPass $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..b7cf287
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
@@ -0,0 +1,121 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves endpoint string suitible for use with oslo.messaging transport url
+  See: https://docs.openstack.org/oslo.messaging/latest/reference/transport.html#oslo_messaging.TransportURL
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset:
+            replicas: 2
+            name: rabbitmq-rabbitmq
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: null
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq-rabbitmq-0.rabbitmq.default.svc.cluster.local:5672,cinder:password@rabbitmq-rabbitmq-1.rabbitmq.default.svc.cluster.local:5672/cinder
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset: null
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: null
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq.default.svc.cluster.local:5672/cinder
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset:
+            replicas: 2
+            name: rabbitmq-rabbitmq
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: rabbitmq.openstackhelm.org
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq.openstackhelm.org:5672/cinder
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" -}}
+{{-   $type := index . 0 -}}
+{{-   $endpoint := index . 1 -}}
+{{-   $userclass := index . 2 -}}
+{{-   $port := index . 3 -}}
+{{-   $context := index . 4 -}}
+{{-   $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{-   $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{-   $ssMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "statefulset" | default false}}
+{{-   $hostFqdnOverride := index $context.Values.endpoints ( $type | replace "-" "_" ) "host_fqdn_override" }}
+{{-   $endpointUser := index $userMap "username" }}
+{{-   $endpointPass := index $userMap "password" }}
+{{-   $endpointHostSuffix := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{-   $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{-   $local := dict "endpointCredsAndHosts" list -}}
+{{-   if not (or (index $hostFqdnOverride $endpoint | default ( index $hostFqdnOverride "default" ) ) ( not $ssMap ) ) }}
+{{-     $endpointHostPrefix := $ssMap.name }}
+{{-     range $podInt := until ( atoi (print $ssMap.replicas ) ) }}
+{{-       $endpointCredAndHost := printf "%s:%s@%s-%d.%s:%s" $endpointUser $endpointPass $endpointHostPrefix $podInt $endpointHostSuffix $endpointPort }}
+{{-       $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{-     end }}
+{{-   else }}
+{{-     $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{-     $endpointCredAndHost := printf "%s:%s@%s:%s" $endpointUser $endpointPass $endpointHost $endpointPort }}
+{{-     $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{-   end }}
+{{-   $endpointCredsAndHosts := include "helm-toolkit.utils.joinListWithComma" $local.endpointCredsAndHosts }}
+{{-   $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{-   printf "%s://%s%s" $endpointScheme $endpointCredsAndHosts $endpointPath }}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
new file mode 100644
index 0000000..fb8bbe7
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves either the fully qualified hostname, of if defined in the host field
+  IPv4 for an endpoint.
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default:
+             host: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: 127.0.0.1
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      127.0.0.1
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default:
+             host: 127.0.0.1
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      127.0.0.1
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_host_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
new file mode 100644
index 0000000..447efe7
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
@@ -0,0 +1,41 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the port for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+return: |
+  3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_port_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- $endpointPortMAP := index $endpointMap.port $port }}
+{{- $endpointPort := index $endpointPortMAP $endpoint | default ( index $endpointPortMAP "default" ) }}
+{{- printf "%1.f" $endpointPort -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
new file mode 100644
index 0000000..3a268c0
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
@@ -0,0 +1,36 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Gets the token for an endpoint
+values: |
+  endpoints:
+    keystone:
+      auth:
+        admin:
+          token: zh78JzXgw6YUKy2e
+usage: |
+  {{ tuple "keystone" "admin" . | include "helm-toolkit.endpoints.endpoint_token_lookup" }}
+return: |
+  zh78JzXgw6YUKy2e
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_token_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $userName := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" }}
+{{- printf "%s" $serviceToken -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..6877b7b
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
@@ -0,0 +1,59 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves 'hostname:port' for an endpoint
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+          port:
+            mysql:
+              default: 3306
+    usage: |
+      {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local:3306
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: 127.0.0.1
+          host_fqdn_override:
+            default: null
+          port:
+            mysql:
+              default: 3306
+    usage: |
+      {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+    return: |
+      127.0.0.1:3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- printf "%s:%s" $endpointHostname $endpointPort -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
new file mode 100644
index 0000000..26374e3
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the fully qualified hostname for an endpoint
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: mariadb.openstackhelm.openstack.org
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.openstackhelm.openstack.org
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default:
+              host: mariadb.openstackhelm.openstack.org
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.openstackhelm.openstack.org
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointHostNamespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.svc.%s" $endpointHostNamespaced $context.Values.endpoints.cluster_domain_suffix }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $endpointMap.host_fqdn_override "default" | default "" ) }}
+{{- if kindIs "map" $context.Values.__FQDNendpointHostDefault }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $context.Values.__FQDNendpointHostDefault "host" ) }}
+{{- end }}
+{{- if kindIs "map" (index $endpointMap.host_fqdn_override $endpoint) }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint "host" | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
new file mode 100644
index 0000000..9d60393
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
@@ -0,0 +1,40 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the namespace scoped hostname for an endpoint
+values: |
+  endpoints:
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+return: |
+  mariadb.default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.%s" $endpointHost $namespace }}
+{{- printf "%s" $endpointClusterHostname -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
new file mode 100644
index 0000000..cc4d4de
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the namespace scoped hostname for an endpoint
+values: |
+  endpoints:
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" }}
+return: |
+  default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- printf "%s" $namespace -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
new file mode 100644
index 0000000..f23c624
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the short hostname for an endpoint
+examples:
+  - values: |
+      endpoints:
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+    return: |
+      mariadb
+  - values: |
+      endpoints:
+        oslo_db:
+          hosts:
+            default:
+              host: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+    return: |
+      mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- printf "%s" $type -}}
+{{- else }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
new file mode 100644
index 0000000..e31c0eb
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the service name for an service type
+values: |
+  endpoints:
+    identity:
+      name: keystone
+usage: |
+  {{ tuple identity . | include "keystone_endpoint_name_lookup" }}
+return: |
+  "keystone"
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_name_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointName := index $endpointMap "name" }}
+{{- $endpointName | quote -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
new file mode 100644
index 0000000..b2ec648
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+  Resolves the path for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      path:
+       default: /dbname
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+return: |
+  /dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_path_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.path }}
+{{- printf "%s" $endpointMap.path | default "/" -}}
+{{- else -}}
+{{- $endpointPath := index $endpointMap.path $endpoint | default $endpointMap.path.default | default "/" }}
+{{- printf "%s" $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
new file mode 100644
index 0000000..b35cb0b
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+  Resolves the scheme for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      scheme:
+        default:
+          mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+return: |
+  mysql+pymysql
+*/}}
+
+# This function returns the scheme for a service, it takes an tuple
+# input in the form: service-type, endpoint-class, port-name. eg:
+# { tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_scheme_lookup" }
+# will return the scheme setting for this particular endpoint.  In other words, for most endpoints
+# it will return either 'http' or 'https'
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.scheme }}
+{{- printf "%s" $endpointMap.scheme | default "http" -}}
+{{- else -}}
+{{- $endpointScheme := index $endpointMap.scheme $endpoint | default $endpointMap.scheme.default | default "http" }}
+{{- printf "%s" $endpointScheme -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..8d0819c
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
@@ -0,0 +1,52 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  This function helps resolve uri style endpoints. It will omit the port for
+  http when 80 is used, and 443 in the case of https.
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+      path: /dbname
+      scheme: mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+return: |
+  mysql+pymysql://mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- if or ( and ( eq $endpointScheme "http" ) ( eq $endpointPort "80" ) ) ( and ( eq $endpointScheme "https" ) ( eq $endpointPort "443" ) ) -}}
+{{- printf "%s://%s%s" $endpointScheme $endpointHost $endpointPath -}}
+{{- else -}}
+{{- printf "%s://%s:%s%s" $endpointScheme $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
new file mode 100644
index 0000000..cf2ef38
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  This function returns endpoint "<namespace>:<name>" pair from an endpoint
+  definition. This is used in kubernetes-entrypoint to support dependencies
+  between different services in different namespaces.
+  returns: the endpoint namespace and the service name, delimited by a colon
+
+  Normally, the service name is constructed dynamically from the hostname
+  however when an ip address is used as the hostname, we default to
+  namespace:endpointCategoryName in order to construct a valid service name
+  however this can be overridden to a custom service name by defining
+  .service.name within the endpoint definition
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      namespace: foo
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple oslo_db internal . | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}
+return: |
+  foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- with $endpointMap -}}
+{{- $endpointName := index .hosts $endpoint | default .hosts.default }}
+{{- $endpointNamespace := .namespace | default $context.Release.Namespace }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointName }}
+{{- if .service.name }}
+{{- printf "%s:%s" $endpointNamespace .service.name -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $typeYamlSafe -}}
+{{- end -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $endpointName -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
new file mode 100644
index 0000000..18453ee
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for kubernete ceph storageclass
+examples:
+  - values: |
+      manifests:
+        storageclass: true
+      storageclass:
+        rbd:
+          provision_storage_class: true
+          provisioner: "ceph.com/rbd"
+          metadata:
+            default_storage_class: true
+            name: general
+          parameters:
+            #We will grab the monitors value based on helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup
+            pool: rbd
+            admin_id: admin
+            ceph_configmap_name: "ceph-etc"
+            admin_secret_name: "pvc-ceph-conf-combined-storageclass"
+            admin_secret_namespace: ceph
+            user_id: admin
+            user_secret_name: "pvc-ceph-client-key"
+            image_format: "2"
+            image_features: layering
+        cephfs:
+          provision_storage_class: true
+          provisioner: "ceph.com/cephfs"
+          metadata:
+            name: cephfs
+          parameters:
+            admin_id: admin
+            admin_secret_name: "pvc-ceph-cephfs-client-key"
+            admin_secret_namespace: ceph
+    usage: |
+      {{- range $storageclass, $val := .Values.storageclass }}
+      {{ dict "storageclass_data" $val "envAll" $ | include "helm-toolkit.manifests.ceph-storageclass" }}
+      {{- end }}
+    return: |
+      ---
+      apiVersion: storage.k8s.io/v1
+      kind: StorageClass
+      metadata:
+        annotations:
+          storageclass.kubernetes.io/is-default-class: "true"
+        name: general
+      provisioner: ceph.com/rbd
+      parameters:
+        monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+        adminId: admin
+        adminSecretName: pvc-ceph-conf-combined-storageclass
+        adminSecretNamespace: ceph
+        pool: rbd
+        userId: admin
+        userSecretName: pvc-ceph-client-key
+        image_format: "2"
+        image_features: layering
+      ---
+      apiVersion: storage.k8s.io/v1
+      kind: StorageClass
+      metadata:
+        name: cephfs
+      provisioner: ceph.com/cephfs
+      parameters:
+        monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+        adminId: admin
+        adminSecretName: pvc-ceph-cephfs-client-key
+        adminSecretNamespace: ceph
+*/}}
+
+{{- define "helm-toolkit.manifests.ceph-storageclass" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $monHost := $envAll.Values.conf.ceph.global.mon_host -}}
+{{- if empty $monHost -}}
+{{- $monHost = tuple "ceph_mon" "internal" "mon" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- end -}}
+{{- $storageclassData := index . "storageclass_data" -}}
+---
+{{- if $storageclassData.provision_storage_class }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+{{- if $storageclassData.metadata.default_storage_class }}
+  annotations:
+    storageclass.kubernetes.io/is-default-class: "true"
+{{- end }}
+  name: {{ $storageclassData.metadata.name }}
+provisioner: {{ $storageclassData.provisioner }}
+parameters:
+  monitors: {{ $monHost }}
+{{- range $attr, $value := $storageclassData.parameters }}
+  {{ $attr }}: {{ $value | quote }}
+{{- end }}
+allowVolumeExpansion: true
+
+{{- end }}
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/manifests/_certificates.tpl b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_certificates.tpl
new file mode 100644
index 0000000..8be771e
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_certificates.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a certificate using jetstack
+examples:
+  - values: |
+      endpoints:
+        dashboard:
+          host_fqdn_override:
+            default:
+              host: null
+              tls:
+                secretName: keystone-tls-api
+                issuerRef:
+                  name: ca-issuer
+                  duration: 2160h
+                  organization:
+                    - ACME
+                  commonName: keystone-api.openstack.svc.cluster.local
+                  privateKey:
+                    size: 2048
+                  usages:
+                    - server auth
+                    - client auth
+                  dnsNames:
+                    - cluster.local
+                  issuerRef:
+                    name: ca-issuer
+    usage: |
+      {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
+      {{ $opts | include "helm-toolkit.manifests.certificates" }}
+    return: |
+      ---
+      apiVersion: cert-manager.io/v1
+      kind: Certificate
+      metadata:
+        name: keystone-tls-api
+        namespace: NAMESPACE
+      spec:
+        commonName: keystone-api.openstack.svc.cluster.local
+        dnsNames:
+        - cluster.local
+        duration: 2160h
+        issuerRef:
+          name: ca-issuer
+        privateKey:
+          size: 2048
+        organization:
+        - ACME
+        secretName: keystone-tls-api
+        usages:
+        - server auth
+        - client auth
+*/}}
+
+{{- define "helm-toolkit.manifests.certificates" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $service := index . "service" -}}
+{{- $type := index . "type" | default "" -}}
+{{- $slice := index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" -}}
+{{/* Put in some sensible default value if one is not provided by values.yaml */}}
+{{/* If a dnsNames list is not in the values.yaml, it can be overridden by a passed-in parameter.
+  This allows user to use other HTK method to determine the URI and pass that into this method.*/}}
+{{- if not (hasKey $slice "dnsNames") -}}
+{{- $hostName := tuple $service $type $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
+{{- $_ := $dnsNames | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "dnsNames" -}}
+{{- end -}}
+{{/* Default privateKey size to 4096. This can be overridden. */}}
+{{- if not (hasKey $slice "privateKey") -}}
+{{- $_ := dict "size" ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "privateKey" -}}
+{{- else if empty (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey" "size") -}}
+{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey") "size" -}}
+{{- end -}}
+{{/* Default duration to 3 months. Note the min is 720h. This can be overridden. */}}
+{{- if not (hasKey $slice "duration") -}}
+{{- $_ := printf "%s" "2190h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "duration" -}}
+{{- end -}}
+{{/* Default renewBefore to 15 days. This can be overridden. */}}
+{{- if not (hasKey $slice "renewBefore") -}}
+{{- $_ := printf "%s" "360h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "renewBefore" -}}
+{{- end -}}
+{{/* Default the usage to server auth and client auth. This can be overridden. */}}
+{{- if not (hasKey $slice "usages") -}}
+{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}}
+{{- end -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }}
+  namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{ $slice | toYaml | indent 2 }}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_ingress.tpl
new file mode 100644
index 0000000..4c476b2
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -0,0 +1,727 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a services ingress rules.
+examples:
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public: barbican
+          host_fqdn_override:
+            default: null
+            public:
+              host: barbican.openstackhelm.example
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican-namespace-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican.openstackhelm.example
+        rules:
+          - host: barbican.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican-cluster-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx-cluster"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican.openstackhelm.example
+        rules:
+          - host: barbican.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  - values: |
+      cert_issuer_type: issuer
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/secure-backends: "true"
+              nginx.ingress.kubernetes.io/backend-protocol: "https"
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+              internal: barbican-tls-api
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+          certs:
+            barbican_tls_api:
+              secretName: barbican-tls-api
+              issuerRef:
+                name: ca-issuer
+                kind: Issuer
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          cert-manager.io/issuer: ca-issuer
+          certmanager.k8s.io/issuer: ca-issuer
+          nginx.ingress.kubernetes.io/backend-protocol: https
+          nginx.ingress.kubernetes.io/secure-backends: "true"
+      spec:
+        tls:
+          - secretName: barbican-tls-public-certmanager
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/secure-backends: "true"
+              nginx.ingress.kubernetes.io/backend-protocol: "https"
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+              internal: barbican-tls-api
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+          certs:
+            barbican_tls_api:
+              secretName: barbican-tls-api
+              issuerRef:
+                name: ca-issuer
+                kind: ClusterIssuer
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer") -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          cert-manager.io/cluster-issuer: ca-issuer
+          certmanager.k8s.io/cluster-issuer: ca-issuer
+          nginx.ingress.kubernetes.io/backend-protocol: https
+          nginx.ingress.kubernetes.io/secure-backends: "true"
+      spec:
+        tls:
+          - secretName: barbican-tls-public-certmanager
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  # Sample usage for multiple DNS names associated with the same public
+  # endpoint and certificate
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        grafana:
+          name: grafana
+          hosts:
+            default: grafana-dashboard
+            public: grafana
+          host_fqdn_override:
+            public:
+              host: grafana.openstackhelm.example
+              tls:
+                dnsNames:
+                  - grafana-alt.openstackhelm.example
+                crt: "BASE64 ENCODED CERT"
+                key: "BASE64 ENCODED KEY"
+      network:
+        grafana:
+          ingress:
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          grafana:
+            grafana:
+              public: grafana-tls-public
+    usage: |
+      {{- $ingressOpts := dict "envAll" . "backendService" "grafana" "backendServiceType" "grafana" "backendPort" "dashboard" -}}
+      {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        rules:
+          - host: grafana
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana-namespace-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: grafana-tls-public
+            hosts:
+              - grafana.openstackhelm.example
+              - grafana-alt.openstackhelm.example
+        rules:
+          - host: grafana.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana-alt.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana-cluster-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx-cluster"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: grafana-tls-public
+            hosts:
+              - grafana.openstackhelm.example
+              - grafana-alt.openstackhelm.example
+        rules:
+          - host: grafana.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana-alt.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+
+*/}}
+
+{{- define "helm-toolkit.manifests.ingress._host_rules" -}}
+{{- $vHost := index . "vHost" -}}
+{{- $backendName := index . "backendName" -}}
+{{- $backendPort := index . "backendPort" -}}
+- host: {{ $vHost }}
+  http:
+    paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: {{ $backendName }}
+            port:
+{{- if or (kindIs "int" $backendPort) (regexMatch "^[0-9]{1,5}$" $backendPort) }}
+              number: {{ $backendPort | int }}
+{{- else }}
+              name: {{ $backendPort | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "helm-toolkit.manifests.ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendService := index . "backendService" | default "api" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+{{- $backendPort := index . "backendPort" -}}
+{{- $endpoint := index . "endpoint" | default "public" -}}
+{{- $certIssuer := index . "certIssuer" | default "" -}}
+{{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostNameFull := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $certIssuerType := "cluster-issuer" -}}
+{{- if $envAll.Values.cert_issuer_type }}
+{{- $certIssuerType = $envAll.Values.cert_issuer_type }}
+{{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $ingressName }}
+  annotations:
+    kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" "namespace" | quote }}
+{{- if $certIssuer }}
+    cert-manager.io/{{ $certIssuerType }}: {{ $certIssuer }}
+    certmanager.k8s.io/{{ $certIssuerType }}: {{ $certIssuer }}
+{{- $slice := index $envAll.Values.endpoints $backendServiceType "host_fqdn_override" "default" "tls" -}}
+{{- if (hasKey $slice "duration") }}
+    cert-manager.io/duration: {{ index $slice "duration" }}
+{{- end }}
+{{- end }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "hosts" }}
+{{- if $certIssuer }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ printf "%s-ing" $secretName }}
+      hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+        - {{ $vHost }}
+{{- end }}
+{{- else }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ $secretName }}
+      hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+        - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+  rules:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+{{- $hostRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
+{{- $ingressConf := $envAll.Values.network -}}
+{{- $ingressClasses := ternary (tuple "namespace") (tuple "namespace" "cluster") (and (hasKey $ingressConf "use_external_ingress_controller") $ingressConf.use_external_ingress_controller) }}
+{{- range $key2, $ingressController := $ingressClasses }}
+{{- $vHosts := list $hostNameFull }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ printf "%s-%s-%s" $ingressName $ingressController "fqdn" }}
+  annotations:
+    kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" $ingressController | quote }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
+{{- $vHosts = append $vHosts $v }}
+{{- end }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ $secretName }}
+      hosts:
+{{- range $vHost := $vHosts }}
+        - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+  rules:
+{{- range $vHost := $vHosts }}
+{{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
new file mode 100644
index 0000000..5d98c8b
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
@@ -0,0 +1,141 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $bootstrapJob := dict "envAll" . "serviceName" "senlin" -}
+# { $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }
+
+{{- define "helm-toolkit.manifests.job_bootstrap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}}
+{{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $keystoneUser := index . "keystoneUser" | default $serviceName -}}
+{{- $openrc := index . "openrc" | default "true" -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "bootstrap" }}
+{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "bootstrap" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+      containers:
+        - name: bootstrap
+          image: {{ $envAll.Values.images.tags.bootstrap }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if eq $openrc "true" }}
+          env:
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+{{- end }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/bootstrap.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: bootstrap-sh
+              mountPath: /tmp/bootstrap.sh
+              subPath: bootstrap.sh
+              readOnly: true
+            - name: etc-service
+              mountPath: {{ dir $configFile | quote }}
+            - name: bootstrap-conf
+              mountPath: {{ $configFile | quote }}
+              subPath: {{ base $configFile | quote }}
+              readOnly: true
+            - name: bootstrap-conf
+              mountPath: {{ $logConfigFile | quote }}
+              subPath: {{ base $logConfigFile | quote }}
+              readOnly: true
+{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: bootstrap-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etc-service
+          emptyDir: {}
+        - name: bootstrap-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
new file mode 100644
index 0000000..62ed119
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
@@ -0,0 +1,170 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToDropJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_drop_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToDrop := index . "dbToDrop" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToDrop := default (list $dbToDrop) (index . "dbsToDrop") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
+{{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-drop" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": hook-succeeded
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_drop" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_drop" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{ $dbToDropType := default "oslo" $dbToDrop.inputType }}
+        - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-drop" $key1 | quote }}
+          image: {{ $envAll.Values.images.tags.db_drop }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_drop | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: ROOT_DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToDrop.adminSecret | quote }}
+                  key: DB_CONNECTION
+{{- if eq $dbToDropType "oslo" }}
+            - name: OPENSTACK_CONFIG_FILE
+              value: {{ $dbToDrop.configFile | quote }}
+            - name: OPENSTACK_CONFIG_DB_SECTION
+              value: {{ $dbToDrop.configDbSection | quote }}
+            - name: OPENSTACK_CONFIG_DB_KEY
+              value: {{ $dbToDrop.configDbKey | quote }}
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+            - name: MARIADB_X509
+              value: "REQUIRE X509"
+{{- end }}
+{{- if eq $dbToDropType "secret" }}
+            - name: DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToDrop.userSecret | quote }}
+                  key: DB_CONNECTION
+{{- end }}
+          command:
+            - /tmp/db-drop.py
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-drop-sh
+              mountPath: /tmp/db-drop.py
+              subPath: db-drop.py
+              readOnly: true
+
+{{- if eq $dbToDropType "oslo" }}
+            - name: etc-service
+              mountPath: {{ dir $dbToDrop.configFile | quote }}
+            - name: db-drop-conf
+              mountPath: {{ $dbToDrop.configFile | quote }}
+              subPath: {{ base $dbToDrop.configFile | quote }}
+              readOnly: true
+            - name: db-drop-conf
+              mountPath: {{ $dbToDrop.logConfigFile | quote }}
+              subPath: {{ base $dbToDrop.logConfigFile | quote }}
+              readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-drop-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{- $dbToDropType := default "oslo" $dbToDrop.inputType }}
+{{- if and (eq $dbToDropType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-drop-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
new file mode 100644
index 0000000..745e8da
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
@@ -0,0 +1,169 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToInitJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_init_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToInit := index . "dbToInit" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToInit := default (list $dbToInit) (index . "dbsToInit") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
+{{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-init" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{ $dbToInitType := default "oslo" $dbToInit.inputType }}
+        - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-init" $key1 | quote }}
+          image: {{ $envAll.Values.images.tags.db_init }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: ROOT_DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToInit.adminSecret | quote }}
+                  key: DB_CONNECTION
+{{- if eq $dbToInitType "oslo" }}
+            - name: OPENSTACK_CONFIG_FILE
+              value: {{ $dbToInit.configFile | quote }}
+            - name: OPENSTACK_CONFIG_DB_SECTION
+              value: {{ $dbToInit.configDbSection | quote }}
+            - name: OPENSTACK_CONFIG_DB_KEY
+              value: {{ $dbToInit.configDbKey | quote }}
+{{- end }}
+{{- if eq $dbToInitType "secret" }}
+            - name: DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToInit.userSecret | quote }}
+                  key: DB_CONNECTION
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+            - name: MARIADB_X509
+              value: "REQUIRE X509"
+{{- end }}
+          command:
+            - /tmp/db-init.py
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-init-sh
+              mountPath: /tmp/db-init.py
+              subPath: db-init.py
+              readOnly: true
+{{- if eq $dbToInitType "oslo" }}
+            - name: etc-service
+              mountPath: {{ dir $dbToInit.configFile | quote }}
+            - name: db-init-conf
+              mountPath: {{ $dbToInit.configFile | quote }}
+              subPath: {{ base $dbToInit.configFile | quote }}
+              readOnly: true
+            - name: db-init-conf
+              mountPath: {{ $dbToInit.logConfigFile | quote }}
+              subPath: {{ base $dbToInit.logConfigFile | quote }}
+              readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-init-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{- $dbToInitType := default "oslo" $dbToInit.inputType }}
+{{- if and (eq $dbToInitType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-init-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
new file mode 100644
index 0000000..24d2496
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
@@ -0,0 +1,137 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db migration and management.
+# It can be used in charts dict created similar to the following:
+# {- $dbSyncJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }
+
+{{- define "helm-toolkit.manifests.job_db_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $podEnvVars := index . "podEnvVars" | default false -}}
+{{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "image" ( index $envAll.Values.images.tags ( printf "%s_db_sync" $serviceName )) ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
+{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+          image: {{ $dbToSync.image | quote }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if $podEnvVars }}
+          env:
+{{ $podEnvVars | toYaml | indent 12 }}
+{{- end }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/db-sync.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-sync-sh
+              mountPath: /tmp/db-sync.sh
+              subPath: db-sync.sh
+              readOnly: true
+            - name: etc-service
+              mountPath: {{ dir $dbToSync.configFile | quote }}
+            - name: db-sync-conf
+              mountPath: {{ $dbToSync.configFile | quote }}
+              subPath: {{ base $dbToSync.configFile | quote }}
+              readOnly: true
+            - name: db-sync-conf
+              mountPath: {{ $dbToSync.logConfigFile | quote }}
+              subPath: {{ base $dbToSync.logConfigFile | quote }}
+              readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-sync-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-sync-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
new file mode 100644
index 0000000..3a7df7f
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
@@ -0,0 +1,130 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksEndpointJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksEndpointJob | include "helm-toolkit.manifests.job_ks_endpoints" }
+
+{{- define "helm-toolkit.manifests.job_ks_endpoints" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_endpoints" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_endpoints.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-endpoints" }}
+{{ tuple $envAll "ks_endpoints" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "ks-endpoints" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_endpoints" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_endpoints" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+        - name: {{ printf "%s-%s-%s" $osServiceType "ks-endpoints" $osServiceEndPoint | quote }}
+          image: {{ $envAll.Values.images.tags.ks_endpoints }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-endpoints.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-endpoints-sh
+              mountPath: /tmp/ks-endpoints.sh
+              subPath: ks-endpoints.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: OS_SVC_ENDPOINT
+              value: {{ $osServiceEndPoint | quote }}
+            - name: OS_SERVICE_NAME
+              value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+            - name: OS_SERVICE_TYPE
+              value: {{ $osServiceType | quote }}
+            - name: OS_SERVICE_ENDPOINT
+              value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-endpoints-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
new file mode 100644
index 0000000..a109e3c
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
@@ -0,0 +1,124 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksServiceJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }
+
+{{- define "helm-toolkit.manifests.job_ks_service" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_service" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_service.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-service" }}
+{{ tuple $envAll "ks_service" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "ks-service" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_service" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_service" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+        - name: {{ printf "%s-%s" $osServiceType "ks-service-registration" | quote }}
+          image: {{ $envAll.Values.images.tags.ks_service }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-service.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-service-sh
+              mountPath: /tmp/ks-service.sh
+              subPath: ks-service.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: OS_SERVICE_NAME
+              value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+            - name: OS_SERVICE_TYPE
+              value: {{ $osServiceType | quote }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-service-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
new file mode 100644
index 0000000..905eb71
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone user management.
+# It can be used in charts dict created similar to the following:
+# {- $ksUserJob := dict "envAll" . "serviceName" "senlin" }
+# { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }
+
+{{/*
+  # To enable PodSecuritycontext (PodSecurityContext/v1) define the below in values.yaml:
+  # example:
+  #  values: |
+  #    pod:
+  #      security_context:
+  #        ks_user:
+  #          pod:
+  #            runAsUser: 65534
+  # To enable Container SecurityContext(SecurityContext/v1) for ks-user container define the values:
+  # example:
+  #   values: |
+  #     pod:
+  #       security_context:
+  #         ks_user:
+  #           container:
+  #             ks-user:
+  #               runAsUser: 65534
+  #               readOnlyRootFilesystem: true
+  #               allowPrivilegeEscalation: false
+*/}}
+
+{{- define "helm-toolkit.manifests.job_ks_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_user" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_user.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "ks-user" }}
+{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceUserPretty "ks-user" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+{{ dict "envAll" $envAll "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: ks-user
+          image: {{ $envAll.Values.images.tags.ks_user }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ks_user" "container" "ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-user.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-user-sh
+              mountPath: /tmp/ks-user.sh
+              subPath: ks-user.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: SERVICE_OS_SERVICE_NAME
+              value: {{ $serviceName | quote }}
+{{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: SERVICE_OS_ROLES
+            {{- $serviceOsRoles := index $envAll.Values.endpoints.identity.auth $serviceUser "role" }}
+            {{- if kindIs "slice" $serviceOsRoles }}
+              value: {{ include "helm-toolkit.utils.joinListWithComma" $serviceOsRoles | quote }}
+            {{- else }}
+              value: {{ $serviceOsRoles | quote }}
+            {{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-user-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
new file mode 100644
index 0000000..6982064
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
@@ -0,0 +1,129 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.manifests.job_rabbit_init" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
+{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceUserPretty "rabbit-init" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "rabbit_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "rabbit_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: rabbit-init
+          image: {{ $envAll.Values.images.tags.rabbit_init | quote }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.rabbit_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/rabbit-init.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: rabbit-init-sh
+              mountPath: /tmp/rabbit-init.sh
+              subPath: rabbit-init.sh
+              readOnly: true
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+          env:
+          - name: RABBITMQ_ADMIN_CONNECTION
+            valueFrom:
+              secretKeyRef:
+                name: {{ $envAll.Values.secrets.oslo_messaging.admin }}
+                key: RABBITMQ_CONNECTION
+          - name: RABBITMQ_USER_CONNECTION
+            valueFrom:
+              secretKeyRef:
+                name: {{ index $envAll.Values.secrets.oslo_messaging $serviceName }}
+                key: RABBITMQ_CONNECTION
+{{- if $envAll.Values.conf.rabbitmq }}
+          - name: RABBITMQ_AUXILIARY_CONFIGURATION
+            value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates (ne $tlsSecret "") }}
+          - name: RABBITMQ_X509
+            value: "REQUIRE X509"
+          - name: USER_CERT_PATH
+            value: {{ $tlsPath | quote }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: rabbit-init-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
new file mode 100644
index 0000000..29cb993
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
@@ -0,0 +1,147 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for linking an s3 bucket to an s3 user.
+# It can be used in charts dict created similar to the following:
+# {- $s3BucketJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3BucketJob | include "helm-toolkit.manifests.job_s3_bucket" }
+
+{{- define "helm-toolkit.manifests.job_s3_bucket" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+{{- $s3Bucket := index . "s3Bucket" | default $serviceName }}
+{{- $tlsCertificateSecret := index . "tlsCertificateSecret" -}}
+{{- $tlsCertificatePath := index . "tlsCertificatePath" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-bucket" }}
+{{ tuple $envAll "s3_bucket" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "s3-bucket" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "s3_bucket" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "s3_bucket" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: s3-bucket
+          image: {{ $envAll.Values.images.tags.s3_bucket }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_bucket | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/create-s3-bucket.sh
+          env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: s3-bucket-sh
+              mountPath: /tmp/create-s3-bucket.sh
+              subPath: create-s3-bucket.sh
+              readOnly: true
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: ceph.conf
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+            - name: {{ $tlsCertificateSecret }}
+              mountPath: {{ $tlsCertificatePath }}
+              subPath: ca.crt
+              readOnly: true
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: s3-bucket-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etcceph
+          emptyDir: {}
+        - name: ceph-etc
+          configMap:
+            name: {{ $configMapCeph | quote }}
+            defaultMode: 0444
+        {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+        - name: ceph-keyring
+          secret:
+            secretName: pvc-ceph-client-key
+        {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+        - name: {{ $tlsCertificateSecret }}
+          secret:
+            secretName: {{ $tlsCertificateSecret }}
+            defaultMode: 292
+{{- end }}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
new file mode 100644
index 0000000..50d9af5
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
@@ -0,0 +1,159 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for s3 user management.
+# It can be used in charts dict created similar to the following:
+# {- $s3UserJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3UserJob | include "helm-toolkit.manifests.job_s3_user" }
+
+{{- define "helm-toolkit.manifests.job_s3_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-user" }}
+{{ tuple $envAll "s3_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "s3-user" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook-delete-policy": before-hook-creation
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "s3_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "s3_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: ceph-keyring-placement
+          image: {{ $envAll.Values.images.tags.ceph_key_placement }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+          command:
+            - /tmp/ceph-admin-keyring.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-keyring-sh
+              mountPath: /tmp/ceph-admin-keyring.sh
+              subPath: ceph-admin-keyring.sh
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+      containers:
+        - name: s3-user
+          image: {{ $envAll.Values.images.tags.s3_user }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/create-s3-user.sh
+          env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+            - name: RGW_HOST
+              value: {{ tuple "ceph_object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: create-s3-user-sh
+              mountPath: /tmp/create-s3-user.sh
+              subPath: create-s3-user.sh
+              readOnly: true
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: ceph.conf
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: create-s3-user-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: ceph-keyring-sh
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+        - name: etcceph
+          emptyDir: {}
+        - name: ceph-etc
+          configMap:
+            name: {{ $configMapCeph | quote }}
+            defaultMode: 0444
+        {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+        - name: ceph-keyring
+          secret:
+            secretName: pvc-ceph-client-key
+        {{ end }}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
new file mode 100644
index 0000000..0906df4
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
@@ -0,0 +1,119 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for the image repo sync jobs.
+# It can be used in charts dict created similar to the following:
+# {- $imageRepoSyncJob := dict "envAll" . "serviceName" "prometheus" -}
+# { $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }
+
+{{- define "helm-toolkit.manifests.job_image_repo_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "image-repo-sync" }}
+{{ tuple $envAll "image_repo_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "image-repo-sync" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook-delete-policy": before-hook-creation
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "image_repo_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+      containers:
+        - name: image-repo-sync
+{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: LOCAL_REPO
+              value: "{{ tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+            - name: IMAGE_SYNC_LIST
+              value: "{{ include "helm-toolkit.utils.image_sync_list" $envAll }}"
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/image-repo-sync.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: bootstrap-sh
+              mountPath: /tmp/image-repo-sync.sh
+              subPath: image-repo-sync.sh
+              readOnly: true
+            - name: docker-socket
+              mountPath: /var/run/docker.sock
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: bootstrap-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: docker-socket
+          hostPath:
+            path: /var/run/docker.sock
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/manifests/_network_policy.tpl b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_network_policy.tpl
new file mode 100644
index 0000000..405197a
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_network_policy.tpl
@@ -0,0 +1,238 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a network policy manifest for services.
+values: |
+  endpoints:
+    kube_dns:
+      namespace: kube-system
+      name: kubernetes-dns
+      hosts:
+        default: kube-dns
+      host_fqdn_override:
+        default: null
+      path:
+        default: null
+      scheme: http
+      port:
+        dns_tcp:
+          default: 53
+        dns:
+          default: 53
+          protocol: UDP
+  network_policy:
+    myLabel:
+      podSelector:
+        matchLabels:
+          component: api
+      ingress:
+      - from:
+        - podSelector:
+            matchLabels:
+              application: keystone
+        ports:
+        - protocol: TCP
+          port: 80
+      egress:
+      - to:
+        - namespaceSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+usage: |
+  {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+  {{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}
+return: |
+  ---
+  apiVersion: networking.k8s.io/v1
+  kind: NetworkPolicy
+  metadata:
+    name: RELEASE-NAME
+    namespace: NAMESPACE
+  spec:
+    policyTypes:
+      - Ingress
+      - Egress
+    podSelector:
+      matchLabels:
+        application: myLabel
+        component: api
+    ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            application: keystone
+      ports:
+      - protocol: TCP
+        port: 80
+    egress:
+      - to:
+        - podSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+  ---
+  apiVersion: networking.k8s.io/v1
+  kind: NetworkPolicy
+  metadata:
+    name: RELEASE-NAME
+    namespace: NAMESPACE
+  spec:
+    policyTypes:
+      - Ingress
+      - Egress
+    podSelector:
+      matchLabels:
+        application: myApp
+        component: myComp
+    ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            application: keystone
+      ports:
+      - protocol: TCP
+        port: 80
+    egress:
+      - to:
+        - podSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+*/}}
+
+{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $name := index . "name" -}}
+{{- $labels := index . "labels" | default nil -}}
+{{- $label := index . "key" | default (index . "label") -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ $label | replace "_" "-" }}-netpol
+  namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+  policyTypes:
+{{- $is_egress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_egress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
+    - Egress
+{{ end -}}
+{{- $is_ingress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_ingress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
+    - Ingress
+{{ end -}}
+{{- end }}
+  podSelector:
+    matchLabels:
+{{- if empty $labels }}
+      {{ $name }}: {{ $label }}
+{{- else }}
+{{ range $k, $v := $labels }}
+      {{ $k }}: {{ $v }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
+{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
+{{ index $envAll.Values.network_policy $label "podSelector" "matchLabels" | toYaml | indent 6 }}
+{{ end }}
+{{ end }}
+{{ end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+  egress:
+{{- range $key, $value := $envAll.Values.endpoints }}
+{{- if kindIs "map" $value }}
+{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }}
+    - to:
+{{- if index $value "namespace" }}
+      - namespaceSelector:
+          matchLabels:
+            name: {{ index $value "namespace" }}
+{{- else if index $value "hosts" }}
+{{- $defaultValue := index $value "hosts" "internal" }}
+{{- if hasKey (index $value "hosts") "internal" }}
+{{- $a := split "-" $defaultValue }}
+      - podSelector:
+          matchLabels:
+            application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- else }}
+{{- $defaultValue := index $value "hosts" "default" }}
+{{- $a := split "-" $defaultValue }}
+      - podSelector:
+          matchLabels:
+            application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- end }}
+{{- end }}
+{{- if index $value "port" }}
+      ports:
+{{- range $k, $v := index $value "port" }}
+{{- if $k }}
+{{- range $pk, $pv := $v }}
+{{- if and $pv (ne $pk "protocol") }}
+      - port: {{ $pv }}
+        protocol: {{ $v.protocol | default "TCP" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if index $envAll.Values.network_policy $label "egress" }}
+{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if index $envAll.Values.network_policy $label "ingress" }}
+  ingress:
+{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
new file mode 100644
index 0000000..4854bb1
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
@@ -0,0 +1,93 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a authenticating a registry with a secret
+examples:
+  - values: |
+      secrets:
+        oci_image_registry:
+          {{ $serviceName }}: {{ $keyName }}
+      endpoints:
+        oci_image_registry:
+          name: oci-image-registry
+          auth:
+            enabled: true
+             {{ $serviceName }}:
+                name: {{ $userName }}
+                password: {{ $password }}
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: {{ $secretName }}
+    type: kubernetes.io/dockerconfigjson
+    data:
+      dockerconfigjson: {{ $dockerAuth }}
+
+  - values: |
+      secrets:
+        oci_image_registry:
+          {{ $serviceName }}: {{ $keyName }}
+      endpoints:
+        oci_image_registry:
+          name: oci-image-registry
+          auth:
+            enabled: true
+             {{ $serviceName }}:
+                name: {{ $userName }}
+                password: {{ $password }}
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: {{ $secretName }}
+    type: kubernetes.io/dockerconfigjson
+    data:
+      dockerconfigjson: {{ $dockerAuth }}
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_registry" }}
+{{- $envAll := index . "envAll" }}
+{{- $registryUser := index . "registryUser" }}
+{{- $secretName := index $envAll.Values.secrets.oci_image_registry $registryUser }}
+{{- $registryHost := tuple "oci_image_registry" "internal" $envAll | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{/*
+We only use "host:port" when port is non-null, else just use "host"
+*/}}
+{{- $registryPort := "" }}
+{{- $port := $envAll.Values.endpoints.oci_image_registry.port.registry.default }}
+{{- if $port }}
+{{- $port = tuple "oci_image_registry" "internal" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $registryPort = printf ":%s" $port }}
+{{- end }}
+{{- $imageCredentials := index $envAll.Values.endpoints.oci_image_registry.auth $registryUser }}
+{{- $dockerAuthToken := printf "%s:%s" $imageCredentials.username $imageCredentials.password | b64enc }}
+{{- $dockerAuth := printf "{\"auths\": {\"%s%s\": {\"auth\": \"%s\"}}}" $registryHost $registryPort $dockerAuthToken | b64enc }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ $dockerAuth }}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
new file mode 100644
index 0000000..24a7045
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a services public tls secret
+examples:
+  - values: |
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        key_manager:
+          host_fqdn_override:
+            public:
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: barbican-tls-public
+    type: kubernetes.io/tls
+    data:
+      tls.key: Rk9PLUtFWQo=
+      tls.crt: Rk9PLUNSVAoKRk9PLUNBX0NSVAo=
+
+  - values: |
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        key_manager:
+          host_fqdn_override:
+            public:
+              tls:
+                crt: |
+                  FOO-CRT
+                  FOO-INTERMEDIATE_CRT
+                  FOO-CA_CRT
+                key: |
+                  FOO-KEY
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: barbican-tls-public
+    type: kubernetes.io/tls
+    data:
+      tls.key: Rk9PLUtFWQo=
+      tls.crt: Rk9PLUNSVApGT08tSU5URVJNRURJQVRFX0NSVApGT08tQ0FfQ1JUCg==
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_ingress_tls" }}
+{{- $envAll := index . "envAll" }}
+{{- $endpoint := index . "endpoint" | default "public" }}
+{{- $backendServiceType := index . "backendServiceType" }}
+{{- $backendService := index . "backendService" | default "api" }}
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and $endpointHost.tls.key $endpointHost.tls.crt }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ index $envAll.Values.secrets.tls ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+type: kubernetes.io/tls
+data:
+  tls.key: {{ $endpointHost.tls.key | b64enc }}
+{{- if $endpointHost.tls.ca }}
+  tls.crt: {{ list $endpointHost.tls.crt $endpointHost.tls.ca | join "\n" | b64enc }}
+{{- else }}
+  tls.crt: {{ $endpointHost.tls.crt | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/manifests/_service-ingress.tpl b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
new file mode 100644
index 0000000..d2e7c0e
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
@@ -0,0 +1,43 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for a services ingress rules.
+# It can be used in charts dict created similar to the following:
+# {- $serviceIngressOpts := dict "envAll" . "backendServiceType" "key-manager" -}
+# { $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }
+
+{{- define "helm-toolkit.manifests.service_ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+  ports:
+    - name: http
+      port: 80
+    - name: https
+      port: 443
+  selector:
+    app: ingress-api
+{{- if index $envAll.Values.endpoints $backendServiceType }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" "ingress" }}
+  clusterIP: {{ (index $envAll.Values.endpoints $backendServiceType "ip" "ingress") }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
new file mode 100644
index 0000000..bf1465b
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_bucket" }}
+#!/bin/bash
+set -e
+CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST"
+if [ "$RGW_PROTO" = "http" ]; then
+  CONNECTION_ARGS+=" --no-ssl"
+else
+  CONNECTION_ARGS+=" --no-check-certificate"
+fi
+ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
+USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY"
+function check_rgw_s3_bucket () {
+  s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS ls s3://$S3_BUCKET
+}
+function create_rgw_s3_bucket () {
+  s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS mb s3://$S3_BUCKET
+}
+function modify_bucket_acl () {
+  s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME
+}
+check_rgw_s3_bucket || ( create_rgw_s3_bucket && modify_bucket_acl )
+{{- end }}
\ No newline at end of file
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
new file mode 100644
index 0000000..08796d2
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
@@ -0,0 +1,65 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_user" }}
+#!/bin/bash
+set -e
+function create_s3_user () {
+  echo "Creating s3 user and key pair"
+  radosgw-admin user create \
+    --uid=${S3_USERNAME} \
+    --display-name=${S3_USERNAME} \
+    --key-type=s3 \
+    --access-key ${S3_ACCESS_KEY} \
+    --secret-key ${S3_SECRET_KEY}
+}
+function update_s3_user () {
+  # Retrieve old access keys, if they exist
+  old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \
+    | jq -r '.keys[].access_key' || true)
+
+  if [[ ! -z ${old_access_keys} ]]; then
+    for access_key in $old_access_keys; do
+      # If current access key is the same as the key supplied, do nothing.
+      if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then
+        echo "Current user and key pair exists."
+        continue
+      else
+        # If keys differ, remove previous key
+        radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key
+      fi
+    done
+  fi
+
+  # Perform one more additional check to account for scenarios where multiple
+  # key pairs existed previously, but one existing key was the supplied key
+  current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \
+    | jq -r '.keys[].access_key' || true)
+
+  # If the supplied key does not exist, modify the user
+  if [[ -z ${current_access_key} ]]; then
+    # Modify user with new access and secret keys
+    echo "Updating existing user's key pair"
+    radosgw-admin user modify \
+      --uid=${S3_USERNAME}\
+      --access-key ${S3_ACCESS_KEY} \
+      --secret-key ${S3_SECRET_KEY}
+  fi
+}
+user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true)
+if [[ -z ${user_exists} ]]; then
+  create_s3_user
+else
+  update_s3_user
+fi
+{{- end }}
\ No newline at end of file
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
new file mode 100644
index 0000000..03884fa
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_drop" }}
+#!/usr/bin/env python
+
+# Drops db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+    import ConfigParser
+    PARSER_OPTS = {}
+except ImportError:
+    import configparser as ConfigParser
+    PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Drop')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+    db_connection = os.environ['ROOT_DB_CONNECTION']
+    logger.info('Got DB root connection')
+else:
+    logger.critical('environment variable ROOT_DB_CONNECTION not set')
+    sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+    ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+                        'key': '/etc/mysql/certs/tls.key',
+                        'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+    os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+    if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+        os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+        sys.exit(1)
+    if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+        os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+        sys.exit(1)
+    try:
+        config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+        logger.info("Using {0} as db config source".format(os_conf))
+        config.read(os_conf)
+        logger.info("Trying to load db config from {0}:{1}".format(
+            os_conf_section, os_conf_key))
+        user_db_conn = config.get(os_conf_section, os_conf_key)
+        logger.info("Got config from {0}".format(os_conf))
+    except:
+        logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+        raise
+elif "DB_CONNECTION" in os.environ:
+    user_db_conn = os.environ['DB_CONNECTION']
+    logger.info('Got config from DB_CONNECTION env var')
+else:
+    logger.critical('Could not get db config, either from config file or env var')
+    sys.exit(1)
+
+# Root DB engine
+try:
+    root_engine_full = create_engine(db_connection)
+    root_user = root_engine_full.url.username
+    root_password = root_engine_full.url.password
+    drivername = root_engine_full.url.drivername
+    host = root_engine_full.url.host
+    port = root_engine_full.url.port
+    root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+    root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+    connection = root_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+        host, port, root_user))
+except:
+    logger.critical('Could not connect to database as root user')
+    raise
+
+# User DB engine
+try:
+    user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+    # Get our user data out of the user_engine
+    database = user_engine.url.database
+    user = user_engine.url.username
+    password = user_engine.url.password
+    logger.info('Got user db config')
+except:
+    logger.critical('Could not get user database config')
+    raise
+
+# Delete DB
+try:
+    root_engine.execute("DROP DATABASE IF EXISTS {0}".format(database))
+    logger.info("Deleted database {0}".format(database))
+except:
+    logger.critical("Could not drop database {0}".format(database))
+    raise
+
+# Delete DB User
+try:
+    root_engine.execute("DROP USER IF EXISTS {0}".format(user))
+    logger.info("Deleted user {0}".format(user))
+except:
+    logger.critical("Could not delete user {0}".format(user))
+    raise
+
+logger.info('Finished DB Management')
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/scripts/_db-init.py.tpl b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
new file mode 100644
index 0000000..4294d40
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_init" }}
+#!/usr/bin/env python
+
+# Creates db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+    import ConfigParser
+    PARSER_OPTS = {}
+except ImportError:
+    import configparser as ConfigParser
+    PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Init')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+    db_connection = os.environ['ROOT_DB_CONNECTION']
+    logger.info('Got DB root connection')
+else:
+    logger.critical('environment variable ROOT_DB_CONNECTION not set')
+    sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+    ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+                'key': '/etc/mysql/certs/tls.key',
+                'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+    os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+    if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+        os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+        sys.exit(1)
+    if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+        os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+        sys.exit(1)
+    try:
+        config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+        logger.info("Using {0} as db config source".format(os_conf))
+        config.read(os_conf)
+        logger.info("Trying to load db config from {0}:{1}".format(
+            os_conf_section, os_conf_key))
+        user_db_conn = config.get(os_conf_section, os_conf_key)
+        logger.info("Got config from {0}".format(os_conf))
+    except:
+        logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+        raise
+elif "DB_CONNECTION" in os.environ:
+    user_db_conn = os.environ['DB_CONNECTION']
+    logger.info('Got config from DB_CONNECTION env var')
+else:
+    logger.critical('Could not get db config, either from config file or env var')
+    sys.exit(1)
+
+# Root DB engine
+try:
+    root_engine_full = create_engine(db_connection)
+    root_user = root_engine_full.url.username
+    root_password = root_engine_full.url.password
+    drivername = root_engine_full.url.drivername
+    host = root_engine_full.url.host
+    port = root_engine_full.url.port
+    root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+    root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+    connection = root_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+        host, port, root_user))
+except:
+    logger.critical('Could not connect to database as root user')
+    raise
+
+# User DB engine
+try:
+    user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+    # Get our user data out of the user_engine
+    database = user_engine.url.database
+    user = user_engine.url.username
+    password = user_engine.url.password
+    logger.info('Got user db config')
+except:
+    logger.critical('Could not get user database config')
+    raise
+
+# Create DB
+try:
+    root_engine.execute("CREATE DATABASE IF NOT EXISTS {0}".format(database))
+    logger.info("Created database {0}".format(database))
+except:
+    logger.critical("Could not create database {0}".format(database))
+    raise
+
+# Create DB User
+try:
+    root_engine.execute(
+        "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\' {3}".format(
+            database, user, password, mysql_x509))
+    logger.info("Created user {0} for {1}".format(user, database))
+except:
+    logger.critical("Could not create user {0} for {1}".format(user, database))
+    raise
+
+# Test connection
+try:
+    connection = user_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1}/{2} as {3}".format(
+        host, port, database, user))
+except:
+    logger.critical('Could not connect to database as user')
+    raise
+
+logger.info('Finished DB Management')
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
new file mode 100644
index 0000000..4d7dfaa
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
@@ -0,0 +1,69 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "helm-toolkit.scripts.pg_db_init" }}
+#!/bin/bash
+set -ex
+
+if [[ ! -v DB_HOST ]]; then
+    echo "environment variable DB_HOST not set"
+    exit 1
+elif [[ ! -v DB_ADMIN_USER ]]; then
+    echo "environment variable DB_ADMIN_USER not set"
+    exit 1
+elif [[ ! -v PGPASSWORD ]]; then
+    echo "environment variable PGPASSWORD not set"
+    exit 1
+elif [[ ! -v DB_PORT ]]; then
+    echo "environment variable DB_PORT not set"
+    exit 1
+elif [[ ! -v USER_DB_USER ]]; then
+    echo "environment variable USER_DB_USER not set"
+    exit 1
+elif [[ ! -v USER_DB_PASS ]]; then
+    echo "environment variable USER_DB_PASS not set"
+    exit 1
+elif [[ ! -v USER_DB_NAME ]]; then
+    echo "environment variable USER_DB_NAME not set"
+    exit 1
+else
+    echo "Got DB connection info"
+fi
+
+pgsql_superuser_cmd () {
+  DB_COMMAND="$1"
+  if [[ ! -z $2 ]]; then
+      EXPORT PGDATABASE=$2
+  fi
+  /usr/bin/psql \
+  -h ${DB_HOST} \
+  -p ${DB_PORT} \
+  -U ${DB_ADMIN_USER} \
+  --command="${DB_COMMAND}"
+}
+
+#create db
+pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q "(1 row)" || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME"
+
+#create db user
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | grep -q "(1 row)" || \
+    pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';"
+
+#Set password everytime. This is required for cases when we would want password rotation to take effect and set the updated password for a user.
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} with password '$USER_DB_PASS'"
+
+#give permissions to user
+pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;"
+
+#revoke all privileges from PUBLIC role
+pgsql_superuser_cmd "REVOKE ALL ON DATABASE $USER_DB_NAME FROM PUBLIC;"
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
new file mode 100644
index 0000000..e41abe3
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
@@ -0,0 +1,24 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.image_repo_sync" }}
+#!/bin/sh
+set -ex
+
+IFS=','; for IMAGE in ${IMAGE_SYNC_LIST}; do
+  docker pull ${IMAGE}
+  docker tag ${IMAGE} ${LOCAL_REPO}/${IMAGE}
+  docker push ${LOCAL_REPO}/${IMAGE}
+done
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
new file mode 100644
index 0000000..8755cd5
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
@@ -0,0 +1,72 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_domain_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Manage domain
+SERVICE_OS_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Service Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+    "${SERVICE_OS_DOMAIN_NAME}")
+
+# Display domain
+openstack domain show "${SERVICE_OS_DOMAIN_ID}"
+
+# Manage user
+SERVICE_OS_USERID=$(openstack user create --or-show --enable -f value -c id \
+    --domain="${SERVICE_OS_DOMAIN_ID}" \
+    --description "Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+    --password="${SERVICE_OS_PASSWORD}" \
+    "${SERVICE_OS_USERNAME}")
+
+# Manage user password (we do this to ensure the password is updated if required)
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${SERVICE_OS_USERID}"
+
+# Display user
+openstack user show "${SERVICE_OS_USERID}"
+
+# Manage role
+SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \
+    "${SERVICE_OS_ROLE}" || openstack role create -f value -c id \
+    "${SERVICE_OS_ROLE}" )
+
+# Manage user role assignment
+openstack role add \
+          --domain="${SERVICE_OS_DOMAIN_ID}" \
+          --user="${SERVICE_OS_USERID}" \
+          --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+          "${SERVICE_OS_ROLE_ID}"
+
+# Display user role assignment
+openstack role assignment list \
+          --role="${SERVICE_OS_ROLE_ID}" \
+          --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+          --user="${SERVICE_OS_USERID}"
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
new file mode 100644
index 0000000..e400bcd
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
@@ -0,0 +1,79 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_endpoints" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Get Service ID
+OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+                  grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+                    sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+# Get Endpoint ID if it exists
+OS_ENDPOINT_ID=$( openstack endpoint list  -f csv --quote none | \
+                  grep "^[a-z0-9]*,${OS_REGION_NAME},${OS_SERVICE_NAME},${OS_SERVICE_TYPE},True,${OS_SVC_ENDPOINT}," | \
+                  awk -F ',' '{ print $1 }' )
+
+# Making sure only a single endpoint exists for a service within a region
+if [ "$(echo $OS_ENDPOINT_ID | wc -w)" -gt "1" ]; then
+  echo "More than one endpoint found, cleaning up"
+  for ENDPOINT_ID in $OS_ENDPOINT_ID; do
+    openstack endpoint delete ${ENDPOINT_ID}
+  done
+  unset OS_ENDPOINT_ID
+fi
+
+# Determine if Endpoint needs updated
+if [[ ${OS_ENDPOINT_ID} ]]; then
+  OS_ENDPOINT_URL_CURRENT=$(openstack endpoint show ${OS_ENDPOINT_ID} -f value -c url)
+  if [ "${OS_ENDPOINT_URL_CURRENT}" == "${OS_SERVICE_ENDPOINT}" ]; then
+    echo "Endpoints Match: no action required"
+    OS_ENDPOINT_UPDATE="False"
+  else
+    echo "Endpoints Dont Match: removing existing entries"
+    openstack endpoint delete ${OS_ENDPOINT_ID}
+    OS_ENDPOINT_UPDATE="True"
+  fi
+else
+  OS_ENDPOINT_UPDATE="True"
+fi
+
+# Update Endpoint if required
+if [[ "${OS_ENDPOINT_UPDATE}" == "True" ]]; then
+  OS_ENDPOINT_ID=$( openstack endpoint create -f value -c id \
+    --region="${OS_REGION_NAME}" \
+    "${OS_SERVICE_ID}" \
+    ${OS_SVC_ENDPOINT} \
+    "${OS_SERVICE_ENDPOINT}" )
+fi
+
+# Display the Endpoint
+openstack endpoint show ${OS_ENDPOINT_ID}
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
new file mode 100644
index 0000000..8356b36
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_service" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Service boilerplate description
+OS_SERVICE_DESC="${OS_REGION_NAME}: ${OS_SERVICE_NAME} (${OS_SERVICE_TYPE}) service"
+
+# Get Service ID if it exists
+unset OS_SERVICE_ID
+
+# FIXME - There seems to be an issue once in a while where the
+# openstack service list fails and encounters an error message such as:
+#   Unable to establish connection to
+#   https://keystone-api.openstack.svc.cluster.local:5000/v3/auth/tokens:
+#   ('Connection aborted.', OSError("(104, 'ECONNRESET')",))
+# During an upgrade scenario, this would cause the OS_SERVICE_ID to be blank
+# and it would attempt to create a new service when it was not needed.
+# This duplciate service would sometimes be used by other services such as
+# Horizon and would give an 'Invalid Service Catalog' error.
+# This loop allows for a 'retry' of the openstack service list in an
+# attempt to get the service list as expected if it does ecounter an error.
+# This loop and recheck can be reverted once the underlying issue is addressed.
+
+# If OS_SERVICE_ID is blank then wait a few seconds to give it
+# additional time and try again
+for i in $(seq 3)
+do
+  OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+                   grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+                   sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+  # If the service was found, go ahead and exit successfully.
+  if [[ -n "${OS_SERVICE_ID}" ]]; then
+    exit 0
+  fi
+
+  sleep 2
+done
+
+# If we've reached this point and a Service ID was not found,
+# then create the service
+OS_SERVICE_ID=$(openstack service create -f value -c id \
+                --name="${OS_SERVICE_NAME}" \
+                --description "${OS_SERVICE_DESC}" \
+                --enable \
+                "${OS_SERVICE_TYPE}")
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
new file mode 100644
index 0000000..b45f798
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+shopt -s nocasematch
+
+if [[ "${SERVICE_OS_PROJECT_DOMAIN_NAME}" == "Default" ]]
+then
+  PROJECT_DOMAIN_ID="default"
+else
+  # Manage project domain
+  PROJECT_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
+    "${SERVICE_OS_PROJECT_DOMAIN_NAME}")
+fi
+
+if [[ "${SERVICE_OS_USER_DOMAIN_NAME}" == "Default" ]]
+then
+  USER_DOMAIN_ID="default"
+else
+  # Manage user domain
+  USER_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}" \
+    "${SERVICE_OS_USER_DOMAIN_NAME}")
+fi
+
+shopt -u nocasematch
+
+# Manage user project
+USER_PROJECT_DESC="Service Project for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+USER_PROJECT_ID=$(openstack project create --or-show --enable -f value -c id \
+    --domain="${PROJECT_DOMAIN_ID}" \
+    --description="${USER_PROJECT_DESC}" \
+    "${SERVICE_OS_PROJECT_NAME}");
+
+# Manage user
+USER_DESC="Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}/${SERVICE_OS_SERVICE_NAME}"
+USER_ID=$(openstack user create --or-show --enable -f value -c id \
+    --domain="${USER_DOMAIN_ID}" \
+    --project-domain="${PROJECT_DOMAIN_ID}" \
+    --project="${USER_PROJECT_ID}" \
+    --description="${USER_DESC}" \
+    "${SERVICE_OS_USERNAME}");
+
+# Manage user password (we do this in a seperate step to ensure the password is updated if required)
+set +x
+echo "Setting user password via: openstack user set --password=xxxxxxx ${USER_ID}"
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${USER_ID}"
+set -x
+
+function ks_assign_user_role () {
+  if [[ "$SERVICE_OS_ROLE" == "admin" ]]
+  then
+    USER_ROLE_ID="$SERVICE_OS_ROLE"
+  else
+    USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${SERVICE_OS_ROLE}");
+  fi
+
+  # Manage user role assignment
+  openstack role add \
+      --user="${USER_ID}" \
+      --user-domain="${USER_DOMAIN_ID}" \
+      --project-domain="${PROJECT_DOMAIN_ID}" \
+      --project="${USER_PROJECT_ID}" \
+      "${USER_ROLE_ID}"
+}
+
+# Manage user service role
+IFS=','
+for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
+  ks_assign_user_role
+done
+
+# Manage user member role
+: ${MEMBER_OS_ROLE:="member"}
+export USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
+    "${MEMBER_OS_ROLE}");
+ks_assign_user_role
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
new file mode 100644
index 0000000..3739f95
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rabbit_init" }}
+#!/bin/bash
+set -e
+# Extract connection details
+RABBIT_HOSTNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $1}')
+RABBIT_PORT=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $2}')
+
+# Extract Admin User creadential
+RABBITMQ_ADMIN_USERNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $4}')
+RABBITMQ_ADMIN_PASSWORD=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $5}')
+
+# Extract User creadential
+RABBITMQ_USERNAME=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $4}')
+RABBITMQ_PASSWORD=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $5}')
+
+# Extract User vHost
+RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $3}')
+# Resolve vHost to / if no value is set
+RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
+
+function rabbitmqadmin_cli () {
+  if [ -n "$RABBITMQ_X509" ]
+  then
+    rabbitmqadmin \
+      --ssl \
+      --ssl-disable-hostname-verification \
+      --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
+      --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
+      --ssl-key-file="${USER_CERT_PATH}/tls.key" \
+      --host="${RABBIT_HOSTNAME}" \
+      --port="${RABBIT_PORT}" \
+      --username="${RABBITMQ_ADMIN_USERNAME}" \
+      --password="${RABBITMQ_ADMIN_PASSWORD}" \
+      ${@}
+  else
+    rabbitmqadmin \
+      --host="${RABBIT_HOSTNAME}" \
+      --port="${RABBIT_PORT}" \
+      --username="${RABBITMQ_ADMIN_USERNAME}" \
+      --password="${RABBITMQ_ADMIN_PASSWORD}" \
+      ${@}
+  fi
+}
+
+echo "Managing: User: ${RABBITMQ_USERNAME}"
+rabbitmqadmin_cli \
+  declare user \
+  name="${RABBITMQ_USERNAME}" \
+  password="${RABBITMQ_PASSWORD}" \
+  tags="user"
+
+echo "Deleting Guest User"
+rabbitmqadmin_cli \
+  delete user \
+  name="guest" || true
+
+if [ "${RABBITMQ_VHOST}" != "/" ]
+then
+  echo "Managing: vHost: ${RABBITMQ_VHOST}"
+  rabbitmqadmin_cli \
+    declare vhost \
+    name="${RABBITMQ_VHOST}"
+else
+  echo "Skipping root vHost declaration: vHost: ${RABBITMQ_VHOST}"
+fi
+
+echo "Managing: Permissions: ${RABBITMQ_USERNAME} on ${RABBITMQ_VHOST}"
+rabbitmqadmin_cli \
+  declare permission \
+  vhost="${RABBITMQ_VHOST}" \
+  user="${RABBITMQ_USERNAME}" \
+  configure=".*" \
+  write=".*" \
+  read=".*"
+
+if [ ! -z "$RABBITMQ_AUXILIARY_CONFIGURATION" ]
+then
+  echo "Applying additional configuration"
+  echo "${RABBITMQ_AUXILIARY_CONFIGURATION}" > /tmp/rmq_definitions.json
+  rabbitmqadmin_cli import /tmp/rmq_definitions.json
+fi
+
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
new file mode 100644
index 0000000..c08d320
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
@@ -0,0 +1,88 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rally_test" -}}
+#!/bin/bash
+set -ex
+{{- $rallyTests := index . 0 }}
+
+: "${RALLY_ENV_NAME:="openstack-helm"}"
+: "${OS_INTERFACE:="public"}"
+: "${RALLY_CLEANUP:="true"}"
+
+if [ "x$RALLY_CLEANUP" == "xtrue" ]; then
+  function rally_cleanup {
+    openstack user delete \
+        --domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
+        "${SERVICE_OS_USERNAME}"
+{{ $rallyTests.clean_up | default "" | indent 4 }}
+  }
+  trap rally_cleanup EXIT
+fi
+
+function create_or_update_db () {
+  revisionResults=$(rally db revision)
+  if [ $revisionResults = "None"  ]
+  then
+    rally db create
+  else
+    rally db upgrade
+  fi
+}
+
+create_or_update_db
+
+cat > /tmp/rally-config.json << EOF
+{
+    "openstack": {
+        "auth_url": "${OS_AUTH_URL}",
+        "region_name": "${OS_REGION_NAME}",
+        "endpoint_type": "${OS_INTERFACE}",
+        "admin": {
+            "username": "${OS_USERNAME}",
+            "password": "${OS_PASSWORD}",
+            "user_domain_name": "${OS_USER_DOMAIN_NAME}",
+            "project_name": "${OS_PROJECT_NAME}",
+            "project_domain_name": "${OS_PROJECT_DOMAIN_NAME}"
+        },
+        "users": [
+            {
+                "username": "${SERVICE_OS_USERNAME}",
+                "password": "${SERVICE_OS_PASSWORD}",
+                "project_name": "${SERVICE_OS_PROJECT_NAME}",
+                "user_domain_name": "${SERVICE_OS_USER_DOMAIN_NAME}",
+                "project_domain_name": "${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+            }
+        ],
+        "https_insecure": false,
+        "https_cacert": "${OS_CACERT}"
+    }
+}
+EOF
+rally deployment create --file /tmp/rally-config.json --name "${RALLY_ENV_NAME}"
+rm -f /tmp/rally-config.json
+rally deployment use "${RALLY_ENV_NAME}"
+rally deployment check
+{{- if $rallyTests.run_tempest }}
+rally verify create-verifier --name "${RALLY_ENV_NAME}-tempest" --type tempest
+SERVICE_TYPE="$(rally deployment check | grep "${RALLY_ENV_NAME}" | awk -F \| '{print $3}' | tr -d ' ' | tr -d '\n')"
+rally verify start --pattern "tempest.api.${SERVICE_TYPE}*"
+rally verify delete-verifier --id "${RALLY_ENV_NAME}-tempest" --force
+{{- end }}
+rally task validate /etc/rally/rally_tests.yaml
+rally task start /etc/rally/rally_tests.yaml
+rally task sla-check
+rally env cleanup
+rally deployment destroy --deployment "${RALLY_ENV_NAME}"
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/openvswitch/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
new file mode 100644
index 0000000..687851e
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -0,0 +1,571 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.backup_main" }}
+#!/bin/bash
+
+# This file contains a database backup framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+#   source /tmp/backup_main.sh
+#
+# Then the script should call the main backup function (backup_databases):
+#   backup_databases [scope]
+#       [scope] is an optional parameter, defaulted to "all". If only one specific
+#               database is required to be backed up then this parameter will
+#               contain the name of the database; otherwise all are backed up.
+#
+#       The framework will require the following variables to be exported:
+#
+#         export DB_NAMESPACE          Namespace where the database(s) reside
+#         export DB_NAME               Name of the database system
+#         export LOCAL_DAYS_TO_KEEP    Number of days to keep the local backups
+#         export REMOTE_DAYS_TO_KEEP   Number of days to keep the remote backups
+#         export ARCHIVE_DIR           Local location where the backup tarballs should
+#                                      be stored. (full directory path)
+#         export BACK_UP_MODE          Determines the mode of backup taken.
+#         export REMOTE_BACKUP_ENABLED "true" if remote backup enabled; false
+#                                      otherwise
+#         export CONTAINER_NAME        Name of the container on the RGW to store
+#                                      the backup tarball.
+#         export STORAGE_POLICY        Name of the storage policy defined on the
+#                                      RGW which is intended to store backups.
+#         RGW access variables:
+#           export OS_REGION_NAME          Name of the region the RGW resides in
+#           export OS_AUTH_URL             Keystone URL associated with the RGW
+#           export OS_PROJECT_NAME         Name of the project associated with the
+#                                          keystone user
+#           export OS_USERNAME             Name of the keystone user
+#           export OS_PASSWORD             Password of the keystone user
+#           export OS_USER_DOMAIN_NAME     Keystone domain the project belongs to
+#           export OS_PROJECT_DOMAIN_NAME  Keystone domain the user belongs to
+#           export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+#           export REMOTE_BACKUP_RETRIES   Number of retries to send backup to remote
+#                                          in case of any temporary failures.
+#           export MIN_DELAY_SEND_REMOTE   Minimum seconds to delay before sending backup
+#                                          to remote to stagger backups being sent to RGW
+#           export MAX_DELAY_SEND_REMOTE   Maximum seconds to delay before sending backup
+#                                          to remote to stagger backups being sent to RGW.
+#                                          A random number between min and max delay is generated
+#                                          to set the delay.
+#
+# The database-specific functions that need to be implemented are:
+#   dump_databases_to_directory <directory> <err_logfile> [scope]
+#       where:
+#         <directory>   is the full directory path to dump the database files
+#                       into. This is a temporary directory for this backup only.
+#         <err_logfile> is the full directory path where error logs are to be
+#                       written by the application.
+#         [scope]       set to "all" if all databases are to be backed up; or
+#                       set to the name of a specific database to be backed up.
+#                       This optional parameter is defaulted to "all".
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to dump the database file(s) to the specified
+#       directory path. If this function completes successfully (returns 0), the
+#       framework will automatically tar/zip the files in that directory and
+#       name the tarball appropriately according to the proper conventions.
+#
+#   verify_databases_backup_archives [scope]
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to verify the database backup archives. If this function
+#        completes successfully (returns 0), the
+#       framework will automatically starts remote backup upload.
+#
+#
+# The functions in this file will take care of:
+#   1) Calling "dump_databases_to_directory" and then compressing the files,
+#      naming the tarball properly, and then storing it locally at the specified
+#      local directory.
+#   2) Sending the tarball built to the remote gateway, to be stored in the
+#      container configured to store database backups.
+#   3) Removing local backup tarballs which are older than the number of days
+#      specified by the "LOCAL_DAYS_TO_KEEP" variable.
+#   4) Removing remote backup tarballs (from the remote gateway) which are older
+#      than the number of days specified by the "REMOTE_DAYS_TO_KEEP" variable.
+#
+
+# Note: not using set -e in this script because more elaborate error handling
+# is needed.
+
+log_backup_error_exit() {
+  MSG=$1
+  ERRCODE=${2:-0}
+  log ERROR "${DB_NAME}_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+  rm -f $ERR_LOG_FILE
+  rm -rf $TMP_DIR
+  exit $ERRCODE
+}
+
+log_verify_backup_exit() {
+  MSG=$1
+  ERRCODE=${2:-0}
+  log ERROR "${DB_NAME}_verify_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+  rm -f $ERR_LOG_FILE
+  # rm -rf $TMP_DIR
+  exit $ERRCODE
+}
+
+
+log() {
+  #Log message to a file or stdout
+  #TODO: This can be convert into mail alert of alert send to a monitoring system
+  #Params: $1 log level
+  #Params: $2 service
+  #Params: $3 message
+  #Params: $4 Destination
+  LEVEL=$1
+  SERVICE=$2
+  MSG=$3
+  DEST=$4
+  DATE=$(date +"%m-%d-%y %H:%M:%S")
+  if [[ -z "$DEST" ]]; then
+    echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}"
+  else
+    echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}" >>$DEST
+  fi
+}
+
+# Generate a random number between MIN_DELAY_SEND_REMOTE and
+# MAX_DELAY_SEND_REMOTE
+random_number() {
+  diff=$((${MAX_DELAY_SEND_REMOTE} - ${MIN_DELAY_SEND_REMOTE} + 1))
+  echo $(($(( ${RANDOM} % ${diff} )) + ${MIN_DELAY_SEND_REMOTE} ))
+}
+
+#Get the day delta since the archive file backup
+seconds_difference() {
+  ARCHIVE_DATE=$( date --date="$1" +%s )
+  if [[ $? -ne 0 ]]; then
+    SECOND_DELTA=0
+  fi
+  CURRENT_DATE=$( date +%s )
+  SECOND_DELTA=$(($CURRENT_DATE-$ARCHIVE_DATE))
+  if [[ "$SECOND_DELTA" -lt 0 ]]; then
+    SECOND_DELTA=0
+  fi
+  echo $SECOND_DELTA
+}
+
+# Send the specified tarball file at the specified filepath to the
+# remote gateway.
+send_to_remote_server() {
+  FILEPATH=$1
+  FILE=$2
+
+  # Grab the list of containers on the remote site
+  RESULT=$(openstack container list 2>&1)
+
+  if [[ $? -eq 0 ]]; then
+    echo $RESULT | grep $CONTAINER_NAME
+    if [[ $? -ne 0 ]]; then
+      # Find the swift URL from the keystone endpoint list
+      SWIFT_URL=$(openstack catalog show object-store -c endpoints | grep public | awk '{print $4}')
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to get object-store enpoints from keystone catalog."
+        return 2
+      fi
+
+      # Get a token from keystone
+      TOKEN=$(openstack token issue -f value -c id)
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to get  keystone token."
+        return 2
+      fi
+
+      # Create the container
+      RES_FILE=$(mktemp -p /tmp)
+      curl -g -i -X PUT ${SWIFT_URL}/${CONTAINER_NAME} \
+           -H "X-Auth-Token: ${TOKEN}" \
+           -H "X-Storage-Policy: ${STORAGE_POLICY}" 2>&1 > $RES_FILE
+
+      if [[ $? -ne 0 || $(grep "HTTP" $RES_FILE | awk '{print $2}') -ge 400 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to create container ${CONTAINER_NAME}"
+        cat $RES_FILE
+        rm -f $RES_FILE
+        return 2
+      fi
+      rm -f $RES_FILE
+
+      swift stat $CONTAINER_NAME
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to retrieve container ${CONTAINER_NAME} details after creation."
+        return 2
+      fi
+    fi
+  else
+    echo $RESULT | grep -E "HTTP 401|HTTP 403"
+    if [[ $? -eq 0 ]]; then
+      log ERROR "${DB_NAME}_backup" "Access denied by keystone: ${RESULT}"
+      return 1
+    else
+      echo $RESULT | grep -E "ConnectionError|Failed to discover available identity versions|Service Unavailable|HTTP 50"
+      if [[ $? -eq 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Could not reach the RGW: ${RESULT}"
+        # In this case, keystone or the site/node may be temporarily down.
+        # Return slightly different error code so the calling code can retry
+        return 2
+      else
+        log ERROR "${DB_NAME}_backup" "Could not get container list: ${RESULT}"
+        return 1
+      fi
+    fi
+  fi
+
+  # Create an object to store the file
+  openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
+    return 2
+  fi
+
+  openstack object show $CONTAINER_NAME $FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
+    return 2
+  fi
+
+  # Calculation remote file SHA256 hash
+  REMOTE_FILE=$(mktemp -p /tmp)
+  openstack object save --file ${REMOTE_FILE} $CONTAINER_NAME $FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Unable to save container object $FILE for SHA256 hash verification."
+    rm -rf ${REMOTE_FILE}
+    return 1
+  fi
+
+  # Remote backup verification
+  SHA256_REMOTE=$(cat ${REMOTE_FILE} | sha256sum | awk '{print $1}')
+  SHA256_LOCAL=$(cat ${FILEPATH}/${FILE} | sha256sum | awk '{print $1}')
+  log INFO "${DB_NAME}_backup" "Calculated SHA256 hashes for the file $FILE in container $CONTAINER_NAME."
+  log INFO "${DB_NAME}_backup" "Local SHA256 hash is ${SHA256_LOCAL}."
+  log INFO "${DB_NAME}_backup" "Remote SHA256 hash is ${SHA256_REMOTE}."
+  if [[ "${SHA256_LOCAL}" == "${SHA256_REMOTE}" ]]; then
+      log INFO "${DB_NAME}_backup" "The local backup & remote backup SHA256 hash values are matching for file $FILE in container $CONTAINER_NAME."
+  else
+      log ERROR "${DB_NAME}_backup" "Mismatch between the local backup & remote backup sha256 hash values"
+      return 1
+  fi
+  rm -rf ${REMOTE_FILE}
+
+  log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
+  return 0
+}
+
+# This function attempts to store the built tarball to the remote gateway,
+# with built-in logic to handle error cases like:
+#   1) Network connectivity issues - retries for a specific amount of time
+#   2) Authorization errors - immediately logs an ERROR and returns
+store_backup_remotely() {
+  FILEPATH=$1
+  FILE=$2
+
+  count=1
+  while [[ ${count} -le ${REMOTE_BACKUP_RETRIES} ]]; do
+    # Store the new archive to the remote backup storage facility.
+    send_to_remote_server $FILEPATH $FILE
+    SEND_RESULT="$?"
+
+    # Check if successful
+    if [[ $SEND_RESULT -eq 0 ]]; then
+      log INFO "${DB_NAME}_backup" "Backup file ${FILE} successfully sent to RGW."
+      return 0
+    elif [[ $SEND_RESULT -eq 2 ]]; then
+      if [[ ${count} -ge ${REMOTE_BACKUP_RETRIES} ]]; then
+        log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW in " \
+        "${REMOTE_BACKUP_RETRIES} retries. Errors encountered. Exiting."
+        break
+      fi
+      # Temporary failure occurred. We need to retry
+      log WARN "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to RGW due to connection issue."
+      sleep_time=$(random_number)
+      log INFO "${DB_NAME}_backup" "Sleeping ${sleep_time} seconds waiting for RGW to become available..."
+      sleep ${sleep_time}
+      log INFO "${DB_NAME}_backup" "Retrying..."
+    else
+      log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW. Errors encountered. Exiting."
+      break
+    fi
+
+    # Increment the counter
+    count=$((count+1))
+  done
+
+  return 1
+}
+
+
+function get_archive_date(){
+# get_archive_date function returns correct archive date
+# for different formats of archives' names
+# the old one: <database name>.<namespace>.<table name | all>.<date-time>.tar.gz
+# the new one: <database name>.<namespace>.<table name | all>.<backup mode>.<date-time>.tar.gz
+  local A_FILE="$1"
+  awk -F. '{print $(NF-2)}' <<< ${A_FILE} | tr -d "Z"
+}
+
+# This function takes a list of archives' names as an input
+# and creates a hash table where keys are number of seconds
+# between current date and archive date (see seconds_difference),
+# and values are space separated archives' names
+#
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 1265342678 | "tmp/mysql.backup.auto.2022-02-14T10:13:13Z.tar.gz"                                                     |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 2346254257 | "tmp/mysql.backup.auto.2022-02-11T10:13:13Z.tar.gz tmp/mysql.backup.manual.2022-02-11T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# <...>
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 6253434567 | "tmp/mysql.backup.manual.2022-02-01T10:13:13Z.tar.gz"                                                   |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# We will use the explained above data stracture to cover rare, but still
+# possible case, when we have several backups of the same date. E.g.
+# one manual, and one automatic.
+
+declare -A fileTable
+create_hash_table() {
+unset fileTable
+fileList=$@
+  for ARCHIVE_FILE in ${fileList}; do
+    # Creating index, we will round given ARCHIVE_DATE to the midnight (00:00:00)
+    # to take in account a possibility, that we can have more than one scheduled
+    # backup per day.
+    ARCHIVE_DATE=$(get_archive_date ${ARCHIVE_FILE})
+    ARCHIVE_DATE=$(date --date=${ARCHIVE_DATE} +%D)
+    log INFO "${DB_NAME}_backup" "Archive date to build index: ${ARCHIVE_DATE}"
+    INDEX=$(seconds_difference ${ARCHIVE_DATE})
+    if [[ -z fileTable[${INDEX}] ]]; then
+      fileTable[${INDEX}]=${ARCHIVE_FILE}
+    else
+      fileTable[${INDEX}]="${fileTable[${INDEX}]} ${ARCHIVE_FILE}"
+    fi
+    echo "INDEX: ${INDEX} VALUE:  ${fileTable[${INDEX}]}"
+ done
+}
+
+function get_backup_prefix() {
+# Create list of all possible prefixes in a format:
+# <db_name>.<namespace> to cover a possible situation
+# when different backups of different databases and/or
+# namespaces share the same local or remote storage.
+  ALL_FILES=($@)
+  PREFIXES=()
+  for fname in ${ALL_FILES[@]}; do
+    prefix=$(basename ${fname} | cut -d'.' -f1,2 )
+    for ((i=0; i<${#PREFIXES[@]}; i++)) do
+      if [[ ${PREFIXES[${i}]} == ${prefix} ]]; then
+        prefix=""
+        break
+      fi
+    done
+    if [[ ! -z ${prefix} ]]; then
+        PREFIXES+=(${prefix})
+    fi
+  done
+}
+
+remove_old_local_archives() {
+  SECONDS_TO_KEEP=$(( $((${LOCAL_DAYS_TO_KEEP}))*86400))
+  log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+  if [[ -d $ARCHIVE_DIR ]]; then
+    count=0
+    # We iterate over the hash table, checking the delta in seconds (hash keys),
+    # and minimum number of backups we must have in place. List of keys has to be sorted.
+    for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+      ARCHIVE_FILE=${fileTable[${INDEX}]}
+      if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
+        ((count++))
+        log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
+      else
+        log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
+          rm -f ${ARCHIVE_FILE}
+          if [[ $? -ne 0 ]]; then
+            # Log error but don't exit so we can finish the script
+            # because at this point we haven't sent backup to RGW yet
+            log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
+          fi
+      fi
+    done
+  else
+    log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
+  fi
+}
+
+prepare_list_of_remote_backups() {
+  BACKUP_FILES=$(mktemp -p /tmp)
+  DB_BACKUP_FILES=$(mktemp -p /tmp)
+  openstack object list $CONTAINER_NAME > $BACKUP_FILES
+  if [[ $? -ne 0 ]]; then
+    log_backup_error_exit \
+      "Failed to cleanup remote backup. Could not obtain a list of current backup files in the RGW"
+  fi
+  # Filter out other types of backup files
+  cat $BACKUP_FILES | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $DB_BACKUP_FILES
+}
+
+# The logic implemented with this function is absolutely similar
+# to the function remove_old_local_archives (see above)
+remove_old_remote_archives() {
+  count=0
+  SECONDS_TO_KEEP=$((${REMOTE_DAYS_TO_KEEP}*86400))
+  log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+  for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+    ARCHIVE_FILE=${fileTable[${INDEX}]}
+    if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then
+      ((count++))
+      log INFO "${DB_NAME}_backup" "Keeping remote backup(s) ${ARCHIVE_FILE}."
+    else
+      log INFO "${DB_NAME}_backup" "Deleting remote backup(s) ${ARCHIVE_FILE} from the RGW"
+      openstack object delete ${CONTAINER_NAME} ${ARCHIVE_FILE} ||  log WARN "${DB_NAME}_backup" \
+        "Failed to cleanup remote backup. Cannot delete container object ${ARCHIVE_FILE}"
+    fi
+  done
+
+  # Cleanup now that we're done.
+  for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
+    if [[ -f ${fd} ]]; then
+      rm -f ${fd}
+    else
+      log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+    fi
+  done
+}
+
+# Main function to backup the databases. Calling functions need to supply:
+#  1) The directory where the final backup will be kept after it is compressed.
+#  2) A temporary directory to use for placing database files to be compressed.
+#     Note: this temp directory will be deleted after backup is done.
+#  3) Optional "scope" parameter indicating what database to back up. Defaults
+#     to "all".
+backup_databases() {
+  SCOPE=${1:-"all"}
+
+  # Create necessary directories if they do not exist.
+  mkdir -p $ARCHIVE_DIR || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create directory ${ARCHIVE_DIR}!"
+  export TMP_DIR=$(mktemp -d) || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create temp directory!"
+
+  # Create temporary log file
+  export ERR_LOG_FILE=$(mktemp -p /tmp) || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create log file!"
+
+  # It is expected that this function will dump the database files to the $TMP_DIR
+  dump_databases_to_directory $TMP_DIR $ERR_LOG_FILE $SCOPE
+
+  # If successful, there should be at least one file in the TMP_DIR
+  if [[ $? -ne 0 || $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+    cat $ERR_LOG_FILE
+    log_backup_error_exit "Backup of the ${DB_NAME} database failed and needs attention."
+  fi
+
+  log INFO "${DB_NAME}_backup" "Databases dumped successfully. Creating tarball..."
+
+  NOW=$(date +"%Y-%m-%dT%H:%M:%SZ")
+  if [[ -z "${BACK_UP_MODE}" ]]; then
+    TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${NOW}.tar.gz"
+  else
+    TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${BACK_UP_MODE}.${NOW}.tar.gz"
+  fi
+
+  cd $TMP_DIR || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot change to directory $TMP_DIR"
+
+  #Archive the current database files
+  tar zcvf $ARCHIVE_DIR/$TARBALL_FILE *
+  if [[ $? -ne 0 ]]; then
+    log_backup_error_exit \
+      "Backup ${DB_NAME} to local file system failed. Backup tarball could not be created."
+  fi
+
+  # Get the size of the file
+  ARCHIVE_SIZE=$(ls -l $ARCHIVE_DIR/$TARBALL_FILE | awk '{print $5}')
+
+  log INFO "${DB_NAME}_backup" "Tarball $TARBALL_FILE created successfully."
+
+  cd $ARCHIVE_DIR
+
+  #Only delete the old archive after a successful archive
+  export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
+  if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
+    get_backup_prefix $(ls -1 ${ARCHIVE_DIR}/*.gz)
+    for ((i=0; i<${#PREFIXES[@]}; i++)); do
+      echo "Working with prefix: ${PREFIXES[i]}"
+      create_hash_table $(ls -1 ${ARCHIVE_DIR}/${PREFIXES[i]}*.gz)
+      remove_old_local_archives
+    done
+  fi
+
+  # Local backup verification process
+
+  # It is expected that this function will verify the database backup files
+  if verify_databases_backup_archives ${SCOPE}; then
+    log INFO "${DB_NAME}_backup_verify" "Databases backup verified successfully. Uploading verified backups to remote location..."
+  else
+    # If successful, there should be at least one file in the TMP_DIR
+    if [[ $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+      cat $ERR_LOG_FILE
+    fi
+    log_verify_backup_exit "Verify of the ${DB_NAME} database backup failed and needs attention."
+    exit 1
+  fi
+
+  # Remove the temporary directory and files as they are no longer needed.
+  rm -rf $TMP_DIR
+  rm -f $ERR_LOG_FILE
+
+  # Remote backup
+  REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
+  if $REMOTE_BACKUP; then
+    # Remove Quotes from the constants which were added due to reading
+    # from secret.
+    export REMOTE_BACKUP_RETRIES=$(echo $REMOTE_BACKUP_RETRIES | sed 's/"//g')
+    export MIN_DELAY_SEND_REMOTE=$(echo $MIN_DELAY_SEND_REMOTE | sed 's/"//g')
+    export MAX_DELAY_SEND_REMOTE=$(echo $MAX_DELAY_SEND_REMOTE | sed 's/"//g')
+    export REMOTE_DAYS_TO_KEEP=$(echo $REMOTE_DAYS_TO_KEEP | sed 's/"//g')
+
+    store_backup_remotely $ARCHIVE_DIR $TARBALL_FILE
+    if [[ $? -ne 0 ]]; then
+      # This error should print first, then print the summary as the last
+      # thing that the user sees in the output.
+      log ERROR "${DB_NAME}_backup" "Backup ${TARBALL_FILE} could not be sent to remote RGW."
+      echo "=================================================================="
+      echo "Local backup successful, but could not send to remote RGW."
+      echo "Backup archive name: $TARBALL_FILE"
+      echo "Backup archive size: $ARCHIVE_SIZE"
+      echo "=================================================================="
+      # Because the local backup was successful, exit with 0 so the pod will not
+      # continue to restart and fill the disk with more backups. The ERRORs are
+      # logged and alerting system should catch those errors and flag the operator.
+      exit 0
+    fi
+
+    #Only delete the old archive after a successful archive
+    if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then
+      prepare_list_of_remote_backups
+      get_backup_prefix $(cat $DB_BACKUP_FILES)
+      for ((i=0; i<${#PREFIXES[@]}; i++)); do
+        echo "Working with prefix: ${PREFIXES[i]}"
+        create_hash_table $(cat ${DB_BACKUP_FILES} | grep ${PREFIXES[i]})
+        remove_old_remote_archives
+      done
+    fi
+
+    echo "=================================================================="
+    echo "Local backup and backup to remote RGW successful!"
+    echo "Backup archive name: $TARBALL_FILE"
+    echo "Backup archive size: $ARCHIVE_SIZE"
+    echo "=================================================================="
+  else
+    # Remote backup is not enabled. This is ok; at least we have a local backup.
+    log INFO "${DB_NAME}_backup" "Skipping remote backup, as it is not enabled."
+
+    echo "=================================================================="
+    echo "Local backup successful!"
+    echo "Backup archive name: $TARBALL_FILE"
+    echo "Backup archive size: $ARCHIVE_SIZE"
+    echo "=================================================================="
+  fi
+}
+{{- end }}
\ No newline at end of file
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl b/charts/openvswitch/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
new file mode 100644
index 0000000..093dd2c
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
@@ -0,0 +1,616 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.restore_main" }}
+#!/bin/bash
+
+# This file contains a database restore framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+#   source /tmp/restore_main.sh
+#
+# Then the script should call the main CLI function (cli_main):
+#   cli_main <arg_list>
+#       where:
+#         <arg_list>    is the list of arguments given by the user
+#
+#       The framework will require the following variables to be exported:
+#
+#         export DB_NAMESPACE        Namespace where the database(s) reside
+#         export DB_NAME             Name of the database system
+#         export ARCHIVE_DIR         Location where the backup tarballs should
+#                                    be stored. (full directory path which
+#                                    should already exist)
+#         export CONTAINER_NAME      Name of the container on the RGW where
+#                                    the backups are stored.
+#         RGW access variables:
+#           export OS_REGION_NAME          Name of the region the RGW resides in
+#           export OS_AUTH_URL             Keystone URL associated with the RGW
+#           export OS_PROJECT_NAME         Name of the project associated with the
+#                                          keystone user
+#           export OS_USERNAME             Name of the keystone user
+#           export OS_PASSWORD             Password of the keystone user
+#           export OS_USER_DOMAIN_NAME     Keystone domain the project belongs to
+#           export OS_PROJECT_DOMAIN_NAME  Keystone domain the user belongs to
+#           export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# The database-specific functions that need to be implemented are:
+#   get_databases
+#       where:
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <db_file>     is the full path of the file to write the database
+#                       names into, one database per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the database names from the
+#       uncompressed database files found in the given "tmp_dir", which is
+#       the staging directory for database restore. The database names
+#       should be written to the given "db_file", one database name per
+#       line.
+#
+#   get_tables
+#         <db_name>     is the name of the database to get the tables from
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <table_file>  is the full path of the file to write the table
+#                       names into, one table per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the table names from the given
+#       database, found in the uncompressed database files located in the
+#       given "tmp_dir", which is the staging directory for database restore.
+#       The table names should be written to the given "table_file", one
+#       table name per line.
+#
+#   get_rows
+#         <table_name>  is the name of the table to get the rows from
+#         <db_name>     is the name of the database the table resides in
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <rows_file>   is the full path of the file to write the table
+#                       row data into, one row (INSERT statement) per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the rows from the given table
+#       in the given database, found in the uncompressed database files
+#       located in the given "tmp_dir", which is the staging directory for
+#       database restore. The table rows should be written to the given
+#       "rows_file", one row (INSERT statement) per line.
+#
+#   get_schema
+#         <table_name>  is the name of the table to get the schema from
+#         <db_name>     is the name of the database the table resides in
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <schema_file> is the full path of the file to write the table
+#                       schema data into
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the schema from the given table
+#       in the given database, found in the uncompressed database files
+#       located in the given "tmp_dir", which is the staging directory for
+#       database restore. The table schema and related alterations and
+#       grant information should be written to the given "schema_file".
+#
+#   restore_single_db
+#       where:
+#         <db_name>     is the name of the database to be restored
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to restore the database given as "db_name"
+#       using the database files located in the "tmp_dir". The framework
+#       will delete the "tmp_dir" and the files in it after the restore is
+#       complete.
+#
+#   restore_all_dbs
+#       where:
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to restore all of the databases which
+#       are backed up in the database files located in the "tmp_dir". The
+#       framework will delete the "tmp_dir" and the files in it after the
+#       restore is complete.
+#
+# The functions in this file will take care of:
+#   1) The CLI parameter parsing for the arguments passed in by the user.
+#   2) The listing of either local or remote archive files at the request
+#      of the user.
+#   3) The retrieval/download of an archive file located either in the local
+#      file system or remotely stored on an RGW.
+#   4) Calling either "restore_single_db" or "restore_all_dbs" when the user
+#      chooses to restore a database or all databases.
+#   5) The framework will call "get_databases" when it needs a list of
+#      databases when the user requests a database list or when the user
+#      requests to restore a single database (to ensure it exists in the
+#      archive). Similarly, the framework will call "get_tables", "get_rows",
+#      or "get_schema" when it needs that data requested by the user.
+#
+
+usage() {
+  ret_val=$1
+  echo "Usage:"
+  echo "Restore command options"
+  echo "============================="
+  echo "help"
+  echo "list_archives [remote]"
+  echo "list_databases <archive_filename> [remote]"
+  echo "list_tables <archive_filename> <dbname> [remote]"
+  echo "list_rows <archive_filename> <dbname> <table_name> [remote]"
+  echo "list_schema <archive_filename> <dbname> <table_name> [remote]"
+  echo "restore <archive_filename> <db_specifier> [remote]"
+  echo "        where <db_specifier> = <dbname> | ALL"
+  echo "delete_archive <archive_filename> [remote]"
+  clean_and_exit $ret_val ""
+}
+
+#Exit cleanly with some message and return code
+clean_and_exit() {
+  RETCODE=$1
+  MSG=$2
+
+  # Clean/remove temporary directories/files
+  rm -rf $TMP_DIR
+  rm -f $RESULT_FILE
+
+  if [[ "x${MSG}" != "x" ]]; then
+    echo $MSG
+  fi
+  exit $RETCODE
+}
+
+determine_resulting_error_code() {
+  RESULT="$1"
+
+  echo ${RESULT} | grep "HTTP 404"
+  if [[ $? -eq 0 ]]; then
+    echo "Could not find the archive: ${RESULT}"
+    return 1
+  else
+    echo ${RESULT} | grep "HTTP 401"
+    if [[ $? -eq 0 ]]; then
+      echo "Could not access the archive: ${RESULT}"
+      return 1
+    else
+      echo ${RESULT} | grep "HTTP 503"
+      if [[ $? -eq 0 ]]; then
+        echo "RGW service is unavailable. ${RESULT}"
+        # In this case, the RGW may be temporarily down.
+        # Return slightly different error code so the calling code can retry
+        return 2
+      else
+        echo ${RESULT} | grep "ConnectionError"
+        if [[ $? -eq 0 ]]; then
+          echo "Could not reach the RGW: ${RESULT}"
+          # In this case, keystone or the site/node may be temporarily down.
+          # Return slightly different error code so the calling code can retry
+          return 2
+        else
+          echo "Archive ${ARCHIVE} could not be retrieved: ${RESULT}"
+          return 1
+        fi
+      fi
+    fi
+  fi
+  return 0
+}
+
+# Retrieve a list of archives from the RGW.
+retrieve_remote_listing() {
+  RESULT=$(openstack container show $CONTAINER_NAME 2>&1)
+  if [[ $? -eq 0 ]]; then
+    # Get the list, ensureing that we only pick up the right kind of backups from the
+    # requested namespace
+    openstack object list $CONTAINER_NAME | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $TMP_DIR/archive_list
+    if [[ $? -ne 0 ]]; then
+      echo "Container object listing could not be obtained."
+      return 1
+    else
+      echo "Archive listing successfully retrieved."
+    fi
+  else
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  fi
+  return 0
+}
+
+# Retrieve a single archive from the RGW.
+retrieve_remote_archive() {
+  ARCHIVE=$1
+
+  RESULT=$(openstack object save --file $TMP_DIR/$ARCHIVE $CONTAINER_NAME $ARCHIVE 2>&1)
+  if [[ $? -ne 0 ]]; then
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  else
+    echo "Archive $ARCHIVE successfully retrieved."
+  fi
+  return 0
+}
+
+# Delete an archive from the RGW.
+delete_remote_archive() {
+  ARCHIVE=$1
+
+  RESULT=$(openstack object delete ${CONTAINER_NAME} ${ARCHIVE} 2>&1)
+  if [[ $? -ne 0 ]]; then
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  else
+    echo "Archive ${ARCHIVE} successfully deleted."
+  fi
+  return 0
+}
+
+# Display all archives
+list_archives() {
+  REMOTE=$1
+
+  if [[ "x${REMOTE^^}" == "xREMOTE" ]]; then
+    retrieve_remote_listing
+    if [[ $? -eq 0 && -e $TMP_DIR/archive_list ]]; then
+      echo
+      echo "All Archives from RGW Data Store"
+      echo "=============================================="
+      cat $TMP_DIR/archive_list | sort
+      clean_and_exit 0 ""
+    else
+      clean_and_exit 1 "ERROR: Archives could not be retrieved from the RGW."
+    fi
+  elif [[ "x${REMOTE}" == "x" ]]; then
+    if [[ -d $ARCHIVE_DIR ]]; then
+      archives=$(find $ARCHIVE_DIR/ -iname "*.gz" -print | sort)
+      echo
+      echo "All Local Archives"
+      echo "=============================================="
+      for archive in $archives
+      do
+        echo $archive | cut -d '/' -f8-
+      done
+      clean_and_exit 0 ""
+    else
+      clean_and_exit 1 "ERROR: Local archive directory is not available."
+    fi
+  else
+    usage 1
+  fi
+}
+
+# Retrieve the archive from the desired location and decompress it into
+# the restore directory
+get_archive() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+
+  if [[ "x$REMOTE" == "xremote" ]]; then
+    echo "Retrieving archive ${ARCHIVE_FILE} from the remote RGW..."
+    retrieve_remote_archive $ARCHIVE_FILE
+    if [[ $? -ne 0 ]]; then
+      clean_and_exit 1 "ERROR: Could not retrieve remote archive: $ARCHIVE_FILE"
+    fi
+  elif [[ "x$REMOTE" == "x" ]]; then
+    if [[ -e $ARCHIVE_DIR/$ARCHIVE_FILE ]]; then
+      cp $ARCHIVE_DIR/$ARCHIVE_FILE $TMP_DIR/$ARCHIVE_FILE
+      if [[ $? -ne 0 ]]; then
+        clean_and_exit 1 "ERROR: Could not copy local archive to restore directory."
+      fi
+    else
+      clean_and_exit 1 "ERROR: Local archive file could not be found."
+    fi
+  else
+    usage 1
+  fi
+
+  echo "Decompressing archive $ARCHIVE_FILE..."
+  cd $TMP_DIR
+  tar zxvf - < $TMP_DIR/$ARCHIVE_FILE 1>/dev/null
+  if [[ $? -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Archive decompression failed."
+  fi
+}
+
+# Display all databases from an archive
+list_databases() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one database per line
+  get_databases $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve databases from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Databases in the $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Databases file missing. Could not list databases from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display all tables of a database from an archive
+list_tables() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  REMOTE=$3
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one table per line
+  get_tables $DATABASE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve tables for database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Tables in database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Tables file missing. Could not list tables of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display all rows of the given database table from an archive
+list_rows() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  TABLE=$3
+  REMOTE=$4
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one table per line
+  get_rows $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Rows in table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Rows file missing. Could not list rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display the schema information of the given database table from an archive
+list_schema() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  TABLE=$3
+  REMOTE=$4
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the schema information will be placed into
+  # the given schema file.
+  get_schema $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Schema for table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Schema file missing. Could not list schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Delete an archive
+delete_archive() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  if [[ "${WHERE}" == "remote" ]]; then
+    delete_remote_archive ${ARCHIVE_FILE}
+    if [[ $? -ne 0 ]]; then
+      clean_and_exit 1 "ERROR: Could not delete remote archive: ${ARCHIVE_FILE}"
+    fi
+  else # Local
+    if [[ -e ${ARCHIVE_DIR}/${ARCHIVE_FILE} ]]; then
+      rm -f ${ARCHIVE_DIR}/${ARCHIVE_FILE}
+      if [[ $? -ne 0 ]]; then
+        clean_and_exit 1 "ERROR: Could not delete local archive."
+      fi
+    else
+      clean_and_exit 1 "ERROR: Local archive file could not be found."
+    fi
+  fi
+
+  echo "Successfully deleted archive ${ARCHIVE_FILE} from ${WHERE} storage."
+}
+
+
+# Return 1 if the given database exists in the database file. 0 otherwise.
+database_exists() {
+  DB=$1
+
+  grep "${DB}" ${RESULT_FILE}
+  if [[ $? -eq 0 ]]; then
+    return 1
+  fi
+  return 0
+}
+
+# This is the main CLI interpreter function
+cli_main() {
+  ARGS=("$@")
+
+  # Create the ARCHIVE DIR if it's not already there.
+  mkdir -p $ARCHIVE_DIR
+
+  # Create temp directory for a staging area to decompress files into
+  export TMP_DIR=$(mktemp -d)
+
+  # Create a temp file for storing list of databases (if needed)
+  export RESULT_FILE=$(mktemp -p /tmp)
+
+  case "${ARGS[0]}" in
+    "help")
+      usage 0
+      ;;
+
+    "list_archives")
+      if [[ ${#ARGS[@]} -gt 2 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 1 ]]; then
+        list_archives
+      else
+        list_archives ${ARGS[1]}
+      fi
+      clean_and_exit 0
+      ;;
+
+    "list_databases")
+      if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 2 ]]; then
+        list_databases ${ARGS[1]}
+      else
+        list_databases ${ARGS[1]} ${ARGS[2]}
+      fi
+      ;;
+
+    "list_tables")
+      if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 3 ]]; then
+        list_tables ${ARGS[1]} ${ARGS[2]}
+      else
+        list_tables ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      fi
+      ;;
+
+    "list_rows")
+      if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      else
+        list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+      fi
+      ;;
+
+    "list_schema")
+      if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      else
+        list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+      fi
+      ;;
+
+    "restore")
+      REMOTE=""
+      if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        REMOTE=${ARGS[3]}
+      fi
+
+      ARCHIVE=${ARGS[1]}
+      DB_SPEC=${ARGS[2]}
+
+      #Get all the databases in that archive
+      get_archive $ARCHIVE $REMOTE
+
+      if [[ "$( echo $DB_SPEC | tr '[a-z]' '[A-Z]')" != "ALL" ]]; then
+        # Expectation is that the database listing will be put into
+        # the given file one database per line
+        get_databases $TMP_DIR $RESULT_FILE
+        if [[ "$?" -ne 0 ]]; then
+          clean_and_exit 1 "ERROR: Could not get the list of databases to restore."
+        fi
+
+        if [[ ! $DB_NAMESPACE == "kube-system" ]]; then
+          #check if the requested database is available in the archive
+          database_exists $DB_SPEC
+          if [[ $? -ne 1 ]]; then
+            clean_and_exit 1 "ERROR: Database ${DB_SPEC} does not exist."
+          fi
+        fi
+
+        echo "Restoring Database $DB_SPEC And Grants"
+        restore_single_db $DB_SPEC $TMP_DIR
+        if [[ "$?" -eq 0 ]]; then
+          echo "Single database restored successfully."
+        else
+          clean_and_exit 1 "ERROR: Single database restore failed."
+        fi
+        clean_and_exit 0 ""
+      else
+        echo "Restoring All The Databases. This could take a few minutes..."
+        restore_all_dbs $TMP_DIR
+        if [[ "$?" -eq 0 ]]; then
+          echo "All databases restored successfully."
+        else
+          clean_and_exit 1 "ERROR: Database restore failed."
+        fi
+        clean_and_exit 0 ""
+      fi
+      ;;
+    "delete_archive")
+      if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 2 ]]; then
+        delete_archive ${ARGS[1]}
+      else
+        delete_archive ${ARGS[1]} ${ARGS[2]}
+      fi
+      ;;
+    *)
+      usage 1
+      ;;
+  esac
+
+  clean_and_exit 0 ""
+}
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_image.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_image.tpl
new file mode 100644
index 0000000..029c93d
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_image.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves an image reference to a string, and its pull policy
+values: |
+  images:
+    tags:
+      test_image: docker.io/port/test:version-foo
+      image_foo: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    pull_policy: IfNotPresent
+    local_registry:
+      active: true
+      exclude:
+        - image_foo
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    local_image_registry:
+      name: docker-registry
+      namespace: docker-registry
+      hosts:
+        default: localhost
+        internal: docker-registry
+        node: localhost
+      host_fqdn_override:
+        default: null
+      port:
+        registry:
+          node: 5000
+usage: |
+  {{ tuple . "test_image" | include "helm-toolkit.snippets.image" }}
+return: |
+  image: "localhost:5000/docker.io/port/test:version-foo"
+  imagePullPolicy: IfNotPresent
+*/}}
+
+{{- define "helm-toolkit.snippets.image" -}}
+{{- $envAll := index . 0 -}}
+{{- $image := index . 1 -}}
+{{- $imageTag := index $envAll.Values.images.tags $image -}}
+{{- if and ($envAll.Values.images.local_registry.active) (not (has $image $envAll.Values.images.local_registry.exclude )) -}}
+{{- $registryPrefix := printf "%s:%s" (tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup") (tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup") -}}
+image: {{ printf "%s/%s" $registryPrefix $imageTag | quote }}
+{{- else -}}
+image: {{ $imageTag | quote }}
+{{- end }}
+imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
new file mode 100644
index 0000000..2f209fe
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a set of container enviorment variables, equivlant to an openrc for
+  use with keystone based command line clients.
+values: |
+  secrets:
+    identity:
+      admin: example-keystone-admin
+usage: |
+  {{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin ) }}
+return: |
+  - name: OS_IDENTITY_API_VERSION
+    value: "3"
+  - name: OS_AUTH_URL
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_AUTH_URL
+  - name: OS_REGION_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_REGION_NAME
+  - name: OS_INTERFACE
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_INTERFACE
+  - name: OS_ENDPOINT_TYPE
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_INTERFACE
+  - name: OS_PROJECT_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PROJECT_DOMAIN_NAME
+  - name: OS_PROJECT_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PROJECT_NAME
+  - name: OS_USER_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_USER_DOMAIN_NAME
+  - name: OS_USERNAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_USERNAME
+  - name: OS_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PASSWORD
+  - name: OS_CACERT
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_CACERT
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }}
+{{- $useCA := .useCA -}}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: OS_IDENTITY_API_VERSION
+  value: "3"
+- name: OS_AUTH_URL
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_AUTH_URL
+- name: OS_REGION_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_REGION_NAME
+- name: OS_INTERFACE
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_INTERFACE
+- name: OS_ENDPOINT_TYPE
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_INTERFACE
+- name: OS_PROJECT_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_DOMAIN_NAME
+- name: OS_PROJECT_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_NAME
+- name: OS_USER_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USER_DOMAIN_NAME
+- name: OS_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USERNAME
+- name: OS_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PASSWORD
+- name: OS_DEFAULT_DOMAIN
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_DEFAULT_DOMAIN
+{{- if $useCA }}
+- name: OS_CACERT
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_CACERT
+{{- end }}
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
new file mode 100644
index 0000000..f627657
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_secret_openrc" }}
+{{- $userClass := index . 0 -}}
+{{- $identityEndpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $userContext := index $context.Values.endpoints.identity.auth $userClass }}
+OS_AUTH_URL: {{ tuple "identity" $identityEndpoint "api" $context | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
+OS_REGION_NAME: {{ $userContext.region_name | b64enc }}
+OS_INTERFACE: {{ $userContext.interface | default "internal" | b64enc }}
+OS_PROJECT_DOMAIN_NAME: {{ $userContext.project_domain_name | b64enc }}
+OS_PROJECT_NAME: {{ $userContext.project_name | b64enc }}
+OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }}
+OS_USERNAME: {{ $userContext.username | b64enc }}
+OS_PASSWORD: {{ $userContext.password | b64enc }}
+OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }}
+{{- if $userContext.cacert }}
+OS_CACERT: {{ $userContext.cacert | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
new file mode 100644
index 0000000..648711b
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a set of container enviorment variables, for use with the keystone
+  user management jobs.
+values: |
+  secrets:
+    identity:
+      service_user: example-keystone-user
+usage: |
+  {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }}
+return: |
+  - name: SERVICE_OS_REGION_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_REGION_NAME
+  - name: SERVICE_OS_PROJECT_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PROJECT_DOMAIN_NAME
+  - name: SERVICE_OS_PROJECT_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PROJECT_NAME
+  - name: SERVICE_OS_USER_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_USER_DOMAIN_NAME
+  - name: SERVICE_OS_USERNAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_USERNAME
+  - name: SERVICE_OS_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PASSWORD
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_user_create_env_vars" }}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: SERVICE_OS_REGION_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_REGION_NAME
+- name: SERVICE_OS_PROJECT_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_DOMAIN_NAME
+- name: SERVICE_OS_PROJECT_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_NAME
+- name: SERVICE_OS_USER_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USER_DOMAIN_NAME
+- name: SERVICE_OS_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USERNAME
+- name: SERVICE_OS_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PASSWORD
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
new file mode 100644
index 0000000..8ca1028
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders a configmap used for loading custom AppArmor profiles.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+      apparmor_profiles: |-
+        my_apparmor-v1.profile: |-
+          #include <tunables/global>
+          profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+            <profile_data>
+          }
+usage: |
+  {{ dict "envAll" . "component" "myComponent" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }}
+return: |
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: releaseName-myComponent-apparmor
+  namespace: myNamespace
+data:
+  my_apparmor-v1.profile: |-
+    #include <tunables/global>
+    profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+      <profile_data>
+    }
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_configmap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- $mapName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if $envAll.Values.conf.apparmor_profiles }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ $mapName }}
+  namespace: {{ $envAll.Release.Namespace }}
+data:
+{{ $envAll.Values.conf.apparmor_profiles | toYaml | indent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
new file mode 100644
index 0000000..f231fe6
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders the init container used for apparmor loading.
+values: |
+  images:
+    tags:
+      apparmor_loader: my-repo.io/apparmor-loader:1.0.0
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+      apparmor-loader: unconfined
+usage: |
+  {{ dict "envAll" . | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" }}
+return: |
+  - name: apparmor-loader
+    image: my-repo.io/apparmor-loader:1.0.0
+    args:
+      - /profiles
+    securityContext:
+      privileged: true
+    volumeMounts:
+      - name: sys
+        mountPath: /sys
+        readOnly: true
+      - name: includes
+        mountPath: /etc/apparmor.d
+        readOnly: true
+      - name: profiles
+        mountPath: /profiles
+        readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" -}}
+{{- $envAll := index . "envAll" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+- name: apparmor-loader
+  image: {{ $envAll.Values.images.tags.apparmor_loader }}
+  args:
+    - /profiles
+  securityContext:
+    privileged: true
+  volumeMounts:
+    - name: sys
+      mountPath: /sys
+      readOnly: true
+    - name: includes
+      mountPath: /etc/apparmor.d
+      readOnly: true
+    - name: profiles
+      mountPath: /profiles
+      readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
new file mode 100644
index 0000000..baebaa3
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders the volumes used by the apparmor loader.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+inputs: |
+  envAll: "Environment or Context."
+  component: "Name of the component used for the name of configMap."
+  requireSys: "Boolean. True if it needs the hostpath /sys in volumes."
+usage: |
+  {{ dict "envAll" . "component" "keystone" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" }}
+return: |
+- name: sys
+  hostPath:
+    path: /sys
+- name: includes
+  hostPath:
+    path: /etc/apparmor.d
+- name: profiles
+  configMap:
+    name: RELEASENAME-keystone-apparmor
+    defaultMode: 0555
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_volumes" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $requireSys := index . "requireSys" | default false -}}
+{{- $configName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- if $requireSys }}
+- name: sys
+  hostPath:
+    path: /sys
+{{- end }}
+- name: includes
+  hostPath:
+    path: /etc/apparmor.d
+- name: profiles
+  configMap:
+    name: {{ $configName | quote }}
+    defaultMode: 0555
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
new file mode 100644
index 0000000..4741497
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders securityContext for a Kubernetes container.
+  For container level, see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#securitycontext-v1-core
+examples:
+  - values: |
+      pod:
+        security_context:
+          myApp:
+            container:
+              foo:
+                runAsUser: 34356
+                readOnlyRootFilesystem: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" "container" "foo" | include "helm-toolkit.snippets.kubernetes_container_security_context" }}
+    return: |
+      securityContext:
+        readOnlyRootFilesystem: true
+        runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_container_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $container := index . "container" -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{- if hasKey ( index $envAll.Values.pod.security_context $application "container" ) $container }}
+securityContext:
+{{ toYaml ( index $envAll.Values.pod.security_context $application "container" $container ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
new file mode 100644
index 0000000..bed712e
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
@@ -0,0 +1,209 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a container definition for use with the kubernetes-entrypoint image
+  from stackanetes.
+values: |
+  images:
+    tags:
+      dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    pull_policy: IfNotPresent
+    local_registry:
+      active: true
+      exclude:
+        - dep_check
+  dependencies:
+    dynamic:
+      common:
+        local_image_registry:
+          jobs:
+            - calico-image-repo-sync
+          services:
+            - endpoint: node
+              service: local_image_registry
+    static:
+      calico_node:
+        services:
+          - endpoint: internal
+            service: etcd
+        custom_resources:
+          - apiVersion: argoproj.io/v1alpha1
+            kind: Workflow
+            name: wf-example
+            fields:
+              - key: "status.phase"
+                value: "Succeeded"
+  endpoints:
+    local_image_registry:
+      namespace: docker-registry
+      hosts:
+        default: localhost
+        node: localhost
+    etcd:
+      hosts:
+        default: etcd
+  # NOTE (portdirect): if the stanza, or a portion of it, under `pod` is not
+  # specififed then the following will be used as defaults:
+  #  pod:
+  #    security_context:
+  #      kubernetes_entrypoint:
+  #        container:
+  #          kubernetes_entrypoint:
+  #            runAsUser: 65534
+  #            readOnlyRootFilesystem: true
+  #            allowPrivilegeEscalation: false
+  pod:
+    security_context:
+      kubernetes_entrypoint:
+        container:
+          kubernetes_entrypoint:
+            runAsUser: 0
+            readOnlyRootFilesystem: false
+usage: |
+  {{ tuple . "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" }}
+return: |
+  - name: init
+    image: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+    imagePullPolicy: IfNotPresent
+    securityContext:
+      allowPrivilegeEscalation: false
+      readOnlyRootFilesystem: false
+      runAsUser: 0
+
+    env:
+      - name: POD_NAME
+        valueFrom:
+          fieldRef:
+            apiVersion: v1
+            fieldPath: metadata.name
+      - name: NAMESPACE
+        valueFrom:
+          fieldRef:
+            apiVersion: v1
+            fieldPath: metadata.namespace
+      - name: INTERFACE_NAME
+        value: eth0
+      - name: PATH
+        value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+      - name: DEPENDENCY_SERVICE
+        value: "default:etcd,docker-registry:localhost"
+      - name: DEPENDENCY_JOBS
+        value: "calico-image-repo-sync"
+      - name: DEPENDENCY_DAEMONSET
+        value: ""
+      - name: DEPENDENCY_CONTAINER
+        value: ""
+      - name: DEPENDENCY_POD_JSON
+        value: ""
+      - name: DEPENDENCY_CUSTOM_RESOURCE
+        value: "[{\"apiVersion\":\"argoproj.io/v1alpha1\",\"kind\":\"Workflow\",\"namespace\":\"default\",\"name\":\"wf-example\",\"fields\":[{\"key\":\"status.phase\",\"value\":\"Succeeded\"}]}]"
+    command:
+      - kubernetes-entrypoint
+    volumeMounts:
+      []
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" -}}
+Values:
+  pod:
+    security_context:
+      kubernetes_entrypoint:
+        container:
+          kubernetes_entrypoint:
+            runAsUser: 65534
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $mounts := index . 2 -}}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+
+{{- if and ($envAll.Values.manifests.job_rabbit_init) (hasKey $envAll.Values.dependencies "dynamic") -}}
+{{- if $envAll.Values.dependencies.dynamic.job_rabbit_init -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component) ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component)) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+{{- range $deps.custom_resources }}
+{{- $_ := set . "namespace" $envAll.Release.Namespace -}}
+{{- end -}}
+{{- $default_security_context := include "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" . | fromYaml }}
+{{- $patchedEnvAll := mergeOverwrite $default_security_context $envAll }}
+- name: init
+{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
+{{- dict "envAll" $patchedEnvAll "application" "kubernetes_entrypoint" "container" "kubernetes_entrypoint" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 2 }}
+  env:
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          apiVersion: v1
+          fieldPath: metadata.name
+    - name: NAMESPACE
+      valueFrom:
+        fieldRef:
+          apiVersion: v1
+          fieldPath: metadata.namespace
+    - name: INTERFACE_NAME
+      value: eth0
+    - name: PATH
+      value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+    - name: DEPENDENCY_SERVICE
+      value: "{{ tuple $deps.services $envAll | include "helm-toolkit.utils.comma_joined_service_list" }}"
+{{- if $deps.jobs -}}
+  {{- if kindIs "string" (index $deps.jobs 0) }}
+    - name: DEPENDENCY_JOBS
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.jobs }}"
+  {{- else }}
+    - name: DEPENDENCY_JOBS_JSON
+      value: {{- toJson $deps.jobs | quote -}}
+  {{- end -}}
+{{- end }}
+    - name: DEPENDENCY_DAEMONSET
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.daemonset }}"
+    - name: DEPENDENCY_CONTAINER
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.container }}"
+    - name: DEPENDENCY_POD_JSON
+      value: {{ if $deps.pod }}{{ toJson $deps.pod | quote }}{{ else }}""{{ end }}
+    - name: DEPENDENCY_CUSTOM_RESOURCE
+      value: {{ if $deps.custom_resources }}{{ toJson $deps.custom_resources | quote }}{{ else }}""{{ end }}
+  command:
+    - kubernetes-entrypoint
+  volumeMounts:
+{{ toYaml $mounts | indent 4 }}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
new file mode 100644
index 0000000..34a7da3
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
@@ -0,0 +1,20 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_kubectl_params" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{ print "-l application=" $application " -l component=" $component }}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
new file mode 100644
index 0000000..92d3ea5
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders mandatory access control annotations for a list of containers
+  driven by values.yaml. As of now, it can only generate an apparmor
+  annotation, but in the future could generate others.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      myPodName:
+        myContainerName: localhost/myAppArmor
+        mySecondContainerName: localhost/secondProfile # optional
+        myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+  {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" }}
+return: |
+  container.apparmor.security.beta.kubernetes.io/myContainerName: localhost/myAppArmor
+  container.apparmor.security.beta.kubernetes.io/mySecondContainerName: localhost/secondProfile
+  container.apparmor.security.beta.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+  The number of container underneath is a variable arguments. It loops through
+  all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- $macType := $envAll.Values.pod.mandatory_access_control.type -}}
+{{- if $macType -}}
+{{- if eq $macType "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control $podName -}}
+{{- range $name := $containerNames -}}
+{{- $apparmorProfile := index $envAll.Values.pod.mandatory_access_control $podName $name -}}
+{{- if $apparmorProfile }}
+container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
new file mode 100644
index 0000000..48b53fa
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders a set of standardised labels
+values: |
+  release_group: null
+  pod:
+    labels:
+      default:
+        label1.example.com: value
+      bar:
+        label2.example.com: bar
+usage: |
+  {{ tuple . "foo" "bar" | include "helm-toolkit.snippets.kubernetes_metadata_labels" }}
+return: |
+  release_group: RELEASE-NAME
+  application: foo
+  component: bar
+  label1.example.com: value
+  label2.example.com: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+release_group: {{ $envAll.Values.release_group | default $envAll.Release.Name }}
+application: {{ $application }}
+component: {{ $component }}
+{{- if ($envAll.Values.pod).labels }}
+{{- if hasKey $envAll.Values.pod.labels $component }}
+{{ index $envAll.Values.pod "labels" $component | toYaml }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.labels "default" }}
+{{ $envAll.Values.pod.labels.default | toYaml }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
new file mode 100644
index 0000000..fabbcf8
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
@@ -0,0 +1,89 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes anti affinity rules, this function supports both hard
+  'requiredDuringSchedulingIgnoredDuringExecution' and soft
+  'preferredDuringSchedulingIgnoredDuringExecution' types.
+values: |
+  pod:
+    affinity:
+      anti:
+        topologyKey:
+          default: kubernetes.io/hostname
+        type:
+          default: requiredDuringSchedulingIgnoredDuringExecution
+        weight:
+          default: 10
+usage: |
+  {{ tuple . "appliction_x" "component_y" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" }}
+return: |
+  podAntiAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+    - labelSelector:
+        matchExpressions:
+          - key: release_group
+            operator: In
+            values:
+            - RELEASE-NAME
+          - key: application
+            operator: In
+            values:
+            - appliction_x
+          - key: component
+            operator: In
+            values:
+            - component_y
+          topologyKey: kubernetes.io/hostname
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $component := index . "component" -}}
+{{- $expressionRelease := dict "key" "release_group" "operator" "In"  "values" ( list ( $envAll.Values.release_group | default $envAll.Release.Name ) ) -}}
+{{- $expressionApplication := dict "key" "application" "operator" "In"  "values" ( list $application ) -}}
+{{- $expressionComponent := dict "key" "component" "operator" "In"  "values" ( list $component ) -}}
+{{- list $expressionRelease $expressionApplication $expressionComponent | toYaml }}
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{- $antiAffinityType := index $envAll.Values.pod.affinity.anti.type $component | default $envAll.Values.pod.affinity.anti.type.default }}
+{{- $antiAffinityKey := index $envAll.Values.pod.affinity.anti.topologyKey $component | default $envAll.Values.pod.affinity.anti.topologyKey.default }}
+podAntiAffinity:
+{{- $matchExpressions := include "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" ( dict "envAll" $envAll "application" $application "component" $component ) -}}
+{{- if eq $antiAffinityType "preferredDuringSchedulingIgnoredDuringExecution" }}
+  {{ $antiAffinityType }}:
+  - podAffinityTerm:
+      labelSelector:
+        matchExpressions:
+{{ $matchExpressions | indent 10 }}
+      topologyKey: {{ $antiAffinityKey }}
+{{- if  $envAll.Values.pod.affinity.anti.weight }}
+    weight: {{ index $envAll.Values.pod.affinity.anti.weight $component | default $envAll.Values.pod.affinity.anti.weight.default }}
+{{- else }}
+    weight: 10
+{{- end -}}
+{{- else if eq $antiAffinityType "requiredDuringSchedulingIgnoredDuringExecution" }}
+  {{ $antiAffinityType }}:
+  - labelSelector:
+      matchExpressions:
+{{ $matchExpressions | indent 8 }}
+    topologyKey: {{ $antiAffinityKey }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
new file mode 100644
index 0000000..74173dc
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders image pull secrets for a pod
+values: |
+  pod:
+    image_pull_secrets:
+      default:
+        - name: some-pull-secret
+      bar:
+        - name: another-pull-secret
+usage: |
+  {{ tuple . "bar" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" }}
+return: |
+  imagePullSecrets:
+    - name: some-pull-secret
+    - name: another-pull-secret
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_image_pull_secrets" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- if ($envAll.Values.pod).image_pull_secrets }}
+imagePullSecrets:
+{{- if hasKey $envAll.Values.pod.image_pull_secrets $application }}
+{{ index $envAll.Values.pod "image_pull_secrets" $application | toYaml | indent 2 }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.image_pull_secrets "default" }}
+{{ $envAll.Values.pod.image_pull_secrets.default | toYaml | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
new file mode 100644
index 0000000..90a7a65
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{{- $saName := index . 2 | replace "_" "-" }}
+{{- $saNamespace := index . 3 -}}
+{{- $releaseName := $envAll.Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $releaseName }}-{{ $saName }}
+  namespace: {{ $saNamespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $saName }}
+    namespace: {{ $saNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+  namespace: {{ $saNamespace }}
+rules:
+  - apiGroups:
+      - ""
+      - extensions
+      - batch
+      - apps
+    verbs:
+      - get
+      - list
+    resources:
+      {{- range $k, $v := $deps -}}
+      {{ if eq $v "daemonsets" }}
+      - daemonsets
+      {{- end -}}
+      {{ if eq $v "jobs" }}
+      - jobs
+      {{- end -}}
+      {{ if or (eq $v "pods") (eq $v "daemonsets") (eq $v "jobs") }}
+      - pods
+      {{- end -}}
+      {{ if eq $v "services" }}
+      - services
+      - endpoints
+      {{- end -}}
+      {{ if eq $v "secrets" }}
+      - secrets
+      {{- end -}}
+      {{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
new file mode 100644
index 0000000..bc2045e
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $saName := index . 2 -}}
+{{- $saNamespace := $envAll.Release.Namespace }}
+{{- $randomKey := randAlphaNum 32 }}
+{{- $allNamespace := dict $randomKey "" }}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $saName }}
+  namespace: {{ $saNamespace }}
+{{- if $envAll.Values.manifests.secret_registry }}
+{{- if $envAll.Values.endpoints.oci_image_registry.auth.enabled }}
+imagePullSecrets:
+  - name: {{ index $envAll.Values.secrets.oci_image_registry $envAll.Chart.Name }}
+{{- end -}}
+{{- end -}}
+{{- range $k, $v := $deps -}}
+{{- if eq $k "services" }}
+{{- range $serv := $v }}
+{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
+{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
+{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
+{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- else if and (eq $k "jobs") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "daemonset") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "pod") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "pods," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "secret") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "secrets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- $_ := unset $allNamespace $randomKey }}
+{{- range $ns, $vv := $allNamespace }}
+{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
+{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
new file mode 100644
index 0000000..3a4fbaa
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
@@ -0,0 +1,67 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders securityContext for a Kubernetes pod.
+  For pod level, seurity context see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#podsecuritycontext-v1-core
+examples:
+  - values: |
+      pod:
+        # NOTE: The 'user' key is deprecated, and will be removed shortly.
+        user:
+          myApp:
+            uid: 34356
+        security_context:
+          myApp:
+            pod:
+              runAsNonRoot: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+    return: |
+      securityContext:
+        runAsUser: 34356
+        runAsNonRoot: true
+  - values: |
+      pod:
+        security_context:
+          myApp:
+            pod:
+              runAsUser: 34356
+              runAsNonRoot: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+    return: |
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+securityContext:
+{{- if hasKey $envAll.Values.pod "user" }}
+{{- if hasKey $envAll.Values.pod.user $application }}
+{{- if hasKey ( index $envAll.Values.pod.user $application ) "uid" }}
+  runAsUser: {{ index $envAll.Values.pod.user $application "uid" }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{ toYaml ( index $envAll.Values.pod.security_context $application "pod" ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
new file mode 100644
index 0000000..7470760
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes liveness and readiness probes for containers
+values: |
+  pod:
+    probes:
+      api:
+        default:
+          readiness:
+            enabled: true
+            params:
+              initialDelaySeconds: 30
+              timeoutSeconds: 30
+usage: |
+  {{- define "probeTemplate" }}
+  httpGet:
+    path: /status
+    port: 9090
+  {{- end }}
+  {{ dict "envAll" . "component" "api" "container" "default" "type" "readiness" "probeTemplate" (include "probeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" }}
+return: |
+  readinessProbe:
+    httpGet:
+      path: /status
+      port: 9090
+    initialDelaySeconds: 30
+    timeoutSeconds: 30
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_probe" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $container := index . "container" -}}
+{{- $type := index . "type" -}}
+{{- $probeTemplate := index . "probeTemplate" -}}
+{{- $probeOpts := index $envAll.Values.pod.probes $component $container $type -}}
+{{- if $probeOpts.enabled -}}
+{{- $probeOverides := index $probeOpts "params" | default dict -}}
+{{ dict ( printf "%sProbe" $type ) (mergeOverwrite $probeTemplate $probeOverides ) | toYaml }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
new file mode 100644
index 0000000..24d30cf
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
@@ -0,0 +1,53 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Note: This function is deprecated and will be removed in the future.
+
+abstract: |
+  Renders kubernetes resource limits for pods
+values: |
+  pod:
+    resources:
+      enabled: true
+      api:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+          hugepages-1Gi: "1Gi"
+
+usage: |
+  {{ include "helm-toolkit.snippets.kubernetes_resources" ( tuple . .Values.pod.resources.api ) }}
+return: |
+  resources:
+    limits:
+      cpu: "2000m"
+      memory: "1024Mi"
+      hugepages-1Gi: "1Gi"
+    requests:
+      cpu: "100m"
+      memory: "128Mi
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_resources" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- if $envAll.Values.pod.resources.enabled -}}
+resources:
+{{ toYaml $component | trim | indent 2 }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
new file mode 100644
index 0000000..555ffb0
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders seccomp annotations for a list of containers driven by values.yaml.
+values: |
+  pod:
+    seccomp:
+      myPodName:
+        myContainerName: localhost/mySeccomp
+        mySecondContainerName: localhost/secondProfile # optional
+        myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+  {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_seccomp_annotation" }}
+return: |
+  container.seccomp.security.alpha.kubernetes.io/myContainerName: localhost/mySeccomp
+  container.seccomp.security.alpha.kubernetes.io/mySecondContainerName: localhost/secondProfile
+  container.seccomp.security.alpha.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+  The number of container underneath is a variable arguments. It loops through
+  all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_seccomp_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey (index $envAll.Values.pod "seccomp") $podName -}}
+{{- range $name := $containerNames -}}
+{{- $seccompProfile := index $envAll.Values.pod.seccomp $podName $name -}}
+{{- if $seccompProfile }}
+container.seccomp.security.alpha.kubernetes.io/{{ $name }}: {{ $seccompProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
new file mode 100644
index 0000000..e4af6a6
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes tolerations for pods
+values: |
+  pod:
+    tolerations:
+      api:
+        enabled: true
+        tolerations:
+        - key: node-role.kubernetes.io/master
+          operator: Exists
+        - key: node-role.kubernetes.io/node
+          operator: Exists
+
+usage: |
+  {{ include "helm-toolkit.snippets.kubernetes_tolerations" ( tuple . .Values.pod.tolerations.api ) }}
+return: |
+  tolerations:
+  - key: node-role.kubernetes.io/master
+    operator: Exists
+  - key: node-role.kubernetes.io/node
+    operator: Exists
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_tolerations" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $pod := index $envAll.Values.pod.tolerations $component }}
+tolerations:
+{{ toYaml $pod.tolerations }}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
new file mode 100644
index 0000000..69cee47
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_daemonset" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $upgradeMap := index $envAll.Values.pod.lifecycle.upgrades.daemonsets $component -}}
+{{- $pod_replacement_strategy := $envAll.Values.pod.lifecycle.upgrades.daemonsets.pod_replacement_strategy -}}
+{{- with $upgradeMap -}}
+{{- if .enabled }}
+minReadySeconds: {{ .min_ready_seconds }}
+updateStrategy:
+  type: {{ $pod_replacement_strategy }}
+  {{- if $pod_replacement_strategy }}
+  {{- if eq $pod_replacement_strategy "RollingUpdate" }}
+  rollingUpdate:
+    maxUnavailable: {{ .max_unavailable }}
+  {{- end }}
+  {{- end }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
new file mode 100644
index 0000000..be28cdb
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_deployment" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.deployments -}}
+revisionHistoryLimit: {{ .revision_history }}
+strategy:
+  type: {{ .pod_replacement_strategy }}
+  {{- if eq .pod_replacement_strategy "RollingUpdate" }}
+  rollingUpdate:
+    maxUnavailable: {{ .rolling_update.max_unavailable }}
+    maxSurge: {{ .rolling_update.max_surge }}
+  {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
new file mode 100644
index 0000000..f897023
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders upgradeStrategy configuration for Kubernetes statefulsets.
+  See: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+  Types:
+    - RollingUpdate (default)
+    - OnDelete
+  Partitions:
+    - Stage updates to a statefulset by keeping pods at current version while
+      allowing mutations to statefulset's .spec.template
+values: |
+  pod:
+    lifecycle:
+      upgrades:
+        statefulsets:
+          pod_replacement_strategy: RollingUpdate
+          partition: 2
+usage: |
+  {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_statefulset" | indent 2 }}
+return: |
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      partition: 2
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_statefulset" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.statefulsets -}}
+updateStrategy:
+  type: {{ .pod_replacement_strategy }}
+  {{ if .partition -}}
+  rollingUpdate:
+    partition: {{ .partition }}
+  {{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
new file mode 100644
index 0000000..fc74c6f
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
@@ -0,0 +1,68 @@
+{{- define "helm-toolkit.snippets.mon_host_from_k8s_ep" -}}
+{{/*
+
+Inserts a bash function definition mon_host_from_k8s_ep() which can be used
+to construct a mon_hosts value from the given namespaced endpoint.
+
+Usage (e.g. in _script.sh.tpl):
+    #!/bin/bash
+
+    : "${NS:=ceph}"
+    : "${EP:=ceph-mon-discovery}"
+
+    {{ include "helm-toolkit.snippets.mon_host_from_k8s_ep" . }}
+
+    MON_HOST=$(mon_host_from_k8s_ep "$NS" "$EP")
+
+    if [ -z "$MON_HOST" ]; then
+        # deal with failure
+    else
+        sed -i -e "s/^mon_host = /mon_host = $MON_HOST/" /etc/ceph/ceph.conf
+    fi
+*/}}
+{{`
+# Construct a mon_hosts value from the given namespaced endpoint
+# IP x.x.x.x with port p named "mon-msgr2" will appear as [v2:x.x.x.x/p/0]
+# IP x.x.x.x with port q named "mon" will appear as [v1:x.x.x.x/q/0]
+# IP x.x.x.x with ports p and q will appear as [v2:x.x.x.x/p/0,v1:x.x.x.x/q/0]
+# The entries for all IPs will be joined with commas
+mon_host_from_k8s_ep() {
+  local ns=$1
+  local ep=$2
+
+  if [ -z "$ns" ] || [ -z "$ep" ]; then
+    return 1
+  fi
+
+  # We don't want shell expansion for the go-template expression
+  # shellcheck disable=SC2016
+  kubectl get endpoints -n "$ns" "$ep" -o go-template='
+    {{- $sep := "" }}
+    {{- range $_,$s := .subsets }}
+      {{- $v2port := 0 }}
+      {{- $v1port := 0 }}
+      {{- range $_,$port := index $s "ports" }}
+        {{- if (eq $port.name "mon-msgr2") }}
+          {{- $v2port = $port.port }}
+        {{- else if (eq $port.name "mon") }}
+          {{- $v1port = $port.port }}
+        {{- end }}
+      {{- end }}
+      {{- range $_,$address := index $s "addresses" }}
+        {{- $v2endpoint := printf "v2:%s:%d/0" $address.ip $v2port }}
+        {{- $v1endpoint := printf "v1:%s:%d/0" $address.ip $v1port }}
+        {{- if (and $v2port $v1port) }}
+          {{- printf "%s[%s,%s]" $sep $v2endpoint $v1endpoint }}
+          {{- $sep = "," }}
+        {{- else if $v2port }}
+          {{- printf "%s[%s]" $sep $v2endpoint }}
+          {{- $sep = "," }}
+        {{- else if $v1port }}
+          {{- printf "%s[%s]" $sep $v1endpoint }}
+          {{- $sep = "," }}
+        {{- end }}
+      {{- end }}
+    {{- end }}'
+}
+`}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
new file mode 100644
index 0000000..fec41f8
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape jobs via pod
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape pods that have a value of `true`
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: Scrape the pod on the indicated port instead of the
+# pod's declared ports (default is a port-free target if none are declared).
+
+{{- define "helm-toolkit.snippets.prometheus_pod_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
new file mode 100644
index 0000000..a827c4b
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
@@ -0,0 +1,35 @@
+{{/*
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+   http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape endpoints via
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape services that have a value of `true`
+# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
+# to set this to `https` & most likely set the `tls_config` of the scrape config.
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: If the metrics are exposed on a different port to the
+# service then set this appropriately.
+
+{{- define "helm-toolkit.snippets.prometheus_service_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.scheme }}
+prometheus.io/scheme: {{ $config.scheme | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_release_uuid.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
new file mode 100644
index 0000000..253920b
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Reneders an attonation key and value for a release
+values: |
+  release_uuid: null
+usage: |
+  {{ tuple . | include "helm-toolkit.snippets.release_uuid" }}
+return: |
+  "openstackhelm.openstack.org/release_uuid": ""
+*/}}
+
+{{- define "helm-toolkit.snippets.release_uuid" -}}
+{{- $envAll := index . 0 -}}
+"openstackhelm.openstack.org/release_uuid": {{ $envAll.Values.release_uuid | default "" | quote }}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
new file mode 100644
index 0000000..a3169ce
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_admin_env_vars" }}
+{{- $s3AdminSecret := .s3AdminSecret }}
+- name: S3_ADMIN_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_USERNAME
+- name: S3_ADMIN_ACCESS_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_ACCESS_KEY
+- name: S3_ADMIN_SECRET_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_SECRET_KEY
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
new file mode 100644
index 0000000..a611a5e
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_secret_creds" }}
+{{- range $client, $config := .Values.storage.s3.clients -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+type: Opaque
+data:
+{{- range $key, $value := $config.auth }}
+  {{ $key | upper }}: {{ $value | toString | b64enc}}
+{{- end }}
+
+{{ end }}
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
new file mode 100644
index 0000000..a3dd431
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_user_env_vars" }}
+{{- range $client, $user := .Values.storage.s3.clients }}
+{{- $s3secret := printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+- name: {{ printf "%s_S3_USERNAME" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: USERNAME
+- name: {{ printf "%s_S3_ACCESS_KEY" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: ACCESS_KEY
+- name: {{ printf "%s_S3_SECRET_KEY" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: SECRET_KEY
+{{- end }}
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_tls_volume.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
new file mode 100644
index 0000000..41fe3d9
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+  Renders a secret volume for tls.
+
+  Dictionary Parameters:
+    enabled: boolean check if you want to conditional disable this snippet (optional)
+    name: name of the volume (required)
+    secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional)
+
+values: |
+  manifests:
+    certificates: true
+
+usage: |
+  {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume" -}}
+
+return: |
+  - name: glance-tls-api
+    secret:
+      secretName: glance-tls-api
+      defaultMode: 292
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $secretName := index . "secretName" | default $name -}}
+{{- if and $enabled (ne $name "") }}
+- name: {{ $name }}
+  secret:
+    secretName: {{ $secretName }}
+    defaultMode: 292
+{{- end }}
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
new file mode 100644
index 0000000..9cfa819
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
@@ -0,0 +1,82 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+  Renders a volume mount for TLS key, cert and CA.
+
+  Dictionary Parameters:
+    enabled: boolean check if you want to conditional disable this snippet (optional)
+    name: name that of the volume and should match the volume name (required)
+    path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required)
+    certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}.
+          the default is the full set. (optional)
+
+values: |
+  manifests:
+    certificates: true
+
+usage: |
+  {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/tls.crt
+    subPath: tls.crt
+    readOnly: true
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/tls.key
+    subPath: tls.key
+    readOnly: true
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/ca.crt
+    subPath: ca.crt
+    readOnly: true
+
+abstract: |
+  This mounts a specific issuing CA only for service validation
+
+usage: |
+  {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+  - name: glance-tls-api
+    mountPath: /etc/ssl/certs/openstack-helm.crt
+    subPath: ca.crt
+    readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume_mount" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $path := index . "path" | default "" -}}
+{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }}
+{{- if $enabled }}
+{{- if and (eq $path "") (ne $name "") }}
+- name: {{ $name }}
+  mountPath: "/etc/ssl/certs/openstack-helm.crt"
+  subPath: ca.crt
+  readOnly: true
+{{- else }}
+{{- if ne $name "" }}
+{{- range $key, $value := $certs }}
+- name: {{ $name }}
+  mountPath: {{ printf "%s/%s" $path $value }}
+  subPath: {{ $value }}
+  readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
new file mode 100644
index 0000000..6e9d5a1
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
@@ -0,0 +1,87 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders out configuration sections into a format suitable for incorporation
+  into a config-map. Allowing various forms of input to be rendered out as
+  appropriate.
+values: |
+  conf:
+    inputs:
+      - foo
+      - bar
+    some:
+      config_to_render: |
+        #We can use all of gotpl here: eg macros, ranges etc.
+        {{ include "helm-toolkit.utils.joinListWithComma" .Values.conf.inputs }}
+      config_to_complete:
+        #here we can fill out params, but things need to be valid yaml as input
+        '{{ .Release.Name }}': '{{ printf "%s-%s" .Release.Namespace "namespace" }}'
+      static_config:
+        #this is just passed though as yaml to the configmap
+        foo: bar
+usage: |
+  {{- $envAll := . }}
+  ---
+  apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: application-etc
+  data:
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_render "key" "config_to_render.conf") | indent 2 }}
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_complete "key" "config_to_complete.yaml") | indent 2 }}
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.static_config "key" "static_config.yaml") | indent 2 }}
+return: |
+  ---
+  apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: application-etc
+  data:
+    config_to_render.conf: |
+      #We can use all of gotpl here: eg macros, ranges etc.
+      foo,bar
+
+    config_to_complete.yaml: |
+      'RELEASE-NAME': 'default-namespace'
+
+    static_config.yaml: |
+      foo: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.values_template_renderer" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $template := index . "template" -}}
+{{- $key := index . "key" -}}
+{{- $format := index . "format" | default "configMap" -}}
+{{- with $envAll -}}
+{{- $templateRendered := tpl ( $template | toYaml ) . }}
+{{- if eq $format "Secret" }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: {{ regexReplaceAllLiteral "\n  " ( $templateRendered | trimPrefix "|\n" | trimPrefix "  " ) "\n" | b64enc }}
+{{- else }}
+{{ $key }}: {{ $templateRendered | b64enc }}
+{{- end -}}
+{{- else }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: |
+{{ regexReplaceAllLiteral "\n  " ( $templateRendered | trimPrefix "|\n" | trimPrefix "  " ) "\n" | indent 2 }}
+{{- else }}
+{{ $key }}: |
+{{ $templateRendered | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl b/charts/openvswitch/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
new file mode 100644
index 0000000..6d617a1
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
@@ -0,0 +1,94 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Produces a certificate from a certificate authority. If the "encode" parameter
+  is true, base64 encode the values for inclusion in a Kubernetes secret.
+values: |
+  test:
+    hosts:
+      names:
+        - barbican.openstackhelm.example
+        - barbican.openstack.svc.cluster.local
+      ips:
+        - 127.0.0.1
+        - 192.168.0.1
+    life: 3
+    # Use ca.crt and ca.key to build a customized ca, if they are provided.
+    # Use hosts.names[0] and life to auto-generate a ca, if ca is not provided.
+    ca:
+      crt: |
+        <CA CRT>
+      key: |
+        <CA PRIVATE KEY>
+usage: |
+  {{ include "helm-toolkit.utils.tls_generate_certs" (dict "params" .Values.test) }}
+return: |
+  ca: |
+    <CA CRT>
+  crt: |
+    <CRT>
+  exp: 2018-09-01T10:56:07.895392915-00:00
+  key: |
+    <CRT PRIVATE KEY>
+*/}}
+
+{{- define "helm-toolkit.utils.tls_generate_certs" -}}
+{{- $params := index . "params" -}}
+{{- $encode := index . "encode" | default false -}}
+{{- $local := dict -}}
+
+{{- $_hosts := $params.hosts.names | default list }}
+{{- if kindIs "string" $params.hosts.names }}
+{{- $_ := set $local "certHosts" (list $params.hosts.names) }}
+{{- else }}
+{{- $_ := set $local "certHosts" $_hosts }}
+{{- end }}
+
+{{- $_ips := $params.hosts.ips | default list }}
+{{- if kindIs "string" $params.hosts.ips }}
+{{- $_ := set $local "certIps" (list $params.hosts.ips) }}
+{{- else }}
+{{- $_ := set $local "certIps" $_ips }}
+{{- end }}
+
+{{- if hasKey $params "ca" }}
+{{- if and (hasKey $params.ca "crt") (hasKey $params.ca "key") }}
+{{- $ca := buildCustomCert ($params.ca.crt | b64enc ) ($params.ca.key | b64enc ) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+{{- else }}
+{{- $ca := genCA (first $local.certHosts) (int $params.life) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+
+{{- $expDate := date_in_zone "2006-01-02T15:04:05Z07:00" ( date_modify (printf "+%sh" (mul $params.life 24 |toString)) now ) "UTC" }}
+{{- $rawCert := genSignedCert (first $local.certHosts) ($local.certIps) ($local.certHosts) (int $params.life) $local.ca }}
+{{- $certificate := dict -}}
+{{- if $encode -}}
+{{- $_ := b64enc $rawCert.Cert | set $certificate "crt" -}}
+{{- $_ := b64enc $rawCert.Key | set $certificate "key" -}}
+{{- $_ := b64enc $local.ca.Cert | set $certificate "ca" -}}
+{{- $_ := b64enc $local.ca.Key | set $certificate "caKey" -}}
+{{- $_ := b64enc $expDate | set $certificate "exp" -}}
+{{- else -}}
+{{- $_ := set $certificate "crt" $rawCert.Cert -}}
+{{- $_ := set $certificate "key" $rawCert.Key -}}
+{{- $_ := set $certificate "ca" $local.ca.Cert -}}
+{{- $_ := set $certificate "caKey" $local.ca.Key -}}
+{{- $_ := set $certificate "exp" $expDate -}}
+{{- end -}}
+{{- $certificate | toYaml }}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl b/charts/openvswitch/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
new file mode 100644
index 0000000..e26501f
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a comma separated list of namespace:service pairs.
+values: |
+  dependencies:
+    static:
+      api:
+        services:
+          - endpoint: internal
+            service: oslo_cache
+          - endpoint: internal
+            service: oslo_db
+  endpoints:
+    oslo_db:
+      namespace: foo
+      hosts:
+        default: mariadb
+    oslo_cache:
+      namespace: bar
+      hosts:
+        default: memcache
+usage: |
+  {{ tuple .Values.dependencies.static.api.services . | include "helm-toolkit.utils.comma_joined_service_list" }}
+return: |
+  bar:memcache,foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.utils.comma_joined_service_list" -}}
+{{- $deps := index . 0 -}}
+{{- $envAll := index . 1 -}}
+{{- range $k, $v := $deps -}}{{- if $k -}},{{- end -}}{{ tuple $v.service $v.endpoint $envAll | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}{{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/utils/_configmap_templater.tpl b/charts/openvswitch/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
new file mode 100644
index 0000000..7095c19
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
@@ -0,0 +1,30 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.configmap_templater" }}
+{{- $keyRoot := index . 0 -}}
+{{- $configTemplate := index . 1 -}}
+{{- $context := index . 2 -}}
+{{ if $keyRoot.override -}}
+{{ $keyRoot.override | indent 4 }}
+{{- else -}}
+{{- if $keyRoot.prefix -}}
+{{ $keyRoot.prefix | indent 4 }}
+{{- end }}
+{{ tuple $configTemplate $context | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if $keyRoot.append -}}
+{{ $keyRoot.append | indent 4 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl b/charts/openvswitch/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
new file mode 100644
index 0000000..40359f0
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
@@ -0,0 +1,269 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.daemonset_overrides" }}
+  {{- $daemonset := index . 0 }}
+  {{- $daemonset_yaml := index . 1 }}
+  {{- $configmap_include := index . 2 }}
+  {{- $configmap_name := index . 3 }}
+  {{- $context := index . 4 }}
+  {{- $_ := unset $context ".Files" }}
+  {{- $daemonset_root_name := printf (print $context.Chart.Name "_" $daemonset) }}
+  {{- $_ := set $context.Values "__daemonset_list" list }}
+  {{- $_ := set $context.Values "__default" dict }}
+  {{- if hasKey $context.Values.conf "overrides" }}
+    {{- range $key, $val := $context.Values.conf.overrides }}
+
+      {{- if eq $key $daemonset_root_name }}
+        {{- range $type, $type_data := . }}
+
+          {{- if eq $type "hosts" }}
+            {{- range $host_data := . }}
+              {{/* dictionary that will contain all info needed to generate this
+              iteration of the daemonset */}}
+              {{- $current_dict := dict }}
+
+              {{/* set daemonset name */}}
+              {{/* Note: long hostnames can cause the 63 char name limit to be
+              exceeded. Truncate the hostname if hostname > 20 char */}}
+              {{- if gt (len $host_data.name) 20 }}
+                {{- $_ := set $current_dict "name" (substr 0 20 $host_data.name) }}
+              {{- else }}
+                {{- $_ := set $current_dict "name" $host_data.name }}
+              {{- end }}
+
+              {{/* apply overrides */}}
+              {{- $override_conf_copy := $host_data.conf }}
+              {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+              {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+              {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+              {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+              {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+              {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+              {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+              {{- $_ := set $current_dict "nodeData" $root_conf_copy4 }}
+
+              {{/* Schedule to this host explicitly. */}}
+              {{- $nodeSelector_dict := dict }}
+
+              {{- $_ := set $nodeSelector_dict "key" "kubernetes.io/hostname" }}
+              {{- $_ := set $nodeSelector_dict "operator" "In" }}
+
+              {{- $values_list := list $host_data.name }}
+              {{- $_ := set $nodeSelector_dict "values" $values_list }}
+
+              {{- $list_aggregate := list $nodeSelector_dict }}
+              {{- $_ := set $current_dict "matchExpressions" $list_aggregate }}
+
+              {{/* store completed daemonset entry/info into global list */}}
+              {{- $list_aggregate := append $context.Values.__daemonset_list $current_dict }}
+              {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+            {{- end }}
+          {{- end }}
+
+          {{- if eq $type "labels" }}
+            {{- $_ := set $context.Values "__label_list" . }}
+            {{- range $label_data := . }}
+              {{/* dictionary that will contain all info needed to generate this
+              iteration of the daemonset. */}}
+              {{- $_ := set $context.Values "__current_label" dict }}
+
+              {{/* set daemonset name */}}
+              {{- $_ := set $context.Values.__current_label "name" $label_data.label.key }}
+
+              {{/* apply overrides */}}
+              {{- $override_conf_copy := $label_data.conf }}
+              {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+              {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+              {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+              {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+              {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+              {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+              {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+              {{- $_ := set $context.Values.__current_label "nodeData" $root_conf_copy4 }}
+
+              {{/* Schedule to the provided label value(s) */}}
+              {{- $label_dict := omit $label_data.label "NULL" }}
+              {{- $_ := set $label_dict "operator" "In" }}
+              {{- $list_aggregate := list $label_dict }}
+              {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+
+              {{/* Do not schedule to other specified labels, with higher
+              precedence as the list position increases. Last defined label
+              is highest priority. */}}
+              {{- $other_labels := without $context.Values.__label_list $label_data }}
+              {{- range $label_data2 := $other_labels }}
+                {{- $label_dict := omit $label_data2.label "NULL" }}
+
+                {{- $_ := set $label_dict "operator" "NotIn" }}
+
+                {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+                {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+              {{- end }}
+              {{- $_ := set $context.Values "__label_list" $other_labels }}
+
+              {{/* Do not schedule to any other specified hosts */}}
+              {{- range $type, $type_data := $val }}
+                {{- if eq $type "hosts" }}
+                  {{- range $host_data := . }}
+                    {{- $label_dict := dict }}
+
+                    {{- $_ := set $label_dict "key" "kubernetes.io/hostname" }}
+                    {{- $_ := set $label_dict "operator" "NotIn" }}
+
+                    {{- $values_list := list $host_data.name }}
+                    {{- $_ := set $label_dict "values" $values_list }}
+
+                    {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+                    {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+                  {{- end }}
+                {{- end }}
+              {{- end }}
+
+              {{/* store completed daemonset entry/info into global list */}}
+              {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__current_label }}
+              {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+              {{- $_ := unset $context.Values "__current_label" }}
+
+            {{- end }}
+          {{- end }}
+        {{- end }}
+
+        {{/* scheduler exceptions for the default daemonset */}}
+        {{- $_ := set $context.Values.__default "matchExpressions" list }}
+
+        {{- range $type, $type_data := . }}
+          {{/* Do not schedule to other specified labels */}}
+          {{- if eq $type "labels" }}
+            {{- range $label_data := . }}
+              {{- $default_dict := omit $label_data.label "NULL" }}
+
+              {{- $_ := set $default_dict "operator" "NotIn" }}
+
+              {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+              {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+            {{- end }}
+          {{- end }}
+          {{/* Do not schedule to other specified hosts */}}
+          {{- if eq $type "hosts" }}
+            {{- range $host_data := . }}
+              {{- $default_dict := dict }}
+
+              {{- $_ := set $default_dict "key" "kubernetes.io/hostname" }}
+              {{- $_ := set $default_dict "operator" "NotIn" }}
+
+              {{- $values_list := list $host_data.name }}
+              {{- $_ := set $default_dict "values" $values_list }}
+
+              {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+              {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+            {{- end }}
+          {{- end }}
+        {{- end }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+
+  {{/* generate the default daemonset */}}
+
+  {{/* set name */}}
+  {{- $_ := set $context.Values.__default "name" "default" }}
+
+  {{/* no overrides apply, so copy as-is */}}
+  {{- $root_conf_copy1 := omit $context.Values.conf "overrides" }}
+  {{- $root_conf_copy2 := dict "conf" $root_conf_copy1 }}
+  {{- $context_values := omit $context.Values "conf" }}
+  {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+  {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+  {{- $_ := set $context.Values.__default "nodeData" $root_conf_copy4 }}
+
+  {{/* add to global list */}}
+  {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__default }}
+  {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+  {{- range $current_dict := $context.Values.__daemonset_list }}
+
+    {{- $context_novalues := omit $context "Values" }}
+    {{- $merged_dict := mergeOverwrite $context_novalues $current_dict.nodeData }}
+    {{- $_ := set $current_dict "nodeData" $merged_dict }}
+    {{/* Deep copy original daemonset_yaml */}}
+    {{- $_ := set $context.Values "__daemonset_yaml" ($daemonset_yaml | toYaml | fromYaml) }}
+
+    {{/* name needs to be a DNS-1123 compliant name. Ensure lower case */}}
+    {{- $name_format1 := printf (print $daemonset_root_name "-" $current_dict.name) | lower }}
+    {{/* labels may contain underscores which would be invalid here, so we replace them with dashes
+    there may be other valid label names which would make for an invalid DNS-1123 name
+    but these will be easier to handle in future with sprig regex* functions
+    (not availabile in helm 2.5.1) */}}
+    {{- $name_format2 := $name_format1 | replace "_" "-" }}
+    {{/* To account for the case where the same label is defined multiple times in overrides
+    (but with different label values), we add a sha of the scheduling data to ensure
+    name uniqueness */}}
+    {{- $_ := set $current_dict "dns_1123_name" dict }}
+    {{- if hasKey $current_dict "matchExpressions" }}
+      {{- $_ := set $current_dict "dns_1123_name" (printf (print $name_format2 "-" ($current_dict.matchExpressions | quote | sha256sum | trunc 8))) }}
+    {{- else }}
+      {{- $_ := set $current_dict "dns_1123_name" $name_format2 }}
+    {{- end }}
+
+    {{/* set daemonset metadata name */}}
+    {{- if not $context.Values.__daemonset_yaml.metadata }}{{- $_ := set $context.Values.__daemonset_yaml "metadata" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }}
+    {{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }}
+
+    {{/* cross-reference configmap name to container volume definitions */}}
+    {{- $_ := set $context.Values "__volume_list" list }}
+    {{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }}
+      {{- $_ := set $context.Values "__volume" $current_volume }}
+      {{- if hasKey $context.Values.__volume "secret" }}
+        {{- if eq $context.Values.__volume.secret.secretName $configmap_name }}
+          {{- $_ := set $context.Values.__volume.secret "secretName" $current_dict.dns_1123_name }}
+        {{- end }}
+      {{- end }}
+      {{- $updated_list := append $context.Values.__volume_list $context.Values.__volume }}
+      {{- $_ := set $context.Values "__volume_list" $updated_list }}
+    {{- end }}
+    {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "volumes" $context.Values.__volume_list }}
+
+
+    {{/* populate scheduling restrictions */}}
+    {{- if hasKey $current_dict "matchExpressions" }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "spec" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "affinity" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity "nodeAffinity" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity "requiredDuringSchedulingIgnoredDuringExecution" dict }}{{- end }}
+      {{- $match_exprs := dict }}
+      {{- $_ := set $match_exprs "matchExpressions" $current_dict.matchExpressions }}
+      {{- $appended_match_expr := list $match_exprs }}
+      {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution "nodeSelectorTerms" $appended_match_expr }}
+    {{- end }}
+
+    {{/* input value hash for current set of values overrides */}}
+    {{- if not $context.Values.__daemonset_yaml.spec }}{{- $_ := set $context.Values.__daemonset_yaml "spec" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template }}{{- $_ := set $context.Values.__daemonset_yaml.spec "template" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template.metadata }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "metadata" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template.metadata.annotations }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata "annotations" dict }}{{- end }}
+    {{- $cmap := list $current_dict.dns_1123_name $current_dict.nodeData | include $configmap_include }}
+    {{- $values_hash := $cmap | quote | sha256sum }}
+    {{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata.annotations "configmap-etc-hash" $values_hash }}
+
+    {{/* generate configmap */}}
+---
+{{ $cmap }}
+    {{/* generate daemonset yaml */}}
+---
+{{ $context.Values.__daemonset_yaml | toYaml }}
+  {{- end }}
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl b/charts/openvswitch/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
new file mode 100644
index 0000000..b99c00d
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.dependency_resolver" }}
+{{- $envAll := index . "envAll" -}}
+{{- $dependencyMixinParam := index . "dependencyMixinParam" -}}
+{{- $dependencyKey := index . "dependencyKey" -}}
+{{- if $dependencyMixinParam -}}
+{{- $_ := set $envAll.Values "pod_dependency" dict -}}
+{{- if kindIs "string" $dependencyMixinParam }}
+{{- if ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam ) }}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency ( index $envAll.Values.dependencies.static $dependencyKey ) ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam $dependencyKey ) ) -}}
+{{- else }}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- end }}
+{{- else if kindIs "slice" $dependencyMixinParam }}
+{{- $_ := set $envAll.Values "__deps" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- range $k, $v := $dependencyMixinParam -}}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency $envAll.Values.__deps ( index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey ) ) -}}
+{{- $_ := set $envAll.Values "__deps" $envAll.Values.pod_dependency -}}
+{{- end }}
+{{- end }}
+{{- else -}}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) -}}
+{{- end -}}
+{{ $envAll.Values.pod_dependency | toYaml }}
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/utils/_hash.tpl b/charts/openvswitch/charts/helm-toolkit/templates/utils/_hash.tpl
new file mode 100644
index 0000000..d871b62
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/utils/_hash.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.hash" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{- include $wtf $context | sha256sum | quote -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/utils/_host_list.tpl b/charts/openvswitch/charts/helm-toolkit/templates/utils/_host_list.tpl
new file mode 100644
index 0000000..0c32136
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/utils/_host_list.tpl
@@ -0,0 +1,44 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a list of unique hosts for an endpoint, in yaml.
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: mariadb
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.utils.host_list" }}
+return: |
+  hosts:
+  - mariadb
+  - mariadb.default
+*/}}
+
+{{- define "helm-toolkit.utils.host_list" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $host_fqdn := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $host_namespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $host_short := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{/* It is important that the FQDN host is 1st in this list, to ensure other function can use the 1st element for cert gen CN etc */}}
+{{- $host_list := list $host_fqdn $host_namespaced $host_short | uniq }}
+{{- dict "hosts" $host_list | toYaml }}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/utils/_image_sync_list.tpl b/charts/openvswitch/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
new file mode 100644
index 0000000..51923b6
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.image_sync_list" -}}
+{{- $imageExcludeList := .Values.images.local_registry.exclude -}}
+{{- $imageDict := .Values.images.tags -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := $imageDict -}}
+{{- if not $local.first -}},{{- end -}}
+{{- if (not (has $k $imageExcludeList )) -}}
+{{- index $imageDict $k -}}
+{{- $_ := set $local "first" false -}}
+{{- end -}}{{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl b/charts/openvswitch/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
new file mode 100644
index 0000000..5eb5785
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a comma separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithComma" .Values.test }}
+return: |
+  foo,bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithComma" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl b/charts/openvswitch/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
new file mode 100644
index 0000000..3bc6819
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a comma seperated string with single quotes
+  around each value.
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.test }}
+return: |
+  'foo','bar'
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}'{{- $v -}}'{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl b/charts/openvswitch/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
new file mode 100644
index 0000000..40ebb15
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
@@ -0,0 +1,32 @@
+{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of prefixed values into a space separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ tuple "prefix" .Values.test | include "helm-toolkit.utils.joinListWithPrefix" }}
+return: |
+  prefixfoo prefixbar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithPrefix" -}}
+{{- $prefix := index . 0 -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := index . 1 -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $prefix -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl b/charts/openvswitch/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
new file mode 100644
index 0000000..5912280
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a space separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithSpace" .Values.test }}
+return: |
+  foo bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithSpace" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/utils/_merge.tpl b/charts/openvswitch/charts/helm-toolkit/templates/utils/_merge.tpl
new file mode 100644
index 0000000..ea80546
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/utils/_merge.tpl
@@ -0,0 +1,135 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Takes a tuple of values and merges into the first (target) one each subsequent
+(source) one in order. If all values to merge are maps, then the tuple can be
+passed as is and the target will be the result, otherwise pass a map with a
+"values" key containing the tuple of values to merge, and the merge result will
+be assigned to the "result" key of the passed map.
+
+When merging maps, for each key in the source, if the target does not define
+that key, the source value is assigned. If both define the key, then the key
+values are merged using this algorithm (recursively) and the result is assigned
+to the target key. Slices are merged by appending them and removing any
+duplicates, and when passing a map to this function and including a
+"merge_same_named" key set to true, then map items from the slices with the same
+value for the "name" key will be merged with each other. Any other values are
+merged by simply keeping the source, and throwing away the target.
+*/}}
+
+{{- define "helm-toolkit.utils.merge" -}}
+  {{- $local := dict -}}
+  {{- $_ := set $local "merge_same_named" false -}}
+  {{- if kindIs "map" $ -}}
+    {{- $_ := set $local "values" $.values -}}
+    {{- if hasKey $ "merge_same_named" -}}
+      {{- $_ := set $local "merge_same_named" $.merge_same_named -}}
+    {{- end -}}
+  {{- else -}}
+    {{- $_ := set $local "values" $ -}}
+  {{- end -}}
+
+  {{- $target := first $local.values -}}
+  {{- range $item := rest $local.values -}}
+    {{- $call := dict "target" $target "source" . "merge_same_named" $local.merge_same_named -}}
+    {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+    {{- $_ := set $local "result" $call.result -}}
+  {{- end -}}
+
+  {{- if kindIs "map" $ -}}
+    {{- $_ := set $ "result" $local.result -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge" -}}
+  {{- $local := dict -}}
+
+  {{- $_ := set $ "result" $.source -}}
+
+  {{/*
+  TODO: Should we `fail` when trying to merge a collection (map or slice) with
+  either a different kind of collection or a scalar?
+  */}}
+
+  {{- if and (kindIs "map" $.target) (kindIs "map" $.source) -}}
+    {{- range $key, $sourceValue := $.source -}}
+      {{- if not (hasKey $.target $key) -}}
+        {{- $_ := set $local "newTargetValue" $sourceValue -}}
+        {{- if kindIs "map" $sourceValue -}}
+          {{- $copy := dict -}}
+          {{- $call := dict "target" $copy "source" $sourceValue -}}
+          {{- $_ := include "helm-toolkit.utils._merge.shallow" $call -}}
+          {{- $_ := set $local "newTargetValue" $copy -}}
+        {{- end -}}
+      {{- else -}}
+        {{- $targetValue := index $.target $key -}}
+        {{- $call := dict "target" $targetValue "source" $sourceValue "merge_same_named" $.merge_same_named -}}
+        {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+        {{- $_ := set $local "newTargetValue" $call.result -}}
+      {{- end -}}
+      {{- $_ := set $.target $key $local.newTargetValue -}}
+    {{- end -}}
+    {{- $_ := set $ "result" $.target -}}
+  {{- else if and (kindIs "slice" $.target) (kindIs "slice" $.source) -}}
+    {{- $call := dict "target" $.target "source" $.source -}}
+    {{- $_ := include "helm-toolkit.utils._merge.append_slice" $call -}}
+    {{- if $.merge_same_named -}}
+      {{- $_ := set $local "result" list -}}
+      {{- $_ := set $local "named_items" dict -}}
+      {{- range $item := $call.result -}}
+      {{- $_ := set $local "has_name_key" false -}}
+        {{- if kindIs "map" $item -}}
+          {{- if hasKey $item "name" -}}
+            {{- $_ := set $local "has_name_key" true -}}
+          {{- end -}}
+        {{- end -}}
+
+        {{- if $local.has_name_key -}}
+          {{- if hasKey $local.named_items $item.name -}}
+            {{- $named_item := index $local.named_items $item.name -}}
+            {{- $call := dict "target" $named_item "source" $item "merge_same_named" $.merge_same_named -}}
+            {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+          {{- else -}}
+            {{- $copy := dict -}}
+            {{- $copy_call := dict "target" $copy "source" $item -}}
+            {{- $_ := include "helm-toolkit.utils._merge.shallow" $copy_call -}}
+            {{- $_ := set $local.named_items $item.name $copy -}}
+            {{- $_ := set $local "result" (append $local.result $copy) -}}
+          {{- end -}}
+        {{- else -}}
+          {{- $_ := set $local "result" (append $local.result $item) -}}
+        {{- end -}}
+      {{- end -}}
+    {{- else -}}
+      {{- $_ := set $local "result" $call.result -}}
+    {{- end -}}
+    {{- $_ := set $ "result" (uniq $local.result) -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.shallow" -}}
+  {{- range $key, $value := $.source -}}
+    {{- $_ := set $.target $key $value -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.append_slice" -}}
+  {{- $local := dict -}}
+  {{- $_ := set $local "result" $.target -}}
+  {{- range $value := $.source -}}
+    {{- $_ := set $local "result" (append $local.result $value) -}}
+  {{- end -}}
+  {{- $_ := set $ "result" $local.result -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/utils/_template.tpl b/charts/openvswitch/charts/helm-toolkit/templates/utils/_template.tpl
new file mode 100644
index 0000000..da56aa0
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/utils/_template.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.template" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{ include $wtf $context }}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/utils/_to_ini.tpl b/charts/openvswitch/charts/helm-toolkit/templates/utils/_to_ini.tpl
new file mode 100644
index 0000000..a159364
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/utils/_to_ini.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns INI formatted output from yaml input
+values: |
+  conf:
+    paste:
+      filter:debug:
+        use: egg:oslo.middleware#debug
+      filter:request_id:
+        use: egg:oslo.middleware#request_id
+      filter:build_auth_context:
+        use: egg:keystone#build_auth_context
+usage: |
+  {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste }}
+return: |
+  [filter:build_auth_context]
+  use = egg:keystone#build_auth_context
+  [filter:debug]
+  use = egg:oslo.middleware#debug
+  [filter:request_id]
+  use = egg:oslo.middleware#request_id
+*/}}
+
+{{- define "helm-toolkit.utils.to_ini" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{else -}}
+{{ $key }} = {{ $value }}
+{{end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl b/charts/openvswitch/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
new file mode 100644
index 0000000..885a86c
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns yaml formatted to be used in k8s templates as container
+  env vars injected via secrets. This requires a secret-<chartname> template to
+  be defined in the chart that can be used to house the desired secret
+  variables. For reference, see the fluentd chart.
+values: |
+  test:
+    secrets:
+      foo: bar
+
+usage: |
+  {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+  - name: foo
+    valueFrom:
+      secretKeyRef:
+        name: "my-release-name-env-secret"
+        key: foo
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_secret_vars" -}}
+{{- $context := index . 0 -}}
+{{- $secrets := index . 1 -}}
+{{ range $key, $config := $secrets -}}
+- name: {{ $key }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ printf "%s-%s" $context.Release.Name "env-secret" | quote }}
+      key: {{ $key }}
+{{ end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl b/charts/openvswitch/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
new file mode 100644
index 0000000..829dca6
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
@@ -0,0 +1,39 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns key value pair formatted to be used in k8s templates as container
+  env vars.
+values: |
+  test:
+    foo: bar
+usage: |
+  {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+  - name: foo
+    value: "bar"
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_vars" -}}
+{{range $key, $value := . -}}
+{{- if kindIs "slice" $value -}}
+- name: {{ $key }}
+  value: {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{else -}}
+- name: {{ $key }}
+  value: {{ $value | quote }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/utils/_to_kv_list.tpl b/charts/openvswitch/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
new file mode 100644
index 0000000..91bdeb6
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
@@ -0,0 +1,42 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns key value pair in INI format (key = value)
+values: |
+  conf:
+    libvirt:
+      log_level: 3
+usage: |
+  {{ include "helm-toolkit.utils.to_kv_list" .Values.conf.libvirt }}
+return: |
+  log_level = 3
+*/}}
+
+{{- define "helm-toolkit.utils.to_kv_list" -}}
+{{- range $key, $value :=  . -}}
+{{- if kindIs "slice" $value }}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{- else if kindIs "string" $value }}
+{{- if regexMatch "^[0-9]+$" $value }}
+{{ $key }} = {{ $value }}
+{{- else }}
+{{ $key }} = {{ $value | quote }}
+{{- end }}
+{{- else }}
+{{ $key }} = {{ $value }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl b/charts/openvswitch/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
new file mode 100644
index 0000000..622a862
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns OSLO.conf formatted output from yaml input
+values: |
+  conf:
+    keystone:
+      DEFAULT: # Keys at this level are used for section headings
+        max_token_size: 255
+      oslo_messaging_notifications:
+        driver: # An example of a multistring option's syntax
+          type: multistring
+          values:
+            - messagingv2
+            - log
+      oslo_messaging_notifications_stein:
+        driver: # An example of a csv option's syntax
+          type: csv
+          values:
+            - messagingv2
+            - log
+      security_compliance:
+        password_expires_ignore_user_ids:
+        # Values in a list will be converted to a comma separated key
+          - "123"
+          - "456"
+usage: |
+  {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.keystone }}
+return: |
+  [DEFAULT]
+  max_token_size = 255
+  [oslo_messaging_notifications]
+  driver = messagingv2
+  driver = log
+  [oslo_messaging_notifications_stein]
+  driver = messagingv2,log
+  [security_compliance]
+  password_expires_ignore_user_ids = 123,456
+*/}}
+
+{{- define "helm-toolkit.utils.to_oslo_conf" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{ range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{ else if kindIs "map" $value -}}
+{{- if eq $value.type "multistring" }}
+{{- range $k, $multistringValue := $value.values -}}
+{{ $key }} = {{ $multistringValue }}
+{{ end -}}
+{{ else if eq $value.type "csv" -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value.values }}
+{{ end -}}
+{{- else -}}
+{{ $key }} = {{ $value }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/values.yaml b/charts/openvswitch/charts/helm-toolkit/values.yaml
new file mode 100644
index 0000000..681a92b
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/values.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for utils.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
diff --git a/charts/openvswitch/requirements.lock b/charts/openvswitch/requirements.lock
new file mode 100644
index 0000000..8aa7258
--- /dev/null
+++ b/charts/openvswitch/requirements.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: helm-toolkit
+  repository: file://../helm-toolkit
+  version: 0.2.50
+digest: sha256:7bb7761d375d7b44849ba551843e572bf8ee2208775d55d4b742e799d0e81799
+generated: "2023-01-13T19:09:14.335000104Z"
diff --git a/charts/openvswitch/requirements.yaml b/charts/openvswitch/requirements.yaml
new file mode 100644
index 0000000..84f0aff
--- /dev/null
+++ b/charts/openvswitch/requirements.yaml
@@ -0,0 +1,18 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies:
+  - name: helm-toolkit
+    repository: file://../helm-toolkit
+    version: ">= 0.1.0"
+...
diff --git a/charts/openvswitch/templates/bin/_openvswitch-db-server.sh.tpl b/charts/openvswitch/templates/bin/_openvswitch-db-server.sh.tpl
new file mode 100644
index 0000000..c3c4845
--- /dev/null
+++ b/charts/openvswitch/templates/bin/_openvswitch-db-server.sh.tpl
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+OVS_DB=/run/openvswitch/conf.db
+OVS_SCHEMA=/usr/share/openvswitch/vswitch.ovsschema
+OVS_PID=/run/openvswitch/ovsdb-server.pid
+OVS_SOCKET=/run/openvswitch/db.sock
+
+function start () {
+  mkdir -p "$(dirname ${OVS_DB})"
+  if [[ ! -e "${OVS_DB}" ]]; then
+    ovsdb-tool create "${OVS_DB}"
+  fi
+
+  if [[ "$(ovsdb-tool needs-conversion ${OVS_DB} ${OVS_SCHEMA})" == 'yes' ]]; then
+      ovsdb-tool convert ${OVS_DB} ${OVS_SCHEMA}
+  fi
+
+  umask 000
+  exec /usr/sbin/ovsdb-server ${OVS_DB} \
+          -vconsole:emer \
+          -vconsole:err \
+          -vconsole:info \
+          --pidfile=${OVS_PID} \
+          --remote=punix:${OVS_SOCKET} \
+          --remote=db:Open_vSwitch,Open_vSwitch,manager_options \
+{{- if .Values.conf.openvswitch_db_server.ptcp_port }}
+          --remote=ptcp:{{ .Values.conf.openvswitch_db_server.ptcp_port }} \
+{{- end }}
+          --private-key=db:Open_vSwitch,SSL,private_key \
+          --certificate=db:Open_vSwitch,SSL,certificate \
+          --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert
+}
+
+function stop () {
+  PID=$(cat $OVS_PID)
+  ovs-appctl -T1 -t /run/openvswitch/ovsdb-server.${PID}.ctl exit
+}
+
+$COMMAND
diff --git a/charts/openvswitch/templates/bin/_openvswitch-vswitchd-init-modules.sh.tpl b/charts/openvswitch/templates/bin/_openvswitch-vswitchd-init-modules.sh.tpl
new file mode 100644
index 0000000..6e4fdbb
--- /dev/null
+++ b/charts/openvswitch/templates/bin/_openvswitch-vswitchd-init-modules.sh.tpl
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+chroot /mnt/host-rootfs modprobe openvswitch
+chroot /mnt/host-rootfs modprobe gre
+chroot /mnt/host-rootfs modprobe vxlan
+
+{{- if .Values.conf.ovs_dpdk.enabled }}
+{{- if hasKey .Values.conf.ovs_dpdk "driver"}}
+chroot /mnt/host-rootfs modprobe {{ .Values.conf.ovs_dpdk.driver | quote }}
+{{- end }}
+{{- end }}
diff --git a/charts/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl b/charts/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl
new file mode 100644
index 0000000..a1a29cc
--- /dev/null
+++ b/charts/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl
@@ -0,0 +1,118 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+OVS_SOCKET=/run/openvswitch/db.sock
+OVS_PID=/run/openvswitch/ovs-vswitchd.pid
+
+# Create vhostuser directory and grant nova user (default UID 42424) access
+# permissions.
+{{- if .Values.conf.ovs_dpdk.enabled }}
+mkdir -p /run/openvswitch/{{ .Values.conf.ovs_dpdk.vhostuser_socket_dir }}
+chown {{ .Values.pod.user.nova.uid }}.{{ .Values.pod.user.nova.uid }} /run/openvswitch/{{ .Values.conf.ovs_dpdk.vhostuser_socket_dir }}
+{{- end }}
+
+function start () {
+  t=0
+  while [ ! -e "${OVS_SOCKET}" ] ; do
+      echo "waiting for ovs socket $sock"
+      sleep 1
+      t=$(($t+1))
+      if [ $t -ge 10 ] ; then
+          echo "no ovs socket, giving up"
+          exit 1
+      fi
+  done
+
+  ovs-vsctl --db=unix:${OVS_SOCKET} --no-wait show
+{{- if .Values.conf.ovs_hw_offload.enabled }}
+  ovs-vsctl --db=unix:${OVS_SOCKET} --no-wait set Open_vSwitch . other_config:hw-offload={{ .Values.conf.ovs_hw_offload.enabled }}
+{{- end }}
+{{- if .Values.conf.ovs_other_config.handler_threads }}
+  ovs-vsctl --db=unix:${OVS_SOCKET} --no-wait set Open_vSwitch . other_config:n-handler-threads={{ .Values.conf.ovs_other_config.handler_threads }}
+{{- end }}
+{{- if .Values.conf.ovs_other_config.revalidator_threads }}
+  ovs-vsctl --db=unix:${OVS_SOCKET} --no-wait set Open_vSwitch . other_config:n-revalidator-threads={{ .Values.conf.ovs_other_config.revalidator_threads }}
+{{- end }}
+
+{{- if .Values.conf.ovs_dpdk.enabled }}
+    ovs-vsctl --db=unix:${OVS_SOCKET} --no-wait set Open_vSwitch . other_config:dpdk-hugepage-dir={{ .Values.conf.ovs_dpdk.hugepages_mountpath | quote }}
+    ovs-vsctl --db=unix:${OVS_SOCKET} --no-wait set Open_vSwitch . other_config:dpdk-socket-mem={{ .Values.conf.ovs_dpdk.socket_memory | quote }}
+
+{{- if .Values.conf.ovs_dpdk.mem_channels }}
+    ovs-vsctl --db=unix:${OVS_SOCKET} --no-wait set Open_vSwitch . other_config:dpdk-mem-channels={{ .Values.conf.ovs_dpdk.mem_channels | quote }}
+{{- end }}
+
+{{- if hasKey .Values.conf.ovs_dpdk "pmd_cpu_mask" }}
+    ovs-vsctl --db=unix:${OVS_SOCKET} --no-wait set Open_vSwitch . other_config:pmd-cpu-mask={{ .Values.conf.ovs_dpdk.pmd_cpu_mask | quote }}
+    PMD_CPU_MASK={{ .Values.conf.ovs_dpdk.pmd_cpu_mask | quote }}
+{{- end }}
+
+{{- if hasKey .Values.conf.ovs_dpdk "lcore_mask" }}
+    ovs-vsctl --db=unix:${OVS_SOCKET} --no-wait set Open_vSwitch . other_config:dpdk-lcore-mask={{ .Values.conf.ovs_dpdk.lcore_mask | quote }}
+    LCORE_MASK={{ .Values.conf.ovs_dpdk.lcore_mask | quote }}
+{{- end }}
+
+{{- if hasKey .Values.conf.ovs_dpdk "vhost_iommu_support" }}
+    ovs-vsctl --db=unix:${OVS_SOCKET} --no-wait set Open_vSwitch . other_config:vhost-iommu-support={{ .Values.conf.ovs_dpdk.vhost_iommu_support }}
+{{- end }}
+
+    ovs-vsctl --db=unix:${OVS_SOCKET} --no-wait set Open_vSwitch . other_config:vhost-sock-dir={{ .Values.conf.ovs_dpdk.vhostuser_socket_dir | quote }}
+    ovs-vsctl --db=unix:${OVS_SOCKET} --no-wait set Open_vSwitch . other_config:dpdk-init=true
+
+  # No need to create the cgroup if lcore_mask or pmd_cpu_mask is not set.
+  if [[ -n ${PMD_CPU_MASK} || -n ${LCORE_MASK} ]]; then
+      # Setup Cgroups to use when breaking out of Kubernetes defined groups
+      mkdir -p /sys/fs/cgroup/cpuset/osh-openvswitch
+      target_mems="/sys/fs/cgroup/cpuset/osh-openvswitch/cpuset.mems"
+      target_cpus="/sys/fs/cgroup/cpuset/osh-openvswitch/cpuset.cpus"
+
+      # Ensure the write target for the for cpuset.mem for the pod exists
+      if [[ -f "$target_mems" && -f "$target_cpus" ]]; then
+        # Write cpuset.mem and cpuset.cpus for new cgroup and add current task to new cgroup
+        cat /sys/fs/cgroup/cpuset/cpuset.mems > "$target_mems"
+        cat /sys/fs/cgroup/cpuset/cpuset.cpus > "$target_cpus"
+        echo $$ > /sys/fs/cgroup/cpuset/osh-openvswitch/tasks
+      else
+        echo "ERROR: Could not find write target for either cpuset.mems: $target_mems or cpuset.cpus: $target_cpus"
+      fi
+  fi
+{{- end }}
+
+  exec /usr/sbin/ovs-vswitchd unix:${OVS_SOCKET} \
+          -vconsole:emer \
+          -vconsole:err \
+          -vconsole:info \
+          --pidfile=${OVS_PID} \
+          --mlockall
+}
+
+function stop () {
+  PID=$(cat $OVS_PID)
+  ovs-appctl -T1 -t /run/openvswitch/ovs-vswitchd.${PID}.ctl exit
+}
+
+function poststart () {
+  # This enables the usage of 'ovs-appctl' from neutron-ovs-agent pod.
+
+  PID=$(cat $OVS_PID)
+  OVS_CTL=/run/openvswitch/ovs-vswitchd.${PID}.ctl
+  chown {{ .Values.pod.user.nova.uid }}.{{ .Values.pod.user.nova.uid }} ${OVS_CTL}
+}
+
+$COMMAND
diff --git a/charts/openvswitch/templates/configmap-bin.yaml b/charts/openvswitch/templates/configmap-bin.yaml
new file mode 100644
index 0000000..f6e8dc5
--- /dev/null
+++ b/charts/openvswitch/templates/configmap-bin.yaml
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: openvswitch-bin
+data:
+{{- if .Values.images.local_registry.active }}
+  image-repo-sync.sh: |
+{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
+{{- end }}
+  openvswitch-db-server.sh: |
+{{ tuple "bin/_openvswitch-db-server.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  openvswitch-vswitchd.sh: |
+{{ tuple "bin/_openvswitch-vswitchd.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  openvswitch-vswitchd-init-modules.sh: |
+{{ tuple "bin/_openvswitch-vswitchd-init-modules.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
diff --git a/charts/openvswitch/templates/daemonset.yaml b/charts/openvswitch/templates/daemonset.yaml
new file mode 100644
index 0000000..244ffb8
--- /dev/null
+++ b/charts/openvswitch/templates/daemonset.yaml
@@ -0,0 +1,260 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "ovsdblivenessProbeTemplate" }}
+exec:
+  command:
+    - /usr/bin/ovs-vsctl
+    - show
+{{- end }}
+
+{{- define "ovsdbreadinessProbeTemplate" }}
+exec:
+  command:
+    - /usr/bin/ovs-vsctl
+    - list
+    - Open_Vswitch
+{{- end }}
+
+{{- define "ovsvswitchlivenessProbeTemplate" }}
+exec:
+  command:
+{{- if .Values.pod.probes.ovs.ovs_vswitch.liveness.exec }}
+{{ .Values.pod.probes.ovs.ovs_vswitch.liveness.exec | toYaml | indent 4 }}
+{{- else }}
+    - /usr/bin/ovs-appctl
+    - bond/list
+{{- end }}
+{{- end }}
+
+{{- define "ovsvswitchreadinessProbeTemplate" }}
+exec:
+  command:
+{{- if .Values.pod.probes.ovs.ovs_vswitch.readiness.exec }}
+{{ .Values.pod.probes.ovs.ovs_vswitch.readiness.exec | toYaml | indent 4 }}
+{{- else if not .Values.conf.ovs_dpdk.enabled }}
+    - /bin/bash
+    - -c
+    - '/usr/bin/ovs-vsctl show'
+{{- else }}
+    - /bin/bash
+    - -c
+    - '/usr/bin/ovs-vsctl show && ! /usr/bin/ovs-vsctl list Open_vSwitch | grep -q dpdk_initialized.*false'
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.daemonset }}
+{{- $envAll := . }}
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: openvswitch
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "openvswitch" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  selector:
+    matchLabels:
+{{ tuple $envAll "openvswitch" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll "ovs" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "openvswitch" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "openvswitch" "containerNames" (list "openvswitch-db" "openvswitch-db-perms" "openvswitch-vswitchd" "openvswitch-vswitchd-modules" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+      shareProcessNamespace: true
+{{ dict "envAll" $envAll "application" "ovs" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      nodeSelector:
+        {{ .Values.labels.ovs.node_selector_key }}: {{ .Values.labels.ovs.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.openvswitch.enabled }}
+{{ tuple $envAll "openvswitch" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+      dnsPolicy: {{ .Values.pod.dns_policy }}
+      hostNetwork: true
+      initContainers:
+{{ tuple $envAll "ovs" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: openvswitch-db-perms
+{{ tuple $envAll "openvswitch_db_server" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ovs" "container" "perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.ovs.db | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - chown
+            - -R
+            - {{ $envAll.Values.pod.security_context.ovs.container.server.runAsUser | quote }}
+            - /run/openvswitch
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: run-openvswitch
+              mountPath: /run/openvswitch
+        - name: openvswitch-vswitchd-modules
+{{ tuple $envAll "openvswitch_vswitchd" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ovs" "container" "modules" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/openvswitch-vswitchd-init-modules.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: openvswitch-bin
+              mountPath: /tmp/openvswitch-vswitchd-init-modules.sh
+              subPath: openvswitch-vswitchd-init-modules.sh
+              readOnly: true
+            - name: host-rootfs
+              mountPath: /mnt/host-rootfs
+              mountPropagation: HostToContainer
+              readOnly: true
+      containers:
+        - name: openvswitch-db
+{{ tuple $envAll "openvswitch_db_server" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ovs" "container" "server" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.ovs.db | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "component" "ovs" "container" "ovs_db" "type" "liveness" "probeTemplate" (include "ovsdblivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" $envAll "component" "ovs" "container" "ovs_db" "type" "readiness" "probeTemplate" (include "ovsdbreadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+          command:
+            - /tmp/openvswitch-db-server.sh
+            - start
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - /tmp/openvswitch-db-server.sh
+                  - stop
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: openvswitch-bin
+              mountPath: /tmp/openvswitch-db-server.sh
+              subPath: openvswitch-db-server.sh
+              readOnly: true
+            - name: run
+              mountPath: /run
+        - name: openvswitch-vswitchd
+{{- if .Values.conf.ovs_dpdk.enabled }}
+{{/* Run the container in priviledged mode due to the need for root
+permissions when using the uio_pci_generic driver. */}}
+{{- $_ := set $envAll.Values.pod.security_context.ovs.container.vswitchd "privileged" true -}}
+{{/* Limiting CPU cores would severely affect packet throughput
+It should be handled through lcore and pmd core masks. */}}
+{{- if .Values.pod.resources.enabled }}
+{{ $_ := unset $envAll.Values.pod.resources.ovs.vswitchd.requests "cpu" }}
+{{ $_ := unset $envAll.Values.pod.resources.ovs.vswitchd.limits "cpu" }}
+{{- end }}
+{{- end }}
+{{ tuple $envAll "openvswitch_vswitchd" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ovs" "container" "vswitchd" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.ovs.vswitchd | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          # ensures this container can speak to the ovs database
+          # successfully before its marked as ready
+{{ dict "envAll" $envAll "component" "ovs" "container" "ovs_vswitch" "type" "liveness" "probeTemplate" (include "ovsvswitchlivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" $envAll "component" "ovs" "container" "ovs_vswitch" "type" "readiness" "probeTemplate" (include "ovsvswitchreadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+          command:
+            - /tmp/openvswitch-vswitchd.sh
+            - start
+          lifecycle:
+            postStart:
+              exec:
+                command:
+                  - /tmp/openvswitch-vswitchd.sh
+                  - poststart
+            preStop:
+              exec:
+                command:
+                  - /tmp/openvswitch-vswitchd.sh
+                  - stop
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: openvswitch-bin
+              mountPath: /tmp/openvswitch-vswitchd.sh
+              subPath: openvswitch-vswitchd.sh
+              readOnly: true
+            - name: run
+              mountPath: /run
+{{- if .Values.conf.ovs_dpdk.enabled }}
+            - name: hugepages
+              mountPath: {{ .Values.conf.ovs_dpdk.hugepages_mountpath | quote }}
+            - name: pci-devices
+              mountPath: /sys/bus/pci/devices
+            - name: huge-pages-kernel
+              mountPath: /sys/kernel/mm/hugepages
+            - name: node-devices
+              mountPath: /sys/devices/system/node
+            - name: modules
+              mountPath: /lib/modules
+            - name: devs
+              mountPath: /dev
+            - name: pci-drivers
+              mountPath: /sys/bus/pci/drivers
+            - name: cgroup
+              mountPath: /sys/fs/cgroup
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: openvswitch-bin
+          configMap:
+            name: openvswitch-bin
+            defaultMode: 0555
+        - name: run
+          hostPath:
+            path: /run
+            type: Directory
+        - name: run-openvswitch
+          hostPath:
+            path: /run/openvswitch
+            type: DirectoryOrCreate
+        - name: host-rootfs
+          hostPath:
+            path: /
+            type: Directory
+{{- if .Values.conf.ovs_dpdk.enabled }}
+        - name: devs
+          hostPath:
+            path: /dev
+            type: Directory
+        - name: pci-devices
+          hostPath:
+            path: /sys/bus/pci/devices
+            type: Directory
+        - name: huge-pages-kernel
+          hostPath:
+            path: /sys/kernel/mm/hugepages
+            type: Directory
+        - name: node-devices
+          hostPath:
+            path: /sys/devices/system/node
+            type: Directory
+        - name: modules
+          hostPath:
+            path: /lib/modules
+            type: Directory
+        - name: pci-drivers
+          hostPath:
+            path: /sys/bus/pci/drivers
+            type: Directory
+        - name: hugepages
+          hostPath:
+            path: {{ .Values.conf.ovs_dpdk.hugepages_mountpath | quote }}
+            type: Directory
+        - name: cgroup
+          hostPath:
+            path: /sys/fs/cgroup
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/openvswitch/templates/job-image-repo-sync.yaml b/charts/openvswitch/templates/job-image-repo-sync.yaml
new file mode 100644
index 0000000..765061c
--- /dev/null
+++ b/charts/openvswitch/templates/job-image-repo-sync.yaml
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
+{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "openvswitch" -}}
+{{- if .Values.pod.tolerations.openvswitch.enabled -}}
+{{- $_ := set $imageRepoSyncJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
+{{- end }}
diff --git a/charts/openvswitch/templates/network-policy.yaml b/charts/openvswitch/templates/network-policy.yaml
new file mode 100644
index 0000000..751e0e0
--- /dev/null
+++ b/charts/openvswitch/templates/network-policy.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "openvswitch" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/charts/openvswitch/templates/secret-registry.yaml b/charts/openvswitch/templates/secret-registry.yaml
new file mode 100644
index 0000000..da979b3
--- /dev/null
+++ b/charts/openvswitch/templates/secret-registry.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
diff --git a/charts/openvswitch/values.yaml b/charts/openvswitch/values.yaml
new file mode 100644
index 0000000..b131faa
--- /dev/null
+++ b/charts/openvswitch/values.yaml
@@ -0,0 +1,235 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for openvswitch.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+---
+release_group: null
+
+images:
+  tags:
+    openvswitch_db_server: docker.io/openstackhelm/openvswitch:latest-ubuntu_bionic
+    openvswitch_vswitchd: docker.io/openstackhelm/openvswitch:latest-ubuntu_bionic
+    dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    image_repo_sync: docker.io/library/docker:17.07.0
+  pull_policy: "IfNotPresent"
+  local_registry:
+    active: false
+    exclude:
+      - dep_check
+      - image_repo_sync
+
+labels:
+  ovs:
+    node_selector_key: openvswitch
+    node_selector_value: enabled
+
+pod:
+  tolerations:
+    openvswitch:
+      enabled: false
+      tolerations:
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: NoSchedule
+  probes:
+    ovs:
+      ovs_db:
+        liveness:
+          enabled: true
+          params:
+            initialDelaySeconds: 60
+            periodSeconds: 30
+            timeoutSeconds: 5
+        readiness:
+          enabled: true
+          params:
+            initialDelaySeconds: 90
+            periodSeconds: 30
+            timeoutSeconds: 5
+      ovs_vswitch:
+        liveness:
+          enabled: true
+          params:
+            initialDelaySeconds: 60
+            periodSeconds: 30
+            timeoutSeconds: 5
+        readiness:
+          enabled: true
+          params:
+            failureThreshold: 3
+            periodSeconds: 10
+            timeoutSeconds: 1
+  security_context:
+    ovs:
+      pod:
+        runAsUser: 42424
+      container:
+        perms:
+          runAsUser: 0
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+        server:
+          runAsUser: 42424
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+        modules:
+          runAsUser: 0
+          capabilities:
+            add:
+              - SYS_MODULE
+              - SYS_CHROOT
+          readOnlyRootFilesystem: true
+        vswitchd:
+          runAsUser: 0
+          capabilities:
+            add:
+              - NET_ADMIN
+          readOnlyRootFilesystem: true
+  dns_policy: "ClusterFirstWithHostNet"
+  lifecycle:
+    upgrades:
+      daemonsets:
+        pod_replacement_strategy: RollingUpdate
+        ovs:
+          enabled: true
+          min_ready_seconds: 0
+          max_unavailable: 1
+  resources:
+    enabled: false
+    ovs:
+      db:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      vswitchd:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+          # set resources to enabled and specify one of the following when using dpdk
+          # hugepages-1Gi: "1Gi"
+          # hugepages-2Mi: "512Mi"
+    jobs:
+      image_repo_sync:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+  user:
+    nova:
+      uid: 42424
+
+secrets:
+  oci_image_registry:
+    openvswitch: openvswitch-oci-image-registry-key
+
+endpoints:
+  cluster_domain_suffix: cluster.local
+  local_image_registry:
+    name: docker-registry
+    namespace: docker-registry
+    hosts:
+      default: localhost
+      internal: docker-registry
+      node: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      openvswitch:
+        username: openvswitch
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
+
+network_policy:
+  openvswitch:
+    ingress:
+      - {}
+    egress:
+      - {}
+
+dependencies:
+  dynamic:
+    common:
+      local_image_registry:
+        jobs:
+          - openvswitch-image-repo-sync
+        services:
+          - endpoint: node
+            service: local_image_registry
+  static:
+    ovs: null
+    image_repo_sync:
+      services:
+        - endpoint: internal
+          service: local_image_registry
+
+manifests:
+  configmap_bin: true
+  daemonset: true
+  daemonset_ovs_vswitchd: true
+  job_image_repo_sync: true
+  network_policy: false
+  secret_registry: true
+
+conf:
+  openvswitch_db_server:
+    ptcp_port: null
+  ovs_other_config:
+    handler_threads: null
+    revalidator_threads: null
+  ovs_hw_offload:
+    enabled: false
+  ovs_dpdk:
+    enabled: false
+    ## Mandatory parameters. Please uncomment when enabling DPDK
+    # socket_memory: 1024
+    # hugepages_mountpath: /dev/hugepages
+    # vhostuser_socket_dir: vhostuser
+    #
+    ## Optional hardware specific parameters: modify to match NUMA topology
+    # mem_channels: 4
+    # lcore_mask: 0x1
+    # pmd_cpu_mask: 0x4
+    #
+    ## Optional driver to use. Driver name should be the same as the one
+    ## specified in the ovs_dpdk section in the Neutron values and vice versa
+    # driver: vfio-pci
+    #
+    ## Optional security feature
+    #     vHost IOMMU feature restricts the vhost memory that a virtio device
+    #     access, available with DPDK v17.11
+    # vhost_iommu_support: true
+...
diff --git a/charts/placement/Chart.yaml b/charts/placement/Chart.yaml
new file mode 100644
index 0000000..23f8ccf
--- /dev/null
+++ b/charts/placement/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Placement
+home: https://docs.openstack.org/placement/latest/
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/Placement/OpenStack_Project_Placement_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: placement
+sources:
+- https://opendev.org/openstack/placement
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.10
diff --git a/charts/placement/charts/helm-toolkit/Chart.yaml b/charts/placement/charts/helm-toolkit/Chart.yaml
new file mode 100644
index 0000000..4f9e6e5
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Helm-Toolkit
+home: https://docs.openstack.org/openstack-helm
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: helm-toolkit
+sources:
+- https://opendev.org/openstack/openstack-helm-infra
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.46
diff --git a/charts/placement/charts/helm-toolkit/requirements.yaml b/charts/placement/charts/helm-toolkit/requirements.yaml
new file mode 100644
index 0000000..27fb08a
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/requirements.yaml
@@ -0,0 +1,15 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies: []
+...
diff --git a/charts/placement/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl b/charts/placement/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..12b84de
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
@@ -0,0 +1,58 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves database, or basic auth, style endpoints
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      auth:
+        admin:
+          username: root
+          password: password
+        service_username:
+          username: username
+          password: password
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+      path: /dbname
+      scheme: mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "service_username" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+return: |
+  mysql+pymysql://serviceuser:password@mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s:%s@%s:%s%s" $endpointScheme $endpointUser $endpointPass $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl b/charts/placement/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..b7cf287
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
@@ -0,0 +1,121 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves endpoint string suitible for use with oslo.messaging transport url
+  See: https://docs.openstack.org/oslo.messaging/latest/reference/transport.html#oslo_messaging.TransportURL
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset:
+            replicas: 2
+            name: rabbitmq-rabbitmq
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: null
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq-rabbitmq-0.rabbitmq.default.svc.cluster.local:5672,cinder:password@rabbitmq-rabbitmq-1.rabbitmq.default.svc.cluster.local:5672/cinder
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset: null
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: null
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq.default.svc.cluster.local:5672/cinder
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset:
+            replicas: 2
+            name: rabbitmq-rabbitmq
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: rabbitmq.openstackhelm.org
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq.openstackhelm.org:5672/cinder
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" -}}
+{{-   $type := index . 0 -}}
+{{-   $endpoint := index . 1 -}}
+{{-   $userclass := index . 2 -}}
+{{-   $port := index . 3 -}}
+{{-   $context := index . 4 -}}
+{{-   $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{-   $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{-   $ssMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "statefulset" | default false}}
+{{-   $hostFqdnOverride := index $context.Values.endpoints ( $type | replace "-" "_" ) "host_fqdn_override" }}
+{{-   $endpointUser := index $userMap "username" }}
+{{-   $endpointPass := index $userMap "password" }}
+{{-   $endpointHostSuffix := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{-   $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{-   $local := dict "endpointCredsAndHosts" list -}}
+{{-   if not (or (index $hostFqdnOverride $endpoint | default ( index $hostFqdnOverride "default" ) ) ( not $ssMap ) ) }}
+{{-     $endpointHostPrefix := $ssMap.name }}
+{{-     range $podInt := until ( atoi (print $ssMap.replicas ) ) }}
+{{-       $endpointCredAndHost := printf "%s:%s@%s-%d.%s:%s" $endpointUser $endpointPass $endpointHostPrefix $podInt $endpointHostSuffix $endpointPort }}
+{{-       $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{-     end }}
+{{-   else }}
+{{-     $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{-     $endpointCredAndHost := printf "%s:%s@%s:%s" $endpointUser $endpointPass $endpointHost $endpointPort }}
+{{-     $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{-   end }}
+{{-   $endpointCredsAndHosts := include "helm-toolkit.utils.joinListWithComma" $local.endpointCredsAndHosts }}
+{{-   $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{-   printf "%s://%s%s" $endpointScheme $endpointCredsAndHosts $endpointPath }}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl b/charts/placement/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
new file mode 100644
index 0000000..fb8bbe7
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves either the fully qualified hostname, of if defined in the host field
+  IPv4 for an endpoint.
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default:
+             host: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: 127.0.0.1
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      127.0.0.1
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default:
+             host: 127.0.0.1
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      127.0.0.1
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_host_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl b/charts/placement/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
new file mode 100644
index 0000000..447efe7
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
@@ -0,0 +1,41 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the port for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+return: |
+  3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_port_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- $endpointPortMAP := index $endpointMap.port $port }}
+{{- $endpointPort := index $endpointPortMAP $endpoint | default ( index $endpointPortMAP "default" ) }}
+{{- printf "%1.f" $endpointPort -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl b/charts/placement/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
new file mode 100644
index 0000000..3a268c0
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
@@ -0,0 +1,36 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Gets the token for an endpoint
+values: |
+  endpoints:
+    keystone:
+      auth:
+        admin:
+          token: zh78JzXgw6YUKy2e
+usage: |
+  {{ tuple "keystone" "admin" . | include "helm-toolkit.endpoints.endpoint_token_lookup" }}
+return: |
+  zh78JzXgw6YUKy2e
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_token_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $userName := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" }}
+{{- printf "%s" $serviceToken -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl b/charts/placement/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..6877b7b
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
@@ -0,0 +1,59 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves 'hostname:port' for an endpoint
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+          port:
+            mysql:
+              default: 3306
+    usage: |
+      {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local:3306
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: 127.0.0.1
+          host_fqdn_override:
+            default: null
+          port:
+            mysql:
+              default: 3306
+    usage: |
+      {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+    return: |
+      127.0.0.1:3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- printf "%s:%s" $endpointHostname $endpointPort -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl b/charts/placement/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
new file mode 100644
index 0000000..26374e3
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the fully qualified hostname for an endpoint
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: mariadb.openstackhelm.openstack.org
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.openstackhelm.openstack.org
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default:
+              host: mariadb.openstackhelm.openstack.org
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.openstackhelm.openstack.org
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointHostNamespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.svc.%s" $endpointHostNamespaced $context.Values.endpoints.cluster_domain_suffix }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $endpointMap.host_fqdn_override "default" | default "" ) }}
+{{- if kindIs "map" $context.Values.__FQDNendpointHostDefault }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $context.Values.__FQDNendpointHostDefault "host" ) }}
+{{- end }}
+{{- if kindIs "map" (index $endpointMap.host_fqdn_override $endpoint) }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint "host" | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl b/charts/placement/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
new file mode 100644
index 0000000..9d60393
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
@@ -0,0 +1,40 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the namespace scoped hostname for an endpoint
+values: |
+  endpoints:
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+return: |
+  mariadb.default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.%s" $endpointHost $namespace }}
+{{- printf "%s" $endpointClusterHostname -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl b/charts/placement/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
new file mode 100644
index 0000000..cc4d4de
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the namespace scoped hostname for an endpoint
+values: |
+  endpoints:
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" }}
+return: |
+  default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- printf "%s" $namespace -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl b/charts/placement/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
new file mode 100644
index 0000000..f23c624
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the short hostname for an endpoint
+examples:
+  - values: |
+      endpoints:
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+    return: |
+      mariadb
+  - values: |
+      endpoints:
+        oslo_db:
+          hosts:
+            default:
+              host: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+    return: |
+      mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- printf "%s" $type -}}
+{{- else }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl b/charts/placement/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
new file mode 100644
index 0000000..e31c0eb
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the service name for an service type
+values: |
+  endpoints:
+    identity:
+      name: keystone
+usage: |
+  {{ tuple identity . | include "keystone_endpoint_name_lookup" }}
+return: |
+  "keystone"
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_name_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointName := index $endpointMap "name" }}
+{{- $endpointName | quote -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl b/charts/placement/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
new file mode 100644
index 0000000..b2ec648
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+  Resolves the path for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      path:
+       default: /dbname
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+return: |
+  /dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_path_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.path }}
+{{- printf "%s" $endpointMap.path | default "/" -}}
+{{- else -}}
+{{- $endpointPath := index $endpointMap.path $endpoint | default $endpointMap.path.default | default "/" }}
+{{- printf "%s" $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl b/charts/placement/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
new file mode 100644
index 0000000..b35cb0b
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+  Resolves the scheme for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      scheme:
+        default:
+          mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+return: |
+  mysql+pymysql
+*/}}
+
+# This function returns the scheme for a service, it takes an tuple
+# input in the form: service-type, endpoint-class, port-name. eg:
+# { tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_scheme_lookup" }
+# will return the scheme setting for this particular endpoint.  In other words, for most endpoints
+# it will return either 'http' or 'https'
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.scheme }}
+{{- printf "%s" $endpointMap.scheme | default "http" -}}
+{{- else -}}
+{{- $endpointScheme := index $endpointMap.scheme $endpoint | default $endpointMap.scheme.default | default "http" }}
+{{- printf "%s" $endpointScheme -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl b/charts/placement/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..8d0819c
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
@@ -0,0 +1,52 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  This function helps resolve uri style endpoints. It will omit the port for
+  http when 80 is used, and 443 in the case of https.
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+      path: /dbname
+      scheme: mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+return: |
+  mysql+pymysql://mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- if or ( and ( eq $endpointScheme "http" ) ( eq $endpointPort "80" ) ) ( and ( eq $endpointScheme "https" ) ( eq $endpointPort "443" ) ) -}}
+{{- printf "%s://%s%s" $endpointScheme $endpointHost $endpointPath -}}
+{{- else -}}
+{{- printf "%s://%s:%s%s" $endpointScheme $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl b/charts/placement/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
new file mode 100644
index 0000000..cf2ef38
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  This function returns endpoint "<namespace>:<name>" pair from an endpoint
+  definition. This is used in kubernetes-entrypoint to support dependencies
+  between different services in different namespaces.
+  returns: the endpoint namespace and the service name, delimited by a colon
+
+  Normally, the service name is constructed dynamically from the hostname
+  however when an ip address is used as the hostname, we default to
+  namespace:endpointCategoryName in order to construct a valid service name
+  however this can be overridden to a custom service name by defining
+  .service.name within the endpoint definition
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      namespace: foo
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple oslo_db internal . | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}
+return: |
+  foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- with $endpointMap -}}
+{{- $endpointName := index .hosts $endpoint | default .hosts.default }}
+{{- $endpointNamespace := .namespace | default $context.Release.Namespace }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointName }}
+{{- if .service.name }}
+{{- printf "%s:%s" $endpointNamespace .service.name -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $typeYamlSafe -}}
+{{- end -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $endpointName -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl b/charts/placement/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
new file mode 100644
index 0000000..18453ee
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for kubernete ceph storageclass
+examples:
+  - values: |
+      manifests:
+        storageclass: true
+      storageclass:
+        rbd:
+          provision_storage_class: true
+          provisioner: "ceph.com/rbd"
+          metadata:
+            default_storage_class: true
+            name: general
+          parameters:
+            #We will grab the monitors value based on helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup
+            pool: rbd
+            admin_id: admin
+            ceph_configmap_name: "ceph-etc"
+            admin_secret_name: "pvc-ceph-conf-combined-storageclass"
+            admin_secret_namespace: ceph
+            user_id: admin
+            user_secret_name: "pvc-ceph-client-key"
+            image_format: "2"
+            image_features: layering
+        cephfs:
+          provision_storage_class: true
+          provisioner: "ceph.com/cephfs"
+          metadata:
+            name: cephfs
+          parameters:
+            admin_id: admin
+            admin_secret_name: "pvc-ceph-cephfs-client-key"
+            admin_secret_namespace: ceph
+    usage: |
+      {{- range $storageclass, $val := .Values.storageclass }}
+      {{ dict "storageclass_data" $val "envAll" $ | include "helm-toolkit.manifests.ceph-storageclass" }}
+      {{- end }}
+    return: |
+      ---
+      apiVersion: storage.k8s.io/v1
+      kind: StorageClass
+      metadata:
+        annotations:
+          storageclass.kubernetes.io/is-default-class: "true"
+        name: general
+      provisioner: ceph.com/rbd
+      parameters:
+        monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+        adminId: admin
+        adminSecretName: pvc-ceph-conf-combined-storageclass
+        adminSecretNamespace: ceph
+        pool: rbd
+        userId: admin
+        userSecretName: pvc-ceph-client-key
+        image_format: "2"
+        image_features: layering
+      ---
+      apiVersion: storage.k8s.io/v1
+      kind: StorageClass
+      metadata:
+        name: cephfs
+      provisioner: ceph.com/cephfs
+      parameters:
+        monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+        adminId: admin
+        adminSecretName: pvc-ceph-cephfs-client-key
+        adminSecretNamespace: ceph
+*/}}
+
+{{- define "helm-toolkit.manifests.ceph-storageclass" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $monHost := $envAll.Values.conf.ceph.global.mon_host -}}
+{{- if empty $monHost -}}
+{{- $monHost = tuple "ceph_mon" "internal" "mon" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- end -}}
+{{- $storageclassData := index . "storageclass_data" -}}
+---
+{{- if $storageclassData.provision_storage_class }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+{{- if $storageclassData.metadata.default_storage_class }}
+  annotations:
+    storageclass.kubernetes.io/is-default-class: "true"
+{{- end }}
+  name: {{ $storageclassData.metadata.name }}
+provisioner: {{ $storageclassData.provisioner }}
+parameters:
+  monitors: {{ $monHost }}
+{{- range $attr, $value := $storageclassData.parameters }}
+  {{ $attr }}: {{ $value | quote }}
+{{- end }}
+allowVolumeExpansion: true
+
+{{- end }}
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/manifests/_certificates.tpl b/charts/placement/charts/helm-toolkit/templates/manifests/_certificates.tpl
new file mode 100644
index 0000000..8be771e
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/manifests/_certificates.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a certificate using jetstack
+examples:
+  - values: |
+      endpoints:
+        dashboard:
+          host_fqdn_override:
+            default:
+              host: null
+              tls:
+                secretName: keystone-tls-api
+                issuerRef:
+                  name: ca-issuer
+                  duration: 2160h
+                  organization:
+                    - ACME
+                  commonName: keystone-api.openstack.svc.cluster.local
+                  privateKey:
+                    size: 2048
+                  usages:
+                    - server auth
+                    - client auth
+                  dnsNames:
+                    - cluster.local
+                  issuerRef:
+                    name: ca-issuer
+    usage: |
+      {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
+      {{ $opts | include "helm-toolkit.manifests.certificates" }}
+    return: |
+      ---
+      apiVersion: cert-manager.io/v1
+      kind: Certificate
+      metadata:
+        name: keystone-tls-api
+        namespace: NAMESPACE
+      spec:
+        commonName: keystone-api.openstack.svc.cluster.local
+        dnsNames:
+        - cluster.local
+        duration: 2160h
+        issuerRef:
+          name: ca-issuer
+        privateKey:
+          size: 2048
+        organization:
+        - ACME
+        secretName: keystone-tls-api
+        usages:
+        - server auth
+        - client auth
+*/}}
+
+{{- define "helm-toolkit.manifests.certificates" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $service := index . "service" -}}
+{{- $type := index . "type" | default "" -}}
+{{- $slice := index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" -}}
+{{/* Put in some sensible default value if one is not provided by values.yaml */}}
+{{/* If a dnsNames list is not in the values.yaml, it can be overridden by a passed-in parameter.
+  This allows user to use other HTK method to determine the URI and pass that into this method.*/}}
+{{- if not (hasKey $slice "dnsNames") -}}
+{{- $hostName := tuple $service $type $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
+{{- $_ := $dnsNames | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "dnsNames" -}}
+{{- end -}}
+{{/* Default privateKey size to 4096. This can be overridden. */}}
+{{- if not (hasKey $slice "privateKey") -}}
+{{- $_ := dict "size" ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "privateKey" -}}
+{{- else if empty (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey" "size") -}}
+{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey") "size" -}}
+{{- end -}}
+{{/* Default duration to 3 months. Note the min is 720h. This can be overridden. */}}
+{{- if not (hasKey $slice "duration") -}}
+{{- $_ := printf "%s" "2190h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "duration" -}}
+{{- end -}}
+{{/* Default renewBefore to 15 days. This can be overridden. */}}
+{{- if not (hasKey $slice "renewBefore") -}}
+{{- $_ := printf "%s" "360h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "renewBefore" -}}
+{{- end -}}
+{{/* Default the usage to server auth and client auth. This can be overridden. */}}
+{{- if not (hasKey $slice "usages") -}}
+{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}}
+{{- end -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }}
+  namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{ $slice | toYaml | indent 2 }}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/placement/charts/helm-toolkit/templates/manifests/_ingress.tpl
new file mode 100644
index 0000000..70e64cc
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -0,0 +1,729 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a services ingress rules.
+examples:
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public: barbican
+          host_fqdn_override:
+            default: null
+            public:
+              host: barbican.openstackhelm.example
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican-namespace-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican.openstackhelm.example
+        rules:
+          - host: barbican.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican-cluster-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx-cluster"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican.openstackhelm.example
+        rules:
+          - host: barbican.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  - values: |
+      cert_issuer_type: issuer
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/secure-backends: "true"
+              nginx.ingress.kubernetes.io/backend-protocol: "https"
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+              internal: barbican-tls-api
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+          certs:
+            barbican_tls_api:
+              secretName: barbican-tls-api
+              issuerRef:
+                name: ca-issuer
+                kind: Issuer
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          cert-manager.io/issuer: ca-issuer
+          certmanager.k8s.io/issuer: ca-issuer
+          nginx.ingress.kubernetes.io/backend-protocol: https
+          nginx.ingress.kubernetes.io/secure-backends: "true"
+      spec:
+        tls:
+          - secretName: barbican-tls-public-certmanager
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/secure-backends: "true"
+              nginx.ingress.kubernetes.io/backend-protocol: "https"
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+              internal: barbican-tls-api
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+          certs:
+            barbican_tls_api:
+              secretName: barbican-tls-api
+              issuerRef:
+                name: ca-issuer
+                kind: ClusterIssuer
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer") -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          cert-manager.io/cluster-issuer: ca-issuer
+          certmanager.k8s.io/cluster-issuer: ca-issuer
+          nginx.ingress.kubernetes.io/backend-protocol: https
+          nginx.ingress.kubernetes.io/secure-backends: "true"
+      spec:
+        tls:
+          - secretName: barbican-tls-public-certmanager
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  # Sample usage for multiple DNS names associated with the same public
+  # endpoint and certificate
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        grafana:
+          name: grafana
+          hosts:
+            default: grafana-dashboard
+            public: grafana
+          host_fqdn_override:
+            public:
+              host: grafana.openstackhelm.example
+              tls:
+                dnsNames:
+                  - grafana-alt.openstackhelm.example
+                crt: "BASE64 ENCODED CERT"
+                key: "BASE64 ENCODED KEY"
+      network:
+        grafana:
+          ingress:
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          grafana:
+            grafana:
+              public: grafana-tls-public
+    usage: |
+      {{- $ingressOpts := dict "envAll" . "backendService" "grafana" "backendServiceType" "grafana" "backendPort" "dashboard" -}}
+      {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        rules:
+          - host: grafana
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana-namespace-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: grafana-tls-public
+            hosts:
+              - grafana.openstackhelm.example
+              - grafana-alt.openstackhelm.example
+        rules:
+          - host: grafana.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana-alt.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana-cluster-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx-cluster"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: grafana-tls-public
+            hosts:
+              - grafana.openstackhelm.example
+              - grafana-alt.openstackhelm.example
+        rules:
+          - host: grafana.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana-alt.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+
+*/}}
+
+{{- define "helm-toolkit.manifests.ingress._host_rules" -}}
+{{- $vHost := index . "vHost" -}}
+{{- $backendName := index . "backendName" -}}
+{{- $backendPort := index . "backendPort" -}}
+- host: {{ $vHost }}
+  http:
+    paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: {{ $backendName }}
+            port:
+{{- if or (kindIs "int" $backendPort) (regexMatch "^[0-9]{1,5}$" $backendPort) }}
+              number: {{ $backendPort | int }}
+{{- else }}
+              name: {{ $backendPort | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "helm-toolkit.manifests.ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendService := index . "backendService" | default "api" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+{{- $backendPort := index . "backendPort" -}}
+{{- $endpoint := index . "endpoint" | default "public" -}}
+{{- $certIssuer := index . "certIssuer" | default "" -}}
+{{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostNameFull := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $certIssuerType := "cluster-issuer" -}}
+{{- if $envAll.Values.cert_issuer_type }}
+{{- $certIssuerType = $envAll.Values.cert_issuer_type }}
+{{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $ingressName }}
+  annotations:
+    kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" "namespace" | quote }}
+{{- if $certIssuer }}
+    cert-manager.io/{{ $certIssuerType }}: {{ $certIssuer }}
+    certmanager.k8s.io/{{ $certIssuerType }}: {{ $certIssuer }}
+{{- $slice := index $envAll.Values.endpoints $backendServiceType "host_fqdn_override" "default" "tls" -}}
+{{- if (hasKey $slice "duration") }}
+    cert-manager.io/duration: {{ index $slice "duration" }}
+{{- end }}
+{{- end }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "hosts" }}
+{{- if $certIssuer }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ printf "%s-ing" $secretName }}
+      hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+        - {{ $vHost }}
+{{- end }}
+{{- else }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ $secretName }}
+      hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+        - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+  rules:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+{{- $hostRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
+{{- $ingressConf := $envAll.Values.network.kibana.ingress -}}
+{{- $ingressClasses := ternary (tuple "namespace") (tuple "namespace" "cluster") (and (hasKey $ingressConf "use_external_ingress_controller") $ingressConf.use_external_ingress_controller) }}
+{{- range $key2, $ingressController := $ingressClasses }}
+{{- $vHosts := list $hostNameFull }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ printf "%s-%s-%s" $ingressName $ingressController "fqdn" }}
+  annotations:
+    kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" $ingressController | quote }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
+{{- $vHosts = append $vHosts $v }}
+{{- end }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ $secretName }}
+      hosts:
+{{- range $vHost := $vHosts }}
+        - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+  rules:
+{{- range $vHost := $vHosts }}
+{{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/charts/placement/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
new file mode 100644
index 0000000..5d98c8b
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
@@ -0,0 +1,141 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $bootstrapJob := dict "envAll" . "serviceName" "senlin" -}
+# { $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }
+
+{{- define "helm-toolkit.manifests.job_bootstrap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}}
+{{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $keystoneUser := index . "keystoneUser" | default $serviceName -}}
+{{- $openrc := index . "openrc" | default "true" -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "bootstrap" }}
+{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "bootstrap" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+      containers:
+        - name: bootstrap
+          image: {{ $envAll.Values.images.tags.bootstrap }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if eq $openrc "true" }}
+          env:
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+{{- end }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/bootstrap.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: bootstrap-sh
+              mountPath: /tmp/bootstrap.sh
+              subPath: bootstrap.sh
+              readOnly: true
+            - name: etc-service
+              mountPath: {{ dir $configFile | quote }}
+            - name: bootstrap-conf
+              mountPath: {{ $configFile | quote }}
+              subPath: {{ base $configFile | quote }}
+              readOnly: true
+            - name: bootstrap-conf
+              mountPath: {{ $logConfigFile | quote }}
+              subPath: {{ base $logConfigFile | quote }}
+              readOnly: true
+{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: bootstrap-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etc-service
+          emptyDir: {}
+        - name: bootstrap-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/charts/placement/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
new file mode 100644
index 0000000..62ed119
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
@@ -0,0 +1,170 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToDropJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_drop_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToDrop := index . "dbToDrop" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToDrop := default (list $dbToDrop) (index . "dbsToDrop") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
+{{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-drop" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": hook-succeeded
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_drop" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_drop" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{ $dbToDropType := default "oslo" $dbToDrop.inputType }}
+        - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-drop" $key1 | quote }}
+          image: {{ $envAll.Values.images.tags.db_drop }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_drop | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: ROOT_DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToDrop.adminSecret | quote }}
+                  key: DB_CONNECTION
+{{- if eq $dbToDropType "oslo" }}
+            - name: OPENSTACK_CONFIG_FILE
+              value: {{ $dbToDrop.configFile | quote }}
+            - name: OPENSTACK_CONFIG_DB_SECTION
+              value: {{ $dbToDrop.configDbSection | quote }}
+            - name: OPENSTACK_CONFIG_DB_KEY
+              value: {{ $dbToDrop.configDbKey | quote }}
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+            - name: MARIADB_X509
+              value: "REQUIRE X509"
+{{- end }}
+{{- if eq $dbToDropType "secret" }}
+            - name: DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToDrop.userSecret | quote }}
+                  key: DB_CONNECTION
+{{- end }}
+          command:
+            - /tmp/db-drop.py
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-drop-sh
+              mountPath: /tmp/db-drop.py
+              subPath: db-drop.py
+              readOnly: true
+
+{{- if eq $dbToDropType "oslo" }}
+            - name: etc-service
+              mountPath: {{ dir $dbToDrop.configFile | quote }}
+            - name: db-drop-conf
+              mountPath: {{ $dbToDrop.configFile | quote }}
+              subPath: {{ base $dbToDrop.configFile | quote }}
+              readOnly: true
+            - name: db-drop-conf
+              mountPath: {{ $dbToDrop.logConfigFile | quote }}
+              subPath: {{ base $dbToDrop.logConfigFile | quote }}
+              readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-drop-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{- $dbToDropType := default "oslo" $dbToDrop.inputType }}
+{{- if and (eq $dbToDropType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-drop-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/charts/placement/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
new file mode 100644
index 0000000..745e8da
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
@@ -0,0 +1,169 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToInitJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_init_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToInit := index . "dbToInit" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToInit := default (list $dbToInit) (index . "dbsToInit") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
+{{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-init" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{ $dbToInitType := default "oslo" $dbToInit.inputType }}
+        - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-init" $key1 | quote }}
+          image: {{ $envAll.Values.images.tags.db_init }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: ROOT_DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToInit.adminSecret | quote }}
+                  key: DB_CONNECTION
+{{- if eq $dbToInitType "oslo" }}
+            - name: OPENSTACK_CONFIG_FILE
+              value: {{ $dbToInit.configFile | quote }}
+            - name: OPENSTACK_CONFIG_DB_SECTION
+              value: {{ $dbToInit.configDbSection | quote }}
+            - name: OPENSTACK_CONFIG_DB_KEY
+              value: {{ $dbToInit.configDbKey | quote }}
+{{- end }}
+{{- if eq $dbToInitType "secret" }}
+            - name: DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToInit.userSecret | quote }}
+                  key: DB_CONNECTION
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+            - name: MARIADB_X509
+              value: "REQUIRE X509"
+{{- end }}
+          command:
+            - /tmp/db-init.py
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-init-sh
+              mountPath: /tmp/db-init.py
+              subPath: db-init.py
+              readOnly: true
+{{- if eq $dbToInitType "oslo" }}
+            - name: etc-service
+              mountPath: {{ dir $dbToInit.configFile | quote }}
+            - name: db-init-conf
+              mountPath: {{ $dbToInit.configFile | quote }}
+              subPath: {{ base $dbToInit.configFile | quote }}
+              readOnly: true
+            - name: db-init-conf
+              mountPath: {{ $dbToInit.logConfigFile | quote }}
+              subPath: {{ base $dbToInit.logConfigFile | quote }}
+              readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-init-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{- $dbToInitType := default "oslo" $dbToInit.inputType }}
+{{- if and (eq $dbToInitType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-init-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl b/charts/placement/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
new file mode 100644
index 0000000..24d2496
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
@@ -0,0 +1,137 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db migration and management.
+# It can be used in charts dict created similar to the following:
+# {- $dbSyncJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }
+
+{{- define "helm-toolkit.manifests.job_db_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $podEnvVars := index . "podEnvVars" | default false -}}
+{{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "image" ( index $envAll.Values.images.tags ( printf "%s_db_sync" $serviceName )) ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
+{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+          image: {{ $dbToSync.image | quote }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if $podEnvVars }}
+          env:
+{{ $podEnvVars | toYaml | indent 12 }}
+{{- end }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/db-sync.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-sync-sh
+              mountPath: /tmp/db-sync.sh
+              subPath: db-sync.sh
+              readOnly: true
+            - name: etc-service
+              mountPath: {{ dir $dbToSync.configFile | quote }}
+            - name: db-sync-conf
+              mountPath: {{ $dbToSync.configFile | quote }}
+              subPath: {{ base $dbToSync.configFile | quote }}
+              readOnly: true
+            - name: db-sync-conf
+              mountPath: {{ $dbToSync.logConfigFile | quote }}
+              subPath: {{ base $dbToSync.logConfigFile | quote }}
+              readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-sync-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-sync-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/charts/placement/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
new file mode 100644
index 0000000..3a7df7f
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
@@ -0,0 +1,130 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksEndpointJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksEndpointJob | include "helm-toolkit.manifests.job_ks_endpoints" }
+
+{{- define "helm-toolkit.manifests.job_ks_endpoints" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_endpoints" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_endpoints.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-endpoints" }}
+{{ tuple $envAll "ks_endpoints" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "ks-endpoints" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_endpoints" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_endpoints" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+        - name: {{ printf "%s-%s-%s" $osServiceType "ks-endpoints" $osServiceEndPoint | quote }}
+          image: {{ $envAll.Values.images.tags.ks_endpoints }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-endpoints.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-endpoints-sh
+              mountPath: /tmp/ks-endpoints.sh
+              subPath: ks-endpoints.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: OS_SVC_ENDPOINT
+              value: {{ $osServiceEndPoint | quote }}
+            - name: OS_SERVICE_NAME
+              value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+            - name: OS_SERVICE_TYPE
+              value: {{ $osServiceType | quote }}
+            - name: OS_SERVICE_ENDPOINT
+              value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-endpoints-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl b/charts/placement/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
new file mode 100644
index 0000000..a109e3c
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
@@ -0,0 +1,124 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksServiceJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }
+
+{{- define "helm-toolkit.manifests.job_ks_service" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_service" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_service.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-service" }}
+{{ tuple $envAll "ks_service" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "ks-service" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_service" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_service" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+        - name: {{ printf "%s-%s" $osServiceType "ks-service-registration" | quote }}
+          image: {{ $envAll.Values.images.tags.ks_service }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-service.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-service-sh
+              mountPath: /tmp/ks-service.sh
+              subPath: ks-service.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: OS_SERVICE_NAME
+              value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+            - name: OS_SERVICE_TYPE
+              value: {{ $osServiceType | quote }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-service-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/charts/placement/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
new file mode 100644
index 0000000..905eb71
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone user management.
+# It can be used in charts dict created similar to the following:
+# {- $ksUserJob := dict "envAll" . "serviceName" "senlin" }
+# { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }
+
+{{/*
+  # To enable PodSecuritycontext (PodSecurityContext/v1) define the below in values.yaml:
+  # example:
+  #  values: |
+  #    pod:
+  #      security_context:
+  #        ks_user:
+  #          pod:
+  #            runAsUser: 65534
+  # To enable Container SecurityContext(SecurityContext/v1) for ks-user container define the values:
+  # example:
+  #   values: |
+  #     pod:
+  #       security_context:
+  #         ks_user:
+  #           container:
+  #             ks-user:
+  #               runAsUser: 65534
+  #               readOnlyRootFilesystem: true
+  #               allowPrivilegeEscalation: false
+*/}}
+
+{{- define "helm-toolkit.manifests.job_ks_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_user" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_user.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "ks-user" }}
+{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceUserPretty "ks-user" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+{{ dict "envAll" $envAll "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: ks-user
+          image: {{ $envAll.Values.images.tags.ks_user }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ks_user" "container" "ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-user.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-user-sh
+              mountPath: /tmp/ks-user.sh
+              subPath: ks-user.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: SERVICE_OS_SERVICE_NAME
+              value: {{ $serviceName | quote }}
+{{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: SERVICE_OS_ROLES
+            {{- $serviceOsRoles := index $envAll.Values.endpoints.identity.auth $serviceUser "role" }}
+            {{- if kindIs "slice" $serviceOsRoles }}
+              value: {{ include "helm-toolkit.utils.joinListWithComma" $serviceOsRoles | quote }}
+            {{- else }}
+              value: {{ $serviceOsRoles | quote }}
+            {{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-user-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/charts/placement/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
new file mode 100644
index 0000000..6982064
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
@@ -0,0 +1,129 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.manifests.job_rabbit_init" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
+{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceUserPretty "rabbit-init" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "rabbit_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "rabbit_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: rabbit-init
+          image: {{ $envAll.Values.images.tags.rabbit_init | quote }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.rabbit_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/rabbit-init.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: rabbit-init-sh
+              mountPath: /tmp/rabbit-init.sh
+              subPath: rabbit-init.sh
+              readOnly: true
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+          env:
+          - name: RABBITMQ_ADMIN_CONNECTION
+            valueFrom:
+              secretKeyRef:
+                name: {{ $envAll.Values.secrets.oslo_messaging.admin }}
+                key: RABBITMQ_CONNECTION
+          - name: RABBITMQ_USER_CONNECTION
+            valueFrom:
+              secretKeyRef:
+                name: {{ index $envAll.Values.secrets.oslo_messaging $serviceName }}
+                key: RABBITMQ_CONNECTION
+{{- if $envAll.Values.conf.rabbitmq }}
+          - name: RABBITMQ_AUXILIARY_CONFIGURATION
+            value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates (ne $tlsSecret "") }}
+          - name: RABBITMQ_X509
+            value: "REQUIRE X509"
+          - name: USER_CERT_PATH
+            value: {{ $tlsPath | quote }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: rabbit-init-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl b/charts/placement/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
new file mode 100644
index 0000000..29cb993
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
@@ -0,0 +1,147 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for linking an s3 bucket to an s3 user.
+# It can be used in charts dict created similar to the following:
+# {- $s3BucketJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3BucketJob | include "helm-toolkit.manifests.job_s3_bucket" }
+
+{{- define "helm-toolkit.manifests.job_s3_bucket" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+{{- $s3Bucket := index . "s3Bucket" | default $serviceName }}
+{{- $tlsCertificateSecret := index . "tlsCertificateSecret" -}}
+{{- $tlsCertificatePath := index . "tlsCertificatePath" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-bucket" }}
+{{ tuple $envAll "s3_bucket" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "s3-bucket" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "s3_bucket" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "s3_bucket" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: s3-bucket
+          image: {{ $envAll.Values.images.tags.s3_bucket }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_bucket | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/create-s3-bucket.sh
+          env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: s3-bucket-sh
+              mountPath: /tmp/create-s3-bucket.sh
+              subPath: create-s3-bucket.sh
+              readOnly: true
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: ceph.conf
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+            - name: {{ $tlsCertificateSecret }}
+              mountPath: {{ $tlsCertificatePath }}
+              subPath: ca.crt
+              readOnly: true
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: s3-bucket-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etcceph
+          emptyDir: {}
+        - name: ceph-etc
+          configMap:
+            name: {{ $configMapCeph | quote }}
+            defaultMode: 0444
+        {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+        - name: ceph-keyring
+          secret:
+            secretName: pvc-ceph-client-key
+        {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+        - name: {{ $tlsCertificateSecret }}
+          secret:
+            secretName: {{ $tlsCertificateSecret }}
+            defaultMode: 292
+{{- end }}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl b/charts/placement/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
new file mode 100644
index 0000000..50d9af5
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
@@ -0,0 +1,159 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for s3 user management.
+# It can be used in charts dict created similar to the following:
+# {- $s3UserJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3UserJob | include "helm-toolkit.manifests.job_s3_user" }
+
+{{- define "helm-toolkit.manifests.job_s3_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-user" }}
+{{ tuple $envAll "s3_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "s3-user" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook-delete-policy": before-hook-creation
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "s3_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "s3_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: ceph-keyring-placement
+          image: {{ $envAll.Values.images.tags.ceph_key_placement }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+          command:
+            - /tmp/ceph-admin-keyring.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-keyring-sh
+              mountPath: /tmp/ceph-admin-keyring.sh
+              subPath: ceph-admin-keyring.sh
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+      containers:
+        - name: s3-user
+          image: {{ $envAll.Values.images.tags.s3_user }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/create-s3-user.sh
+          env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+            - name: RGW_HOST
+              value: {{ tuple "ceph_object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: create-s3-user-sh
+              mountPath: /tmp/create-s3-user.sh
+              subPath: create-s3-user.sh
+              readOnly: true
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: ceph.conf
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: create-s3-user-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: ceph-keyring-sh
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+        - name: etcceph
+          emptyDir: {}
+        - name: ceph-etc
+          configMap:
+            name: {{ $configMapCeph | quote }}
+            defaultMode: 0444
+        {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+        - name: ceph-keyring
+          secret:
+            secretName: pvc-ceph-client-key
+        {{ end }}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl b/charts/placement/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
new file mode 100644
index 0000000..0906df4
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
@@ -0,0 +1,119 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for the image repo sync jobs.
+# It can be used in charts dict created similar to the following:
+# {- $imageRepoSyncJob := dict "envAll" . "serviceName" "prometheus" -}
+# { $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }
+
+{{- define "helm-toolkit.manifests.job_image_repo_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "image-repo-sync" }}
+{{ tuple $envAll "image_repo_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "image-repo-sync" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook-delete-policy": before-hook-creation
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "image_repo_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+      containers:
+        - name: image-repo-sync
+{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: LOCAL_REPO
+              value: "{{ tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+            - name: IMAGE_SYNC_LIST
+              value: "{{ include "helm-toolkit.utils.image_sync_list" $envAll }}"
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/image-repo-sync.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: bootstrap-sh
+              mountPath: /tmp/image-repo-sync.sh
+              subPath: image-repo-sync.sh
+              readOnly: true
+            - name: docker-socket
+              mountPath: /var/run/docker.sock
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: bootstrap-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: docker-socket
+          hostPath:
+            path: /var/run/docker.sock
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/manifests/_network_policy.tpl b/charts/placement/charts/helm-toolkit/templates/manifests/_network_policy.tpl
new file mode 100644
index 0000000..405197a
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/manifests/_network_policy.tpl
@@ -0,0 +1,238 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a network policy manifest for services.
+values: |
+  endpoints:
+    kube_dns:
+      namespace: kube-system
+      name: kubernetes-dns
+      hosts:
+        default: kube-dns
+      host_fqdn_override:
+        default: null
+      path:
+        default: null
+      scheme: http
+      port:
+        dns_tcp:
+          default: 53
+        dns:
+          default: 53
+          protocol: UDP
+  network_policy:
+    myLabel:
+      podSelector:
+        matchLabels:
+          component: api
+      ingress:
+      - from:
+        - podSelector:
+            matchLabels:
+              application: keystone
+        ports:
+        - protocol: TCP
+          port: 80
+      egress:
+      - to:
+        - namespaceSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+usage: |
+  {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+  {{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}
+return: |
+  ---
+  apiVersion: networking.k8s.io/v1
+  kind: NetworkPolicy
+  metadata:
+    name: RELEASE-NAME
+    namespace: NAMESPACE
+  spec:
+    policyTypes:
+      - Ingress
+      - Egress
+    podSelector:
+      matchLabels:
+        application: myLabel
+        component: api
+    ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            application: keystone
+      ports:
+      - protocol: TCP
+        port: 80
+    egress:
+      - to:
+        - podSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+  ---
+  apiVersion: networking.k8s.io/v1
+  kind: NetworkPolicy
+  metadata:
+    name: RELEASE-NAME
+    namespace: NAMESPACE
+  spec:
+    policyTypes:
+      - Ingress
+      - Egress
+    podSelector:
+      matchLabels:
+        application: myApp
+        component: myComp
+    ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            application: keystone
+      ports:
+      - protocol: TCP
+        port: 80
+    egress:
+      - to:
+        - podSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+*/}}
+
+{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $name := index . "name" -}}
+{{- $labels := index . "labels" | default nil -}}
+{{- $label := index . "key" | default (index . "label") -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ $label | replace "_" "-" }}-netpol
+  namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+  policyTypes:
+{{- $is_egress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_egress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
+    - Egress
+{{ end -}}
+{{- $is_ingress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_ingress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
+    - Ingress
+{{ end -}}
+{{- end }}
+  podSelector:
+    matchLabels:
+{{- if empty $labels }}
+      {{ $name }}: {{ $label }}
+{{- else }}
+{{ range $k, $v := $labels }}
+      {{ $k }}: {{ $v }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
+{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
+{{ index $envAll.Values.network_policy $label "podSelector" "matchLabels" | toYaml | indent 6 }}
+{{ end }}
+{{ end }}
+{{ end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+  egress:
+{{- range $key, $value := $envAll.Values.endpoints }}
+{{- if kindIs "map" $value }}
+{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }}
+    - to:
+{{- if index $value "namespace" }}
+      - namespaceSelector:
+          matchLabels:
+            name: {{ index $value "namespace" }}
+{{- else if index $value "hosts" }}
+{{- $defaultValue := index $value "hosts" "internal" }}
+{{- if hasKey (index $value "hosts") "internal" }}
+{{- $a := split "-" $defaultValue }}
+      - podSelector:
+          matchLabels:
+            application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- else }}
+{{- $defaultValue := index $value "hosts" "default" }}
+{{- $a := split "-" $defaultValue }}
+      - podSelector:
+          matchLabels:
+            application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- end }}
+{{- end }}
+{{- if index $value "port" }}
+      ports:
+{{- range $k, $v := index $value "port" }}
+{{- if $k }}
+{{- range $pk, $pv := $v }}
+{{- if and $pv (ne $pk "protocol") }}
+      - port: {{ $pv }}
+        protocol: {{ $v.protocol | default "TCP" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if index $envAll.Values.network_policy $label "egress" }}
+{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if index $envAll.Values.network_policy $label "ingress" }}
+  ingress:
+{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl b/charts/placement/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
new file mode 100644
index 0000000..4854bb1
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
@@ -0,0 +1,93 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a authenticating a registry with a secret
+examples:
+  - values: |
+      secrets:
+        oci_image_registry:
+          {{ $serviceName }}: {{ $keyName }}
+      endpoints:
+        oci_image_registry:
+          name: oci-image-registry
+          auth:
+            enabled: true
+             {{ $serviceName }}:
+                name: {{ $userName }}
+                password: {{ $password }}
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: {{ $secretName }}
+    type: kubernetes.io/dockerconfigjson
+    data:
+      dockerconfigjson: {{ $dockerAuth }}
+
+  - values: |
+      secrets:
+        oci_image_registry:
+          {{ $serviceName }}: {{ $keyName }}
+      endpoints:
+        oci_image_registry:
+          name: oci-image-registry
+          auth:
+            enabled: true
+             {{ $serviceName }}:
+                name: {{ $userName }}
+                password: {{ $password }}
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: {{ $secretName }}
+    type: kubernetes.io/dockerconfigjson
+    data:
+      dockerconfigjson: {{ $dockerAuth }}
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_registry" }}
+{{- $envAll := index . "envAll" }}
+{{- $registryUser := index . "registryUser" }}
+{{- $secretName := index $envAll.Values.secrets.oci_image_registry $registryUser }}
+{{- $registryHost := tuple "oci_image_registry" "internal" $envAll | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{/*
+We only use "host:port" when port is non-null, else just use "host"
+*/}}
+{{- $registryPort := "" }}
+{{- $port := $envAll.Values.endpoints.oci_image_registry.port.registry.default }}
+{{- if $port }}
+{{- $port = tuple "oci_image_registry" "internal" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $registryPort = printf ":%s" $port }}
+{{- end }}
+{{- $imageCredentials := index $envAll.Values.endpoints.oci_image_registry.auth $registryUser }}
+{{- $dockerAuthToken := printf "%s:%s" $imageCredentials.username $imageCredentials.password | b64enc }}
+{{- $dockerAuth := printf "{\"auths\": {\"%s%s\": {\"auth\": \"%s\"}}}" $registryHost $registryPort $dockerAuthToken | b64enc }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ $dockerAuth }}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl b/charts/placement/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
new file mode 100644
index 0000000..24a7045
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a services public tls secret
+examples:
+  - values: |
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        key_manager:
+          host_fqdn_override:
+            public:
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: barbican-tls-public
+    type: kubernetes.io/tls
+    data:
+      tls.key: Rk9PLUtFWQo=
+      tls.crt: Rk9PLUNSVAoKRk9PLUNBX0NSVAo=
+
+  - values: |
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        key_manager:
+          host_fqdn_override:
+            public:
+              tls:
+                crt: |
+                  FOO-CRT
+                  FOO-INTERMEDIATE_CRT
+                  FOO-CA_CRT
+                key: |
+                  FOO-KEY
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: barbican-tls-public
+    type: kubernetes.io/tls
+    data:
+      tls.key: Rk9PLUtFWQo=
+      tls.crt: Rk9PLUNSVApGT08tSU5URVJNRURJQVRFX0NSVApGT08tQ0FfQ1JUCg==
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_ingress_tls" }}
+{{- $envAll := index . "envAll" }}
+{{- $endpoint := index . "endpoint" | default "public" }}
+{{- $backendServiceType := index . "backendServiceType" }}
+{{- $backendService := index . "backendService" | default "api" }}
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and $endpointHost.tls.key $endpointHost.tls.crt }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ index $envAll.Values.secrets.tls ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+type: kubernetes.io/tls
+data:
+  tls.key: {{ $endpointHost.tls.key | b64enc }}
+{{- if $endpointHost.tls.ca }}
+  tls.crt: {{ list $endpointHost.tls.crt $endpointHost.tls.ca | join "\n" | b64enc }}
+{{- else }}
+  tls.crt: {{ $endpointHost.tls.crt | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/manifests/_service-ingress.tpl b/charts/placement/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
new file mode 100644
index 0000000..d2e7c0e
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
@@ -0,0 +1,43 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for a services ingress rules.
+# It can be used in charts dict created similar to the following:
+# {- $serviceIngressOpts := dict "envAll" . "backendServiceType" "key-manager" -}
+# { $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }
+
+{{- define "helm-toolkit.manifests.service_ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+  ports:
+    - name: http
+      port: 80
+    - name: https
+      port: 443
+  selector:
+    app: ingress-api
+{{- if index $envAll.Values.endpoints $backendServiceType }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" "ingress" }}
+  clusterIP: {{ (index $envAll.Values.endpoints $backendServiceType "ip" "ingress") }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl b/charts/placement/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
new file mode 100644
index 0000000..bf1465b
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_bucket" }}
+#!/bin/bash
+set -e
+CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST"
+if [ "$RGW_PROTO" = "http" ]; then
+  CONNECTION_ARGS+=" --no-ssl"
+else
+  CONNECTION_ARGS+=" --no-check-certificate"
+fi
+ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
+USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY"
+function check_rgw_s3_bucket () {
+  s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS ls s3://$S3_BUCKET
+}
+function create_rgw_s3_bucket () {
+  s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS mb s3://$S3_BUCKET
+}
+function modify_bucket_acl () {
+  s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME
+}
+check_rgw_s3_bucket || ( create_rgw_s3_bucket && modify_bucket_acl )
+{{- end }}
\ No newline at end of file
diff --git a/charts/placement/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl b/charts/placement/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
new file mode 100644
index 0000000..08796d2
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
@@ -0,0 +1,65 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_user" }}
+#!/bin/bash
+set -e
+function create_s3_user () {
+  echo "Creating s3 user and key pair"
+  radosgw-admin user create \
+    --uid=${S3_USERNAME} \
+    --display-name=${S3_USERNAME} \
+    --key-type=s3 \
+    --access-key ${S3_ACCESS_KEY} \
+    --secret-key ${S3_SECRET_KEY}
+}
+function update_s3_user () {
+  # Retrieve old access keys, if they exist
+  old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \
+    | jq -r '.keys[].access_key' || true)
+
+  if [[ ! -z ${old_access_keys} ]]; then
+    for access_key in $old_access_keys; do
+      # If current access key is the same as the key supplied, do nothing.
+      if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then
+        echo "Current user and key pair exists."
+        continue
+      else
+        # If keys differ, remove previous key
+        radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key
+      fi
+    done
+  fi
+
+  # Perform one more additional check to account for scenarios where multiple
+  # key pairs existed previously, but one existing key was the supplied key
+  current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \
+    | jq -r '.keys[].access_key' || true)
+
+  # If the supplied key does not exist, modify the user
+  if [[ -z ${current_access_key} ]]; then
+    # Modify user with new access and secret keys
+    echo "Updating existing user's key pair"
+    radosgw-admin user modify \
+      --uid=${S3_USERNAME}\
+      --access-key ${S3_ACCESS_KEY} \
+      --secret-key ${S3_SECRET_KEY}
+  fi
+}
+user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true)
+if [[ -z ${user_exists} ]]; then
+  create_s3_user
+else
+  update_s3_user
+fi
+{{- end }}
\ No newline at end of file
diff --git a/charts/placement/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl b/charts/placement/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
new file mode 100644
index 0000000..03884fa
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_drop" }}
+#!/usr/bin/env python
+
+# Drops db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+    import ConfigParser
+    PARSER_OPTS = {}
+except ImportError:
+    import configparser as ConfigParser
+    PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Drop')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+    db_connection = os.environ['ROOT_DB_CONNECTION']
+    logger.info('Got DB root connection')
+else:
+    logger.critical('environment variable ROOT_DB_CONNECTION not set')
+    sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+    ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+                        'key': '/etc/mysql/certs/tls.key',
+                        'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+    os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+    if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+        os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+        sys.exit(1)
+    if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+        os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+        sys.exit(1)
+    try:
+        config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+        logger.info("Using {0} as db config source".format(os_conf))
+        config.read(os_conf)
+        logger.info("Trying to load db config from {0}:{1}".format(
+            os_conf_section, os_conf_key))
+        user_db_conn = config.get(os_conf_section, os_conf_key)
+        logger.info("Got config from {0}".format(os_conf))
+    except:
+        logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+        raise
+elif "DB_CONNECTION" in os.environ:
+    user_db_conn = os.environ['DB_CONNECTION']
+    logger.info('Got config from DB_CONNECTION env var')
+else:
+    logger.critical('Could not get db config, either from config file or env var')
+    sys.exit(1)
+
+# Root DB engine
+try:
+    root_engine_full = create_engine(db_connection)
+    root_user = root_engine_full.url.username
+    root_password = root_engine_full.url.password
+    drivername = root_engine_full.url.drivername
+    host = root_engine_full.url.host
+    port = root_engine_full.url.port
+    root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+    root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+    connection = root_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+        host, port, root_user))
+except:
+    logger.critical('Could not connect to database as root user')
+    raise
+
+# User DB engine
+try:
+    user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+    # Get our user data out of the user_engine
+    database = user_engine.url.database
+    user = user_engine.url.username
+    password = user_engine.url.password
+    logger.info('Got user db config')
+except:
+    logger.critical('Could not get user database config')
+    raise
+
+# Delete DB
+try:
+    root_engine.execute("DROP DATABASE IF EXISTS {0}".format(database))
+    logger.info("Deleted database {0}".format(database))
+except:
+    logger.critical("Could not drop database {0}".format(database))
+    raise
+
+# Delete DB User
+try:
+    root_engine.execute("DROP USER IF EXISTS {0}".format(user))
+    logger.info("Deleted user {0}".format(user))
+except:
+    logger.critical("Could not delete user {0}".format(user))
+    raise
+
+logger.info('Finished DB Management')
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/scripts/_db-init.py.tpl b/charts/placement/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
new file mode 100644
index 0000000..4294d40
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_init" }}
+#!/usr/bin/env python
+
+# Creates db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+    import ConfigParser
+    PARSER_OPTS = {}
+except ImportError:
+    import configparser as ConfigParser
+    PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Init')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+    db_connection = os.environ['ROOT_DB_CONNECTION']
+    logger.info('Got DB root connection')
+else:
+    logger.critical('environment variable ROOT_DB_CONNECTION not set')
+    sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+    ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+                'key': '/etc/mysql/certs/tls.key',
+                'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+    os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+    if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+        os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+        sys.exit(1)
+    if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+        os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+        sys.exit(1)
+    try:
+        config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+        logger.info("Using {0} as db config source".format(os_conf))
+        config.read(os_conf)
+        logger.info("Trying to load db config from {0}:{1}".format(
+            os_conf_section, os_conf_key))
+        user_db_conn = config.get(os_conf_section, os_conf_key)
+        logger.info("Got config from {0}".format(os_conf))
+    except:
+        logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+        raise
+elif "DB_CONNECTION" in os.environ:
+    user_db_conn = os.environ['DB_CONNECTION']
+    logger.info('Got config from DB_CONNECTION env var')
+else:
+    logger.critical('Could not get db config, either from config file or env var')
+    sys.exit(1)
+
+# Root DB engine
+try:
+    root_engine_full = create_engine(db_connection)
+    root_user = root_engine_full.url.username
+    root_password = root_engine_full.url.password
+    drivername = root_engine_full.url.drivername
+    host = root_engine_full.url.host
+    port = root_engine_full.url.port
+    root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+    root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+    connection = root_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+        host, port, root_user))
+except:
+    logger.critical('Could not connect to database as root user')
+    raise
+
+# User DB engine
+try:
+    user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+    # Get our user data out of the user_engine
+    database = user_engine.url.database
+    user = user_engine.url.username
+    password = user_engine.url.password
+    logger.info('Got user db config')
+except:
+    logger.critical('Could not get user database config')
+    raise
+
+# Create DB
+try:
+    root_engine.execute("CREATE DATABASE IF NOT EXISTS {0}".format(database))
+    logger.info("Created database {0}".format(database))
+except:
+    logger.critical("Could not create database {0}".format(database))
+    raise
+
+# Create DB User
+try:
+    root_engine.execute(
+        "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\' {3}".format(
+            database, user, password, mysql_x509))
+    logger.info("Created user {0} for {1}".format(user, database))
+except:
+    logger.critical("Could not create user {0} for {1}".format(user, database))
+    raise
+
+# Test connection
+try:
+    connection = user_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1}/{2} as {3}".format(
+        host, port, database, user))
+except:
+    logger.critical('Could not connect to database as user')
+    raise
+
+logger.info('Finished DB Management')
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl b/charts/placement/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
new file mode 100644
index 0000000..4d7dfaa
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
@@ -0,0 +1,69 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "helm-toolkit.scripts.pg_db_init" }}
+#!/bin/bash
+set -ex
+
+if [[ ! -v DB_HOST ]]; then
+    echo "environment variable DB_HOST not set"
+    exit 1
+elif [[ ! -v DB_ADMIN_USER ]]; then
+    echo "environment variable DB_ADMIN_USER not set"
+    exit 1
+elif [[ ! -v PGPASSWORD ]]; then
+    echo "environment variable PGPASSWORD not set"
+    exit 1
+elif [[ ! -v DB_PORT ]]; then
+    echo "environment variable DB_PORT not set"
+    exit 1
+elif [[ ! -v USER_DB_USER ]]; then
+    echo "environment variable USER_DB_USER not set"
+    exit 1
+elif [[ ! -v USER_DB_PASS ]]; then
+    echo "environment variable USER_DB_PASS not set"
+    exit 1
+elif [[ ! -v USER_DB_NAME ]]; then
+    echo "environment variable USER_DB_NAME not set"
+    exit 1
+else
+    echo "Got DB connection info"
+fi
+
+pgsql_superuser_cmd () {
+  DB_COMMAND="$1"
+  if [[ ! -z $2 ]]; then
+      EXPORT PGDATABASE=$2
+  fi
+  /usr/bin/psql \
+  -h ${DB_HOST} \
+  -p ${DB_PORT} \
+  -U ${DB_ADMIN_USER} \
+  --command="${DB_COMMAND}"
+}
+
+#create db
+pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q "(1 row)" || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME"
+
+#create db user
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | grep -q "(1 row)" || \
+    pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';"
+
+#Set password everytime. This is required for cases when we would want password rotation to take effect and set the updated password for a user.
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} with password '$USER_DB_PASS'"
+
+#give permissions to user
+pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;"
+
+#revoke all privileges from PUBLIC role
+pgsql_superuser_cmd "REVOKE ALL ON DATABASE $USER_DB_NAME FROM PUBLIC;"
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl b/charts/placement/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
new file mode 100644
index 0000000..e41abe3
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
@@ -0,0 +1,24 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.image_repo_sync" }}
+#!/bin/sh
+set -ex
+
+IFS=','; for IMAGE in ${IMAGE_SYNC_LIST}; do
+  docker pull ${IMAGE}
+  docker tag ${IMAGE} ${LOCAL_REPO}/${IMAGE}
+  docker push ${LOCAL_REPO}/${IMAGE}
+done
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl b/charts/placement/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
new file mode 100644
index 0000000..8755cd5
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
@@ -0,0 +1,72 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_domain_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Manage domain
+SERVICE_OS_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Service Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+    "${SERVICE_OS_DOMAIN_NAME}")
+
+# Display domain
+openstack domain show "${SERVICE_OS_DOMAIN_ID}"
+
+# Manage user
+SERVICE_OS_USERID=$(openstack user create --or-show --enable -f value -c id \
+    --domain="${SERVICE_OS_DOMAIN_ID}" \
+    --description "Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+    --password="${SERVICE_OS_PASSWORD}" \
+    "${SERVICE_OS_USERNAME}")
+
+# Manage user password (we do this to ensure the password is updated if required)
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${SERVICE_OS_USERID}"
+
+# Display user
+openstack user show "${SERVICE_OS_USERID}"
+
+# Manage role
+SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \
+    "${SERVICE_OS_ROLE}" || openstack role create -f value -c id \
+    "${SERVICE_OS_ROLE}" )
+
+# Manage user role assignment
+openstack role add \
+          --domain="${SERVICE_OS_DOMAIN_ID}" \
+          --user="${SERVICE_OS_USERID}" \
+          --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+          "${SERVICE_OS_ROLE_ID}"
+
+# Display user role assignment
+openstack role assignment list \
+          --role="${SERVICE_OS_ROLE_ID}" \
+          --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+          --user="${SERVICE_OS_USERID}"
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl b/charts/placement/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
new file mode 100644
index 0000000..e400bcd
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
@@ -0,0 +1,79 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_endpoints" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Get Service ID
+OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+                  grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+                    sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+# Get Endpoint ID if it exists
+OS_ENDPOINT_ID=$( openstack endpoint list  -f csv --quote none | \
+                  grep "^[a-z0-9]*,${OS_REGION_NAME},${OS_SERVICE_NAME},${OS_SERVICE_TYPE},True,${OS_SVC_ENDPOINT}," | \
+                  awk -F ',' '{ print $1 }' )
+
+# Making sure only a single endpoint exists for a service within a region
+if [ "$(echo $OS_ENDPOINT_ID | wc -w)" -gt "1" ]; then
+  echo "More than one endpoint found, cleaning up"
+  for ENDPOINT_ID in $OS_ENDPOINT_ID; do
+    openstack endpoint delete ${ENDPOINT_ID}
+  done
+  unset OS_ENDPOINT_ID
+fi
+
+# Determine if Endpoint needs updated
+if [[ ${OS_ENDPOINT_ID} ]]; then
+  OS_ENDPOINT_URL_CURRENT=$(openstack endpoint show ${OS_ENDPOINT_ID} -f value -c url)
+  if [ "${OS_ENDPOINT_URL_CURRENT}" == "${OS_SERVICE_ENDPOINT}" ]; then
+    echo "Endpoints Match: no action required"
+    OS_ENDPOINT_UPDATE="False"
+  else
+    echo "Endpoints Dont Match: removing existing entries"
+    openstack endpoint delete ${OS_ENDPOINT_ID}
+    OS_ENDPOINT_UPDATE="True"
+  fi
+else
+  OS_ENDPOINT_UPDATE="True"
+fi
+
+# Update Endpoint if required
+if [[ "${OS_ENDPOINT_UPDATE}" == "True" ]]; then
+  OS_ENDPOINT_ID=$( openstack endpoint create -f value -c id \
+    --region="${OS_REGION_NAME}" \
+    "${OS_SERVICE_ID}" \
+    ${OS_SVC_ENDPOINT} \
+    "${OS_SERVICE_ENDPOINT}" )
+fi
+
+# Display the Endpoint
+openstack endpoint show ${OS_ENDPOINT_ID}
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl b/charts/placement/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
new file mode 100644
index 0000000..8356b36
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_service" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Service boilerplate description
+OS_SERVICE_DESC="${OS_REGION_NAME}: ${OS_SERVICE_NAME} (${OS_SERVICE_TYPE}) service"
+
+# Get Service ID if it exists
+unset OS_SERVICE_ID
+
+# FIXME - There seems to be an issue once in a while where the
+# openstack service list fails and encounters an error message such as:
+#   Unable to establish connection to
+#   https://keystone-api.openstack.svc.cluster.local:5000/v3/auth/tokens:
+#   ('Connection aborted.', OSError("(104, 'ECONNRESET')",))
+# During an upgrade scenario, this would cause the OS_SERVICE_ID to be blank
+# and it would attempt to create a new service when it was not needed.
+# This duplciate service would sometimes be used by other services such as
+# Horizon and would give an 'Invalid Service Catalog' error.
+# This loop allows for a 'retry' of the openstack service list in an
+# attempt to get the service list as expected if it does ecounter an error.
+# This loop and recheck can be reverted once the underlying issue is addressed.
+
+# If OS_SERVICE_ID is blank then wait a few seconds to give it
+# additional time and try again
+for i in $(seq 3)
+do
+  OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+                   grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+                   sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+  # If the service was found, go ahead and exit successfully.
+  if [[ -n "${OS_SERVICE_ID}" ]]; then
+    exit 0
+  fi
+
+  sleep 2
+done
+
+# If we've reached this point and a Service ID was not found,
+# then create the service
+OS_SERVICE_ID=$(openstack service create -f value -c id \
+                --name="${OS_SERVICE_NAME}" \
+                --description "${OS_SERVICE_DESC}" \
+                --enable \
+                "${OS_SERVICE_TYPE}")
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl b/charts/placement/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
new file mode 100644
index 0000000..b45f798
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+shopt -s nocasematch
+
+if [[ "${SERVICE_OS_PROJECT_DOMAIN_NAME}" == "Default" ]]
+then
+  PROJECT_DOMAIN_ID="default"
+else
+  # Manage project domain
+  PROJECT_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
+    "${SERVICE_OS_PROJECT_DOMAIN_NAME}")
+fi
+
+if [[ "${SERVICE_OS_USER_DOMAIN_NAME}" == "Default" ]]
+then
+  USER_DOMAIN_ID="default"
+else
+  # Manage user domain
+  USER_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}" \
+    "${SERVICE_OS_USER_DOMAIN_NAME}")
+fi
+
+shopt -u nocasematch
+
+# Manage user project
+USER_PROJECT_DESC="Service Project for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+USER_PROJECT_ID=$(openstack project create --or-show --enable -f value -c id \
+    --domain="${PROJECT_DOMAIN_ID}" \
+    --description="${USER_PROJECT_DESC}" \
+    "${SERVICE_OS_PROJECT_NAME}");
+
+# Manage user
+USER_DESC="Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}/${SERVICE_OS_SERVICE_NAME}"
+USER_ID=$(openstack user create --or-show --enable -f value -c id \
+    --domain="${USER_DOMAIN_ID}" \
+    --project-domain="${PROJECT_DOMAIN_ID}" \
+    --project="${USER_PROJECT_ID}" \
+    --description="${USER_DESC}" \
+    "${SERVICE_OS_USERNAME}");
+
+# Manage user password (we do this in a seperate step to ensure the password is updated if required)
+set +x
+echo "Setting user password via: openstack user set --password=xxxxxxx ${USER_ID}"
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${USER_ID}"
+set -x
+
+function ks_assign_user_role () {
+  if [[ "$SERVICE_OS_ROLE" == "admin" ]]
+  then
+    USER_ROLE_ID="$SERVICE_OS_ROLE"
+  else
+    USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${SERVICE_OS_ROLE}");
+  fi
+
+  # Manage user role assignment
+  openstack role add \
+      --user="${USER_ID}" \
+      --user-domain="${USER_DOMAIN_ID}" \
+      --project-domain="${PROJECT_DOMAIN_ID}" \
+      --project="${USER_PROJECT_ID}" \
+      "${USER_ROLE_ID}"
+}
+
+# Manage user service role
+IFS=','
+for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
+  ks_assign_user_role
+done
+
+# Manage user member role
+: ${MEMBER_OS_ROLE:="member"}
+export USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
+    "${MEMBER_OS_ROLE}");
+ks_assign_user_role
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/placement/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
new file mode 100644
index 0000000..87872d6
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -0,0 +1,106 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rabbit_init" }}
+#!/bin/bash
+set -e
+# Extract connection details
+RABBIT_HOSTNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $1}')
+RABBIT_PORT=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $2}')
+
+# Extract Admin User creadential
+RABBITMQ_ADMIN_USERNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $4}')
+RABBITMQ_ADMIN_PASSWORD=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $5}')
+
+# Extract User creadential
+RABBITMQ_USERNAME=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $4}')
+RABBITMQ_PASSWORD=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $5}')
+
+# Extract User vHost
+RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $3}')
+# Resolve vHost to / if no value is set
+RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
+
+function rabbitmqadmin_cli () {
+  if [ -n "$RABBITMQ_X509" ]
+  then
+    rabbitmqadmin \
+      --ssl \
+      --ssl-disable-hostname-verification \
+      --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
+      --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
+      --ssl-key-file="${USER_CERT_PATH}/tls.key" \
+      --host="${RABBIT_HOSTNAME}" \
+      --port="${RABBIT_PORT}" \
+      --username="${RABBITMQ_ADMIN_USERNAME}" \
+      --password="${RABBITMQ_ADMIN_PASSWORD}" \
+      ${@}
+  else
+    rabbitmqadmin \
+      --host="${RABBIT_HOSTNAME}" \
+      --port="${RABBIT_PORT}" \
+      --username="${RABBITMQ_ADMIN_USERNAME}" \
+      --password="${RABBITMQ_ADMIN_PASSWORD}" \
+      ${@}
+  fi
+}
+
+echo "Managing: User: ${RABBITMQ_USERNAME}"
+rabbitmqadmin_cli \
+  declare user \
+  name="${RABBITMQ_USERNAME}" \
+  password="${RABBITMQ_PASSWORD}" \
+  tags="user"
+
+if [ "${RABBITMQ_VHOST}" != "/" ]
+then
+  echo "Managing: vHost: ${RABBITMQ_VHOST}"
+  rabbitmqadmin_cli \
+    declare vhost \
+    name="${RABBITMQ_VHOST}"
+else
+  echo "Skipping root vHost declaration: vHost: ${RABBITMQ_VHOST}"
+fi
+
+echo "Managing: Permissions: ${RABBITMQ_USERNAME} on ${RABBITMQ_VHOST}"
+rabbitmqadmin_cli \
+  declare permission \
+  vhost="${RABBITMQ_VHOST}" \
+  user="${RABBITMQ_USERNAME}" \
+  configure=".*" \
+  write=".*" \
+  read=".*"
+
+if [ ! -z "$RABBITMQ_AUXILIARY_CONFIGURATION" ]
+then
+  echo "Applying additional configuration"
+  echo "${RABBITMQ_AUXILIARY_CONFIGURATION}" > /tmp/rmq_definitions.json
+  rabbitmqadmin_cli import /tmp/rmq_definitions.json
+fi
+
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/charts/placement/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
new file mode 100644
index 0000000..c08d320
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
@@ -0,0 +1,88 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rally_test" -}}
+#!/bin/bash
+set -ex
+{{- $rallyTests := index . 0 }}
+
+: "${RALLY_ENV_NAME:="openstack-helm"}"
+: "${OS_INTERFACE:="public"}"
+: "${RALLY_CLEANUP:="true"}"
+
+if [ "x$RALLY_CLEANUP" == "xtrue" ]; then
+  function rally_cleanup {
+    openstack user delete \
+        --domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
+        "${SERVICE_OS_USERNAME}"
+{{ $rallyTests.clean_up | default "" | indent 4 }}
+  }
+  trap rally_cleanup EXIT
+fi
+
+function create_or_update_db () {
+  revisionResults=$(rally db revision)
+  if [ $revisionResults = "None"  ]
+  then
+    rally db create
+  else
+    rally db upgrade
+  fi
+}
+
+create_or_update_db
+
+cat > /tmp/rally-config.json << EOF
+{
+    "openstack": {
+        "auth_url": "${OS_AUTH_URL}",
+        "region_name": "${OS_REGION_NAME}",
+        "endpoint_type": "${OS_INTERFACE}",
+        "admin": {
+            "username": "${OS_USERNAME}",
+            "password": "${OS_PASSWORD}",
+            "user_domain_name": "${OS_USER_DOMAIN_NAME}",
+            "project_name": "${OS_PROJECT_NAME}",
+            "project_domain_name": "${OS_PROJECT_DOMAIN_NAME}"
+        },
+        "users": [
+            {
+                "username": "${SERVICE_OS_USERNAME}",
+                "password": "${SERVICE_OS_PASSWORD}",
+                "project_name": "${SERVICE_OS_PROJECT_NAME}",
+                "user_domain_name": "${SERVICE_OS_USER_DOMAIN_NAME}",
+                "project_domain_name": "${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+            }
+        ],
+        "https_insecure": false,
+        "https_cacert": "${OS_CACERT}"
+    }
+}
+EOF
+rally deployment create --file /tmp/rally-config.json --name "${RALLY_ENV_NAME}"
+rm -f /tmp/rally-config.json
+rally deployment use "${RALLY_ENV_NAME}"
+rally deployment check
+{{- if $rallyTests.run_tempest }}
+rally verify create-verifier --name "${RALLY_ENV_NAME}-tempest" --type tempest
+SERVICE_TYPE="$(rally deployment check | grep "${RALLY_ENV_NAME}" | awk -F \| '{print $3}' | tr -d ' ' | tr -d '\n')"
+rally verify start --pattern "tempest.api.${SERVICE_TYPE}*"
+rally verify delete-verifier --id "${RALLY_ENV_NAME}-tempest" --force
+{{- end }}
+rally task validate /etc/rally/rally_tests.yaml
+rally task start /etc/rally/rally_tests.yaml
+rally task sla-check
+rally env cleanup
+rally deployment destroy --deployment "${RALLY_ENV_NAME}"
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/placement/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
new file mode 100644
index 0000000..516d79e
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -0,0 +1,514 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.backup_main" }}
+#!/bin/bash
+
+# This file contains a database backup framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+#   source /tmp/backup_main.sh
+#
+# Then the script should call the main backup function (backup_databases):
+#   backup_databases [scope]
+#       [scope] is an optional parameter, defaulted to "all". If only one specific
+#               database is required to be backed up then this parameter will
+#               contain the name of the database; otherwise all are backed up.
+#
+#       The framework will require the following variables to be exported:
+#
+#         export DB_NAMESPACE          Namespace where the database(s) reside
+#         export DB_NAME               Name of the database system
+#         export LOCAL_DAYS_TO_KEEP    Number of days to keep the local backups
+#         export REMOTE_DAYS_TO_KEEP   Number of days to keep the remote backups
+#         export ARCHIVE_DIR           Local location where the backup tarballs should
+#                                      be stored. (full directory path)
+#         export BACK_UP_MODE          Determines the mode of backup taken.
+#         export REMOTE_BACKUP_ENABLED "true" if remote backup enabled; false
+#                                      otherwise
+#         export CONTAINER_NAME        Name of the container on the RGW to store
+#                                      the backup tarball.
+#         export STORAGE_POLICY        Name of the storage policy defined on the
+#                                      RGW which is intended to store backups.
+#         RGW access variables:
+#           export OS_REGION_NAME          Name of the region the RGW resides in
+#           export OS_AUTH_URL             Keystone URL associated with the RGW
+#           export OS_PROJECT_NAME         Name of the project associated with the
+#                                          keystone user
+#           export OS_USERNAME             Name of the keystone user
+#           export OS_PASSWORD             Password of the keystone user
+#           export OS_USER_DOMAIN_NAME     Keystone domain the project belongs to
+#           export OS_PROJECT_DOMAIN_NAME  Keystone domain the user belongs to
+#           export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+#           export REMOTE_BACKUP_RETRIES   Number of retries to send backup to remote
+#                                          in case of any temporary failures.
+#           export MIN_DELAY_SEND_REMOTE   Minimum seconds to delay before sending backup
+#                                          to remote to stagger backups being sent to RGW
+#           export MAX_DELAY_SEND_REMOTE   Maximum seconds to delay before sending backup
+#                                          to remote to stagger backups being sent to RGW.
+#                                          A random number between min and max delay is generated
+#                                          to set the delay.
+#
+# The database-specific functions that need to be implemented are:
+#   dump_databases_to_directory <directory> <err_logfile> [scope]
+#       where:
+#         <directory>   is the full directory path to dump the database files
+#                       into. This is a temporary directory for this backup only.
+#         <err_logfile> is the full directory path where error logs are to be
+#                       written by the application.
+#         [scope]       set to "all" if all databases are to be backed up; or
+#                       set to the name of a specific database to be backed up.
+#                       This optional parameter is defaulted to "all".
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to dump the database file(s) to the specified
+#       directory path. If this function completes successfully (returns 0), the
+#       framework will automatically tar/zip the files in that directory and
+#       name the tarball appropriately according to the proper conventions.
+#
+# The functions in this file will take care of:
+#   1) Calling "dump_databases_to_directory" and then compressing the files,
+#      naming the tarball properly, and then storing it locally at the specified
+#      local directory.
+#   2) Sending the tarball built to the remote gateway, to be stored in the
+#      container configured to store database backups.
+#   3) Removing local backup tarballs which are older than the number of days
+#      specified by the "LOCAL_DAYS_TO_KEEP" variable.
+#   4) Removing remote backup tarballs (from the remote gateway) which are older
+#      than the number of days specified by the "REMOTE_DAYS_TO_KEEP" variable.
+#
+
+# Note: not using set -e in this script because more elaborate error handling
+# is needed.
+
+log_backup_error_exit() {
+  MSG=$1
+  ERRCODE=${2:-0}
+  log ERROR "${DB_NAME}_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+  rm -f $ERR_LOG_FILE
+  rm -rf $TMP_DIR
+  exit $ERRCODE
+}
+
+log() {
+  #Log message to a file or stdout
+  #TODO: This can be convert into mail alert of alert send to a monitoring system
+  #Params: $1 log level
+  #Params: $2 service
+  #Params: $3 message
+  #Params: $4 Destination
+  LEVEL=$1
+  SERVICE=$2
+  MSG=$3
+  DEST=$4
+  DATE=$(date +"%m-%d-%y %H:%M:%S")
+  if [[ -z "$DEST" ]]; then
+    echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}"
+  else
+    echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}" >>$DEST
+  fi
+}
+
+# Generate a random number between MIN_DELAY_SEND_REMOTE and
+# MAX_DELAY_SEND_REMOTE
+random_number() {
+  diff=$((${MAX_DELAY_SEND_REMOTE} - ${MIN_DELAY_SEND_REMOTE} + 1))
+  echo $(($(( ${RANDOM} % ${diff} )) + ${MIN_DELAY_SEND_REMOTE} ))
+}
+
+#Get the day delta since the archive file backup
+seconds_difference() {
+  ARCHIVE_DATE=$( date --date="$1" +%s )
+  if [[ $? -ne 0 ]]; then
+    SECOND_DELTA=0
+  fi
+  CURRENT_DATE=$( date +%s )
+  SECOND_DELTA=$(($CURRENT_DATE-$ARCHIVE_DATE))
+  if [[ "$SECOND_DELTA" -lt 0 ]]; then
+    SECOND_DELTA=0
+  fi
+  echo $SECOND_DELTA
+}
+
+# Send the specified tarball file at the specified filepath to the
+# remote gateway.
+send_to_remote_server() {
+  FILEPATH=$1
+  FILE=$2
+
+  # Grab the list of containers on the remote site
+  RESULT=$(openstack container list 2>&1)
+
+  if [[ $? -eq 0 ]]; then
+    echo $RESULT | grep $CONTAINER_NAME
+    if [[ $? -ne 0 ]]; then
+      # Find the swift URL from the keystone endpoint list
+      SWIFT_URL=$(openstack catalog show object-store -c endpoints | grep public | awk '{print $4}')
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to get object-store enpoints from keystone catalog."
+        return 2
+      fi
+
+      # Get a token from keystone
+      TOKEN=$(openstack token issue -f value -c id)
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to get  keystone token."
+        return 2
+      fi
+
+      # Create the container
+      RES_FILE=$(mktemp -p /tmp)
+      curl -g -i -X PUT ${SWIFT_URL}/${CONTAINER_NAME} \
+           -H "X-Auth-Token: ${TOKEN}" \
+           -H "X-Storage-Policy: ${STORAGE_POLICY}" 2>&1 > $RES_FILE
+
+      if [[ $? -ne 0 || $(grep "HTTP" $RES_FILE | awk '{print $2}') -ge 400 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to create container ${CONTAINER_NAME}"
+        cat $RES_FILE
+        rm -f $RES_FILE
+        return 2
+      fi
+      rm -f $RES_FILE
+
+      swift stat $CONTAINER_NAME
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to retrieve container ${CONTAINER_NAME} details after creation."
+        return 2
+      fi
+    fi
+  else
+    echo $RESULT | grep -E "HTTP 401|HTTP 403"
+    if [[ $? -eq 0 ]]; then
+      log ERROR "${DB_NAME}_backup" "Access denied by keystone: ${RESULT}"
+      return 1
+    else
+      echo $RESULT | grep -E "ConnectionError|Failed to discover available identity versions|Service Unavailable|HTTP 50"
+      if [[ $? -eq 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Could not reach the RGW: ${RESULT}"
+        # In this case, keystone or the site/node may be temporarily down.
+        # Return slightly different error code so the calling code can retry
+        return 2
+      else
+        log ERROR "${DB_NAME}_backup" "Could not get container list: ${RESULT}"
+        return 1
+      fi
+    fi
+  fi
+
+  # Create an object to store the file
+  openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
+    return 2
+  fi
+  openstack object show $CONTAINER_NAME $FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
+    return 2
+  fi
+
+  log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
+  return 0
+}
+
+# This function attempts to store the built tarball to the remote gateway,
+# with built-in logic to handle error cases like:
+#   1) Network connectivity issues - retries for a specific amount of time
+#   2) Authorization errors - immediately logs an ERROR and returns
+store_backup_remotely() {
+  FILEPATH=$1
+  FILE=$2
+
+  count=1
+  while [[ ${count} -le ${REMOTE_BACKUP_RETRIES} ]]; do
+    # Store the new archive to the remote backup storage facility.
+    send_to_remote_server $FILEPATH $FILE
+    SEND_RESULT="$?"
+
+    # Check if successful
+    if [[ $SEND_RESULT -eq 0 ]]; then
+      log INFO "${DB_NAME}_backup" "Backup file ${FILE} successfully sent to RGW."
+      return 0
+    elif [[ $SEND_RESULT -eq 2 ]]; then
+      if [[ ${count} -ge ${REMOTE_BACKUP_RETRIES} ]]; then
+        log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW in " \
+        "${REMOTE_BACKUP_RETRIES} retries. Errors encountered. Exiting."
+        break
+      fi
+      # Temporary failure occurred. We need to retry
+      log WARN "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to RGW due to connection issue."
+      sleep_time=$(random_number)
+      log INFO "${DB_NAME}_backup" "Sleeping ${sleep_time} seconds waiting for RGW to become available..."
+      sleep ${sleep_time}
+      log INFO "${DB_NAME}_backup" "Retrying..."
+    else
+      log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW. Errors encountered. Exiting."
+      break
+    fi
+
+    # Increment the counter
+    count=$((count+1))
+  done
+
+  return 1
+}
+
+
+function get_archive_date(){
+# get_archive_date function returns correct archive date
+# for different formats of archives' names
+# the old one: <database name>.<namespace>.<table name | all>.<date-time>.tar.gz
+# the new one: <database name>.<namespace>.<table name | all>.<backup mode>.<date-time>.tar.gz
+  local A_FILE="$1"
+  awk -F. '{print $(NF-2)}' <<< ${A_FILE} | tr -d "Z"
+}
+
+# This function takes a list of archives' names as an input
+# and creates a hash table where keys are number of seconds
+# between current date and archive date (see seconds_difference),
+# and values are space separated archives' names
+#
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 1265342678 | "tmp/mysql.backup.auto.2022-02-14T10:13:13Z.tar.gz"                                                     |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 2346254257 | "tmp/mysql.backup.auto.2022-02-11T10:13:13Z.tar.gz tmp/mysql.backup.manual.2022-02-11T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# <...>
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 6253434567 | "tmp/mysql.backup.manual.2022-02-01T10:13:13Z.tar.gz"                                                   |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# We will use the explained above data stracture to cover rare, but still
+# possible case, when we have several backups of the same date. E.g.
+# one manual, and one automatic.
+
+declare -A fileTable
+create_hash_table() {
+unset fileTable
+fileList=$@
+  for ARCHIVE_FILE in ${fileList}; do
+    # Creating index, we will round given ARCHIVE_DATE to the midnight (00:00:00)
+    # to take in account a possibility, that we can have more than one scheduled
+    # backup per day.
+    ARCHIVE_DATE=$(get_archive_date ${ARCHIVE_FILE})
+    ARCHIVE_DATE=$(date --date=${ARCHIVE_DATE} +%D)
+    log INFO "${DB_NAME}_backup" "Archive date to build index: ${ARCHIVE_DATE}"
+    INDEX=$(seconds_difference ${ARCHIVE_DATE})
+    if [[ -z fileTable[${INDEX}] ]]; then
+      fileTable[${INDEX}]=${ARCHIVE_FILE}
+    else
+      fileTable[${INDEX}]="${fileTable[${INDEX}]} ${ARCHIVE_FILE}"
+    fi
+    echo "INDEX: ${INDEX} VALUE:  ${fileTable[${INDEX}]}"
+ done
+}
+
+function get_backup_prefix() {
+# Create list of all possible prefixes in a format:
+# <db_name>.<namespace> to cover a possible situation
+# when different backups of different databases and/or
+# namespaces share the same local or remote storage.
+  ALL_FILES=($@)
+  PREFIXES=()
+  for fname in ${ALL_FILES[@]}; do
+    prefix=$(basename ${fname} | cut -d'.' -f1,2 )
+    for ((i=0; i<${#PREFIXES[@]}; i++)) do
+      if [[ ${PREFIXES[${i}]} == ${prefix} ]]; then
+        prefix=""
+        break
+      fi
+    done
+    if [[ ! -z ${prefix} ]]; then
+        PREFIXES+=(${prefix})
+    fi
+  done
+}
+
+remove_old_local_archives() {
+  SECONDS_TO_KEEP=$(( $((${LOCAL_DAYS_TO_KEEP}))*86400))
+  log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+  if [[ -d $ARCHIVE_DIR ]]; then
+    count=0
+    # We iterate over the hash table, checking the delta in seconds (hash keys),
+    # and minimum number of backups we must have in place. List of keys has to be sorted.
+    for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+      ARCHIVE_FILE=${fileTable[${INDEX}]}
+      if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
+        ((count++))
+        log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
+      else
+        log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
+          rm -f ${ARCHIVE_FILE}
+          if [[ $? -ne 0 ]]; then
+            # Log error but don't exit so we can finish the script
+            # because at this point we haven't sent backup to RGW yet
+            log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
+          fi
+      fi
+    done
+  else
+    log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
+  fi
+}
+
+prepare_list_of_remote_backups() {
+  BACKUP_FILES=$(mktemp -p /tmp)
+  DB_BACKUP_FILES=$(mktemp -p /tmp)
+  openstack object list $CONTAINER_NAME > $BACKUP_FILES
+  if [[ $? -ne 0 ]]; then
+    log_backup_error_exit \
+      "Failed to cleanup remote backup. Could not obtain a list of current backup files in the RGW"
+  fi
+  # Filter out other types of backup files
+  cat $BACKUP_FILES | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $DB_BACKUP_FILES
+}
+
+# The logic implemented with this function is absolutely similar
+# to the function remove_old_local_archives (see above)
+remove_old_remote_archives() {
+  count=0
+  SECONDS_TO_KEEP=$((${REMOTE_DAYS_TO_KEEP}*86400))
+  log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+  for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+    ARCHIVE_FILE=${fileTable[${INDEX}]}
+    if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then
+      ((count++))
+      log INFO "${DB_NAME}_backup" "Keeping remote backup(s) ${ARCHIVE_FILE}."
+    else
+      log INFO "${DB_NAME}_backup" "Deleting remote backup(s) ${ARCHIVE_FILE} from the RGW"
+      openstack object delete ${CONTAINER_NAME} ${ARCHIVE_FILE} ||  log WARN "${DB_NAME}_backup" \
+        "Failed to cleanup remote backup. Cannot delete container object ${ARCHIVE_FILE}"
+    fi
+  done
+
+  # Cleanup now that we're done.
+  for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
+    if [[ -f fd ]]; then
+      rm -f fd
+    else
+      log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+    fi
+  done
+}
+
+# Main function to backup the databases. Calling functions need to supply:
+#  1) The directory where the final backup will be kept after it is compressed.
+#  2) A temporary directory to use for placing database files to be compressed.
+#     Note: this temp directory will be deleted after backup is done.
+#  3) Optional "scope" parameter indicating what database to back up. Defaults
+#     to "all".
+backup_databases() {
+  SCOPE=${1:-"all"}
+
+  # Create necessary directories if they do not exist.
+  mkdir -p $ARCHIVE_DIR || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create directory ${ARCHIVE_DIR}!"
+  export TMP_DIR=$(mktemp -d) || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create temp directory!"
+
+  # Create temporary log file
+  export ERR_LOG_FILE=$(mktemp -p /tmp) || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create log file!"
+
+  # It is expected that this function will dump the database files to the $TMP_DIR
+  dump_databases_to_directory $TMP_DIR $ERR_LOG_FILE $SCOPE
+
+  # If successful, there should be at least one file in the TMP_DIR
+  if [[ $? -ne 0 || $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+    cat $ERR_LOG_FILE
+    log_backup_error_exit "Backup of the ${DB_NAME} database failed and needs attention."
+  fi
+
+  log INFO "${DB_NAME}_backup" "Databases dumped successfully. Creating tarball..."
+
+  NOW=$(date +"%Y-%m-%dT%H:%M:%SZ")
+  if [[ -z "${BACK_UP_MODE}" ]]; then
+    TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${NOW}.tar.gz"
+  else
+    TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${BACK_UP_MODE}.${NOW}.tar.gz"
+  fi
+
+  cd $TMP_DIR || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot change to directory $TMP_DIR"
+
+  #Archive the current database files
+  tar zcvf $ARCHIVE_DIR/$TARBALL_FILE *
+  if [[ $? -ne 0 ]]; then
+    log_backup_error_exit \
+      "Backup ${DB_NAME} to local file system failed. Backup tarball could not be created."
+  fi
+
+  # Get the size of the file
+  ARCHIVE_SIZE=$(ls -l $ARCHIVE_DIR/$TARBALL_FILE | awk '{print $5}')
+
+  log INFO "${DB_NAME}_backup" "Tarball $TARBALL_FILE created successfully."
+
+  cd $ARCHIVE_DIR
+
+  # Remove the temporary directory and files as they are no longer needed.
+  rm -rf $TMP_DIR
+  rm -f $ERR_LOG_FILE
+
+  #Only delete the old archive after a successful archive
+  export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
+  if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
+    get_backup_prefix $(ls -1 ${ARCHIVE_DIR}/*.gz)
+    for ((i=0; i<${#PREFIXES[@]}; i++)); do
+      echo "Working with prefix: ${PREFIXES[i]}"
+      create_hash_table $(ls -1 ${ARCHIVE_DIR}/${PREFIXES[i]}*.gz)
+      remove_old_local_archives
+    done
+  fi
+
+  REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
+  if $REMOTE_BACKUP; then
+    # Remove Quotes from the constants which were added due to reading
+    # from secret.
+    export REMOTE_BACKUP_RETRIES=$(echo $REMOTE_BACKUP_RETRIES | sed 's/"//g')
+    export MIN_DELAY_SEND_REMOTE=$(echo $MIN_DELAY_SEND_REMOTE | sed 's/"//g')
+    export MAX_DELAY_SEND_REMOTE=$(echo $MAX_DELAY_SEND_REMOTE | sed 's/"//g')
+    export REMOTE_DAYS_TO_KEEP=$(echo $REMOTE_DAYS_TO_KEEP | sed 's/"//g')
+
+    store_backup_remotely $ARCHIVE_DIR $TARBALL_FILE
+    if [[ $? -ne 0 ]]; then
+      # This error should print first, then print the summary as the last
+      # thing that the user sees in the output.
+      log ERROR "${DB_NAME}_backup" "Backup ${TARBALL_FILE} could not be sent to remote RGW."
+      echo "=================================================================="
+      echo "Local backup successful, but could not send to remote RGW."
+      echo "Backup archive name: $TARBALL_FILE"
+      echo "Backup archive size: $ARCHIVE_SIZE"
+      echo "=================================================================="
+      # Because the local backup was successful, exit with 0 so the pod will not
+      # continue to restart and fill the disk with more backups. The ERRORs are
+      # logged and alerting system should catch those errors and flag the operator.
+      exit 0
+    fi
+
+    #Only delete the old archive after a successful archive
+    if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then
+      prepare_list_of_remote_backups
+      get_backup_prefix $(cat $DB_BACKUP_FILES)
+      for ((i=0; i<${#PREFIXES[@]}; i++)); do
+        echo "Working with prefix: ${PREFIXES[i]}"
+        create_hash_table $(cat $DB_BACKUP_FILES | grep ${PREFIXES[i]})
+        remove_old_remote_archives
+      done
+    fi
+
+    echo "=================================================================="
+    echo "Local backup and backup to remote RGW successful!"
+    echo "Backup archive name: $TARBALL_FILE"
+    echo "Backup archive size: $ARCHIVE_SIZE"
+    echo "=================================================================="
+  else
+    # Remote backup is not enabled. This is ok; at least we have a local backup.
+    log INFO "${DB_NAME}_backup" "Skipping remote backup, as it is not enabled."
+
+    echo "=================================================================="
+    echo "Local backup successful!"
+    echo "Backup archive name: $TARBALL_FILE"
+    echo "Backup archive size: $ARCHIVE_SIZE"
+    echo "=================================================================="
+  fi
+}
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl b/charts/placement/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
new file mode 100644
index 0000000..093dd2c
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
@@ -0,0 +1,616 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.restore_main" }}
+#!/bin/bash
+
+# This file contains a database restore framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+#   source /tmp/restore_main.sh
+#
+# Then the script should call the main CLI function (cli_main):
+#   cli_main <arg_list>
+#       where:
+#         <arg_list>    is the list of arguments given by the user
+#
+#       The framework will require the following variables to be exported:
+#
+#         export DB_NAMESPACE        Namespace where the database(s) reside
+#         export DB_NAME             Name of the database system
+#         export ARCHIVE_DIR         Location where the backup tarballs should
+#                                    be stored. (full directory path which
+#                                    should already exist)
+#         export CONTAINER_NAME      Name of the container on the RGW where
+#                                    the backups are stored.
+#         RGW access variables:
+#           export OS_REGION_NAME          Name of the region the RGW resides in
+#           export OS_AUTH_URL             Keystone URL associated with the RGW
+#           export OS_PROJECT_NAME         Name of the project associated with the
+#                                          keystone user
+#           export OS_USERNAME             Name of the keystone user
+#           export OS_PASSWORD             Password of the keystone user
+#           export OS_USER_DOMAIN_NAME     Keystone domain the project belongs to
+#           export OS_PROJECT_DOMAIN_NAME  Keystone domain the user belongs to
+#           export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# The database-specific functions that need to be implemented are:
+#   get_databases
+#       where:
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <db_file>     is the full path of the file to write the database
+#                       names into, one database per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the database names from the
+#       uncompressed database files found in the given "tmp_dir", which is
+#       the staging directory for database restore. The database names
+#       should be written to the given "db_file", one database name per
+#       line.
+#
+#   get_tables
+#         <db_name>     is the name of the database to get the tables from
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <table_file>  is the full path of the file to write the table
+#                       names into, one table per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the table names from the given
+#       database, found in the uncompressed database files located in the
+#       given "tmp_dir", which is the staging directory for database restore.
+#       The table names should be written to the given "table_file", one
+#       table name per line.
+#
+#   get_rows
+#         <table_name>  is the name of the table to get the rows from
+#         <db_name>     is the name of the database the table resides in
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <rows_file>   is the full path of the file to write the table
+#                       row data into, one row (INSERT statement) per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the rows from the given table
+#       in the given database, found in the uncompressed database files
+#       located in the given "tmp_dir", which is the staging directory for
+#       database restore. The table rows should be written to the given
+#       "rows_file", one row (INSERT statement) per line.
+#
+#   get_schema
+#         <table_name>  is the name of the table to get the schema from
+#         <db_name>     is the name of the database the table resides in
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <schema_file> is the full path of the file to write the table
+#                       schema data into
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the schema from the given table
+#       in the given database, found in the uncompressed database files
+#       located in the given "tmp_dir", which is the staging directory for
+#       database restore. The table schema and related alterations and
+#       grant information should be written to the given "schema_file".
+#
+#   restore_single_db
+#       where:
+#         <db_name>     is the name of the database to be restored
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to restore the database given as "db_name"
+#       using the database files located in the "tmp_dir". The framework
+#       will delete the "tmp_dir" and the files in it after the restore is
+#       complete.
+#
+#   restore_all_dbs
+#       where:
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to restore all of the databases which
+#       are backed up in the database files located in the "tmp_dir". The
+#       framework will delete the "tmp_dir" and the files in it after the
+#       restore is complete.
+#
+# The functions in this file will take care of:
+#   1) The CLI parameter parsing for the arguments passed in by the user.
+#   2) The listing of either local or remote archive files at the request
+#      of the user.
+#   3) The retrieval/download of an archive file located either in the local
+#      file system or remotely stored on an RGW.
+#   4) Calling either "restore_single_db" or "restore_all_dbs" when the user
+#      chooses to restore a database or all databases.
+#   5) The framework will call "get_databases" when it needs a list of
+#      databases when the user requests a database list or when the user
+#      requests to restore a single database (to ensure it exists in the
+#      archive). Similarly, the framework will call "get_tables", "get_rows",
+#      or "get_schema" when it needs that data requested by the user.
+#
+
+usage() {
+  ret_val=$1
+  echo "Usage:"
+  echo "Restore command options"
+  echo "============================="
+  echo "help"
+  echo "list_archives [remote]"
+  echo "list_databases <archive_filename> [remote]"
+  echo "list_tables <archive_filename> <dbname> [remote]"
+  echo "list_rows <archive_filename> <dbname> <table_name> [remote]"
+  echo "list_schema <archive_filename> <dbname> <table_name> [remote]"
+  echo "restore <archive_filename> <db_specifier> [remote]"
+  echo "        where <db_specifier> = <dbname> | ALL"
+  echo "delete_archive <archive_filename> [remote]"
+  clean_and_exit $ret_val ""
+}
+
+#Exit cleanly with some message and return code
+clean_and_exit() {
+  RETCODE=$1
+  MSG=$2
+
+  # Clean/remove temporary directories/files
+  rm -rf $TMP_DIR
+  rm -f $RESULT_FILE
+
+  if [[ "x${MSG}" != "x" ]]; then
+    echo $MSG
+  fi
+  exit $RETCODE
+}
+
+determine_resulting_error_code() {
+  RESULT="$1"
+
+  echo ${RESULT} | grep "HTTP 404"
+  if [[ $? -eq 0 ]]; then
+    echo "Could not find the archive: ${RESULT}"
+    return 1
+  else
+    echo ${RESULT} | grep "HTTP 401"
+    if [[ $? -eq 0 ]]; then
+      echo "Could not access the archive: ${RESULT}"
+      return 1
+    else
+      echo ${RESULT} | grep "HTTP 503"
+      if [[ $? -eq 0 ]]; then
+        echo "RGW service is unavailable. ${RESULT}"
+        # In this case, the RGW may be temporarily down.
+        # Return slightly different error code so the calling code can retry
+        return 2
+      else
+        echo ${RESULT} | grep "ConnectionError"
+        if [[ $? -eq 0 ]]; then
+          echo "Could not reach the RGW: ${RESULT}"
+          # In this case, keystone or the site/node may be temporarily down.
+          # Return slightly different error code so the calling code can retry
+          return 2
+        else
+          echo "Archive ${ARCHIVE} could not be retrieved: ${RESULT}"
+          return 1
+        fi
+      fi
+    fi
+  fi
+  return 0
+}
+
+# Retrieve a list of archives from the RGW.
+retrieve_remote_listing() {
+  RESULT=$(openstack container show $CONTAINER_NAME 2>&1)
+  if [[ $? -eq 0 ]]; then
+    # Get the list, ensureing that we only pick up the right kind of backups from the
+    # requested namespace
+    openstack object list $CONTAINER_NAME | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $TMP_DIR/archive_list
+    if [[ $? -ne 0 ]]; then
+      echo "Container object listing could not be obtained."
+      return 1
+    else
+      echo "Archive listing successfully retrieved."
+    fi
+  else
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  fi
+  return 0
+}
+
+# Retrieve a single archive from the RGW.
+retrieve_remote_archive() {
+  ARCHIVE=$1
+
+  RESULT=$(openstack object save --file $TMP_DIR/$ARCHIVE $CONTAINER_NAME $ARCHIVE 2>&1)
+  if [[ $? -ne 0 ]]; then
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  else
+    echo "Archive $ARCHIVE successfully retrieved."
+  fi
+  return 0
+}
+
+# Delete an archive from the RGW.
+delete_remote_archive() {
+  ARCHIVE=$1
+
+  RESULT=$(openstack object delete ${CONTAINER_NAME} ${ARCHIVE} 2>&1)
+  if [[ $? -ne 0 ]]; then
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  else
+    echo "Archive ${ARCHIVE} successfully deleted."
+  fi
+  return 0
+}
+
+# Display all archives
+list_archives() {
+  REMOTE=$1
+
+  if [[ "x${REMOTE^^}" == "xREMOTE" ]]; then
+    retrieve_remote_listing
+    if [[ $? -eq 0 && -e $TMP_DIR/archive_list ]]; then
+      echo
+      echo "All Archives from RGW Data Store"
+      echo "=============================================="
+      cat $TMP_DIR/archive_list | sort
+      clean_and_exit 0 ""
+    else
+      clean_and_exit 1 "ERROR: Archives could not be retrieved from the RGW."
+    fi
+  elif [[ "x${REMOTE}" == "x" ]]; then
+    if [[ -d $ARCHIVE_DIR ]]; then
+      archives=$(find $ARCHIVE_DIR/ -iname "*.gz" -print | sort)
+      echo
+      echo "All Local Archives"
+      echo "=============================================="
+      for archive in $archives
+      do
+        echo $archive | cut -d '/' -f8-
+      done
+      clean_and_exit 0 ""
+    else
+      clean_and_exit 1 "ERROR: Local archive directory is not available."
+    fi
+  else
+    usage 1
+  fi
+}
+
+# Retrieve the archive from the desired location and decompress it into
+# the restore directory
+get_archive() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+
+  if [[ "x$REMOTE" == "xremote" ]]; then
+    echo "Retrieving archive ${ARCHIVE_FILE} from the remote RGW..."
+    retrieve_remote_archive $ARCHIVE_FILE
+    if [[ $? -ne 0 ]]; then
+      clean_and_exit 1 "ERROR: Could not retrieve remote archive: $ARCHIVE_FILE"
+    fi
+  elif [[ "x$REMOTE" == "x" ]]; then
+    if [[ -e $ARCHIVE_DIR/$ARCHIVE_FILE ]]; then
+      cp $ARCHIVE_DIR/$ARCHIVE_FILE $TMP_DIR/$ARCHIVE_FILE
+      if [[ $? -ne 0 ]]; then
+        clean_and_exit 1 "ERROR: Could not copy local archive to restore directory."
+      fi
+    else
+      clean_and_exit 1 "ERROR: Local archive file could not be found."
+    fi
+  else
+    usage 1
+  fi
+
+  echo "Decompressing archive $ARCHIVE_FILE..."
+  cd $TMP_DIR
+  tar zxvf - < $TMP_DIR/$ARCHIVE_FILE 1>/dev/null
+  if [[ $? -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Archive decompression failed."
+  fi
+}
+
+# Display all databases from an archive
+list_databases() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one database per line
+  get_databases $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve databases from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Databases in the $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Databases file missing. Could not list databases from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display all tables of a database from an archive
+list_tables() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  REMOTE=$3
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one table per line
+  get_tables $DATABASE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve tables for database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Tables in database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Tables file missing. Could not list tables of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display all rows of the given database table from an archive
+list_rows() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  TABLE=$3
+  REMOTE=$4
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one table per line
+  get_rows $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Rows in table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Rows file missing. Could not list rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display the schema information of the given database table from an archive
+list_schema() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  TABLE=$3
+  REMOTE=$4
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the schema information will be placed into
+  # the given schema file.
+  get_schema $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Schema for table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Schema file missing. Could not list schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Delete an archive
+delete_archive() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  if [[ "${WHERE}" == "remote" ]]; then
+    delete_remote_archive ${ARCHIVE_FILE}
+    if [[ $? -ne 0 ]]; then
+      clean_and_exit 1 "ERROR: Could not delete remote archive: ${ARCHIVE_FILE}"
+    fi
+  else # Local
+    if [[ -e ${ARCHIVE_DIR}/${ARCHIVE_FILE} ]]; then
+      rm -f ${ARCHIVE_DIR}/${ARCHIVE_FILE}
+      if [[ $? -ne 0 ]]; then
+        clean_and_exit 1 "ERROR: Could not delete local archive."
+      fi
+    else
+      clean_and_exit 1 "ERROR: Local archive file could not be found."
+    fi
+  fi
+
+  echo "Successfully deleted archive ${ARCHIVE_FILE} from ${WHERE} storage."
+}
+
+
+# Return 1 if the given database exists in the database file. 0 otherwise.
+database_exists() {
+  DB=$1
+
+  grep "${DB}" ${RESULT_FILE}
+  if [[ $? -eq 0 ]]; then
+    return 1
+  fi
+  return 0
+}
+
+# This is the main CLI interpreter function
+cli_main() {
+  ARGS=("$@")
+
+  # Create the ARCHIVE DIR if it's not already there.
+  mkdir -p $ARCHIVE_DIR
+
+  # Create temp directory for a staging area to decompress files into
+  export TMP_DIR=$(mktemp -d)
+
+  # Create a temp file for storing list of databases (if needed)
+  export RESULT_FILE=$(mktemp -p /tmp)
+
+  case "${ARGS[0]}" in
+    "help")
+      usage 0
+      ;;
+
+    "list_archives")
+      if [[ ${#ARGS[@]} -gt 2 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 1 ]]; then
+        list_archives
+      else
+        list_archives ${ARGS[1]}
+      fi
+      clean_and_exit 0
+      ;;
+
+    "list_databases")
+      if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 2 ]]; then
+        list_databases ${ARGS[1]}
+      else
+        list_databases ${ARGS[1]} ${ARGS[2]}
+      fi
+      ;;
+
+    "list_tables")
+      if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 3 ]]; then
+        list_tables ${ARGS[1]} ${ARGS[2]}
+      else
+        list_tables ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      fi
+      ;;
+
+    "list_rows")
+      if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      else
+        list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+      fi
+      ;;
+
+    "list_schema")
+      if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      else
+        list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+      fi
+      ;;
+
+    "restore")
+      REMOTE=""
+      if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        REMOTE=${ARGS[3]}
+      fi
+
+      ARCHIVE=${ARGS[1]}
+      DB_SPEC=${ARGS[2]}
+
+      #Get all the databases in that archive
+      get_archive $ARCHIVE $REMOTE
+
+      if [[ "$( echo $DB_SPEC | tr '[a-z]' '[A-Z]')" != "ALL" ]]; then
+        # Expectation is that the database listing will be put into
+        # the given file one database per line
+        get_databases $TMP_DIR $RESULT_FILE
+        if [[ "$?" -ne 0 ]]; then
+          clean_and_exit 1 "ERROR: Could not get the list of databases to restore."
+        fi
+
+        if [[ ! $DB_NAMESPACE == "kube-system" ]]; then
+          #check if the requested database is available in the archive
+          database_exists $DB_SPEC
+          if [[ $? -ne 1 ]]; then
+            clean_and_exit 1 "ERROR: Database ${DB_SPEC} does not exist."
+          fi
+        fi
+
+        echo "Restoring Database $DB_SPEC And Grants"
+        restore_single_db $DB_SPEC $TMP_DIR
+        if [[ "$?" -eq 0 ]]; then
+          echo "Single database restored successfully."
+        else
+          clean_and_exit 1 "ERROR: Single database restore failed."
+        fi
+        clean_and_exit 0 ""
+      else
+        echo "Restoring All The Databases. This could take a few minutes..."
+        restore_all_dbs $TMP_DIR
+        if [[ "$?" -eq 0 ]]; then
+          echo "All databases restored successfully."
+        else
+          clean_and_exit 1 "ERROR: Database restore failed."
+        fi
+        clean_and_exit 0 ""
+      fi
+      ;;
+    "delete_archive")
+      if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 2 ]]; then
+        delete_archive ${ARGS[1]}
+      else
+        delete_archive ${ARGS[1]} ${ARGS[2]}
+      fi
+      ;;
+    *)
+      usage 1
+      ;;
+  esac
+
+  clean_and_exit 0 ""
+}
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_image.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_image.tpl
new file mode 100644
index 0000000..029c93d
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_image.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves an image reference to a string, and its pull policy
+values: |
+  images:
+    tags:
+      test_image: docker.io/port/test:version-foo
+      image_foo: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    pull_policy: IfNotPresent
+    local_registry:
+      active: true
+      exclude:
+        - image_foo
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    local_image_registry:
+      name: docker-registry
+      namespace: docker-registry
+      hosts:
+        default: localhost
+        internal: docker-registry
+        node: localhost
+      host_fqdn_override:
+        default: null
+      port:
+        registry:
+          node: 5000
+usage: |
+  {{ tuple . "test_image" | include "helm-toolkit.snippets.image" }}
+return: |
+  image: "localhost:5000/docker.io/port/test:version-foo"
+  imagePullPolicy: IfNotPresent
+*/}}
+
+{{- define "helm-toolkit.snippets.image" -}}
+{{- $envAll := index . 0 -}}
+{{- $image := index . 1 -}}
+{{- $imageTag := index $envAll.Values.images.tags $image -}}
+{{- if and ($envAll.Values.images.local_registry.active) (not (has $image $envAll.Values.images.local_registry.exclude )) -}}
+{{- $registryPrefix := printf "%s:%s" (tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup") (tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup") -}}
+image: {{ printf "%s/%s" $registryPrefix $imageTag | quote }}
+{{- else -}}
+image: {{ $imageTag | quote }}
+{{- end }}
+imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
new file mode 100644
index 0000000..2f209fe
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a set of container enviorment variables, equivlant to an openrc for
+  use with keystone based command line clients.
+values: |
+  secrets:
+    identity:
+      admin: example-keystone-admin
+usage: |
+  {{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin ) }}
+return: |
+  - name: OS_IDENTITY_API_VERSION
+    value: "3"
+  - name: OS_AUTH_URL
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_AUTH_URL
+  - name: OS_REGION_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_REGION_NAME
+  - name: OS_INTERFACE
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_INTERFACE
+  - name: OS_ENDPOINT_TYPE
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_INTERFACE
+  - name: OS_PROJECT_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PROJECT_DOMAIN_NAME
+  - name: OS_PROJECT_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PROJECT_NAME
+  - name: OS_USER_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_USER_DOMAIN_NAME
+  - name: OS_USERNAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_USERNAME
+  - name: OS_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PASSWORD
+  - name: OS_CACERT
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_CACERT
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }}
+{{- $useCA := .useCA -}}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: OS_IDENTITY_API_VERSION
+  value: "3"
+- name: OS_AUTH_URL
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_AUTH_URL
+- name: OS_REGION_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_REGION_NAME
+- name: OS_INTERFACE
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_INTERFACE
+- name: OS_ENDPOINT_TYPE
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_INTERFACE
+- name: OS_PROJECT_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_DOMAIN_NAME
+- name: OS_PROJECT_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_NAME
+- name: OS_USER_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USER_DOMAIN_NAME
+- name: OS_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USERNAME
+- name: OS_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PASSWORD
+- name: OS_DEFAULT_DOMAIN
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_DEFAULT_DOMAIN
+{{- if $useCA }}
+- name: OS_CACERT
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_CACERT
+{{- end }}
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
new file mode 100644
index 0000000..f627657
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_secret_openrc" }}
+{{- $userClass := index . 0 -}}
+{{- $identityEndpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $userContext := index $context.Values.endpoints.identity.auth $userClass }}
+OS_AUTH_URL: {{ tuple "identity" $identityEndpoint "api" $context | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
+OS_REGION_NAME: {{ $userContext.region_name | b64enc }}
+OS_INTERFACE: {{ $userContext.interface | default "internal" | b64enc }}
+OS_PROJECT_DOMAIN_NAME: {{ $userContext.project_domain_name | b64enc }}
+OS_PROJECT_NAME: {{ $userContext.project_name | b64enc }}
+OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }}
+OS_USERNAME: {{ $userContext.username | b64enc }}
+OS_PASSWORD: {{ $userContext.password | b64enc }}
+OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }}
+{{- if $userContext.cacert }}
+OS_CACERT: {{ $userContext.cacert | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
new file mode 100644
index 0000000..648711b
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a set of container enviorment variables, for use with the keystone
+  user management jobs.
+values: |
+  secrets:
+    identity:
+      service_user: example-keystone-user
+usage: |
+  {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }}
+return: |
+  - name: SERVICE_OS_REGION_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_REGION_NAME
+  - name: SERVICE_OS_PROJECT_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PROJECT_DOMAIN_NAME
+  - name: SERVICE_OS_PROJECT_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PROJECT_NAME
+  - name: SERVICE_OS_USER_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_USER_DOMAIN_NAME
+  - name: SERVICE_OS_USERNAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_USERNAME
+  - name: SERVICE_OS_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PASSWORD
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_user_create_env_vars" }}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: SERVICE_OS_REGION_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_REGION_NAME
+- name: SERVICE_OS_PROJECT_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_DOMAIN_NAME
+- name: SERVICE_OS_PROJECT_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_NAME
+- name: SERVICE_OS_USER_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USER_DOMAIN_NAME
+- name: SERVICE_OS_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USERNAME
+- name: SERVICE_OS_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PASSWORD
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
new file mode 100644
index 0000000..8ca1028
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders a configmap used for loading custom AppArmor profiles.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+      apparmor_profiles: |-
+        my_apparmor-v1.profile: |-
+          #include <tunables/global>
+          profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+            <profile_data>
+          }
+usage: |
+  {{ dict "envAll" . "component" "myComponent" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }}
+return: |
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: releaseName-myComponent-apparmor
+  namespace: myNamespace
+data:
+  my_apparmor-v1.profile: |-
+    #include <tunables/global>
+    profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+      <profile_data>
+    }
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_configmap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- $mapName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if $envAll.Values.conf.apparmor_profiles }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ $mapName }}
+  namespace: {{ $envAll.Release.Namespace }}
+data:
+{{ $envAll.Values.conf.apparmor_profiles | toYaml | indent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
new file mode 100644
index 0000000..f231fe6
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders the init container used for apparmor loading.
+values: |
+  images:
+    tags:
+      apparmor_loader: my-repo.io/apparmor-loader:1.0.0
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+      apparmor-loader: unconfined
+usage: |
+  {{ dict "envAll" . | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" }}
+return: |
+  - name: apparmor-loader
+    image: my-repo.io/apparmor-loader:1.0.0
+    args:
+      - /profiles
+    securityContext:
+      privileged: true
+    volumeMounts:
+      - name: sys
+        mountPath: /sys
+        readOnly: true
+      - name: includes
+        mountPath: /etc/apparmor.d
+        readOnly: true
+      - name: profiles
+        mountPath: /profiles
+        readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" -}}
+{{- $envAll := index . "envAll" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+- name: apparmor-loader
+  image: {{ $envAll.Values.images.tags.apparmor_loader }}
+  args:
+    - /profiles
+  securityContext:
+    privileged: true
+  volumeMounts:
+    - name: sys
+      mountPath: /sys
+      readOnly: true
+    - name: includes
+      mountPath: /etc/apparmor.d
+      readOnly: true
+    - name: profiles
+      mountPath: /profiles
+      readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
new file mode 100644
index 0000000..baebaa3
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders the volumes used by the apparmor loader.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+inputs: |
+  envAll: "Environment or Context."
+  component: "Name of the component used for the name of configMap."
+  requireSys: "Boolean. True if it needs the hostpath /sys in volumes."
+usage: |
+  {{ dict "envAll" . "component" "keystone" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" }}
+return: |
+- name: sys
+  hostPath:
+    path: /sys
+- name: includes
+  hostPath:
+    path: /etc/apparmor.d
+- name: profiles
+  configMap:
+    name: RELEASENAME-keystone-apparmor
+    defaultMode: 0555
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_volumes" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $requireSys := index . "requireSys" | default false -}}
+{{- $configName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- if $requireSys }}
+- name: sys
+  hostPath:
+    path: /sys
+{{- end }}
+- name: includes
+  hostPath:
+    path: /etc/apparmor.d
+- name: profiles
+  configMap:
+    name: {{ $configName | quote }}
+    defaultMode: 0555
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
new file mode 100644
index 0000000..4741497
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders securityContext for a Kubernetes container.
+  For container level, see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#securitycontext-v1-core
+examples:
+  - values: |
+      pod:
+        security_context:
+          myApp:
+            container:
+              foo:
+                runAsUser: 34356
+                readOnlyRootFilesystem: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" "container" "foo" | include "helm-toolkit.snippets.kubernetes_container_security_context" }}
+    return: |
+      securityContext:
+        readOnlyRootFilesystem: true
+        runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_container_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $container := index . "container" -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{- if hasKey ( index $envAll.Values.pod.security_context $application "container" ) $container }}
+securityContext:
+{{ toYaml ( index $envAll.Values.pod.security_context $application "container" $container ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
new file mode 100644
index 0000000..bed712e
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
@@ -0,0 +1,209 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a container definition for use with the kubernetes-entrypoint image
+  from stackanetes.
+values: |
+  images:
+    tags:
+      dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    pull_policy: IfNotPresent
+    local_registry:
+      active: true
+      exclude:
+        - dep_check
+  dependencies:
+    dynamic:
+      common:
+        local_image_registry:
+          jobs:
+            - calico-image-repo-sync
+          services:
+            - endpoint: node
+              service: local_image_registry
+    static:
+      calico_node:
+        services:
+          - endpoint: internal
+            service: etcd
+        custom_resources:
+          - apiVersion: argoproj.io/v1alpha1
+            kind: Workflow
+            name: wf-example
+            fields:
+              - key: "status.phase"
+                value: "Succeeded"
+  endpoints:
+    local_image_registry:
+      namespace: docker-registry
+      hosts:
+        default: localhost
+        node: localhost
+    etcd:
+      hosts:
+        default: etcd
+  # NOTE (portdirect): if the stanza, or a portion of it, under `pod` is not
+  # specififed then the following will be used as defaults:
+  #  pod:
+  #    security_context:
+  #      kubernetes_entrypoint:
+  #        container:
+  #          kubernetes_entrypoint:
+  #            runAsUser: 65534
+  #            readOnlyRootFilesystem: true
+  #            allowPrivilegeEscalation: false
+  pod:
+    security_context:
+      kubernetes_entrypoint:
+        container:
+          kubernetes_entrypoint:
+            runAsUser: 0
+            readOnlyRootFilesystem: false
+usage: |
+  {{ tuple . "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" }}
+return: |
+  - name: init
+    image: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+    imagePullPolicy: IfNotPresent
+    securityContext:
+      allowPrivilegeEscalation: false
+      readOnlyRootFilesystem: false
+      runAsUser: 0
+
+    env:
+      - name: POD_NAME
+        valueFrom:
+          fieldRef:
+            apiVersion: v1
+            fieldPath: metadata.name
+      - name: NAMESPACE
+        valueFrom:
+          fieldRef:
+            apiVersion: v1
+            fieldPath: metadata.namespace
+      - name: INTERFACE_NAME
+        value: eth0
+      - name: PATH
+        value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+      - name: DEPENDENCY_SERVICE
+        value: "default:etcd,docker-registry:localhost"
+      - name: DEPENDENCY_JOBS
+        value: "calico-image-repo-sync"
+      - name: DEPENDENCY_DAEMONSET
+        value: ""
+      - name: DEPENDENCY_CONTAINER
+        value: ""
+      - name: DEPENDENCY_POD_JSON
+        value: ""
+      - name: DEPENDENCY_CUSTOM_RESOURCE
+        value: "[{\"apiVersion\":\"argoproj.io/v1alpha1\",\"kind\":\"Workflow\",\"namespace\":\"default\",\"name\":\"wf-example\",\"fields\":[{\"key\":\"status.phase\",\"value\":\"Succeeded\"}]}]"
+    command:
+      - kubernetes-entrypoint
+    volumeMounts:
+      []
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" -}}
+Values:
+  pod:
+    security_context:
+      kubernetes_entrypoint:
+        container:
+          kubernetes_entrypoint:
+            runAsUser: 65534
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $mounts := index . 2 -}}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+
+{{- if and ($envAll.Values.manifests.job_rabbit_init) (hasKey $envAll.Values.dependencies "dynamic") -}}
+{{- if $envAll.Values.dependencies.dynamic.job_rabbit_init -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component) ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component)) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+{{- range $deps.custom_resources }}
+{{- $_ := set . "namespace" $envAll.Release.Namespace -}}
+{{- end -}}
+{{- $default_security_context := include "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" . | fromYaml }}
+{{- $patchedEnvAll := mergeOverwrite $default_security_context $envAll }}
+- name: init
+{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
+{{- dict "envAll" $patchedEnvAll "application" "kubernetes_entrypoint" "container" "kubernetes_entrypoint" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 2 }}
+  env:
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          apiVersion: v1
+          fieldPath: metadata.name
+    - name: NAMESPACE
+      valueFrom:
+        fieldRef:
+          apiVersion: v1
+          fieldPath: metadata.namespace
+    - name: INTERFACE_NAME
+      value: eth0
+    - name: PATH
+      value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+    - name: DEPENDENCY_SERVICE
+      value: "{{ tuple $deps.services $envAll | include "helm-toolkit.utils.comma_joined_service_list" }}"
+{{- if $deps.jobs -}}
+  {{- if kindIs "string" (index $deps.jobs 0) }}
+    - name: DEPENDENCY_JOBS
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.jobs }}"
+  {{- else }}
+    - name: DEPENDENCY_JOBS_JSON
+      value: {{- toJson $deps.jobs | quote -}}
+  {{- end -}}
+{{- end }}
+    - name: DEPENDENCY_DAEMONSET
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.daemonset }}"
+    - name: DEPENDENCY_CONTAINER
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.container }}"
+    - name: DEPENDENCY_POD_JSON
+      value: {{ if $deps.pod }}{{ toJson $deps.pod | quote }}{{ else }}""{{ end }}
+    - name: DEPENDENCY_CUSTOM_RESOURCE
+      value: {{ if $deps.custom_resources }}{{ toJson $deps.custom_resources | quote }}{{ else }}""{{ end }}
+  command:
+    - kubernetes-entrypoint
+  volumeMounts:
+{{ toYaml $mounts | indent 4 }}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
new file mode 100644
index 0000000..34a7da3
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
@@ -0,0 +1,20 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_kubectl_params" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{ print "-l application=" $application " -l component=" $component }}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
new file mode 100644
index 0000000..92d3ea5
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders mandatory access control annotations for a list of containers
+  driven by values.yaml. As of now, it can only generate an apparmor
+  annotation, but in the future could generate others.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      myPodName:
+        myContainerName: localhost/myAppArmor
+        mySecondContainerName: localhost/secondProfile # optional
+        myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+  {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" }}
+return: |
+  container.apparmor.security.beta.kubernetes.io/myContainerName: localhost/myAppArmor
+  container.apparmor.security.beta.kubernetes.io/mySecondContainerName: localhost/secondProfile
+  container.apparmor.security.beta.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+  The number of container underneath is a variable arguments. It loops through
+  all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- $macType := $envAll.Values.pod.mandatory_access_control.type -}}
+{{- if $macType -}}
+{{- if eq $macType "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control $podName -}}
+{{- range $name := $containerNames -}}
+{{- $apparmorProfile := index $envAll.Values.pod.mandatory_access_control $podName $name -}}
+{{- if $apparmorProfile }}
+container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
new file mode 100644
index 0000000..48b53fa
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders a set of standardised labels
+values: |
+  release_group: null
+  pod:
+    labels:
+      default:
+        label1.example.com: value
+      bar:
+        label2.example.com: bar
+usage: |
+  {{ tuple . "foo" "bar" | include "helm-toolkit.snippets.kubernetes_metadata_labels" }}
+return: |
+  release_group: RELEASE-NAME
+  application: foo
+  component: bar
+  label1.example.com: value
+  label2.example.com: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+release_group: {{ $envAll.Values.release_group | default $envAll.Release.Name }}
+application: {{ $application }}
+component: {{ $component }}
+{{- if ($envAll.Values.pod).labels }}
+{{- if hasKey $envAll.Values.pod.labels $component }}
+{{ index $envAll.Values.pod "labels" $component | toYaml }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.labels "default" }}
+{{ $envAll.Values.pod.labels.default | toYaml }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
new file mode 100644
index 0000000..fabbcf8
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
@@ -0,0 +1,89 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes anti affinity rules, this function supports both hard
+  'requiredDuringSchedulingIgnoredDuringExecution' and soft
+  'preferredDuringSchedulingIgnoredDuringExecution' types.
+values: |
+  pod:
+    affinity:
+      anti:
+        topologyKey:
+          default: kubernetes.io/hostname
+        type:
+          default: requiredDuringSchedulingIgnoredDuringExecution
+        weight:
+          default: 10
+usage: |
+  {{ tuple . "appliction_x" "component_y" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" }}
+return: |
+  podAntiAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+    - labelSelector:
+        matchExpressions:
+          - key: release_group
+            operator: In
+            values:
+            - RELEASE-NAME
+          - key: application
+            operator: In
+            values:
+            - appliction_x
+          - key: component
+            operator: In
+            values:
+            - component_y
+          topologyKey: kubernetes.io/hostname
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $component := index . "component" -}}
+{{- $expressionRelease := dict "key" "release_group" "operator" "In"  "values" ( list ( $envAll.Values.release_group | default $envAll.Release.Name ) ) -}}
+{{- $expressionApplication := dict "key" "application" "operator" "In"  "values" ( list $application ) -}}
+{{- $expressionComponent := dict "key" "component" "operator" "In"  "values" ( list $component ) -}}
+{{- list $expressionRelease $expressionApplication $expressionComponent | toYaml }}
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{- $antiAffinityType := index $envAll.Values.pod.affinity.anti.type $component | default $envAll.Values.pod.affinity.anti.type.default }}
+{{- $antiAffinityKey := index $envAll.Values.pod.affinity.anti.topologyKey $component | default $envAll.Values.pod.affinity.anti.topologyKey.default }}
+podAntiAffinity:
+{{- $matchExpressions := include "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" ( dict "envAll" $envAll "application" $application "component" $component ) -}}
+{{- if eq $antiAffinityType "preferredDuringSchedulingIgnoredDuringExecution" }}
+  {{ $antiAffinityType }}:
+  - podAffinityTerm:
+      labelSelector:
+        matchExpressions:
+{{ $matchExpressions | indent 10 }}
+      topologyKey: {{ $antiAffinityKey }}
+{{- if  $envAll.Values.pod.affinity.anti.weight }}
+    weight: {{ index $envAll.Values.pod.affinity.anti.weight $component | default $envAll.Values.pod.affinity.anti.weight.default }}
+{{- else }}
+    weight: 10
+{{- end -}}
+{{- else if eq $antiAffinityType "requiredDuringSchedulingIgnoredDuringExecution" }}
+  {{ $antiAffinityType }}:
+  - labelSelector:
+      matchExpressions:
+{{ $matchExpressions | indent 8 }}
+    topologyKey: {{ $antiAffinityKey }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
new file mode 100644
index 0000000..74173dc
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders image pull secrets for a pod
+values: |
+  pod:
+    image_pull_secrets:
+      default:
+        - name: some-pull-secret
+      bar:
+        - name: another-pull-secret
+usage: |
+  {{ tuple . "bar" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" }}
+return: |
+  imagePullSecrets:
+    - name: some-pull-secret
+    - name: another-pull-secret
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_image_pull_secrets" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- if ($envAll.Values.pod).image_pull_secrets }}
+imagePullSecrets:
+{{- if hasKey $envAll.Values.pod.image_pull_secrets $application }}
+{{ index $envAll.Values.pod "image_pull_secrets" $application | toYaml | indent 2 }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.image_pull_secrets "default" }}
+{{ $envAll.Values.pod.image_pull_secrets.default | toYaml | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
new file mode 100644
index 0000000..90a7a65
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{{- $saName := index . 2 | replace "_" "-" }}
+{{- $saNamespace := index . 3 -}}
+{{- $releaseName := $envAll.Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $releaseName }}-{{ $saName }}
+  namespace: {{ $saNamespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $saName }}
+    namespace: {{ $saNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+  namespace: {{ $saNamespace }}
+rules:
+  - apiGroups:
+      - ""
+      - extensions
+      - batch
+      - apps
+    verbs:
+      - get
+      - list
+    resources:
+      {{- range $k, $v := $deps -}}
+      {{ if eq $v "daemonsets" }}
+      - daemonsets
+      {{- end -}}
+      {{ if eq $v "jobs" }}
+      - jobs
+      {{- end -}}
+      {{ if or (eq $v "pods") (eq $v "daemonsets") (eq $v "jobs") }}
+      - pods
+      {{- end -}}
+      {{ if eq $v "services" }}
+      - services
+      - endpoints
+      {{- end -}}
+      {{ if eq $v "secrets" }}
+      - secrets
+      {{- end -}}
+      {{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
new file mode 100644
index 0000000..bc2045e
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $saName := index . 2 -}}
+{{- $saNamespace := $envAll.Release.Namespace }}
+{{- $randomKey := randAlphaNum 32 }}
+{{- $allNamespace := dict $randomKey "" }}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $saName }}
+  namespace: {{ $saNamespace }}
+{{- if $envAll.Values.manifests.secret_registry }}
+{{- if $envAll.Values.endpoints.oci_image_registry.auth.enabled }}
+imagePullSecrets:
+  - name: {{ index $envAll.Values.secrets.oci_image_registry $envAll.Chart.Name }}
+{{- end -}}
+{{- end -}}
+{{- range $k, $v := $deps -}}
+{{- if eq $k "services" }}
+{{- range $serv := $v }}
+{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
+{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
+{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
+{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- else if and (eq $k "jobs") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "daemonset") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "pod") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "pods," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "secret") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "secrets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- $_ := unset $allNamespace $randomKey }}
+{{- range $ns, $vv := $allNamespace }}
+{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
+{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
new file mode 100644
index 0000000..3a4fbaa
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
@@ -0,0 +1,67 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders securityContext for a Kubernetes pod.
+  For pod level, seurity context see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#podsecuritycontext-v1-core
+examples:
+  - values: |
+      pod:
+        # NOTE: The 'user' key is deprecated, and will be removed shortly.
+        user:
+          myApp:
+            uid: 34356
+        security_context:
+          myApp:
+            pod:
+              runAsNonRoot: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+    return: |
+      securityContext:
+        runAsUser: 34356
+        runAsNonRoot: true
+  - values: |
+      pod:
+        security_context:
+          myApp:
+            pod:
+              runAsUser: 34356
+              runAsNonRoot: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+    return: |
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+securityContext:
+{{- if hasKey $envAll.Values.pod "user" }}
+{{- if hasKey $envAll.Values.pod.user $application }}
+{{- if hasKey ( index $envAll.Values.pod.user $application ) "uid" }}
+  runAsUser: {{ index $envAll.Values.pod.user $application "uid" }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{ toYaml ( index $envAll.Values.pod.security_context $application "pod" ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
new file mode 100644
index 0000000..7470760
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes liveness and readiness probes for containers
+values: |
+  pod:
+    probes:
+      api:
+        default:
+          readiness:
+            enabled: true
+            params:
+              initialDelaySeconds: 30
+              timeoutSeconds: 30
+usage: |
+  {{- define "probeTemplate" }}
+  httpGet:
+    path: /status
+    port: 9090
+  {{- end }}
+  {{ dict "envAll" . "component" "api" "container" "default" "type" "readiness" "probeTemplate" (include "probeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" }}
+return: |
+  readinessProbe:
+    httpGet:
+      path: /status
+      port: 9090
+    initialDelaySeconds: 30
+    timeoutSeconds: 30
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_probe" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $container := index . "container" -}}
+{{- $type := index . "type" -}}
+{{- $probeTemplate := index . "probeTemplate" -}}
+{{- $probeOpts := index $envAll.Values.pod.probes $component $container $type -}}
+{{- if $probeOpts.enabled -}}
+{{- $probeOverides := index $probeOpts "params" | default dict -}}
+{{ dict ( printf "%sProbe" $type ) (mergeOverwrite $probeTemplate $probeOverides ) | toYaml }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
new file mode 100644
index 0000000..24d30cf
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
@@ -0,0 +1,53 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Note: This function is deprecated and will be removed in the future.
+
+abstract: |
+  Renders kubernetes resource limits for pods
+values: |
+  pod:
+    resources:
+      enabled: true
+      api:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+          hugepages-1Gi: "1Gi"
+
+usage: |
+  {{ include "helm-toolkit.snippets.kubernetes_resources" ( tuple . .Values.pod.resources.api ) }}
+return: |
+  resources:
+    limits:
+      cpu: "2000m"
+      memory: "1024Mi"
+      hugepages-1Gi: "1Gi"
+    requests:
+      cpu: "100m"
+      memory: "128Mi
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_resources" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- if $envAll.Values.pod.resources.enabled -}}
+resources:
+{{ toYaml $component | trim | indent 2 }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
new file mode 100644
index 0000000..555ffb0
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders seccomp annotations for a list of containers driven by values.yaml.
+values: |
+  pod:
+    seccomp:
+      myPodName:
+        myContainerName: localhost/mySeccomp
+        mySecondContainerName: localhost/secondProfile # optional
+        myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+  {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_seccomp_annotation" }}
+return: |
+  container.seccomp.security.alpha.kubernetes.io/myContainerName: localhost/mySeccomp
+  container.seccomp.security.alpha.kubernetes.io/mySecondContainerName: localhost/secondProfile
+  container.seccomp.security.alpha.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+  The number of container underneath is a variable arguments. It loops through
+  all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_seccomp_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey (index $envAll.Values.pod "seccomp") $podName -}}
+{{- range $name := $containerNames -}}
+{{- $seccompProfile := index $envAll.Values.pod.seccomp $podName $name -}}
+{{- if $seccompProfile }}
+container.seccomp.security.alpha.kubernetes.io/{{ $name }}: {{ $seccompProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
new file mode 100644
index 0000000..e4af6a6
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes tolerations for pods
+values: |
+  pod:
+    tolerations:
+      api:
+        enabled: true
+        tolerations:
+        - key: node-role.kubernetes.io/master
+          operator: Exists
+        - key: node-role.kubernetes.io/node
+          operator: Exists
+
+usage: |
+  {{ include "helm-toolkit.snippets.kubernetes_tolerations" ( tuple . .Values.pod.tolerations.api ) }}
+return: |
+  tolerations:
+  - key: node-role.kubernetes.io/master
+    operator: Exists
+  - key: node-role.kubernetes.io/node
+    operator: Exists
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_tolerations" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $pod := index $envAll.Values.pod.tolerations $component }}
+tolerations:
+{{ toYaml $pod.tolerations }}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
new file mode 100644
index 0000000..69cee47
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_daemonset" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $upgradeMap := index $envAll.Values.pod.lifecycle.upgrades.daemonsets $component -}}
+{{- $pod_replacement_strategy := $envAll.Values.pod.lifecycle.upgrades.daemonsets.pod_replacement_strategy -}}
+{{- with $upgradeMap -}}
+{{- if .enabled }}
+minReadySeconds: {{ .min_ready_seconds }}
+updateStrategy:
+  type: {{ $pod_replacement_strategy }}
+  {{- if $pod_replacement_strategy }}
+  {{- if eq $pod_replacement_strategy "RollingUpdate" }}
+  rollingUpdate:
+    maxUnavailable: {{ .max_unavailable }}
+  {{- end }}
+  {{- end }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
new file mode 100644
index 0000000..be28cdb
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_deployment" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.deployments -}}
+revisionHistoryLimit: {{ .revision_history }}
+strategy:
+  type: {{ .pod_replacement_strategy }}
+  {{- if eq .pod_replacement_strategy "RollingUpdate" }}
+  rollingUpdate:
+    maxUnavailable: {{ .rolling_update.max_unavailable }}
+    maxSurge: {{ .rolling_update.max_surge }}
+  {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
new file mode 100644
index 0000000..f897023
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders upgradeStrategy configuration for Kubernetes statefulsets.
+  See: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+  Types:
+    - RollingUpdate (default)
+    - OnDelete
+  Partitions:
+    - Stage updates to a statefulset by keeping pods at current version while
+      allowing mutations to statefulset's .spec.template
+values: |
+  pod:
+    lifecycle:
+      upgrades:
+        statefulsets:
+          pod_replacement_strategy: RollingUpdate
+          partition: 2
+usage: |
+  {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_statefulset" | indent 2 }}
+return: |
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      partition: 2
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_statefulset" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.statefulsets -}}
+updateStrategy:
+  type: {{ .pod_replacement_strategy }}
+  {{ if .partition -}}
+  rollingUpdate:
+    partition: {{ .partition }}
+  {{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
new file mode 100644
index 0000000..fc74c6f
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
@@ -0,0 +1,68 @@
+{{- define "helm-toolkit.snippets.mon_host_from_k8s_ep" -}}
+{{/*
+
+Inserts a bash function definition mon_host_from_k8s_ep() which can be used
+to construct a mon_hosts value from the given namespaced endpoint.
+
+Usage (e.g. in _script.sh.tpl):
+    #!/bin/bash
+
+    : "${NS:=ceph}"
+    : "${EP:=ceph-mon-discovery}"
+
+    {{ include "helm-toolkit.snippets.mon_host_from_k8s_ep" . }}
+
+    MON_HOST=$(mon_host_from_k8s_ep "$NS" "$EP")
+
+    if [ -z "$MON_HOST" ]; then
+        # deal with failure
+    else
+        sed -i -e "s/^mon_host = /mon_host = $MON_HOST/" /etc/ceph/ceph.conf
+    fi
+*/}}
+{{`
+# Construct a mon_hosts value from the given namespaced endpoint
+# IP x.x.x.x with port p named "mon-msgr2" will appear as [v2:x.x.x.x/p/0]
+# IP x.x.x.x with port q named "mon" will appear as [v1:x.x.x.x/q/0]
+# IP x.x.x.x with ports p and q will appear as [v2:x.x.x.x/p/0,v1:x.x.x.x/q/0]
+# The entries for all IPs will be joined with commas
+mon_host_from_k8s_ep() {
+  local ns=$1
+  local ep=$2
+
+  if [ -z "$ns" ] || [ -z "$ep" ]; then
+    return 1
+  fi
+
+  # We don't want shell expansion for the go-template expression
+  # shellcheck disable=SC2016
+  kubectl get endpoints -n "$ns" "$ep" -o go-template='
+    {{- $sep := "" }}
+    {{- range $_,$s := .subsets }}
+      {{- $v2port := 0 }}
+      {{- $v1port := 0 }}
+      {{- range $_,$port := index $s "ports" }}
+        {{- if (eq $port.name "mon-msgr2") }}
+          {{- $v2port = $port.port }}
+        {{- else if (eq $port.name "mon") }}
+          {{- $v1port = $port.port }}
+        {{- end }}
+      {{- end }}
+      {{- range $_,$address := index $s "addresses" }}
+        {{- $v2endpoint := printf "v2:%s:%d/0" $address.ip $v2port }}
+        {{- $v1endpoint := printf "v1:%s:%d/0" $address.ip $v1port }}
+        {{- if (and $v2port $v1port) }}
+          {{- printf "%s[%s,%s]" $sep $v2endpoint $v1endpoint }}
+          {{- $sep = "," }}
+        {{- else if $v2port }}
+          {{- printf "%s[%s]" $sep $v2endpoint }}
+          {{- $sep = "," }}
+        {{- else if $v1port }}
+          {{- printf "%s[%s]" $sep $v1endpoint }}
+          {{- $sep = "," }}
+        {{- end }}
+      {{- end }}
+    {{- end }}'
+}
+`}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
new file mode 100644
index 0000000..fec41f8
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape jobs via pod
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape pods that have a value of `true`
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: Scrape the pod on the indicated port instead of the
+# pod's declared ports (default is a port-free target if none are declared).
+
+{{- define "helm-toolkit.snippets.prometheus_pod_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
new file mode 100644
index 0000000..a827c4b
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
@@ -0,0 +1,35 @@
+{{/*
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+   http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape endpoints via
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape services that have a value of `true`
+# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
+# to set this to `https` & most likely set the `tls_config` of the scrape config.
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: If the metrics are exposed on a different port to the
+# service then set this appropriately.
+
+{{- define "helm-toolkit.snippets.prometheus_service_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.scheme }}
+prometheus.io/scheme: {{ $config.scheme | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_release_uuid.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
new file mode 100644
index 0000000..253920b
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Reneders an attonation key and value for a release
+values: |
+  release_uuid: null
+usage: |
+  {{ tuple . | include "helm-toolkit.snippets.release_uuid" }}
+return: |
+  "openstackhelm.openstack.org/release_uuid": ""
+*/}}
+
+{{- define "helm-toolkit.snippets.release_uuid" -}}
+{{- $envAll := index . 0 -}}
+"openstackhelm.openstack.org/release_uuid": {{ $envAll.Values.release_uuid | default "" | quote }}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
new file mode 100644
index 0000000..a3169ce
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_admin_env_vars" }}
+{{- $s3AdminSecret := .s3AdminSecret }}
+- name: S3_ADMIN_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_USERNAME
+- name: S3_ADMIN_ACCESS_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_ACCESS_KEY
+- name: S3_ADMIN_SECRET_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_SECRET_KEY
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
new file mode 100644
index 0000000..a611a5e
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_secret_creds" }}
+{{- range $client, $config := .Values.storage.s3.clients -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+type: Opaque
+data:
+{{- range $key, $value := $config.auth }}
+  {{ $key | upper }}: {{ $value | toString | b64enc}}
+{{- end }}
+
+{{ end }}
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
new file mode 100644
index 0000000..a3dd431
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_user_env_vars" }}
+{{- range $client, $user := .Values.storage.s3.clients }}
+{{- $s3secret := printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+- name: {{ printf "%s_S3_USERNAME" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: USERNAME
+- name: {{ printf "%s_S3_ACCESS_KEY" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: ACCESS_KEY
+- name: {{ printf "%s_S3_SECRET_KEY" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: SECRET_KEY
+{{- end }}
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_tls_volume.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
new file mode 100644
index 0000000..41fe3d9
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+  Renders a secret volume for tls.
+
+  Dictionary Parameters:
+    enabled: boolean check if you want to conditional disable this snippet (optional)
+    name: name of the volume (required)
+    secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional)
+
+values: |
+  manifests:
+    certificates: true
+
+usage: |
+  {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume" -}}
+
+return: |
+  - name: glance-tls-api
+    secret:
+      secretName: glance-tls-api
+      defaultMode: 292
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $secretName := index . "secretName" | default $name -}}
+{{- if and $enabled (ne $name "") }}
+- name: {{ $name }}
+  secret:
+    secretName: {{ $secretName }}
+    defaultMode: 292
+{{- end }}
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
new file mode 100644
index 0000000..9cfa819
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
@@ -0,0 +1,82 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+  Renders a volume mount for TLS key, cert and CA.
+
+  Dictionary Parameters:
+    enabled: boolean check if you want to conditional disable this snippet (optional)
+    name: name that of the volume and should match the volume name (required)
+    path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required)
+    certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}.
+          the default is the full set. (optional)
+
+values: |
+  manifests:
+    certificates: true
+
+usage: |
+  {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/tls.crt
+    subPath: tls.crt
+    readOnly: true
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/tls.key
+    subPath: tls.key
+    readOnly: true
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/ca.crt
+    subPath: ca.crt
+    readOnly: true
+
+abstract: |
+  This mounts a specific issuing CA only for service validation
+
+usage: |
+  {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+  - name: glance-tls-api
+    mountPath: /etc/ssl/certs/openstack-helm.crt
+    subPath: ca.crt
+    readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume_mount" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $path := index . "path" | default "" -}}
+{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }}
+{{- if $enabled }}
+{{- if and (eq $path "") (ne $name "") }}
+- name: {{ $name }}
+  mountPath: "/etc/ssl/certs/openstack-helm.crt"
+  subPath: ca.crt
+  readOnly: true
+{{- else }}
+{{- if ne $name "" }}
+{{- range $key, $value := $certs }}
+- name: {{ $name }}
+  mountPath: {{ printf "%s/%s" $path $value }}
+  subPath: {{ $value }}
+  readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
new file mode 100644
index 0000000..6e9d5a1
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
@@ -0,0 +1,87 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders out configuration sections into a format suitable for incorporation
+  into a config-map. Allowing various forms of input to be rendered out as
+  appropriate.
+values: |
+  conf:
+    inputs:
+      - foo
+      - bar
+    some:
+      config_to_render: |
+        #We can use all of gotpl here: eg macros, ranges etc.
+        {{ include "helm-toolkit.utils.joinListWithComma" .Values.conf.inputs }}
+      config_to_complete:
+        #here we can fill out params, but things need to be valid yaml as input
+        '{{ .Release.Name }}': '{{ printf "%s-%s" .Release.Namespace "namespace" }}'
+      static_config:
+        #this is just passed though as yaml to the configmap
+        foo: bar
+usage: |
+  {{- $envAll := . }}
+  ---
+  apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: application-etc
+  data:
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_render "key" "config_to_render.conf") | indent 2 }}
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_complete "key" "config_to_complete.yaml") | indent 2 }}
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.static_config "key" "static_config.yaml") | indent 2 }}
+return: |
+  ---
+  apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: application-etc
+  data:
+    config_to_render.conf: |
+      #We can use all of gotpl here: eg macros, ranges etc.
+      foo,bar
+
+    config_to_complete.yaml: |
+      'RELEASE-NAME': 'default-namespace'
+
+    static_config.yaml: |
+      foo: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.values_template_renderer" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $template := index . "template" -}}
+{{- $key := index . "key" -}}
+{{- $format := index . "format" | default "configMap" -}}
+{{- with $envAll -}}
+{{- $templateRendered := tpl ( $template | toYaml ) . }}
+{{- if eq $format "Secret" }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: {{ regexReplaceAllLiteral "\n  " ( $templateRendered | trimPrefix "|\n" | trimPrefix "  " ) "\n" | b64enc }}
+{{- else }}
+{{ $key }}: {{ $templateRendered | b64enc }}
+{{- end -}}
+{{- else }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: |
+{{ regexReplaceAllLiteral "\n  " ( $templateRendered | trimPrefix "|\n" | trimPrefix "  " ) "\n" | indent 2 }}
+{{- else }}
+{{ $key }}: |
+{{ $templateRendered | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl b/charts/placement/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
new file mode 100644
index 0000000..6d617a1
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
@@ -0,0 +1,94 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Produces a certificate from a certificate authority. If the "encode" parameter
+  is true, base64 encode the values for inclusion in a Kubernetes secret.
+values: |
+  test:
+    hosts:
+      names:
+        - barbican.openstackhelm.example
+        - barbican.openstack.svc.cluster.local
+      ips:
+        - 127.0.0.1
+        - 192.168.0.1
+    life: 3
+    # Use ca.crt and ca.key to build a customized ca, if they are provided.
+    # Use hosts.names[0] and life to auto-generate a ca, if ca is not provided.
+    ca:
+      crt: |
+        <CA CRT>
+      key: |
+        <CA PRIVATE KEY>
+usage: |
+  {{ include "helm-toolkit.utils.tls_generate_certs" (dict "params" .Values.test) }}
+return: |
+  ca: |
+    <CA CRT>
+  crt: |
+    <CRT>
+  exp: 2018-09-01T10:56:07.895392915-00:00
+  key: |
+    <CRT PRIVATE KEY>
+*/}}
+
+{{- define "helm-toolkit.utils.tls_generate_certs" -}}
+{{- $params := index . "params" -}}
+{{- $encode := index . "encode" | default false -}}
+{{- $local := dict -}}
+
+{{- $_hosts := $params.hosts.names | default list }}
+{{- if kindIs "string" $params.hosts.names }}
+{{- $_ := set $local "certHosts" (list $params.hosts.names) }}
+{{- else }}
+{{- $_ := set $local "certHosts" $_hosts }}
+{{- end }}
+
+{{- $_ips := $params.hosts.ips | default list }}
+{{- if kindIs "string" $params.hosts.ips }}
+{{- $_ := set $local "certIps" (list $params.hosts.ips) }}
+{{- else }}
+{{- $_ := set $local "certIps" $_ips }}
+{{- end }}
+
+{{- if hasKey $params "ca" }}
+{{- if and (hasKey $params.ca "crt") (hasKey $params.ca "key") }}
+{{- $ca := buildCustomCert ($params.ca.crt | b64enc ) ($params.ca.key | b64enc ) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+{{- else }}
+{{- $ca := genCA (first $local.certHosts) (int $params.life) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+
+{{- $expDate := date_in_zone "2006-01-02T15:04:05Z07:00" ( date_modify (printf "+%sh" (mul $params.life 24 |toString)) now ) "UTC" }}
+{{- $rawCert := genSignedCert (first $local.certHosts) ($local.certIps) ($local.certHosts) (int $params.life) $local.ca }}
+{{- $certificate := dict -}}
+{{- if $encode -}}
+{{- $_ := b64enc $rawCert.Cert | set $certificate "crt" -}}
+{{- $_ := b64enc $rawCert.Key | set $certificate "key" -}}
+{{- $_ := b64enc $local.ca.Cert | set $certificate "ca" -}}
+{{- $_ := b64enc $local.ca.Key | set $certificate "caKey" -}}
+{{- $_ := b64enc $expDate | set $certificate "exp" -}}
+{{- else -}}
+{{- $_ := set $certificate "crt" $rawCert.Cert -}}
+{{- $_ := set $certificate "key" $rawCert.Key -}}
+{{- $_ := set $certificate "ca" $local.ca.Cert -}}
+{{- $_ := set $certificate "caKey" $local.ca.Key -}}
+{{- $_ := set $certificate "exp" $expDate -}}
+{{- end -}}
+{{- $certificate | toYaml }}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl b/charts/placement/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
new file mode 100644
index 0000000..e26501f
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a comma separated list of namespace:service pairs.
+values: |
+  dependencies:
+    static:
+      api:
+        services:
+          - endpoint: internal
+            service: oslo_cache
+          - endpoint: internal
+            service: oslo_db
+  endpoints:
+    oslo_db:
+      namespace: foo
+      hosts:
+        default: mariadb
+    oslo_cache:
+      namespace: bar
+      hosts:
+        default: memcache
+usage: |
+  {{ tuple .Values.dependencies.static.api.services . | include "helm-toolkit.utils.comma_joined_service_list" }}
+return: |
+  bar:memcache,foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.utils.comma_joined_service_list" -}}
+{{- $deps := index . 0 -}}
+{{- $envAll := index . 1 -}}
+{{- range $k, $v := $deps -}}{{- if $k -}},{{- end -}}{{ tuple $v.service $v.endpoint $envAll | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/utils/_configmap_templater.tpl b/charts/placement/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
new file mode 100644
index 0000000..7095c19
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
@@ -0,0 +1,30 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.configmap_templater" }}
+{{- $keyRoot := index . 0 -}}
+{{- $configTemplate := index . 1 -}}
+{{- $context := index . 2 -}}
+{{ if $keyRoot.override -}}
+{{ $keyRoot.override | indent 4 }}
+{{- else -}}
+{{- if $keyRoot.prefix -}}
+{{ $keyRoot.prefix | indent 4 }}
+{{- end }}
+{{ tuple $configTemplate $context | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if $keyRoot.append -}}
+{{ $keyRoot.append | indent 4 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl b/charts/placement/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
new file mode 100644
index 0000000..40359f0
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
@@ -0,0 +1,269 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.daemonset_overrides" }}
+  {{- $daemonset := index . 0 }}
+  {{- $daemonset_yaml := index . 1 }}
+  {{- $configmap_include := index . 2 }}
+  {{- $configmap_name := index . 3 }}
+  {{- $context := index . 4 }}
+  {{- $_ := unset $context ".Files" }}
+  {{- $daemonset_root_name := printf (print $context.Chart.Name "_" $daemonset) }}
+  {{- $_ := set $context.Values "__daemonset_list" list }}
+  {{- $_ := set $context.Values "__default" dict }}
+  {{- if hasKey $context.Values.conf "overrides" }}
+    {{- range $key, $val := $context.Values.conf.overrides }}
+
+      {{- if eq $key $daemonset_root_name }}
+        {{- range $type, $type_data := . }}
+
+          {{- if eq $type "hosts" }}
+            {{- range $host_data := . }}
+              {{/* dictionary that will contain all info needed to generate this
+              iteration of the daemonset */}}
+              {{- $current_dict := dict }}
+
+              {{/* set daemonset name */}}
+              {{/* Note: long hostnames can cause the 63 char name limit to be
+              exceeded. Truncate the hostname if hostname > 20 char */}}
+              {{- if gt (len $host_data.name) 20 }}
+                {{- $_ := set $current_dict "name" (substr 0 20 $host_data.name) }}
+              {{- else }}
+                {{- $_ := set $current_dict "name" $host_data.name }}
+              {{- end }}
+
+              {{/* apply overrides */}}
+              {{- $override_conf_copy := $host_data.conf }}
+              {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+              {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+              {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+              {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+              {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+              {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+              {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+              {{- $_ := set $current_dict "nodeData" $root_conf_copy4 }}
+
+              {{/* Schedule to this host explicitly. */}}
+              {{- $nodeSelector_dict := dict }}
+
+              {{- $_ := set $nodeSelector_dict "key" "kubernetes.io/hostname" }}
+              {{- $_ := set $nodeSelector_dict "operator" "In" }}
+
+              {{- $values_list := list $host_data.name }}
+              {{- $_ := set $nodeSelector_dict "values" $values_list }}
+
+              {{- $list_aggregate := list $nodeSelector_dict }}
+              {{- $_ := set $current_dict "matchExpressions" $list_aggregate }}
+
+              {{/* store completed daemonset entry/info into global list */}}
+              {{- $list_aggregate := append $context.Values.__daemonset_list $current_dict }}
+              {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+            {{- end }}
+          {{- end }}
+
+          {{- if eq $type "labels" }}
+            {{- $_ := set $context.Values "__label_list" . }}
+            {{- range $label_data := . }}
+              {{/* dictionary that will contain all info needed to generate this
+              iteration of the daemonset. */}}
+              {{- $_ := set $context.Values "__current_label" dict }}
+
+              {{/* set daemonset name */}}
+              {{- $_ := set $context.Values.__current_label "name" $label_data.label.key }}
+
+              {{/* apply overrides */}}
+              {{- $override_conf_copy := $label_data.conf }}
+              {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+              {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+              {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+              {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+              {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+              {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+              {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+              {{- $_ := set $context.Values.__current_label "nodeData" $root_conf_copy4 }}
+
+              {{/* Schedule to the provided label value(s) */}}
+              {{- $label_dict := omit $label_data.label "NULL" }}
+              {{- $_ := set $label_dict "operator" "In" }}
+              {{- $list_aggregate := list $label_dict }}
+              {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+
+              {{/* Do not schedule to other specified labels, with higher
+              precedence as the list position increases. Last defined label
+              is highest priority. */}}
+              {{- $other_labels := without $context.Values.__label_list $label_data }}
+              {{- range $label_data2 := $other_labels }}
+                {{- $label_dict := omit $label_data2.label "NULL" }}
+
+                {{- $_ := set $label_dict "operator" "NotIn" }}
+
+                {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+                {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+              {{- end }}
+              {{- $_ := set $context.Values "__label_list" $other_labels }}
+
+              {{/* Do not schedule to any other specified hosts */}}
+              {{- range $type, $type_data := $val }}
+                {{- if eq $type "hosts" }}
+                  {{- range $host_data := . }}
+                    {{- $label_dict := dict }}
+
+                    {{- $_ := set $label_dict "key" "kubernetes.io/hostname" }}
+                    {{- $_ := set $label_dict "operator" "NotIn" }}
+
+                    {{- $values_list := list $host_data.name }}
+                    {{- $_ := set $label_dict "values" $values_list }}
+
+                    {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+                    {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+                  {{- end }}
+                {{- end }}
+              {{- end }}
+
+              {{/* store completed daemonset entry/info into global list */}}
+              {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__current_label }}
+              {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+              {{- $_ := unset $context.Values "__current_label" }}
+
+            {{- end }}
+          {{- end }}
+        {{- end }}
+
+        {{/* scheduler exceptions for the default daemonset */}}
+        {{- $_ := set $context.Values.__default "matchExpressions" list }}
+
+        {{- range $type, $type_data := . }}
+          {{/* Do not schedule to other specified labels */}}
+          {{- if eq $type "labels" }}
+            {{- range $label_data := . }}
+              {{- $default_dict := omit $label_data.label "NULL" }}
+
+              {{- $_ := set $default_dict "operator" "NotIn" }}
+
+              {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+              {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+            {{- end }}
+          {{- end }}
+          {{/* Do not schedule to other specified hosts */}}
+          {{- if eq $type "hosts" }}
+            {{- range $host_data := . }}
+              {{- $default_dict := dict }}
+
+              {{- $_ := set $default_dict "key" "kubernetes.io/hostname" }}
+              {{- $_ := set $default_dict "operator" "NotIn" }}
+
+              {{- $values_list := list $host_data.name }}
+              {{- $_ := set $default_dict "values" $values_list }}
+
+              {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+              {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+            {{- end }}
+          {{- end }}
+        {{- end }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+
+  {{/* generate the default daemonset */}}
+
+  {{/* set name */}}
+  {{- $_ := set $context.Values.__default "name" "default" }}
+
+  {{/* no overrides apply, so copy as-is */}}
+  {{- $root_conf_copy1 := omit $context.Values.conf "overrides" }}
+  {{- $root_conf_copy2 := dict "conf" $root_conf_copy1 }}
+  {{- $context_values := omit $context.Values "conf" }}
+  {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+  {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+  {{- $_ := set $context.Values.__default "nodeData" $root_conf_copy4 }}
+
+  {{/* add to global list */}}
+  {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__default }}
+  {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+  {{- range $current_dict := $context.Values.__daemonset_list }}
+
+    {{- $context_novalues := omit $context "Values" }}
+    {{- $merged_dict := mergeOverwrite $context_novalues $current_dict.nodeData }}
+    {{- $_ := set $current_dict "nodeData" $merged_dict }}
+    {{/* Deep copy original daemonset_yaml */}}
+    {{- $_ := set $context.Values "__daemonset_yaml" ($daemonset_yaml | toYaml | fromYaml) }}
+
+    {{/* name needs to be a DNS-1123 compliant name. Ensure lower case */}}
+    {{- $name_format1 := printf (print $daemonset_root_name "-" $current_dict.name) | lower }}
+    {{/* labels may contain underscores which would be invalid here, so we replace them with dashes
+    there may be other valid label names which would make for an invalid DNS-1123 name
+    but these will be easier to handle in future with sprig regex* functions
+    (not availabile in helm 2.5.1) */}}
+    {{- $name_format2 := $name_format1 | replace "_" "-" }}
+    {{/* To account for the case where the same label is defined multiple times in overrides
+    (but with different label values), we add a sha of the scheduling data to ensure
+    name uniqueness */}}
+    {{- $_ := set $current_dict "dns_1123_name" dict }}
+    {{- if hasKey $current_dict "matchExpressions" }}
+      {{- $_ := set $current_dict "dns_1123_name" (printf (print $name_format2 "-" ($current_dict.matchExpressions | quote | sha256sum | trunc 8))) }}
+    {{- else }}
+      {{- $_ := set $current_dict "dns_1123_name" $name_format2 }}
+    {{- end }}
+
+    {{/* set daemonset metadata name */}}
+    {{- if not $context.Values.__daemonset_yaml.metadata }}{{- $_ := set $context.Values.__daemonset_yaml "metadata" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }}
+    {{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }}
+
+    {{/* cross-reference configmap name to container volume definitions */}}
+    {{- $_ := set $context.Values "__volume_list" list }}
+    {{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }}
+      {{- $_ := set $context.Values "__volume" $current_volume }}
+      {{- if hasKey $context.Values.__volume "secret" }}
+        {{- if eq $context.Values.__volume.secret.secretName $configmap_name }}
+          {{- $_ := set $context.Values.__volume.secret "secretName" $current_dict.dns_1123_name }}
+        {{- end }}
+      {{- end }}
+      {{- $updated_list := append $context.Values.__volume_list $context.Values.__volume }}
+      {{- $_ := set $context.Values "__volume_list" $updated_list }}
+    {{- end }}
+    {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "volumes" $context.Values.__volume_list }}
+
+
+    {{/* populate scheduling restrictions */}}
+    {{- if hasKey $current_dict "matchExpressions" }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "spec" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "affinity" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity "nodeAffinity" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity "requiredDuringSchedulingIgnoredDuringExecution" dict }}{{- end }}
+      {{- $match_exprs := dict }}
+      {{- $_ := set $match_exprs "matchExpressions" $current_dict.matchExpressions }}
+      {{- $appended_match_expr := list $match_exprs }}
+      {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution "nodeSelectorTerms" $appended_match_expr }}
+    {{- end }}
+
+    {{/* input value hash for current set of values overrides */}}
+    {{- if not $context.Values.__daemonset_yaml.spec }}{{- $_ := set $context.Values.__daemonset_yaml "spec" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template }}{{- $_ := set $context.Values.__daemonset_yaml.spec "template" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template.metadata }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "metadata" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template.metadata.annotations }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata "annotations" dict }}{{- end }}
+    {{- $cmap := list $current_dict.dns_1123_name $current_dict.nodeData | include $configmap_include }}
+    {{- $values_hash := $cmap | quote | sha256sum }}
+    {{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata.annotations "configmap-etc-hash" $values_hash }}
+
+    {{/* generate configmap */}}
+---
+{{ $cmap }}
+    {{/* generate daemonset yaml */}}
+---
+{{ $context.Values.__daemonset_yaml | toYaml }}
+  {{- end }}
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl b/charts/placement/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
new file mode 100644
index 0000000..b99c00d
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.dependency_resolver" }}
+{{- $envAll := index . "envAll" -}}
+{{- $dependencyMixinParam := index . "dependencyMixinParam" -}}
+{{- $dependencyKey := index . "dependencyKey" -}}
+{{- if $dependencyMixinParam -}}
+{{- $_ := set $envAll.Values "pod_dependency" dict -}}
+{{- if kindIs "string" $dependencyMixinParam }}
+{{- if ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam ) }}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency ( index $envAll.Values.dependencies.static $dependencyKey ) ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam $dependencyKey ) ) -}}
+{{- else }}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- end }}
+{{- else if kindIs "slice" $dependencyMixinParam }}
+{{- $_ := set $envAll.Values "__deps" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- range $k, $v := $dependencyMixinParam -}}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency $envAll.Values.__deps ( index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey ) ) -}}
+{{- $_ := set $envAll.Values "__deps" $envAll.Values.pod_dependency -}}
+{{- end }}
+{{- end }}
+{{- else -}}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) -}}
+{{- end -}}
+{{ $envAll.Values.pod_dependency | toYaml }}
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/utils/_hash.tpl b/charts/placement/charts/helm-toolkit/templates/utils/_hash.tpl
new file mode 100644
index 0000000..d871b62
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/utils/_hash.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.hash" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{- include $wtf $context | sha256sum | quote -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/utils/_host_list.tpl b/charts/placement/charts/helm-toolkit/templates/utils/_host_list.tpl
new file mode 100644
index 0000000..0c32136
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/utils/_host_list.tpl
@@ -0,0 +1,44 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a list of unique hosts for an endpoint, in yaml.
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: mariadb
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.utils.host_list" }}
+return: |
+  hosts:
+  - mariadb
+  - mariadb.default
+*/}}
+
+{{- define "helm-toolkit.utils.host_list" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $host_fqdn := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $host_namespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $host_short := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{/* It is important that the FQDN host is 1st in this list, to ensure other function can use the 1st element for cert gen CN etc */}}
+{{- $host_list := list $host_fqdn $host_namespaced $host_short | uniq }}
+{{- dict "hosts" $host_list | toYaml }}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/utils/_image_sync_list.tpl b/charts/placement/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
new file mode 100644
index 0000000..51923b6
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.image_sync_list" -}}
+{{- $imageExcludeList := .Values.images.local_registry.exclude -}}
+{{- $imageDict := .Values.images.tags -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := $imageDict -}}
+{{- if not $local.first -}},{{- end -}}
+{{- if (not (has $k $imageExcludeList )) -}}
+{{- index $imageDict $k -}}
+{{- $_ := set $local "first" false -}}
+{{- end -}}{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl b/charts/placement/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
new file mode 100644
index 0000000..5eb5785
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a comma separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithComma" .Values.test }}
+return: |
+  foo,bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithComma" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl b/charts/placement/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
new file mode 100644
index 0000000..3bc6819
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a comma seperated string with single quotes
+  around each value.
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.test }}
+return: |
+  'foo','bar'
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}'{{- $v -}}'{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl b/charts/placement/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
new file mode 100644
index 0000000..40ebb15
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
@@ -0,0 +1,32 @@
+{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of prefixed values into a space separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ tuple "prefix" .Values.test | include "helm-toolkit.utils.joinListWithPrefix" }}
+return: |
+  prefixfoo prefixbar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithPrefix" -}}
+{{- $prefix := index . 0 -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := index . 1 -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $prefix -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl b/charts/placement/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
new file mode 100644
index 0000000..5912280
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a space separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithSpace" .Values.test }}
+return: |
+  foo bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithSpace" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/utils/_merge.tpl b/charts/placement/charts/helm-toolkit/templates/utils/_merge.tpl
new file mode 100644
index 0000000..ea80546
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/utils/_merge.tpl
@@ -0,0 +1,135 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Takes a tuple of values and merges into the first (target) one each subsequent
+(source) one in order. If all values to merge are maps, then the tuple can be
+passed as is and the target will be the result, otherwise pass a map with a
+"values" key containing the tuple of values to merge, and the merge result will
+be assigned to the "result" key of the passed map.
+
+When merging maps, for each key in the source, if the target does not define
+that key, the source value is assigned. If both define the key, then the key
+values are merged using this algorithm (recursively) and the result is assigned
+to the target key. Slices are merged by appending them and removing any
+duplicates, and when passing a map to this function and including a
+"merge_same_named" key set to true, then map items from the slices with the same
+value for the "name" key will be merged with each other. Any other values are
+merged by simply keeping the source, and throwing away the target.
+*/}}
+
+{{- define "helm-toolkit.utils.merge" -}}
+  {{- $local := dict -}}
+  {{- $_ := set $local "merge_same_named" false -}}
+  {{- if kindIs "map" $ -}}
+    {{- $_ := set $local "values" $.values -}}
+    {{- if hasKey $ "merge_same_named" -}}
+      {{- $_ := set $local "merge_same_named" $.merge_same_named -}}
+    {{- end -}}
+  {{- else -}}
+    {{- $_ := set $local "values" $ -}}
+  {{- end -}}
+
+  {{- $target := first $local.values -}}
+  {{- range $item := rest $local.values -}}
+    {{- $call := dict "target" $target "source" . "merge_same_named" $local.merge_same_named -}}
+    {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+    {{- $_ := set $local "result" $call.result -}}
+  {{- end -}}
+
+  {{- if kindIs "map" $ -}}
+    {{- $_ := set $ "result" $local.result -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge" -}}
+  {{- $local := dict -}}
+
+  {{- $_ := set $ "result" $.source -}}
+
+  {{/*
+  TODO: Should we `fail` when trying to merge a collection (map or slice) with
+  either a different kind of collection or a scalar?
+  */}}
+
+  {{- if and (kindIs "map" $.target) (kindIs "map" $.source) -}}
+    {{- range $key, $sourceValue := $.source -}}
+      {{- if not (hasKey $.target $key) -}}
+        {{- $_ := set $local "newTargetValue" $sourceValue -}}
+        {{- if kindIs "map" $sourceValue -}}
+          {{- $copy := dict -}}
+          {{- $call := dict "target" $copy "source" $sourceValue -}}
+          {{- $_ := include "helm-toolkit.utils._merge.shallow" $call -}}
+          {{- $_ := set $local "newTargetValue" $copy -}}
+        {{- end -}}
+      {{- else -}}
+        {{- $targetValue := index $.target $key -}}
+        {{- $call := dict "target" $targetValue "source" $sourceValue "merge_same_named" $.merge_same_named -}}
+        {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+        {{- $_ := set $local "newTargetValue" $call.result -}}
+      {{- end -}}
+      {{- $_ := set $.target $key $local.newTargetValue -}}
+    {{- end -}}
+    {{- $_ := set $ "result" $.target -}}
+  {{- else if and (kindIs "slice" $.target) (kindIs "slice" $.source) -}}
+    {{- $call := dict "target" $.target "source" $.source -}}
+    {{- $_ := include "helm-toolkit.utils._merge.append_slice" $call -}}
+    {{- if $.merge_same_named -}}
+      {{- $_ := set $local "result" list -}}
+      {{- $_ := set $local "named_items" dict -}}
+      {{- range $item := $call.result -}}
+      {{- $_ := set $local "has_name_key" false -}}
+        {{- if kindIs "map" $item -}}
+          {{- if hasKey $item "name" -}}
+            {{- $_ := set $local "has_name_key" true -}}
+          {{- end -}}
+        {{- end -}}
+
+        {{- if $local.has_name_key -}}
+          {{- if hasKey $local.named_items $item.name -}}
+            {{- $named_item := index $local.named_items $item.name -}}
+            {{- $call := dict "target" $named_item "source" $item "merge_same_named" $.merge_same_named -}}
+            {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+          {{- else -}}
+            {{- $copy := dict -}}
+            {{- $copy_call := dict "target" $copy "source" $item -}}
+            {{- $_ := include "helm-toolkit.utils._merge.shallow" $copy_call -}}
+            {{- $_ := set $local.named_items $item.name $copy -}}
+            {{- $_ := set $local "result" (append $local.result $copy) -}}
+          {{- end -}}
+        {{- else -}}
+          {{- $_ := set $local "result" (append $local.result $item) -}}
+        {{- end -}}
+      {{- end -}}
+    {{- else -}}
+      {{- $_ := set $local "result" $call.result -}}
+    {{- end -}}
+    {{- $_ := set $ "result" (uniq $local.result) -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.shallow" -}}
+  {{- range $key, $value := $.source -}}
+    {{- $_ := set $.target $key $value -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.append_slice" -}}
+  {{- $local := dict -}}
+  {{- $_ := set $local "result" $.target -}}
+  {{- range $value := $.source -}}
+    {{- $_ := set $local "result" (append $local.result $value) -}}
+  {{- end -}}
+  {{- $_ := set $ "result" $local.result -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/utils/_template.tpl b/charts/placement/charts/helm-toolkit/templates/utils/_template.tpl
new file mode 100644
index 0000000..da56aa0
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/utils/_template.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.template" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{ include $wtf $context }}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/utils/_to_ini.tpl b/charts/placement/charts/helm-toolkit/templates/utils/_to_ini.tpl
new file mode 100644
index 0000000..a159364
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/utils/_to_ini.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns INI formatted output from yaml input
+values: |
+  conf:
+    paste:
+      filter:debug:
+        use: egg:oslo.middleware#debug
+      filter:request_id:
+        use: egg:oslo.middleware#request_id
+      filter:build_auth_context:
+        use: egg:keystone#build_auth_context
+usage: |
+  {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste }}
+return: |
+  [filter:build_auth_context]
+  use = egg:keystone#build_auth_context
+  [filter:debug]
+  use = egg:oslo.middleware#debug
+  [filter:request_id]
+  use = egg:oslo.middleware#request_id
+*/}}
+
+{{- define "helm-toolkit.utils.to_ini" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{else -}}
+{{ $key }} = {{ $value }}
+{{end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl b/charts/placement/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
new file mode 100644
index 0000000..885a86c
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns yaml formatted to be used in k8s templates as container
+  env vars injected via secrets. This requires a secret-<chartname> template to
+  be defined in the chart that can be used to house the desired secret
+  variables. For reference, see the fluentd chart.
+values: |
+  test:
+    secrets:
+      foo: bar
+
+usage: |
+  {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+  - name: foo
+    valueFrom:
+      secretKeyRef:
+        name: "my-release-name-env-secret"
+        key: foo
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_secret_vars" -}}
+{{- $context := index . 0 -}}
+{{- $secrets := index . 1 -}}
+{{ range $key, $config := $secrets -}}
+- name: {{ $key }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ printf "%s-%s" $context.Release.Name "env-secret" | quote }}
+      key: {{ $key }}
+{{ end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl b/charts/placement/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
new file mode 100644
index 0000000..829dca6
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
@@ -0,0 +1,39 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns key value pair formatted to be used in k8s templates as container
+  env vars.
+values: |
+  test:
+    foo: bar
+usage: |
+  {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+  - name: foo
+    value: "bar"
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_vars" -}}
+{{range $key, $value := . -}}
+{{- if kindIs "slice" $value -}}
+- name: {{ $key }}
+  value: {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{else -}}
+- name: {{ $key }}
+  value: {{ $value | quote }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/utils/_to_kv_list.tpl b/charts/placement/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
new file mode 100644
index 0000000..91bdeb6
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
@@ -0,0 +1,42 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns key value pair in INI format (key = value)
+values: |
+  conf:
+    libvirt:
+      log_level: 3
+usage: |
+  {{ include "helm-toolkit.utils.to_kv_list" .Values.conf.libvirt }}
+return: |
+  log_level = 3
+*/}}
+
+{{- define "helm-toolkit.utils.to_kv_list" -}}
+{{- range $key, $value :=  . -}}
+{{- if kindIs "slice" $value }}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{- else if kindIs "string" $value }}
+{{- if regexMatch "^[0-9]+$" $value }}
+{{ $key }} = {{ $value }}
+{{- else }}
+{{ $key }} = {{ $value | quote }}
+{{- end }}
+{{- else }}
+{{ $key }} = {{ $value }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl b/charts/placement/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
new file mode 100644
index 0000000..622a862
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns OSLO.conf formatted output from yaml input
+values: |
+  conf:
+    keystone:
+      DEFAULT: # Keys at this level are used for section headings
+        max_token_size: 255
+      oslo_messaging_notifications:
+        driver: # An example of a multistring option's syntax
+          type: multistring
+          values:
+            - messagingv2
+            - log
+      oslo_messaging_notifications_stein:
+        driver: # An example of a csv option's syntax
+          type: csv
+          values:
+            - messagingv2
+            - log
+      security_compliance:
+        password_expires_ignore_user_ids:
+        # Values in a list will be converted to a comma separated key
+          - "123"
+          - "456"
+usage: |
+  {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.keystone }}
+return: |
+  [DEFAULT]
+  max_token_size = 255
+  [oslo_messaging_notifications]
+  driver = messagingv2
+  driver = log
+  [oslo_messaging_notifications_stein]
+  driver = messagingv2,log
+  [security_compliance]
+  password_expires_ignore_user_ids = 123,456
+*/}}
+
+{{- define "helm-toolkit.utils.to_oslo_conf" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{ range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{ else if kindIs "map" $value -}}
+{{- if eq $value.type "multistring" }}
+{{- range $k, $multistringValue := $value.values -}}
+{{ $key }} = {{ $multistringValue }}
+{{ end -}}
+{{ else if eq $value.type "csv" -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value.values }}
+{{ end -}}
+{{- else -}}
+{{ $key }} = {{ $value }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/values.yaml b/charts/placement/charts/helm-toolkit/values.yaml
new file mode 100644
index 0000000..681a92b
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/values.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for utils.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
diff --git a/charts/placement/requirements.lock b/charts/placement/requirements.lock
new file mode 100644
index 0000000..dd3e146
--- /dev/null
+++ b/charts/placement/requirements.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: helm-toolkit
+  repository: file://../../openstack-helm-infra/helm-toolkit
+  version: 0.2.46
+digest: sha256:4baae4035ac4ec09ff414ac48d8f1e3f030d1ce1629727cb1ff24d44ffa000f1
+generated: "2022-08-16T23:07:28.301383965Z"
diff --git a/charts/placement/requirements.yaml b/charts/placement/requirements.yaml
new file mode 100644
index 0000000..639dab0
--- /dev/null
+++ b/charts/placement/requirements.yaml
@@ -0,0 +1,18 @@
+# Copyright 2019 Intel Corporation.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+  - name: helm-toolkit
+    repository: file://../../openstack-helm-infra/helm-toolkit
+    version: ">= 0.1.0"
diff --git a/charts/placement/templates/bin/_db-migrate.sh.tpl b/charts/placement/templates/bin/_db-migrate.sh.tpl
new file mode 100644
index 0000000..838e05f
--- /dev/null
+++ b/charts/placement/templates/bin/_db-migrate.sh.tpl
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+# To make this migration idempotent and not break the chart deployment,
+# we will treat a new deployment ($?==4) and migration completed ($?==3)
+# as success so things can proceed.
+function handler {
+  rv=$?
+  if [ $rv -eq 4 ] || [ $rv -eq 3 ]; then
+    exit 0
+  else
+    exit $rv
+  fi
+}
+
+trap handler EXIT
+
+/tmp/mysql-migrate-db.sh --mkconfig /tmp/migrate-db.rc
+
+sed -i \
+  -e "s/NOVA_API_USER=.*/NOVA_API_USER=\"${NOVA_API_USER}\"/g" \
+  -e "s/NOVA_API_PASS=.*/NOVA_API_PASS=\"${NOVA_API_PASS}\"/g" \
+  -e "s/NOVA_API_DB_HOST=.*/NOVA_API_DB_HOST=\"${NOVA_API_DB_HOST}\"/g" \
+  -e "s/PLACEMENT_USER=.*/PLACEMENT_USER=\"${PLACEMENT_USER}\"/g" \
+  -e "s/PLACEMENT_PASS=.*/PLACEMENT_PASS=\"${PLACEMENT_PASS}\"/g" \
+  -e "s/PLACEMENT_DB_HOST=.*/PLACEMENT_DB_HOST=\"${PLACEMENT_DB_HOST}\"/g" \
+  /tmp/migrate-db.rc
+
+/tmp/mysql-migrate-db.sh --migrate /tmp/migrate-db.rc
diff --git a/charts/placement/templates/bin/_db-sync.sh.tpl b/charts/placement/templates/bin/_db-sync.sh.tpl
new file mode 100644
index 0000000..48857b8
--- /dev/null
+++ b/charts/placement/templates/bin/_db-sync.sh.tpl
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+{{/*
+Copyright 2019 Intel Corporation.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+placement-manage db sync
diff --git a/charts/placement/templates/bin/_mysql-migrate-db.sh.tpl b/charts/placement/templates/bin/_mysql-migrate-db.sh.tpl
new file mode 100644
index 0000000..a87ebaf
--- /dev/null
+++ b/charts/placement/templates/bin/_mysql-migrate-db.sh.tpl
@@ -0,0 +1,328 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This script will attempt to migrate your nova-api placement data to
+# a new placement database. Run it with --help for usage, and --mkconfig
+# to write a template config file to use.
+
+# Defaults we can guess
+DEFAULT_MIGRATE_TABLES="allocations placement_aggregates consumers inventories projects "
+DEFAULT_MIGRATE_TABLES+="resource_classes resource_provider_aggregates resource_provider_traits "
+DEFAULT_MIGRATE_TABLES+="resource_providers traits users "
+MIGRATE_TABLES=${MIGRATE_TABLES:-$DEFAULT_MIGRATE_TABLES}
+PLACEMENT_DB_HOST=${PLACEMENT_DB_HOST:-localhost}
+PLACEMENT_DB=${PLACEMENT_DB:-placement}
+NOVA_API_DB_HOST=${NOVA_API_DB_HOST:-localhost}
+NOVA_API_DB=${NOVA_API_DB:-nova_api}
+TMPDIR=${TMPDIR:-/tmp}
+LAST_MYSQL_ERR=${TMPDIR}/migrate-mysql-db.err
+INITIAL_PLACEMENT_DB_VERSION=${INITIAL_DB_VERSION:-b4ed3a175331}
+ME=$(basename "$0")
+
+declare -a ARGS
+declare -a OPTS
+
+function getflag() {
+    # Return true if --$flag is present on the command line
+    # Usage: getflag help -> 0
+    local flag="$1"
+    for opt in ${OPTS[*]}; do
+        if [ "$opt" == "--${flag}" ]; then
+            return 0
+        fi
+    done
+    return 1
+}
+
+function parse_argv() {
+    # Parse command line arguments into positional arguments and
+    # option flags. Store each in $ARGS, $OPTS.
+    # Usage: parse_argv $*
+    for item in $*; do
+        if echo $item | grep -q -- '^--'; then
+            OPTS+=($item)
+        else
+            ARGS+=($item)
+        fi
+    done
+}
+
+function db_var() {
+    # Return an attribute of database config based on the symbolic
+    # name
+    # Usage: db_var PLACEMENT USER -> $PLACEMENT_USER
+    local db="$1"
+    local var="$2"
+
+    eval echo "\$${db}_${var}"
+}
+
+function mysql_command() {
+    # Run a mysql command with the usual connection information taken
+    # from a symbolic configuration name
+    # Usage: mysql_command PLACEMENT [command] [args..] -> stdout
+    local whichdb="$1"
+    shift
+    local command=mysql
+    if [ "$2" ]; then
+        command=${1:-mysql}
+        shift
+    fi
+    local db=$(db_var $whichdb DB)
+    local host=$(db_var $whichdb DB_HOST)
+    local user=$(db_var $whichdb USER)
+    local pass=$(db_var $whichdb PASS)
+
+    if [ "$command" = "mysql" ]; then
+        command="mysql --skip-column-names"
+    fi
+
+    if [ ! -z "$MARIADB_X509" ]; then
+        local ca=/etc/mysql/certs/ca.crt
+        local cert=/etc/mysql/certs/tls.crt
+        local key=/etc/mysql/certs/tls.key
+        $command -h$host -u$user -p$pass $db --ssl-ca=$ca --ssl-cert=$cert --ssl-key=$key $* 2>$LAST_MYSQL_ERR
+    else
+        $command -h$host -u$user -p$pass $db $* 2>$LAST_MYSQL_ERR
+    fi
+}
+
+function show_error() {
+    # Prints the last error (if present) and removes the temporary
+    # file
+    if [ -f $LAST_MYSQL_ERR ]; then
+        cat $LAST_MYSQL_ERR
+        rm -f $LAST_MYSQL_ERR
+    fi
+}
+
+function check_db() {
+    # Check a DB to see if it's missing, present, filled with data
+    # Returns 0 if it is present with data, 1 if present but no data
+    # or 2 if not present (or unable to connect)
+    # Usage: check_db PLACEMENT -> 0
+    local whichdb="$1"
+
+    local inv
+    local inv_count
+
+    if ! echo "SELECT DATABASE()" | mysql_command $whichdb >/dev/null 2>&1; then
+        echo "Failed to connect to $whichdb database"
+        show_error
+        return 2
+    fi
+
+    inv=$(echo "SELECT COUNT(id) FROM inventories" |
+              mysql_command $whichdb)
+    if [ $? -ne 0 ]; then
+        # No schema
+        return 1
+    fi
+
+    inv_count=$(echo $inv | tail -n1)
+    if [ $inv_count -gt 0 ]; then
+        # Data found
+        return 0
+    else
+        # No data found, but schema intact
+        return 1
+    fi
+}
+
+function check_cli() {
+    # Returns 0 if placement cli is installed and configured,
+    # 1 if it is not installed, or 2 if the access to the
+    # placement database fails
+    # Usage: check_cli -> 0
+    placement-manage --version > /dev/null 2>&1
+
+    if [ $? -ne 0 ]; then
+        # placement not installed
+        return 1
+    fi
+
+    placement-manage db version > /dev/null 2>&1
+
+    if [ $? -ne 0 ]; then
+        # DB connection fails
+        return 2
+    fi
+}
+
+function migrate_data() {
+    # Actually migrate data from a source to destination symbolic
+    # database. Returns 1 if failure, 0 otherwise.
+    # Usage: migrate_data NOVA_API PLACEMENT -> 0
+    local source="$1"
+    local dest="$2"
+    local dump_flags="$3"
+    local tmpdir=$(mktemp -d migrate-db.XXXXXXXX)
+    local tmpfile="${tmpdir}/from-nova.sql"
+
+    echo "Dumping from $source to $tmpfile"
+    mysql_command $source mysqldump $dump_flags $MIGRATE_TABLES > $tmpfile || {
+        echo 'Failed to dump source database:'
+        show_error
+        return 1
+    }
+    echo "Loading to $dest from $tmpfile"
+    mysql_command $dest < $tmpfile || {
+        echo 'Failed to load destination database:'
+        show_error
+        return 1
+    }
+}
+
+function sanity_check_env() {
+    # Check that we have everything we need to examine the situation
+    # and potentially do the migration. Loads values from the rcfile,
+    # if present. Returns 1 if a config was not found, 2 if that
+    # config is incomplete or 0 if everything is good.
+    # Usage: sanity_check_env $rcfile -> 0
+
+    RCFILE="${1:-migrate-db.rc}"
+    if [ "$RCFILE" = '-' ]; then
+        # Don't require a file and assume everything is already
+        # set in the environment
+        true
+    elif [ ! -f "$RCFILE" ]; then
+        echo -n 'ERROR: Specify an RC file on the command line or create '
+        echo 'migrate-db.rc in the current directory'
+        echo
+        show_help
+    else
+        source $RCFILE
+    fi
+
+    required="NOVA_API_DB NOVA_API_USER NOVA_API_PASS PLACEMENT_DB PLACEMENT_USER PLACEMENT_PASS"
+    for var in $required; do
+        value=$(eval echo "\$$var")
+        if [ -z "$value" ]; then
+            echo "A value for $var was not provided but is required"
+            return 2
+        fi
+    done
+}
+
+function make_config() {
+    # Create or update a config file with defaults we know. Either use
+    # the default migrate-db.rc or the file specified on the command
+    # line.
+    RCFILE="${1:-migrate-db.rc}"
+    if [ -f "$RCFILE" ]; then
+        source $RCFILE
+    fi
+
+    vars="NOVA_API_DB NOVA_API_USER NOVA_API_PASS NOVA_API_DB_HOST "
+    vars+="PLACEMENT_DB PLACEMENT_USER PLACEMENT_PASS PLACEMENT_DB_HOST "
+    vars+="MIGRATE_TABLES"
+
+    (for var in $vars; do
+         val=$(eval echo "\$$var")
+         echo "${var}=\"$val\""
+     done) > $RCFILE
+
+    echo Wrote $(readlink -f $RCFILE)
+}
+
+function show_help() {
+    echo "Usage: $ME [flags] [rcfile]"
+    echo
+    echo "Flags:"
+    echo "    --help: this text"
+    echo "    --migrate: actually do data migration"
+    echo "    --mkconfig: write/update config to \$rcfile"
+    echo "    --skip-locks: don't use table locks for data migration"
+    echo
+    echo "Pass '-' as \$rcfile if all config values are set in"
+    echo "the environment."
+    echo
+    echo "Exit codes:"
+    echo "    0: Success"
+    echo "    1: Usage error"
+    echo "    2: Configuration missing or incomplete"
+    echo "    3: Migration already completed"
+    echo "    4: No data to migrate from nova (new deployment)"
+    echo "    5: Unable to connect to one or both databases"
+    echo "    6: Unable to execute placement's CLI commands"
+    exit 0
+}
+
+parse_argv $*
+
+if getflag help; then
+    show_help
+fi
+
+if getflag mkconfig; then
+    make_config $ARGS
+    exit 0
+fi
+
+#
+# Actual migration logic starts here
+#
+
+# Sanity check that we have what we need or bail
+sanity_check_env $ARGS || exit $?
+
+# Check the state of each database we care about
+check_db NOVA_API
+nova_present=$?
+check_db PLACEMENT
+placement_present=$?
+check_cli
+placement_cli=$?
+
+# Try to come up with a good reason to refuse to migrate
+if [ $nova_present -eq 0 -a $placement_present -eq 0 ]; then
+    echo "Migration has already completed. The placement database appears to have data."
+    exit 3
+elif [ $nova_present -eq 1 ]; then
+    echo "No data present in nova database - nothing to migrate (new deployment?)"
+    exit 4
+elif [ $nova_present -eq 2 ]; then
+    echo "Unable to proceed without connection to nova database"
+    exit 5
+elif [ $placement_present -eq 2 ]; then
+    echo "Unable to proceed without connection to placement database"
+    exit 5
+elif [ $placement_cli -eq 1 ]; then
+    echo "Unable to proceed without placement installed"
+    exit 6
+elif [ $placement_cli -eq 2 ]; then
+    echo "The 'placement-manage db version' command fails"
+    echo "Is placement.conf configured to access the new database?"
+    exit 6
+fi
+
+# If we get here, we expect to be able to migrate. Require them to opt into
+# actual migration before we do anything.
+
+echo Nova database contains data, placement database does not. Okay to proceed with migration
+
+if getflag migrate $*; then
+    if getflag skip-locks $*; then
+        migrate_data NOVA_API PLACEMENT "--skip-lock-tables --skip-add-locks"
+    else
+        migrate_data NOVA_API PLACEMENT
+    fi
+    placement-manage db stamp $INITIAL_PLACEMENT_DB_VERSION
+else
+    echo "To actually migrate, run me with --migrate"
+fi
+
+rm -f $LAST_MYSQL_ERR
diff --git a/charts/placement/templates/bin/_placement-api.sh.tpl b/charts/placement/templates/bin/_placement-api.sh.tpl
new file mode 100644
index 0000000..2b1b12d
--- /dev/null
+++ b/charts/placement/templates/bin/_placement-api.sh.tpl
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+{{/*
+Copyright 2019 Intel Corporation.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+
+  cp -a $(type -p placement-api) /var/www/cgi-bin/placement/
+
+  if [ -f /etc/apache2/envvars ]; then
+    # Loading Apache2 ENV variables
+    source /etc/apache2/envvars
+    # The directory below has to be created due to the fact that
+    # libapache2-mod-wsgi-py3 doesn't create it in contrary by libapache2-mod-wsgi
+    mkdir -p ${APACHE_RUN_DIR}
+  fi
+
+  # Get rid of stale pid file if present.
+  rm -f /var/run/apache2/*.pid
+
+  # Start Apache2
+  {{- if .Values.conf.software.apache2.a2enmod }}
+    {{- range .Values.conf.software.apache2.a2enmod }}
+  a2enmod {{ . }}
+    {{- end }}
+  {{- end }}
+  {{- if .Values.conf.software.apache2.a2dismod }}
+    {{- range .Values.conf.software.apache2.a2dismod }}
+  a2dismod {{ . }}
+    {{- end }}
+  {{- end }}
+  exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
+}
+
+function stop () {
+  if [ -f /etc/apache2/envvars ]; then
+    source /etc/apache2/envvars
+  fi
+  {{ .Values.conf.software.apache2.binary }} -k graceful-stop
+}
+
+$COMMAND
diff --git a/charts/placement/templates/certificates.yaml b/charts/placement/templates/certificates.yaml
new file mode 100644
index 0000000..ada7fde
--- /dev/null
+++ b/charts/placement/templates/certificates.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.certificates -}}
+{{  dict "envAll" . "service" "placement" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
+{{- end -}}
diff --git a/charts/placement/templates/configmap-bin.yaml b/charts/placement/templates/configmap-bin.yaml
new file mode 100644
index 0000000..4fc59ce
--- /dev/null
+++ b/charts/placement/templates/configmap-bin.yaml
@@ -0,0 +1,43 @@
+{{/*
+Copyright 2019 Intel Corporation.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: placement-bin
+data:
+  placement-api.sh: |
+{{ tuple "bin/_placement-api.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  db-sync.sh: |
+{{ tuple "bin/_db-sync.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  db-init.py: |
+{{- include "helm-toolkit.scripts.db_init" . | indent 4 }}
+  db-drop.py: |
+{{- include "helm-toolkit.scripts.db_drop" . | indent 4 }}
+  db-migrate.sh: |
+{{ tuple "bin/_db-migrate.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  ks-service.sh: |
+{{- include "helm-toolkit.scripts.keystone_service" . | indent 4 }}
+  ks-endpoints.sh: |
+{{- include "helm-toolkit.scripts.keystone_endpoints" . | indent 4 }}
+  ks-user.sh: |
+{{- include "helm-toolkit.scripts.keystone_user" . | indent 4 }}
+  mysql-migrate-db.sh: |
+{{ tuple "bin/_mysql-migrate-db.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
diff --git a/charts/placement/templates/configmap-etc.yaml b/charts/placement/templates/configmap-etc.yaml
new file mode 100644
index 0000000..c5880af
--- /dev/null
+++ b/charts/placement/templates/configmap-etc.yaml
@@ -0,0 +1,71 @@
+{{/*
+Copyright 2019 Intel Corporation.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_etc }}
+{{- $envAll := . }}
+
+{{- if empty .Values.conf.placement.placement_database.connection -}}
+{{- $connection := tuple "oslo_db" "internal" "placement" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.placement.placement_database "connection" -}}
+{{- else -}}
+{{- $_ := set .Values.conf.placement.placement_database "connection" $connection -}}
+{{- end -}}
+{{- end -}}
+
+{{- if empty .Values.conf.placement.keystone_authtoken.auth_uri -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.placement.keystone_authtoken "auth_uri" -}}
+{{- end -}}
+{{- if empty .Values.conf.placement.keystone_authtoken.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.placement.keystone_authtoken "auth_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.placement.keystone_authtoken.os_region_name -}}
+{{- $_ := set .Values.conf.placement.keystone_authtoken "os_region_name" .Values.endpoints.identity.auth.placement.region_name -}}
+{{- end -}}
+{{- if empty .Values.conf.placement.keystone_authtoken.project_name -}}
+{{- $_ := set .Values.conf.placement.keystone_authtoken "project_name" .Values.endpoints.identity.auth.placement.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.placement.keystone_authtoken.project_domain_name -}}
+{{- $_ := set .Values.conf.placement.keystone_authtoken "project_domain_name" .Values.endpoints.identity.auth.placement.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.placement.keystone_authtoken.user_domain_name -}}
+{{- $_ := set .Values.conf.placement.keystone_authtoken "user_domain_name" .Values.endpoints.identity.auth.placement.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.placement.keystone_authtoken.username -}}
+{{- $_ := set .Values.conf.placement.keystone_authtoken "username" .Values.endpoints.identity.auth.placement.username -}}
+{{- end -}}
+{{- if empty .Values.conf.placement.keystone_authtoken.password -}}
+{{- $_ := set .Values.conf.placement.keystone_authtoken "password" .Values.endpoints.identity.auth.placement.password -}}
+{{- end -}}
+{{- if empty .Values.conf.placement.keystone_authtoken.memcached_servers -}}
+{{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.placement.keystone_authtoken "memcached_servers" -}}
+{{- end -}}
+{{- if empty .Values.conf.placement.keystone_authtoken.memcache_secret_key -}}
+{{- $_ := set .Values.conf.placement.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
+{{- end -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: placement-etc
+type: Opaque
+data:
+  policy.yaml: {{ toYaml .Values.conf.policy | b64enc }}
+  placement.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.placement | b64enc }}
+  logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_placement "key" "wsgi-placement.conf" "format" "Secret" ) | indent 2 }}
+{{- end }}
diff --git a/charts/placement/templates/deployment.yaml b/charts/placement/templates/deployment.yaml
new file mode 100644
index 0000000..9dcde00
--- /dev/null
+++ b/charts/placement/templates/deployment.yaml
@@ -0,0 +1,136 @@
+{{/*
+Copyright 2019 Intel Corporation.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment }}
+{{- $envAll := . }}
+
+{{- $mounts_placement := .Values.pod.mounts.placement.placement }}
+{{- $mounts_placement_init := .Values.pod.mounts.placement.init_container }}
+
+{{- $serviceAccountName := "placement-api" }}
+{{ tuple $envAll "api" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: placement-api
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "placement" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.api }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "placement" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "placement" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "placement-api" "containerNames" (list "placement-api" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "placement" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      affinity:
+{{ tuple $envAll "placement" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+      nodeSelector:
+        {{ .Values.labels.api.node_selector_key }}: {{ .Values.labels.api.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.placement.enabled }}
+{{ tuple $envAll "placement" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+      terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.api.timeout | default "30" }}
+      initContainers:
+{{ tuple $envAll "api" $mounts_placement_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: placement-api
+{{ tuple $envAll "placement" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "placement" "container" "placement_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/placement-api.sh
+            - start
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - /tmp/placement-api.sh
+                  - stop
+          ports:
+            - name: p-api
+              containerPort: {{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+          readinessProbe:
+            # NOTE(portdirect): use tcpSocket check as HTTP will return 401
+            tcpSocket:
+              port: {{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+            initialDelaySeconds: 15
+            periodSeconds: 10
+          livenessProbe:
+            tcpSocket:
+              port: {{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+            initialDelaySeconds: 50
+            periodSeconds: 10
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: wsgi-placement
+              mountPath: /var/www/cgi-bin/placement
+            - name: placement-bin
+              mountPath: /tmp/placement-api.sh
+              subPath: placement-api.sh
+              readOnly: true
+            - name: placement-etc
+              mountPath: /etc/placement/placement.conf
+              subPath: placement.conf
+              readOnly: true
+            {{- if .Values.conf.placement.DEFAULT.log_config_append }}
+            - name: placement-etc
+              mountPath: {{ .Values.conf.placement.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.placement.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+            - name: placement-etc
+              mountPath: /etc/placement/policy.yaml
+              subPath: policy.yaml
+              readOnly: true
+            - name: placement-etc
+              mountPath: /etc/apache2/conf-enabled/wsgi-placement.conf
+              subPath: wsgi-placement.conf
+              readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.api.internal "path" "/etc/placement/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_placement.volumeMounts }}{{ toYaml $mounts_placement.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: wsgi-placement
+          emptyDir: {}
+        - name: placement-bin
+          configMap:
+            name: placement-bin
+            defaultMode: 0555
+        - name: placement-etc
+          secret:
+            secretName: placement-etc
+            defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_placement.volumes }}{{ toYaml $mounts_placement.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/placement/templates/ingress.yaml b/charts/placement/templates/ingress.yaml
new file mode 100644
index 0000000..68ce111
--- /dev/null
+++ b/charts/placement/templates/ingress.yaml
@@ -0,0 +1,25 @@
+{{/*
+Copyright 2019 Intel Corporation.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.ingress .Values.network.api.ingress.public }}
+{{- $envAll := . -}}
+{{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "placement" "backendPort" "p-api" -}}
+{{- $secretName := $envAll.Values.secrets.tls.placement.api.internal -}}
+{{- if and .Values.manifests.certificates $secretName -}}
+{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.placement.host_fqdn_override.default.tls.issuerRef.name -}}
+{{- end -}}
+{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+{{- end }}
diff --git a/charts/placement/templates/job-db-drop.yaml b/charts/placement/templates/job-db-drop.yaml
new file mode 100644
index 0000000..f6e26e7
--- /dev/null
+++ b/charts/placement/templates/job-db-drop.yaml
@@ -0,0 +1,27 @@
+{{/*
+Copyright 2019 Intel Corporation.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_db_drop }}
+{{- $serviceName := "placement" -}}
+{{- $dbDropJob := dict "envAll" . "serviceName" $serviceName -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.pod.tolerations.placement.enabled -}}
+{{- $_ := set $dbDropJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
+{{- end }}
diff --git a/charts/placement/templates/job-db-init.yaml b/charts/placement/templates/job-db-init.yaml
new file mode 100644
index 0000000..6edd417
--- /dev/null
+++ b/charts/placement/templates/job-db-init.yaml
@@ -0,0 +1,37 @@
+{{/*
+Copyright 2019 Intel Corporation.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_init" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-5"
+{{- end }}
+
+{{- if .Values.manifests.job_db_init }}
+{{- $serviceName := "placement" -}}
+{{- $dbApi := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "placement_database" "configDbKey" "connection" -}}
+{{- $dbsToInit := list $dbApi }}
+{{- $dbInitJob := dict "envAll" . "serviceName" $serviceName "dbsToInit" $dbsToInit -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $dbInitJob "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml) -}}
+{{- end }}
+{{- if .Values.pod.tolerations.placement.enabled -}}
+{{- $_ := set $dbInitJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
+{{- end }}
diff --git a/charts/placement/templates/job-db-migrate.yaml b/charts/placement/templates/job-db-migrate.yaml
new file mode 100644
index 0000000..1b7f863
--- /dev/null
+++ b/charts/placement/templates/job-db-migrate.yaml
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_db_migrate }}
+{{- $envAll := . }}
+{{- $serviceAccountName := "placement-db-migrate" -}}
+{{- $service := "db_migrate" -}}
+{{ tuple $envAll $service $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: placement-db-migrate
+  labels:
+{{ tuple $envAll "placement" "db-migrate" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  annotations:
+{{- if .Values.helm3_hook }}
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-weight: "-4"
+{{- end }}
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "placement" $service  | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ dict "envAll" $envAll "podName" "placement-db-migrate" "containerNames" (list "placement-mysql-migration" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "placement" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      restartPolicy: OnFailure
+      nodeSelector:
+        {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.placement.enabled }}
+{{ tuple $envAll "placement" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+      initContainers:
+{{ tuple $envAll $service list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: placement-mysql-migration
+{{ tuple $envAll $service | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "placement" "container" "placement_mysql_migration" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/db-migrate.sh
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: NOVA_API_USER
+              value: {{ .Values.endpoints.oslo_db.auth.nova_api.username | quote }}
+            - name: NOVA_API_PASS
+              value: {{ .Values.endpoints.oslo_db.auth.nova_api.password | quote }}
+            - name: NOVA_API_DB_HOST
+              value: {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" | quote }}
+            - name: PLACEMENT_USER
+              value: {{ .Values.endpoints.oslo_db.auth.placement.username | quote }}
+            - name: PLACEMENT_PASS
+              value: {{ .Values.endpoints.oslo_db.auth.placement.password | quote }}
+            - name: PLACEMENT_DB_HOST
+              value: {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" | quote }}
+{{- if $envAll.Values.manifests.certificates }}
+            - name: MARIADB_X509
+              value: "REQUIRE X509"
+{{- end }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: placement-bin
+              mountPath: /tmp/mysql-migrate-db.sh
+              subPath: mysql-migrate-db.sh
+              readOnly: true
+            - name: placement-bin
+              mountPath: /tmp/db-migrate.sh
+              subPath: db-migrate.sh
+              readOnly: true
+            - name: placement-etc
+              mountPath: /etc/placement/placement.conf
+              subPath: placement.conf
+              readOnly: true
+{{ dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.placement.api.internal | include "helm-toolkit.snippets.tls_volume_mount"  | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: placement-bin
+          configMap:
+            name: placement-bin
+            defaultMode: 0555
+        - name: placement-etc
+          secret:
+            secretName: placement-etc
+            defaultMode: 0444
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/placement/templates/job-db-sync.yaml b/charts/placement/templates/job-db-sync.yaml
new file mode 100644
index 0000000..fea53d9
--- /dev/null
+++ b/charts/placement/templates/job-db-sync.yaml
@@ -0,0 +1,34 @@
+{{/*
+Copyright 2019 Intel Corporation.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_sync" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-3"
+{{- end }}
+
+{{- if .Values.manifests.job_db_sync }}
+{{- $dbSyncJob := dict "envAll" . "serviceName" "placement" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $dbSyncJob "jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.placement.enabled -}}
+{{- $_ := set $dbSyncJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/placement/templates/job-image-repo-sync.yaml b/charts/placement/templates/job-image-repo-sync.yaml
new file mode 100644
index 0000000..2cda817
--- /dev/null
+++ b/charts/placement/templates/job-image-repo-sync.yaml
@@ -0,0 +1,30 @@
+{{/*
+Copyright 2019 Intel Corporation.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.repo_sync" }}
+helm.sh/hook: post-install,post-upgrade
+{{- end }}
+
+{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
+{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "placement" -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $imageRepoSyncJob "jobAnnotations" (include "metadata.annotations.job.repo_sync" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.placement.enabled -}}
+{{- $_ := set $imageRepoSyncJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
+{{- end }}
diff --git a/charts/placement/templates/job-ks-endpoints.yaml b/charts/placement/templates/job-ks-endpoints.yaml
new file mode 100644
index 0000000..111ba33
--- /dev/null
+++ b/charts/placement/templates/job-ks-endpoints.yaml
@@ -0,0 +1,34 @@
+{{/*
+Copyright 2019 Intel Corporation.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_endpoints" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "1"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_endpoints }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "serviceTypes" ( tuple "placement" ) -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.api.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) -}}
+{{- end }}
+{{- if .Values.pod.tolerations.placement.enabled -}}
+{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
+{{- end }}
diff --git a/charts/placement/templates/job-ks-service.yaml b/charts/placement/templates/job-ks-service.yaml
new file mode 100644
index 0000000..10e45bd
--- /dev/null
+++ b/charts/placement/templates/job-ks-service.yaml
@@ -0,0 +1,34 @@
+{{/*
+Copyright 2019 Intel Corporation.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_service" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-2"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_service }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "serviceTypes" ( tuple "placement" ) -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.api.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) -}}
+{{- end }}
+{{- if .Values.pod.tolerations.placement.enabled -}}
+{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
+{{- end }}
diff --git a/charts/placement/templates/job-ks-user.yaml b/charts/placement/templates/job-ks-user.yaml
new file mode 100644
index 0000000..2c1a002
--- /dev/null
+++ b/charts/placement/templates/job-ks-user.yaml
@@ -0,0 +1,34 @@
+{{/*
+Copyright 2019 Intel Corporation.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_user" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-1"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_user }}
+{{- $ksUserJob := dict "envAll" . "serviceName" "placement" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.placement.api.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) -}}
+{{- end }}
+{{- if .Values.pod.tolerations.placement.enabled -}}
+{{- $_ := set $ksUserJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
+{{- end }}
diff --git a/charts/placement/templates/network_policy.yaml b/charts/placement/templates/network_policy.yaml
new file mode 100644
index 0000000..d4d209e
--- /dev/null
+++ b/charts/placement/templates/network_policy.yaml
@@ -0,0 +1,20 @@
+{{/*
+Copyright 2019 Intel Corporation.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "placement" }}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/charts/placement/templates/pdb.yaml b/charts/placement/templates/pdb.yaml
new file mode 100644
index 0000000..3d17a82
--- /dev/null
+++ b/charts/placement/templates/pdb.yaml
@@ -0,0 +1,29 @@
+{{/*
+Copyright 2019 Intel Corporation.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pdb }}
+{{- $envAll := . }}
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: placement-api
+spec:
+  minAvailable: {{ .Values.pod.lifecycle.disruption_budget.api.min_available }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "placement" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{- end }}
diff --git a/charts/placement/templates/secret-db.yaml b/charts/placement/templates/secret-db.yaml
new file mode 100644
index 0000000..91beb97
--- /dev/null
+++ b/charts/placement/templates/secret-db.yaml
@@ -0,0 +1,35 @@
+{{/*
+Copyright 2019 Intel Corporation.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_db }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "placement" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+{{- $connection :=  tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+{{- if $envAll.Values.manifests.certificates }}
+  DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
+{{- else }}
+  DB_CONNECTION: {{  $connection | b64enc -}}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/placement/templates/secret-ingress-tls.yaml b/charts/placement/templates/secret-ingress-tls.yaml
new file mode 100644
index 0000000..49931c5
--- /dev/null
+++ b/charts/placement/templates/secret-ingress-tls.yaml
@@ -0,0 +1,19 @@
+{{/*
+Copyright 2019 Intel Corporation.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{ include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "placement" ) }}
+{{- end }}
diff --git a/charts/placement/templates/secret-keystone.yaml b/charts/placement/templates/secret-keystone.yaml
new file mode 100644
index 0000000..ce24aa2
--- /dev/null
+++ b/charts/placement/templates/secret-keystone.yaml
@@ -0,0 +1,30 @@
+{{/*
+Copyright 2019 Intel Corporation.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_keystone }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "placement" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
+{{- end }}
diff --git a/charts/placement/templates/secret-registry.yaml b/charts/placement/templates/secret-registry.yaml
new file mode 100644
index 0000000..da979b3
--- /dev/null
+++ b/charts/placement/templates/secret-registry.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
diff --git a/charts/placement/templates/service-ingress.yaml b/charts/placement/templates/service-ingress.yaml
new file mode 100644
index 0000000..1eb19c2
--- /dev/null
+++ b/charts/placement/templates/service-ingress.yaml
@@ -0,0 +1,20 @@
+{{/*
+Copyright 2019 Intel Corporation.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_ingress .Values.network.api.ingress.public }}
+{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "placement" -}}
+{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
+{{- end }}
diff --git a/charts/placement/templates/service.yaml b/charts/placement/templates/service.yaml
new file mode 100644
index 0000000..3d9bd01
--- /dev/null
+++ b/charts/placement/templates/service.yaml
@@ -0,0 +1,36 @@
+{{/*
+Copyright 2019 Intel Corporation.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tuple "placement" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+  ports:
+  - name: p-api
+    port: {{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+    {{ if .Values.network.api.node_port.enabled }}
+    nodePort: {{ .Values.network.api.node_port.port }}
+    {{ end }}
+  selector:
+{{ tuple $envAll "placement" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  {{ if .Values.network.api.node_port.enabled }}
+  type: NodePort
+  {{ end }}
+{{- end }}
diff --git a/charts/placement/values.yaml b/charts/placement/values.yaml
new file mode 100644
index 0000000..578d947
--- /dev/null
+++ b/charts/placement/values.yaml
@@ -0,0 +1,536 @@
+# Copyright 2019 Intel Corporation.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for openstack-placement.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+---
+release_group: null
+
+labels:
+  api:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  job:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+
+images:
+  pull_policy: IfNotPresent
+  tags:
+    placement: docker.io/openstackhelm/placement:stein-ubuntu_bionic
+    ks_user: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+    ks_service: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+    ks_endpoints: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+    db_init: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+    db_drop: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+    db_migrate: quay.io/airshipit/porthole-mysqlclient-utility:latest-ubuntu_bionic
+    placement_db_sync: docker.io/openstackhelm/placement:stein-ubuntu_bionic
+    dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    image_repo_sync: docker.io/docker:17.07.0
+  local_registry:
+    active: false
+    exclude:
+      - dep_check
+      - image_repo_sync
+
+network:
+  api:
+    port: 8778
+    ingress:
+      public: true
+      classes:
+        namespace: "nginx"
+        cluster: "nginx-cluster"
+      annotations:
+        nginx.ingress.kubernetes.io/rewrite-target: /
+    external_policy_local: false
+    node_port:
+      enabled: false
+      port: 30778
+
+conf:
+  software:
+    apache2:
+      binary: apache2
+      start_parameters: -DFOREGROUND
+      # Enable/Disable modules
+      # a2enmod:
+      #   - headers
+      #   - rewrite
+      # a2dismod:
+      #   - status
+      a2enmod: null
+      a2dismod: null
+  policy:
+    "context_is_admin": "role:admin"
+    "admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s"
+    "default": "rule:admin_or_owner"
+    "admin_api": "role:admin"
+    "placement:resource_providers:list": "rule:admin_api"
+    "placement:resource_providers:create": "rule:admin_api"
+    "placement:resource_providers:show": "rule:admin_api"
+    "placement:resource_providers:update": "rule:admin_api"
+    "placement:resource_providers:delete": "rule:admin_api"
+    "placement:resource_classes:list": "rule:admin_api"
+    "placement:resource_classes:create": "rule:admin_api"
+    "placement:resource_classes:show": "rule:admin_api"
+    "placement:resource_classes:update": "rule:admin_api"
+    "placement:resource_classes:delete": "rule:admin_api"
+    "placement:resource_providers:inventories:list": "rule:admin_api"
+    "placement:resource_providers:inventories:create": "rule:admin_api"
+    "placement:resource_providers:inventories:show": "rule:admin_api"
+    "placement:resource_providers:inventories:update": "rule:admin_api"
+    "placement:resource_providers:inventories:delete": "rule:admin_api"
+    "placement:resource_providers:aggregates:list": "rule:admin_api"
+    "placement:resource_providers:aggregates:update": "rule:admin_api"
+    "placement:resource_providers:usages": "rule:admin_api"
+    "placement:usages": "rule:admin_api"
+    "placement:traits:list": "rule:admin_api"
+    "placement:traits:show": "rule:admin_api"
+    "placement:traits:update": "rule:admin_api"
+    "placement:traits:delete": "rule:admin_api"
+    "placement:resource_providers:traits:list": "rule:admin_api"
+    "placement:resource_providers:traits:update": "rule:admin_api"
+    "placement:resource_providers:traits:delete": "rule:admin_api"
+    "placement:allocations:manage": "rule:admin_api"
+    "placement:allocations:list": "rule:admin_api"
+    "placement:allocations:update": "rule:admin_api"
+    "placement:allocations:delete": "rule:admin_api"
+    "placement:resource_providers:allocations:list": "rule:admin_api"
+    "placement:allocation_candidates:list": "rule:admin_api"
+    "placement:reshaper:reshape": "rule:admin_api"
+  placement:
+    DEFAULT:
+      debug: false
+      use_syslog: false
+      log_config_append: /etc/placement/logging.conf
+    placement_database:
+      connection: null
+    keystone_authtoken:
+      auth_version: v3
+      auth_type: password
+      memcache_security_strategy: ENCRYPT
+  logging:
+    loggers:
+      keys:
+        - root
+        - placement
+    handlers:
+      keys:
+        - stdout
+        - stderr
+        - "null"
+    formatters:
+      keys:
+        - context
+        - default
+    logger_root:
+      level: WARNING
+      handlers: 'null'
+    logger_placement:
+      level: INFO
+      handlers:
+        - stdout
+      qualname: placement
+    logger_amqp:
+      level: WARNING
+      handlers: stderr
+      qualname: amqp
+    logger_amqplib:
+      level: WARNING
+      handlers: stderr
+      qualname: amqplib
+    logger_eventletwsgi:
+      level: WARNING
+      handlers: stderr
+      qualname: eventlet.wsgi.server
+    logger_sqlalchemy:
+      level: WARNING
+      handlers: stderr
+      qualname: sqlalchemy
+    logger_boto:
+      level: WARNING
+      handlers: stderr
+      qualname: boto
+    handler_null:
+      class: logging.NullHandler
+      formatter: default
+      args: ()
+    handler_stdout:
+      class: StreamHandler
+      args: (sys.stdout,)
+      formatter: context
+    handler_stderr:
+      class: StreamHandler
+      args: (sys.stderr,)
+      formatter: context
+    formatter_context:
+      class: oslo_log.formatters.ContextFormatter
+      datefmt: "%Y-%m-%d %H:%M:%S"
+    formatter_default:
+      format: "%(message)s"
+      datefmt: "%Y-%m-%d %H:%M:%S"
+  wsgi_placement: |
+    Listen 0.0.0.0:{{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
+    SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+    CustomLog /dev/stdout combined env=!forwarded
+    CustomLog /dev/stdout proxy env=forwarded
+    <VirtualHost *:{{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}>
+        WSGIDaemonProcess placement-api processes=4 threads=1 user=placement group=placement display-name=%{GROUP}
+        WSGIProcessGroup placement-api
+        WSGIScriptAlias / /var/www/cgi-bin/placement/placement-api
+        WSGIApplicationGroup %{GLOBAL}
+        WSGIPassAuthorization On
+        <IfVersion >= 2.4>
+          ErrorLogFormat "%{cu}t %M"
+        </IfVersion>
+        ErrorLog /dev/stdout
+        SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+        CustomLog /dev/stdout combined env=!forwarded
+        CustomLog /dev/stdout proxy env=forwarded
+    </VirtualHost>
+    Alias /placement /var/www/cgi-bin/placement/placement-api
+    <Location /placement>
+        SetHandler wsgi-script
+        Options +ExecCGI
+        WSGIProcessGroup placement-api
+        WSGIApplicationGroup %{GLOBAL}
+        WSGIPassAuthorization On
+    </Location>
+
+endpoints:
+  cluster_domain_suffix: cluster.local
+  local_image_registry:
+    name: docker-registry
+    namespace: docker-registry
+    hosts:
+      default: localhost
+      internal: docker-registry
+      node: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      placement:
+        username: placement
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
+  oslo_db:
+    auth:
+      admin:
+        username: root
+        password: password
+        secret:
+          tls:
+            internal: mariadb-tls-direct
+      placement:
+        username: placement
+        password: password
+      # NOTE: This should be the username/password used to access the nova_api
+      # database. This is required only if database migration from nova to
+      # placement is desired.
+      nova_api:
+        username: nova
+        password: password
+    hosts:
+      default: mariadb
+    host_fqdn_override:
+      default: null
+    path: /placement
+    scheme: mysql+pymysql
+    port:
+      mysql:
+        default: 3306
+  oslo_cache:
+    auth:
+      # NOTE(portdirect): this is used to define the value for keystone
+      # authtoken cache encryption key, if not set it will be populated
+      # automatically with a random value, but to take advantage of
+      # this feature all services should be set to use the same key,
+      # and memcache service.
+      memcache_secret_key: null
+    hosts:
+      default: memcached
+    host_fqdn_override:
+      default: null
+    port:
+      memcache:
+        default: 11211
+  identity:
+    name: keystone
+    auth:
+      admin:
+        region_name: RegionOne
+        username: admin
+        password: password
+        project_name: admin
+        user_domain_name: default
+        project_domain_name: default
+      placement:
+        role: admin
+        region_name: RegionOne
+        username: placement
+        password: password
+        project_name: service
+        user_domain_name: service
+        project_domain_name: service
+    hosts:
+      default: keystone
+      internal: keystone-api
+    host_fqdn_override:
+      default: null
+    path:
+      default: /v3
+    scheme:
+      default: http
+    port:
+      api:
+        default: 80
+        internal: 5000
+  placement:
+    name: placement
+    hosts:
+      default: placement-api
+      public: placement
+    host_fqdn_override:
+      default: null
+    path:
+      default: /
+    scheme:
+      default: 'http'
+    port:
+      api:
+        default: 8778
+        public: 80
+
+pod:
+  security_context:
+    placement:
+      pod:
+        runAsUser: 42424
+      container:
+        placement_api:
+          readOnlyRootFilesystem: false
+          runAsUser: 0
+        placement_mysql_migration:
+          readOnlyRootFilesystem: false
+          runAsUser: 0
+  affinity:
+    anti:
+      type:
+        default: preferredDuringSchedulingIgnoredDuringExecution
+      topologyKey:
+        default: kubernetes.io/hostname
+  tolerations:
+    placement:
+      enabled: false
+      tolerations:
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: NoSchedule
+  mounts:
+    placement:
+      init_container: null
+      placement:
+        volumeMounts:
+        volumes:
+  replicas:
+    api: 1
+  lifecycle:
+    upgrades:
+      deployments:
+        revision_history: 3
+        pod_replacement_strategy: RollingUpdate
+        rolling_update:
+          max_unavailable: 1
+          max_surge: 3
+    disruption_budget:
+      api:
+        min_available: 0
+    termination_grace_period:
+      api:
+        timeout: 30
+  resources:
+    enabled: false
+    api:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+    jobs:
+      db_init:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      db_sync:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      db_drop:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      db_migrate:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      ks_endpoints:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      ks_service:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      ks_user:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+
+secrets:
+  identity:
+    admin: placement-keystone-admin
+    placement: placement-keystone-user
+  oslo_db:
+    admin: placement-db-admin
+    placement: placement-db-user
+  tls:
+    placement:
+      api:
+        public: placement-tls-public
+        internal: placement-tls-api
+  oci_image_registry:
+    placement: placement-oci-image-registry
+
+dependencies:
+  dynamic:
+    common:
+      local_image_registry:
+        jobs:
+          - image-repo-sync
+        services:
+          - endpoint: node
+            service: local_image_registry
+  static:
+    api:
+      jobs:
+        - placement-db-sync
+        - placement-ks-service
+        - placement-ks-user
+        - placement-ks-endpoints
+    ks_endpoints:
+      jobs:
+        - placement-ks-user
+        - placement-ks-service
+      services:
+        - endpoint: internal
+          service: identity
+    ks_service:
+      services:
+        - endpoint: internal
+          service: identity
+    ks_user:
+      services:
+        - endpoint: internal
+          service: identity
+    db_drop:
+      services:
+        - endpoint: internal
+          service: oslo_db
+    db_init:
+      services:
+        - endpoint: internal
+          service: oslo_db
+    db_migrate:
+      jobs:
+        - placement-db-init
+        - nova-db-sync
+      services:
+        - endpoint: internal
+          service: oslo_db
+    db_sync:
+      jobs:
+        - placement-db-init
+        # NOTE: This needs to be enabled if placement migration is required.
+        # - placement-db-migrate
+      services:
+        - endpoint: internal
+          service: oslo_db
+
+# NOTE(helm_hook): helm_hook might break for helm2 binary.
+# set helm3_hook: false when using the helm2 binary.
+helm3_hook: true
+
+manifests:
+  certificates: false
+  configmap_bin: true
+  configmap_etc: true
+  deployment: true
+  job_image_repo_sync: true
+  job_db_init: true
+  job_db_sync: true
+  job_db_drop: false
+  job_db_migrate: false
+  job_ks_endpoints: true
+  job_ks_service: true
+  job_ks_user: true
+  network_policy: false
+  secret_db: true
+  secret_ingress_tls: true
+  secret_registry: true
+  pdb: true
+  ingress: true
+  secret_keystone: true
+  service_ingress: true
+  service: true
+...
diff --git a/charts/placement/values_overrides/apparmor.yaml b/charts/placement/values_overrides/apparmor.yaml
new file mode 100644
index 0000000..84ca750
--- /dev/null
+++ b/charts/placement/values_overrides/apparmor.yaml
@@ -0,0 +1,14 @@
+---
+pod:
+  mandatory_access_control:
+    type: apparmor
+    placement-api:
+      placement-api: runtime/default
+      init: runtime/default
+    placement-db-migrate:
+      init: runtime/default
+      placement-mysql-migration: runtime/default
+
+manifests:
+  job_db_migrate: true
+...
diff --git a/charts/placement/values_overrides/netpol.yaml b/charts/placement/values_overrides/netpol.yaml
new file mode 100644
index 0000000..84557be
--- /dev/null
+++ b/charts/placement/values_overrides/netpol.yaml
@@ -0,0 +1,20 @@
+---
+manifests:
+  network_policy: true
+network_policy:
+  placement:
+    egress:
+      - {}
+    ingress:
+      - from:
+        - podSelector:
+            matchLabels:
+              application: nova
+        ports:
+        - protocol: TCP
+          port: 8778
+        - protocol: TCP
+          port: 80
+        - protocol: TCP
+          port: 8080
+...
diff --git a/charts/placement/values_overrides/tls.yaml b/charts/placement/values_overrides/tls.yaml
new file mode 100644
index 0000000..adfd359
--- /dev/null
+++ b/charts/placement/values_overrides/tls.yaml
@@ -0,0 +1,79 @@
+---
+network:
+  api:
+    ingress:
+      annotations:
+        nginx.ingress.kubernetes.io/backend-protocol: "https"
+conf:
+  software:
+    apache2:
+      a2enmod:
+        - ssl
+  placement:
+    keystone_authtoken:
+      cafile: /etc/placement/certs/ca.crt
+  wsgi_placement: |
+    Listen 0.0.0.0:{{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
+    SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+    CustomLog /dev/stdout combined env=!forwarded
+    CustomLog /dev/stdout proxy env=forwarded
+    <VirtualHost *:{{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}>
+      ServerName {{ printf "%s.%s.svc.%s" "placement-api" .Release.Namespace .Values.endpoints.cluster_domain_suffix }}
+      WSGIDaemonProcess placement-api processes=4 threads=1 user=placement group=placement display-name=%{GROUP}
+      WSGIProcessGroup placement-api
+      WSGIScriptAlias / /var/www/cgi-bin/placement/placement-api
+      WSGIApplicationGroup %{GLOBAL}
+      WSGIPassAuthorization On
+      <IfVersion >= 2.4>
+        ErrorLogFormat "%{cu}t %M"
+      </IfVersion>
+      ErrorLog /dev/stdout
+      SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+      CustomLog /dev/stdout combined env=!forwarded
+      CustomLog /dev/stdout proxy env=forwarded
+
+      SSLEngine on
+      SSLCertificateFile      /etc/placement/certs/tls.crt
+      SSLCertificateKeyFile   /etc/placement/certs/tls.key
+      SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
+      SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+      SSLHonorCipherOrder     on
+    </VirtualHost>
+    Alias /placement /var/www/cgi-bin/placement/placement-api
+    <Location /placement>
+      SetHandler wsgi-script
+      Options +ExecCGI
+      WSGIProcessGroup placement-api
+      WSGIApplicationGroup %{GLOBAL}
+      WSGIPassAuthorization On
+    </Location>
+endpoints:
+  identity:
+    auth:
+      admin:
+        cacert: /etc/ssl/certs/openstack-helm.crt
+      placement:
+        cacert: /etc/ssl/certs/openstack-helm.crt
+    scheme:
+      default: https
+    port:
+      api:
+        default: 443
+  placement:
+    host_fqdn_override:
+      default:
+        tls:
+          secretName: placement-tls-api
+          issuerRef:
+            name: ca-issuer
+            kind: ClusterIssuer
+    scheme:
+      default: https
+    port:
+      api:
+        public: 443
+manifests:
+  certificates: true
+...
diff --git a/charts/placement/values_overrides/train-ubuntu_bionic.yaml b/charts/placement/values_overrides/train-ubuntu_bionic.yaml
new file mode 100644
index 0000000..d721085
--- /dev/null
+++ b/charts/placement/values_overrides/train-ubuntu_bionic.yaml
@@ -0,0 +1,23 @@
+---
+images:
+  pull_policy: IfNotPresent
+  tags:
+    placement: "docker.io/openstackhelm/placement:train-ubuntu_bionic"
+    ks_user: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+    ks_service: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+    ks_endpoints: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+    db_init: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+    db_drop: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+    db_migrate: "quay.io/airshipit/porthole-mysqlclient-utility:latest-ubuntu_bionic"
+    placement_db_sync: "docker.io/openstackhelm/placement:train-ubuntu_bionic"
+    dep_check: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+    image_repo_sync: "docker.io/docker:17.07.0"
+manifests:
+  job_db_migrate: true
+dependencies:
+  static:
+    db_sync:
+      jobs:
+        - placement-db-init
+        - placement-db-migrate
+...
diff --git a/charts/placement/values_overrides/ussuri-ubuntu_bionic.yaml b/charts/placement/values_overrides/ussuri-ubuntu_bionic.yaml
new file mode 100644
index 0000000..6f19c55
--- /dev/null
+++ b/charts/placement/values_overrides/ussuri-ubuntu_bionic.yaml
@@ -0,0 +1,23 @@
+---
+images:
+  pull_policy: IfNotPresent
+  tags:
+    placement: "docker.io/openstackhelm/placement:ussuri-ubuntu_bionic"
+    ks_user: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+    ks_service: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+    ks_endpoints: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+    db_init: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+    db_drop: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+    db_migrate: "quay.io/airshipit/porthole-mysqlclient-utility:latest-ubuntu_bionic"
+    placement_db_sync: "docker.io/openstackhelm/placement:ussuri-ubuntu_bionic"
+    dep_check: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+    image_repo_sync: "docker.io/docker:17.07.0"
+manifests:
+  job_db_migrate: true
+dependencies:
+  static:
+    db_sync:
+      jobs:
+        - placement-db-init
+        - placement-db-migrate
+...
diff --git a/charts/placement/values_overrides/victoria-ubuntu_focal.yaml b/charts/placement/values_overrides/victoria-ubuntu_focal.yaml
new file mode 100644
index 0000000..1c94633
--- /dev/null
+++ b/charts/placement/values_overrides/victoria-ubuntu_focal.yaml
@@ -0,0 +1,23 @@
+---
+images:
+  pull_policy: IfNotPresent
+  tags:
+    placement: "docker.io/openstackhelm/placement:victoria-ubuntu_focal"
+    ks_user: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+    ks_service: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+    ks_endpoints: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+    db_init: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+    db_drop: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+    db_migrate: "quay.io/airshipit/porthole-mysqlclient-utility:latest-ubuntu_bionic"
+    placement_db_sync: "docker.io/openstackhelm/placement:victoria-ubuntu_focal"
+    dep_check: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+    image_repo_sync: "docker.io/docker:17.07.0"
+manifests:
+  job_db_migrate: true
+dependencies:
+  static:
+    db_sync:
+      jobs:
+        - placement-db-init
+        - placement-db-migrate
+...
diff --git a/charts/placement/values_overrides/wallaby-ubuntu_focal.yaml b/charts/placement/values_overrides/wallaby-ubuntu_focal.yaml
new file mode 100644
index 0000000..9122f5b
--- /dev/null
+++ b/charts/placement/values_overrides/wallaby-ubuntu_focal.yaml
@@ -0,0 +1,23 @@
+---
+images:
+  pull_policy: IfNotPresent
+  tags:
+    placement: "docker.io/openstackhelm/placement:wallaby-ubuntu_focal"
+    ks_user: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+    ks_service: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+    ks_endpoints: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+    db_init: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+    db_drop: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+    db_migrate: "quay.io/airshipit/porthole-mysqlclient-utility:latest-ubuntu_bionic"
+    placement_db_sync: "docker.io/openstackhelm/placement:wallaby-ubuntu_focal"
+    dep_check: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+    image_repo_sync: "docker.io/docker:17.07.0"
+manifests:
+  job_db_migrate: true
+dependencies:
+  static:
+    db_sync:
+      jobs:
+        - placement-db-init
+        - placement-db-migrate
+...
diff --git a/charts/placement/values_overrides/xena-ubuntu_focal.yaml b/charts/placement/values_overrides/xena-ubuntu_focal.yaml
new file mode 100644
index 0000000..c8355d9
--- /dev/null
+++ b/charts/placement/values_overrides/xena-ubuntu_focal.yaml
@@ -0,0 +1,23 @@
+---
+images:
+  pull_policy: IfNotPresent
+  tags:
+    placement: "docker.io/openstackhelm/placement:xena-ubuntu_focal"
+    ks_user: "docker.io/openstackhelm/heat:xena-ubuntu_focal"
+    ks_service: "docker.io/openstackhelm/heat:xena-ubuntu_focal"
+    ks_endpoints: "docker.io/openstackhelm/heat:xena-ubuntu_focal"
+    db_init: "docker.io/openstackhelm/heat:xena-ubuntu_focal"
+    db_drop: "docker.io/openstackhelm/heat:xena-ubuntu_focal"
+    db_migrate: "quay.io/airshipit/porthole-mysqlclient-utility:latest-ubuntu_bionic"
+    placement_db_sync: "docker.io/openstackhelm/placement:xena-ubuntu_focal"
+    dep_check: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+    image_repo_sync: "docker.io/docker:17.07.0"
+manifests:
+  job_db_migrate: true
+dependencies:
+  static:
+    db_sync:
+      jobs:
+        - placement-db-init
+        - placement-db-migrate
+...
diff --git a/charts/placement/values_overrides/yoga-ubuntu_focal.yaml b/charts/placement/values_overrides/yoga-ubuntu_focal.yaml
new file mode 100644
index 0000000..b508709
--- /dev/null
+++ b/charts/placement/values_overrides/yoga-ubuntu_focal.yaml
@@ -0,0 +1,23 @@
+---
+images:
+  pull_policy: IfNotPresent
+  tags:
+    placement: "docker.io/openstackhelm/placement:yoga-ubuntu_focal"
+    ks_user: "docker.io/openstackhelm/heat:yoga-ubuntu_focal"
+    ks_service: "docker.io/openstackhelm/heat:yoga-ubuntu_focal"
+    ks_endpoints: "docker.io/openstackhelm/heat:yoga-ubuntu_focal"
+    db_init: "docker.io/openstackhelm/heat:yoga-ubuntu_focal"
+    db_drop: "docker.io/openstackhelm/heat:yoga-ubuntu_focal"
+    db_migrate: "quay.io/airshipit/porthole-mysqlclient-utility:latest-ubuntu_bionic"
+    placement_db_sync: "docker.io/openstackhelm/placement:yoga-ubuntu_focal"
+    dep_check: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+    image_repo_sync: "docker.io/docker:17.07.0"
+manifests:
+  job_db_migrate: true
+dependencies:
+  static:
+    db_sync:
+      jobs:
+        - placement-db-init
+        - placement-db-migrate
+...
diff --git a/charts/senlin/Chart.yaml b/charts/senlin/Chart.yaml
new file mode 100644
index 0000000..e1614ff
--- /dev/null
+++ b/charts/senlin/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Senlin
+home: https://docs.openstack.org/senlin/latest/
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/Senlin/OpenStack_Project_Senlin_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: senlin
+sources:
+- https://opendev.org/openstack/senlin
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.6
diff --git a/charts/senlin/charts/helm-toolkit/Chart.yaml b/charts/senlin/charts/helm-toolkit/Chart.yaml
new file mode 100644
index 0000000..d90280e
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Helm-Toolkit
+home: https://docs.openstack.org/openstack-helm
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: helm-toolkit
+sources:
+- https://opendev.org/openstack/openstack-helm-infra
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.44
diff --git a/charts/senlin/charts/helm-toolkit/requirements.yaml b/charts/senlin/charts/helm-toolkit/requirements.yaml
new file mode 100644
index 0000000..27fb08a
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/requirements.yaml
@@ -0,0 +1,15 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies: []
+...
diff --git a/charts/senlin/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl b/charts/senlin/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..12b84de
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
@@ -0,0 +1,58 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves database, or basic auth, style endpoints
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      auth:
+        admin:
+          username: root
+          password: password
+        service_username:
+          username: username
+          password: password
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+      path: /dbname
+      scheme: mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "service_username" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+return: |
+  mysql+pymysql://serviceuser:password@mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s:%s@%s:%s%s" $endpointScheme $endpointUser $endpointPass $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl b/charts/senlin/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..b7cf287
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
@@ -0,0 +1,121 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves endpoint string suitible for use with oslo.messaging transport url
+  See: https://docs.openstack.org/oslo.messaging/latest/reference/transport.html#oslo_messaging.TransportURL
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset:
+            replicas: 2
+            name: rabbitmq-rabbitmq
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: null
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq-rabbitmq-0.rabbitmq.default.svc.cluster.local:5672,cinder:password@rabbitmq-rabbitmq-1.rabbitmq.default.svc.cluster.local:5672/cinder
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset: null
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: null
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq.default.svc.cluster.local:5672/cinder
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_messaging:
+          auth:
+            cinder:
+              username: cinder
+              password: password
+          statefulset:
+            replicas: 2
+            name: rabbitmq-rabbitmq
+          hosts:
+            default: rabbitmq
+          host_fqdn_override:
+            default: rabbitmq.openstackhelm.org
+          path: /cinder
+          scheme: rabbit
+          port:
+            amqp:
+              default: 5672
+    usage: |
+      {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+    return: |
+      rabbit://cinder:password@rabbitmq.openstackhelm.org:5672/cinder
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" -}}
+{{-   $type := index . 0 -}}
+{{-   $endpoint := index . 1 -}}
+{{-   $userclass := index . 2 -}}
+{{-   $port := index . 3 -}}
+{{-   $context := index . 4 -}}
+{{-   $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{-   $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{-   $ssMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "statefulset" | default false}}
+{{-   $hostFqdnOverride := index $context.Values.endpoints ( $type | replace "-" "_" ) "host_fqdn_override" }}
+{{-   $endpointUser := index $userMap "username" }}
+{{-   $endpointPass := index $userMap "password" }}
+{{-   $endpointHostSuffix := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{-   $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{-   $local := dict "endpointCredsAndHosts" list -}}
+{{-   if not (or (index $hostFqdnOverride $endpoint | default ( index $hostFqdnOverride "default" ) ) ( not $ssMap ) ) }}
+{{-     $endpointHostPrefix := $ssMap.name }}
+{{-     range $podInt := until ( atoi (print $ssMap.replicas ) ) }}
+{{-       $endpointCredAndHost := printf "%s:%s@%s-%d.%s:%s" $endpointUser $endpointPass $endpointHostPrefix $podInt $endpointHostSuffix $endpointPort }}
+{{-       $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{-     end }}
+{{-   else }}
+{{-     $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{-     $endpointCredAndHost := printf "%s:%s@%s:%s" $endpointUser $endpointPass $endpointHost $endpointPort }}
+{{-     $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{-   end }}
+{{-   $endpointCredsAndHosts := include "helm-toolkit.utils.joinListWithComma" $local.endpointCredsAndHosts }}
+{{-   $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{-   printf "%s://%s%s" $endpointScheme $endpointCredsAndHosts $endpointPath }}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl b/charts/senlin/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
new file mode 100644
index 0000000..fb8bbe7
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves either the fully qualified hostname, of if defined in the host field
+  IPv4 for an endpoint.
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default:
+             host: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: 127.0.0.1
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      127.0.0.1
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default:
+             host: 127.0.0.1
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+    return: |
+      127.0.0.1
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_host_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl b/charts/senlin/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
new file mode 100644
index 0000000..447efe7
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
@@ -0,0 +1,41 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the port for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+return: |
+  3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_port_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- $endpointPortMAP := index $endpointMap.port $port }}
+{{- $endpointPort := index $endpointPortMAP $endpoint | default ( index $endpointPortMAP "default" ) }}
+{{- printf "%1.f" $endpointPort -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl b/charts/senlin/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
new file mode 100644
index 0000000..3a268c0
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
@@ -0,0 +1,36 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Gets the token for an endpoint
+values: |
+  endpoints:
+    keystone:
+      auth:
+        admin:
+          token: zh78JzXgw6YUKy2e
+usage: |
+  {{ tuple "keystone" "admin" . | include "helm-toolkit.endpoints.endpoint_token_lookup" }}
+return: |
+  zh78JzXgw6YUKy2e
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_token_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $userName := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" }}
+{{- printf "%s" $serviceToken -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl b/charts/senlin/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..6877b7b
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
@@ -0,0 +1,59 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves 'hostname:port' for an endpoint
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+          port:
+            mysql:
+              default: 3306
+    usage: |
+      {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local:3306
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: 127.0.0.1
+          host_fqdn_override:
+            default: null
+          port:
+            mysql:
+              default: 3306
+    usage: |
+      {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+    return: |
+      127.0.0.1:3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- printf "%s:%s" $endpointHostname $endpointPort -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl b/charts/senlin/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
new file mode 100644
index 0000000..26374e3
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the fully qualified hostname for an endpoint
+examples:
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.default.svc.cluster.local
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: mariadb.openstackhelm.openstack.org
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.openstackhelm.openstack.org
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default:
+              host: mariadb.openstackhelm.openstack.org
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+    return: |
+      mariadb.openstackhelm.openstack.org
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointHostNamespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.svc.%s" $endpointHostNamespaced $context.Values.endpoints.cluster_domain_suffix }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $endpointMap.host_fqdn_override "default" | default "" ) }}
+{{- if kindIs "map" $context.Values.__FQDNendpointHostDefault }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $context.Values.__FQDNendpointHostDefault "host" ) }}
+{{- end }}
+{{- if kindIs "map" (index $endpointMap.host_fqdn_override $endpoint) }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint "host" | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl b/charts/senlin/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
new file mode 100644
index 0000000..9d60393
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
@@ -0,0 +1,40 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the namespace scoped hostname for an endpoint
+values: |
+  endpoints:
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+return: |
+  mariadb.default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.%s" $endpointHost $namespace }}
+{{- printf "%s" $endpointClusterHostname -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl b/charts/senlin/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
new file mode 100644
index 0000000..cc4d4de
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the namespace scoped hostname for an endpoint
+values: |
+  endpoints:
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" }}
+return: |
+  default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- printf "%s" $namespace -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl b/charts/senlin/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
new file mode 100644
index 0000000..f23c624
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the short hostname for an endpoint
+examples:
+  - values: |
+      endpoints:
+        oslo_db:
+          hosts:
+            default: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+    return: |
+      mariadb
+  - values: |
+      endpoints:
+        oslo_db:
+          hosts:
+            default:
+              host: mariadb
+          host_fqdn_override:
+            default: null
+    usage: |
+      {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+    return: |
+      mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- printf "%s" $type -}}
+{{- else }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl b/charts/senlin/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
new file mode 100644
index 0000000..e31c0eb
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves the service name for an service type
+values: |
+  endpoints:
+    identity:
+      name: keystone
+usage: |
+  {{ tuple identity . | include "keystone_endpoint_name_lookup" }}
+return: |
+  "keystone"
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_name_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointName := index $endpointMap "name" }}
+{{- $endpointName | quote -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl b/charts/senlin/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
new file mode 100644
index 0000000..b2ec648
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+  Resolves the path for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      path:
+       default: /dbname
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+return: |
+  /dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_path_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.path }}
+{{- printf "%s" $endpointMap.path | default "/" -}}
+{{- else -}}
+{{- $endpointPath := index $endpointMap.path $endpoint | default $endpointMap.path.default | default "/" }}
+{{- printf "%s" $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl b/charts/senlin/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
new file mode 100644
index 0000000..b35cb0b
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+  Resolves the scheme for an endpoint
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      scheme:
+        default:
+          mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+return: |
+  mysql+pymysql
+*/}}
+
+# This function returns the scheme for a service, it takes an tuple
+# input in the form: service-type, endpoint-class, port-name. eg:
+# { tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_scheme_lookup" }
+# will return the scheme setting for this particular endpoint.  In other words, for most endpoints
+# it will return either 'http' or 'https'
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.scheme }}
+{{- printf "%s" $endpointMap.scheme | default "http" -}}
+{{- else -}}
+{{- $endpointScheme := index $endpointMap.scheme $endpoint | default $endpointMap.scheme.default | default "http" }}
+{{- printf "%s" $endpointScheme -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl b/charts/senlin/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..8d0819c
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
@@ -0,0 +1,52 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  This function helps resolve uri style endpoints. It will omit the port for
+  http when 80 is used, and 443 in the case of https.
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+      path: /dbname
+      scheme: mysql+pymysql
+      port:
+        mysql:
+          default: 3306
+usage: |
+  {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+return: |
+  mysql+pymysql://mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- if or ( and ( eq $endpointScheme "http" ) ( eq $endpointPort "80" ) ) ( and ( eq $endpointScheme "https" ) ( eq $endpointPort "443" ) ) -}}
+{{- printf "%s://%s%s" $endpointScheme $endpointHost $endpointPath -}}
+{{- else -}}
+{{- printf "%s://%s:%s%s" $endpointScheme $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl b/charts/senlin/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
new file mode 100644
index 0000000..cf2ef38
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  This function returns endpoint "<namespace>:<name>" pair from an endpoint
+  definition. This is used in kubernetes-entrypoint to support dependencies
+  between different services in different namespaces.
+  returns: the endpoint namespace and the service name, delimited by a colon
+
+  Normally, the service name is constructed dynamically from the hostname
+  however when an ip address is used as the hostname, we default to
+  namespace:endpointCategoryName in order to construct a valid service name
+  however this can be overridden to a custom service name by defining
+  .service.name within the endpoint definition
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      namespace: foo
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: null
+usage: |
+  {{ tuple oslo_db internal . | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}
+return: |
+  foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- with $endpointMap -}}
+{{- $endpointName := index .hosts $endpoint | default .hosts.default }}
+{{- $endpointNamespace := .namespace | default $context.Release.Namespace }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointName }}
+{{- if .service.name }}
+{{- printf "%s:%s" $endpointNamespace .service.name -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $typeYamlSafe -}}
+{{- end -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $endpointName -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl b/charts/senlin/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
new file mode 100644
index 0000000..18453ee
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for kubernete ceph storageclass
+examples:
+  - values: |
+      manifests:
+        storageclass: true
+      storageclass:
+        rbd:
+          provision_storage_class: true
+          provisioner: "ceph.com/rbd"
+          metadata:
+            default_storage_class: true
+            name: general
+          parameters:
+            #We will grab the monitors value based on helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup
+            pool: rbd
+            admin_id: admin
+            ceph_configmap_name: "ceph-etc"
+            admin_secret_name: "pvc-ceph-conf-combined-storageclass"
+            admin_secret_namespace: ceph
+            user_id: admin
+            user_secret_name: "pvc-ceph-client-key"
+            image_format: "2"
+            image_features: layering
+        cephfs:
+          provision_storage_class: true
+          provisioner: "ceph.com/cephfs"
+          metadata:
+            name: cephfs
+          parameters:
+            admin_id: admin
+            admin_secret_name: "pvc-ceph-cephfs-client-key"
+            admin_secret_namespace: ceph
+    usage: |
+      {{- range $storageclass, $val := .Values.storageclass }}
+      {{ dict "storageclass_data" $val "envAll" $ | include "helm-toolkit.manifests.ceph-storageclass" }}
+      {{- end }}
+    return: |
+      ---
+      apiVersion: storage.k8s.io/v1
+      kind: StorageClass
+      metadata:
+        annotations:
+          storageclass.kubernetes.io/is-default-class: "true"
+        name: general
+      provisioner: ceph.com/rbd
+      parameters:
+        monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+        adminId: admin
+        adminSecretName: pvc-ceph-conf-combined-storageclass
+        adminSecretNamespace: ceph
+        pool: rbd
+        userId: admin
+        userSecretName: pvc-ceph-client-key
+        image_format: "2"
+        image_features: layering
+      ---
+      apiVersion: storage.k8s.io/v1
+      kind: StorageClass
+      metadata:
+        name: cephfs
+      provisioner: ceph.com/cephfs
+      parameters:
+        monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+        adminId: admin
+        adminSecretName: pvc-ceph-cephfs-client-key
+        adminSecretNamespace: ceph
+*/}}
+
+{{- define "helm-toolkit.manifests.ceph-storageclass" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $monHost := $envAll.Values.conf.ceph.global.mon_host -}}
+{{- if empty $monHost -}}
+{{- $monHost = tuple "ceph_mon" "internal" "mon" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- end -}}
+{{- $storageclassData := index . "storageclass_data" -}}
+---
+{{- if $storageclassData.provision_storage_class }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+{{- if $storageclassData.metadata.default_storage_class }}
+  annotations:
+    storageclass.kubernetes.io/is-default-class: "true"
+{{- end }}
+  name: {{ $storageclassData.metadata.name }}
+provisioner: {{ $storageclassData.provisioner }}
+parameters:
+  monitors: {{ $monHost }}
+{{- range $attr, $value := $storageclassData.parameters }}
+  {{ $attr }}: {{ $value | quote }}
+{{- end }}
+allowVolumeExpansion: true
+
+{{- end }}
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/manifests/_certificates.tpl b/charts/senlin/charts/helm-toolkit/templates/manifests/_certificates.tpl
new file mode 100644
index 0000000..8be771e
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/manifests/_certificates.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a certificate using jetstack
+examples:
+  - values: |
+      endpoints:
+        dashboard:
+          host_fqdn_override:
+            default:
+              host: null
+              tls:
+                secretName: keystone-tls-api
+                issuerRef:
+                  name: ca-issuer
+                  duration: 2160h
+                  organization:
+                    - ACME
+                  commonName: keystone-api.openstack.svc.cluster.local
+                  privateKey:
+                    size: 2048
+                  usages:
+                    - server auth
+                    - client auth
+                  dnsNames:
+                    - cluster.local
+                  issuerRef:
+                    name: ca-issuer
+    usage: |
+      {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
+      {{ $opts | include "helm-toolkit.manifests.certificates" }}
+    return: |
+      ---
+      apiVersion: cert-manager.io/v1
+      kind: Certificate
+      metadata:
+        name: keystone-tls-api
+        namespace: NAMESPACE
+      spec:
+        commonName: keystone-api.openstack.svc.cluster.local
+        dnsNames:
+        - cluster.local
+        duration: 2160h
+        issuerRef:
+          name: ca-issuer
+        privateKey:
+          size: 2048
+        organization:
+        - ACME
+        secretName: keystone-tls-api
+        usages:
+        - server auth
+        - client auth
+*/}}
+
+{{- define "helm-toolkit.manifests.certificates" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $service := index . "service" -}}
+{{- $type := index . "type" | default "" -}}
+{{- $slice := index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" -}}
+{{/* Put in some sensible default value if one is not provided by values.yaml */}}
+{{/* If a dnsNames list is not in the values.yaml, it can be overridden by a passed-in parameter.
+  This allows user to use other HTK method to determine the URI and pass that into this method.*/}}
+{{- if not (hasKey $slice "dnsNames") -}}
+{{- $hostName := tuple $service $type $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
+{{- $_ := $dnsNames | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "dnsNames" -}}
+{{- end -}}
+{{/* Default privateKey size to 4096. This can be overridden. */}}
+{{- if not (hasKey $slice "privateKey") -}}
+{{- $_ := dict "size" ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "privateKey" -}}
+{{- else if empty (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey" "size") -}}
+{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey") "size" -}}
+{{- end -}}
+{{/* Default duration to 3 months. Note the min is 720h. This can be overridden. */}}
+{{- if not (hasKey $slice "duration") -}}
+{{- $_ := printf "%s" "2190h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "duration" -}}
+{{- end -}}
+{{/* Default renewBefore to 15 days. This can be overridden. */}}
+{{- if not (hasKey $slice "renewBefore") -}}
+{{- $_ := printf "%s" "360h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "renewBefore" -}}
+{{- end -}}
+{{/* Default the usage to server auth and client auth. This can be overridden. */}}
+{{- if not (hasKey $slice "usages") -}}
+{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}}
+{{- end -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }}
+  namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{ $slice | toYaml | indent 2 }}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/senlin/charts/helm-toolkit/templates/manifests/_ingress.tpl
new file mode 100644
index 0000000..7846895
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -0,0 +1,729 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a services ingress rules.
+examples:
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public: barbican
+          host_fqdn_override:
+            default: null
+            public:
+              host: barbican.openstackhelm.example
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican-namespace-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican.openstackhelm.example
+        rules:
+          - host: barbican.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican-cluster-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx-cluster"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican.openstackhelm.example
+        rules:
+          - host: barbican.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: barbican-tls-public
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  - values: |
+      cert_issuer_type: issuer
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/secure-backends: "true"
+              nginx.ingress.kubernetes.io/backend-protocol: "https"
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+              internal: barbican-tls-api
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+          certs:
+            barbican_tls_api:
+              secretName: barbican-tls-api
+              issuerRef:
+                name: ca-issuer
+                kind: Issuer
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" ) -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          cert-manager.io/issuer: ca-issuer
+          certmanager.k8s.io/issuer: ca-issuer
+          nginx.ingress.kubernetes.io/backend-protocol: https
+          nginx.ingress.kubernetes.io/secure-backends: "true"
+      spec:
+        tls:
+          - secretName: barbican-tls-public-certmanager
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+
+  - values: |
+      network:
+        api:
+          ingress:
+            public: true
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/secure-backends: "true"
+              nginx.ingress.kubernetes.io/backend-protocol: "https"
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+              internal: barbican-tls-api
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        key_manager:
+          name: barbican
+          hosts:
+            default: barbican-api
+            public:
+              host: barbican
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+          host_fqdn_override:
+            default: null
+          path:
+            default: /
+          scheme:
+            default: http
+            public: https
+          port:
+            api:
+              default: 9311
+              public: 80
+          certs:
+            barbican_tls_api:
+              secretName: barbican-tls-api
+              issuerRef:
+                name: ca-issuer
+                kind: ClusterIssuer
+    usage: |
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer") -}}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: barbican
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          cert-manager.io/cluster-issuer: ca-issuer
+          certmanager.k8s.io/cluster-issuer: ca-issuer
+          nginx.ingress.kubernetes.io/backend-protocol: https
+          nginx.ingress.kubernetes.io/secure-backends: "true"
+      spec:
+        tls:
+          - secretName: barbican-tls-public-certmanager
+            hosts:
+              - barbican
+              - barbican.default
+              - barbican.default.svc.cluster.local
+        rules:
+          - host: barbican
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+          - host: barbican.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: barbican-api
+                      port:
+                        name: b-api
+  # Sample usage for multiple DNS names associated with the same public
+  # endpoint and certificate
+  - values: |
+      endpoints:
+        cluster_domain_suffix: cluster.local
+        grafana:
+          name: grafana
+          hosts:
+            default: grafana-dashboard
+            public: grafana
+          host_fqdn_override:
+            public:
+              host: grafana.openstackhelm.example
+              tls:
+                dnsNames:
+                  - grafana-alt.openstackhelm.example
+                crt: "BASE64 ENCODED CERT"
+                key: "BASE64 ENCODED KEY"
+      network:
+        grafana:
+          ingress:
+            classes:
+              namespace: "nginx"
+              cluster: "nginx-cluster"
+            annotations:
+              nginx.ingress.kubernetes.io/rewrite-target: /
+      secrets:
+        tls:
+          grafana:
+            grafana:
+              public: grafana-tls-public
+    usage: |
+      {{- $ingressOpts := dict "envAll" . "backendService" "grafana" "backendServiceType" "grafana" "backendPort" "dashboard" -}}
+      {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+    return: |
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        rules:
+          - host: grafana
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana.default
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana.default.svc.cluster.local
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana-namespace-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: grafana-tls-public
+            hosts:
+              - grafana.openstackhelm.example
+              - grafana-alt.openstackhelm.example
+        rules:
+          - host: grafana.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana-alt.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: grafana-cluster-fqdn
+        annotations:
+          kubernetes.io/ingress.class: "nginx-cluster"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+
+      spec:
+        tls:
+          - secretName: grafana-tls-public
+            hosts:
+              - grafana.openstackhelm.example
+              - grafana-alt.openstackhelm.example
+        rules:
+          - host: grafana.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+          - host: grafana-alt.openstackhelm.example
+            http:
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+                  backend:
+                    service:
+                      name: grafana-dashboard
+                      port:
+                        name: dashboard
+
+*/}}
+
+{{- define "helm-toolkit.manifests.ingress._host_rules" -}}
+{{- $vHost := index . "vHost" -}}
+{{- $backendName := index . "backendName" -}}
+{{- $backendPort := index . "backendPort" -}}
+- host: {{ $vHost }}
+  http:
+    paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: {{ $backendName }}
+            port:
+{{- if or (kindIs "int" $backendPort) (regexMatch "^[0-9]{1,5}$" $backendPort) }}
+              number: {{ $backendPort | int }}
+{{- else }}
+              name: {{ $backendPort | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "helm-toolkit.manifests.ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendService := index . "backendService" | default "api" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+{{- $backendPort := index . "backendPort" -}}
+{{- $endpoint := index . "endpoint" | default "public" -}}
+{{- $certIssuer := index . "certIssuer" | default "" -}}
+{{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostNameFull := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $certIssuerType := "cluster-issuer" -}}
+{{- if $envAll.Values.cert_issuer_type }}
+{{- $certIssuerType = $envAll.Values.cert_issuer_type }}
+{{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $ingressName }}
+  annotations:
+    kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" "namespace" | quote }}
+{{- if $certIssuer }}
+    cert-manager.io/{{ $certIssuerType }}: {{ $certIssuer }}
+    certmanager.k8s.io/{{ $certIssuerType }}: {{ $certIssuer }}
+{{- $slice := index $envAll.Values.endpoints $backendServiceType "host_fqdn_override" "default" "tls" -}}
+{{- if (hasKey $slice "duration") }}
+    cert-manager.io/duration: {{ index $slice "duration" }}
+{{- end }}
+{{- end }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "hosts" }}
+{{- if $certIssuer }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ printf "%s-ing" $secretName }}
+      hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+        - {{ $vHost }}
+{{- end }}
+{{- else }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ $secretName }}
+      hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+        - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+  rules:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+{{- $hostRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
+{{- $ingressConf := $envAll.Values.network.server.ingress -}}
+{{- $ingressClasses := ternary (tuple "namespace") (tuple "namespace" "cluster") (and (hasKey $ingressConf "use_external_ingress_controller") $ingressConf.use_external_ingress_controller) }}
+{{- range $key2, $ingressController := $ingressClasses }}
+{{- $vHosts := list $hostNameFull }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ printf "%s-%s-%s" $ingressName $ingressController "fqdn" }}
+  annotations:
+    kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" $ingressController | quote }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
+{{- $vHosts = append $vHosts $v }}
+{{- end }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+  tls:
+    - secretName: {{ $secretName }}
+      hosts:
+{{- range $vHost := $vHosts }}
+        - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+  rules:
+{{- range $vHost := $vHosts }}
+{{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/charts/senlin/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
new file mode 100644
index 0000000..5d98c8b
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
@@ -0,0 +1,141 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $bootstrapJob := dict "envAll" . "serviceName" "senlin" -}
+# { $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }
+
+{{- define "helm-toolkit.manifests.job_bootstrap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}}
+{{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $keystoneUser := index . "keystoneUser" | default $serviceName -}}
+{{- $openrc := index . "openrc" | default "true" -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "bootstrap" }}
+{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "bootstrap" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+      containers:
+        - name: bootstrap
+          image: {{ $envAll.Values.images.tags.bootstrap }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if eq $openrc "true" }}
+          env:
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+{{- end }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/bootstrap.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: bootstrap-sh
+              mountPath: /tmp/bootstrap.sh
+              subPath: bootstrap.sh
+              readOnly: true
+            - name: etc-service
+              mountPath: {{ dir $configFile | quote }}
+            - name: bootstrap-conf
+              mountPath: {{ $configFile | quote }}
+              subPath: {{ base $configFile | quote }}
+              readOnly: true
+            - name: bootstrap-conf
+              mountPath: {{ $logConfigFile | quote }}
+              subPath: {{ base $logConfigFile | quote }}
+              readOnly: true
+{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: bootstrap-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etc-service
+          emptyDir: {}
+        - name: bootstrap-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/charts/senlin/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
new file mode 100644
index 0000000..62ed119
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
@@ -0,0 +1,170 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToDropJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_drop_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToDrop := index . "dbToDrop" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToDrop := default (list $dbToDrop) (index . "dbsToDrop") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
+{{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-drop" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": hook-succeeded
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_drop" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_drop" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{ $dbToDropType := default "oslo" $dbToDrop.inputType }}
+        - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-drop" $key1 | quote }}
+          image: {{ $envAll.Values.images.tags.db_drop }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_drop | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: ROOT_DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToDrop.adminSecret | quote }}
+                  key: DB_CONNECTION
+{{- if eq $dbToDropType "oslo" }}
+            - name: OPENSTACK_CONFIG_FILE
+              value: {{ $dbToDrop.configFile | quote }}
+            - name: OPENSTACK_CONFIG_DB_SECTION
+              value: {{ $dbToDrop.configDbSection | quote }}
+            - name: OPENSTACK_CONFIG_DB_KEY
+              value: {{ $dbToDrop.configDbKey | quote }}
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+            - name: MARIADB_X509
+              value: "REQUIRE X509"
+{{- end }}
+{{- if eq $dbToDropType "secret" }}
+            - name: DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToDrop.userSecret | quote }}
+                  key: DB_CONNECTION
+{{- end }}
+          command:
+            - /tmp/db-drop.py
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-drop-sh
+              mountPath: /tmp/db-drop.py
+              subPath: db-drop.py
+              readOnly: true
+
+{{- if eq $dbToDropType "oslo" }}
+            - name: etc-service
+              mountPath: {{ dir $dbToDrop.configFile | quote }}
+            - name: db-drop-conf
+              mountPath: {{ $dbToDrop.configFile | quote }}
+              subPath: {{ base $dbToDrop.configFile | quote }}
+              readOnly: true
+            - name: db-drop-conf
+              mountPath: {{ $dbToDrop.logConfigFile | quote }}
+              subPath: {{ base $dbToDrop.logConfigFile | quote }}
+              readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-drop-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{- $dbToDropType := default "oslo" $dbToDrop.inputType }}
+{{- if and (eq $dbToDropType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-drop-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/charts/senlin/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
new file mode 100644
index 0000000..745e8da
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
@@ -0,0 +1,169 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToInitJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_init_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToInit := index . "dbToInit" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToInit := default (list $dbToInit) (index . "dbsToInit") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
+{{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-init" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{ $dbToInitType := default "oslo" $dbToInit.inputType }}
+        - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-init" $key1 | quote }}
+          image: {{ $envAll.Values.images.tags.db_init }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: ROOT_DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToInit.adminSecret | quote }}
+                  key: DB_CONNECTION
+{{- if eq $dbToInitType "oslo" }}
+            - name: OPENSTACK_CONFIG_FILE
+              value: {{ $dbToInit.configFile | quote }}
+            - name: OPENSTACK_CONFIG_DB_SECTION
+              value: {{ $dbToInit.configDbSection | quote }}
+            - name: OPENSTACK_CONFIG_DB_KEY
+              value: {{ $dbToInit.configDbKey | quote }}
+{{- end }}
+{{- if eq $dbToInitType "secret" }}
+            - name: DB_CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $dbToInit.userSecret | quote }}
+                  key: DB_CONNECTION
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+            - name: MARIADB_X509
+              value: "REQUIRE X509"
+{{- end }}
+          command:
+            - /tmp/db-init.py
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-init-sh
+              mountPath: /tmp/db-init.py
+              subPath: db-init.py
+              readOnly: true
+{{- if eq $dbToInitType "oslo" }}
+            - name: etc-service
+              mountPath: {{ dir $dbToInit.configFile | quote }}
+            - name: db-init-conf
+              mountPath: {{ $dbToInit.configFile | quote }}
+              subPath: {{ base $dbToInit.configFile | quote }}
+              readOnly: true
+            - name: db-init-conf
+              mountPath: {{ $dbToInit.logConfigFile | quote }}
+              subPath: {{ base $dbToInit.logConfigFile | quote }}
+              readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-init-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{- $dbToInitType := default "oslo" $dbToInit.inputType }}
+{{- if and (eq $dbToInitType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-init-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl b/charts/senlin/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
new file mode 100644
index 0000000..24d2496
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
@@ -0,0 +1,137 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db migration and management.
+# It can be used in charts dict created similar to the following:
+# {- $dbSyncJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }
+
+{{- define "helm-toolkit.manifests.job_db_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $podEnvVars := index . "podEnvVars" | default false -}}
+{{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "image" ( index $envAll.Values.images.tags ( printf "%s_db_sync" $serviceName )) ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
+{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "db_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "db_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+          image: {{ $dbToSync.image | quote }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if $podEnvVars }}
+          env:
+{{ $podEnvVars | toYaml | indent 12 }}
+{{- end }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/db-sync.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: db-sync-sh
+              mountPath: /tmp/db-sync.sh
+              subPath: db-sync.sh
+              readOnly: true
+            - name: etc-service
+              mountPath: {{ dir $dbToSync.configFile | quote }}
+            - name: db-sync-conf
+              mountPath: {{ $dbToSync.configFile | quote }}
+              subPath: {{ base $dbToSync.configFile | quote }}
+              readOnly: true
+            - name: db-sync-conf
+              mountPath: {{ $dbToSync.logConfigFile | quote }}
+              subPath: {{ base $dbToSync.logConfigFile | quote }}
+              readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: db-sync-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etc-service
+          emptyDir: {}
+        - name: db-sync-conf
+          secret:
+            secretName: {{ $configMapEtc | quote }}
+            defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/charts/senlin/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
new file mode 100644
index 0000000..3a7df7f
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
@@ -0,0 +1,130 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksEndpointJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksEndpointJob | include "helm-toolkit.manifests.job_ks_endpoints" }
+
+{{- define "helm-toolkit.manifests.job_ks_endpoints" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_endpoints" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_endpoints.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-endpoints" }}
+{{ tuple $envAll "ks_endpoints" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "ks-endpoints" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_endpoints" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_endpoints" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+        - name: {{ printf "%s-%s-%s" $osServiceType "ks-endpoints" $osServiceEndPoint | quote }}
+          image: {{ $envAll.Values.images.tags.ks_endpoints }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-endpoints.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-endpoints-sh
+              mountPath: /tmp/ks-endpoints.sh
+              subPath: ks-endpoints.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: OS_SVC_ENDPOINT
+              value: {{ $osServiceEndPoint | quote }}
+            - name: OS_SERVICE_NAME
+              value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+            - name: OS_SERVICE_TYPE
+              value: {{ $osServiceType | quote }}
+            - name: OS_SERVICE_ENDPOINT
+              value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-endpoints-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl b/charts/senlin/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
new file mode 100644
index 0000000..a109e3c
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
@@ -0,0 +1,124 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksServiceJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }
+
+{{- define "helm-toolkit.manifests.job_ks_service" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_service" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_service.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-service" }}
+{{ tuple $envAll "ks_service" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "ks-service" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_service" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_service" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+        - name: {{ printf "%s-%s" $osServiceType "ks-service-registration" | quote }}
+          image: {{ $envAll.Values.images.tags.ks_service }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-service.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-service-sh
+              mountPath: /tmp/ks-service.sh
+              subPath: ks-service.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: OS_SERVICE_NAME
+              value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+            - name: OS_SERVICE_TYPE
+              value: {{ $osServiceType | quote }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-service-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/charts/senlin/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
new file mode 100644
index 0000000..905eb71
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone user management.
+# It can be used in charts dict created similar to the following:
+# {- $ksUserJob := dict "envAll" . "serviceName" "senlin" }
+# { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }
+
+{{/*
+  # To enable PodSecuritycontext (PodSecurityContext/v1) define the below in values.yaml:
+  # example:
+  #  values: |
+  #    pod:
+  #      security_context:
+  #        ks_user:
+  #          pod:
+  #            runAsUser: 65534
+  # To enable Container SecurityContext(SecurityContext/v1) for ks-user container define the values:
+  # example:
+  #   values: |
+  #     pod:
+  #       security_context:
+  #         ks_user:
+  #           container:
+  #             ks-user:
+  #               runAsUser: 65534
+  #               readOnlyRootFilesystem: true
+  #               allowPrivilegeEscalation: false
+*/}}
+
+{{- define "helm-toolkit.manifests.job_ks_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_user" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_user.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "ks-user" }}
+{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceUserPretty "ks-user" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+{{ dict "envAll" $envAll "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      restartPolicy: {{ $restartPolicy }}
+      {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: ks-user
+          image: {{ $envAll.Values.images.tags.ks_user }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ks_user" "container" "ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-user.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-user-sh
+              mountPath: /tmp/ks-user.sh
+              subPath: ks-user.sh
+              readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: SERVICE_OS_SERVICE_NAME
+              value: {{ $serviceName | quote }}
+{{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: SERVICE_OS_ROLES
+            {{- $serviceOsRoles := index $envAll.Values.endpoints.identity.auth $serviceUser "role" }}
+            {{- if kindIs "slice" $serviceOsRoles }}
+              value: {{ include "helm-toolkit.utils.joinListWithComma" $serviceOsRoles | quote }}
+            {{- else }}
+              value: {{ $serviceOsRoles | quote }}
+            {{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-user-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/charts/senlin/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
new file mode 100644
index 0000000..6982064
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
@@ -0,0 +1,129 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.manifests.job_rabbit_init" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
+{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceUserPretty "rabbit-init" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "rabbit_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "rabbit_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: rabbit-init
+          image: {{ $envAll.Values.images.tags.rabbit_init | quote }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.rabbit_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/rabbit-init.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: rabbit-init-sh
+              mountPath: /tmp/rabbit-init.sh
+              subPath: rabbit-init.sh
+              readOnly: true
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+          env:
+          - name: RABBITMQ_ADMIN_CONNECTION
+            valueFrom:
+              secretKeyRef:
+                name: {{ $envAll.Values.secrets.oslo_messaging.admin }}
+                key: RABBITMQ_CONNECTION
+          - name: RABBITMQ_USER_CONNECTION
+            valueFrom:
+              secretKeyRef:
+                name: {{ index $envAll.Values.secrets.oslo_messaging $serviceName }}
+                key: RABBITMQ_CONNECTION
+{{- if $envAll.Values.conf.rabbitmq }}
+          - name: RABBITMQ_AUXILIARY_CONFIGURATION
+            value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates (ne $tlsSecret "") }}
+          - name: RABBITMQ_X509
+            value: "REQUIRE X509"
+          - name: USER_CERT_PATH
+            value: {{ $tlsPath | quote }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: rabbit-init-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl b/charts/senlin/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
new file mode 100644
index 0000000..29cb993
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
@@ -0,0 +1,147 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for linking an s3 bucket to an s3 user.
+# It can be used in charts dict created similar to the following:
+# {- $s3BucketJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3BucketJob | include "helm-toolkit.manifests.job_s3_bucket" }
+
+{{- define "helm-toolkit.manifests.job_s3_bucket" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+{{- $s3Bucket := index . "s3Bucket" | default $serviceName }}
+{{- $tlsCertificateSecret := index . "tlsCertificateSecret" -}}
+{{- $tlsCertificatePath := index . "tlsCertificatePath" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-bucket" }}
+{{ tuple $envAll "s3_bucket" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "s3-bucket" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "s3_bucket" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "s3_bucket" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: s3-bucket
+          image: {{ $envAll.Values.images.tags.s3_bucket }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_bucket | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/create-s3-bucket.sh
+          env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: s3-bucket-sh
+              mountPath: /tmp/create-s3-bucket.sh
+              subPath: create-s3-bucket.sh
+              readOnly: true
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: ceph.conf
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+            - name: {{ $tlsCertificateSecret }}
+              mountPath: {{ $tlsCertificatePath }}
+              subPath: ca.crt
+              readOnly: true
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: s3-bucket-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: etcceph
+          emptyDir: {}
+        - name: ceph-etc
+          configMap:
+            name: {{ $configMapCeph | quote }}
+            defaultMode: 0444
+        {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+        - name: ceph-keyring
+          secret:
+            secretName: pvc-ceph-client-key
+        {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+        - name: {{ $tlsCertificateSecret }}
+          secret:
+            secretName: {{ $tlsCertificateSecret }}
+            defaultMode: 292
+{{- end }}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl b/charts/senlin/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
new file mode 100644
index 0000000..50d9af5
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
@@ -0,0 +1,159 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for s3 user management.
+# It can be used in charts dict created similar to the following:
+# {- $s3UserJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3UserJob | include "helm-toolkit.manifests.job_s3_user" }
+
+{{- define "helm-toolkit.manifests.job_s3_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-user" }}
+{{ tuple $envAll "s3_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "s3-user" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook-delete-policy": before-hook-creation
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName | quote }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "s3_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "s3_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: ceph-keyring-placement
+          image: {{ $envAll.Values.images.tags.ceph_key_placement }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+          command:
+            - /tmp/ceph-admin-keyring.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-keyring-sh
+              mountPath: /tmp/ceph-admin-keyring.sh
+              subPath: ceph-admin-keyring.sh
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+      containers:
+        - name: s3-user
+          image: {{ $envAll.Values.images.tags.s3_user }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/create-s3-user.sh
+          env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+            - name: RGW_HOST
+              value: {{ tuple "ceph_object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: create-s3-user-sh
+              mountPath: /tmp/create-s3-user.sh
+              subPath: create-s3-user.sh
+              readOnly: true
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: ceph.conf
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: create-s3-user-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: ceph-keyring-sh
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+        - name: etcceph
+          emptyDir: {}
+        - name: ceph-etc
+          configMap:
+            name: {{ $configMapCeph | quote }}
+            defaultMode: 0444
+        {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+        - name: ceph-keyring
+          secret:
+            secretName: pvc-ceph-client-key
+        {{ end }}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl b/charts/senlin/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
new file mode 100644
index 0000000..0906df4
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
@@ -0,0 +1,119 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for the image repo sync jobs.
+# It can be used in charts dict created similar to the following:
+# {- $imageRepoSyncJob := dict "envAll" . "serviceName" "prometheus" -}
+# { $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }
+
+{{- define "helm-toolkit.manifests.job_image_repo_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "image-repo-sync" }}
+{{ tuple $envAll "image_repo_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceNamePretty "image-repo-sync" | quote }}
+  labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+  annotations:
+    "helm.sh/hook-delete-policy": before-hook-creation
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+  backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+  activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      {{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+      initContainers:
+{{ tuple $envAll "image_repo_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+      containers:
+        - name: image-repo-sync
+{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: LOCAL_REPO
+              value: "{{ tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+            - name: IMAGE_SYNC_LIST
+              value: "{{ include "helm-toolkit.utils.image_sync_list" $envAll }}"
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/image-repo-sync.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: bootstrap-sh
+              mountPath: /tmp/image-repo-sync.sh
+              subPath: image-repo-sync.sh
+              readOnly: true
+            - name: docker-socket
+              mountPath: /var/run/docker.sock
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: bootstrap-sh
+{{- if $secretBin }}
+          secret:
+            secretName: {{ $secretBin | quote }}
+            defaultMode: 0555
+{{- else }}
+          configMap:
+            name: {{ $configMapBin | quote }}
+            defaultMode: 0555
+{{- end }}
+        - name: docker-socket
+          hostPath:
+            path: /var/run/docker.sock
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/manifests/_network_policy.tpl b/charts/senlin/charts/helm-toolkit/templates/manifests/_network_policy.tpl
new file mode 100644
index 0000000..405197a
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/manifests/_network_policy.tpl
@@ -0,0 +1,238 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a network policy manifest for services.
+values: |
+  endpoints:
+    kube_dns:
+      namespace: kube-system
+      name: kubernetes-dns
+      hosts:
+        default: kube-dns
+      host_fqdn_override:
+        default: null
+      path:
+        default: null
+      scheme: http
+      port:
+        dns_tcp:
+          default: 53
+        dns:
+          default: 53
+          protocol: UDP
+  network_policy:
+    myLabel:
+      podSelector:
+        matchLabels:
+          component: api
+      ingress:
+      - from:
+        - podSelector:
+            matchLabels:
+              application: keystone
+        ports:
+        - protocol: TCP
+          port: 80
+      egress:
+      - to:
+        - namespaceSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+usage: |
+  {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+  {{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}
+return: |
+  ---
+  apiVersion: networking.k8s.io/v1
+  kind: NetworkPolicy
+  metadata:
+    name: RELEASE-NAME
+    namespace: NAMESPACE
+  spec:
+    policyTypes:
+      - Ingress
+      - Egress
+    podSelector:
+      matchLabels:
+        application: myLabel
+        component: api
+    ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            application: keystone
+      ports:
+      - protocol: TCP
+        port: 80
+    egress:
+      - to:
+        - podSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+  ---
+  apiVersion: networking.k8s.io/v1
+  kind: NetworkPolicy
+  metadata:
+    name: RELEASE-NAME
+    namespace: NAMESPACE
+  spec:
+    policyTypes:
+      - Ingress
+      - Egress
+    podSelector:
+      matchLabels:
+        application: myApp
+        component: myComp
+    ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            application: keystone
+      ports:
+      - protocol: TCP
+        port: 80
+    egress:
+      - to:
+        - podSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+*/}}
+
+{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $name := index . "name" -}}
+{{- $labels := index . "labels" | default nil -}}
+{{- $label := index . "key" | default (index . "label") -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ $label | replace "_" "-" }}-netpol
+  namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+  policyTypes:
+{{- $is_egress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_egress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
+    - Egress
+{{ end -}}
+{{- $is_ingress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_ingress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
+    - Ingress
+{{ end -}}
+{{- end }}
+  podSelector:
+    matchLabels:
+{{- if empty $labels }}
+      {{ $name }}: {{ $label }}
+{{- else }}
+{{ range $k, $v := $labels }}
+      {{ $k }}: {{ $v }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
+{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
+{{ index $envAll.Values.network_policy $label "podSelector" "matchLabels" | toYaml | indent 6 }}
+{{ end }}
+{{ end }}
+{{ end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+  egress:
+{{- range $key, $value := $envAll.Values.endpoints }}
+{{- if kindIs "map" $value }}
+{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }}
+    - to:
+{{- if index $value "namespace" }}
+      - namespaceSelector:
+          matchLabels:
+            name: {{ index $value "namespace" }}
+{{- else if index $value "hosts" }}
+{{- $defaultValue := index $value "hosts" "internal" }}
+{{- if hasKey (index $value "hosts") "internal" }}
+{{- $a := split "-" $defaultValue }}
+      - podSelector:
+          matchLabels:
+            application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- else }}
+{{- $defaultValue := index $value "hosts" "default" }}
+{{- $a := split "-" $defaultValue }}
+      - podSelector:
+          matchLabels:
+            application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- end }}
+{{- end }}
+{{- if index $value "port" }}
+      ports:
+{{- range $k, $v := index $value "port" }}
+{{- if $k }}
+{{- range $pk, $pv := $v }}
+{{- if and $pv (ne $pk "protocol") }}
+      - port: {{ $pv }}
+        protocol: {{ $v.protocol | default "TCP" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if index $envAll.Values.network_policy $label "egress" }}
+{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if index $envAll.Values.network_policy $label "ingress" }}
+  ingress:
+{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl b/charts/senlin/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
new file mode 100644
index 0000000..4854bb1
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
@@ -0,0 +1,93 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a authenticating a registry with a secret
+examples:
+  - values: |
+      secrets:
+        oci_image_registry:
+          {{ $serviceName }}: {{ $keyName }}
+      endpoints:
+        oci_image_registry:
+          name: oci-image-registry
+          auth:
+            enabled: true
+             {{ $serviceName }}:
+                name: {{ $userName }}
+                password: {{ $password }}
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: {{ $secretName }}
+    type: kubernetes.io/dockerconfigjson
+    data:
+      dockerconfigjson: {{ $dockerAuth }}
+
+  - values: |
+      secrets:
+        oci_image_registry:
+          {{ $serviceName }}: {{ $keyName }}
+      endpoints:
+        oci_image_registry:
+          name: oci-image-registry
+          auth:
+            enabled: true
+             {{ $serviceName }}:
+                name: {{ $userName }}
+                password: {{ $password }}
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: {{ $secretName }}
+    type: kubernetes.io/dockerconfigjson
+    data:
+      dockerconfigjson: {{ $dockerAuth }}
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_registry" }}
+{{- $envAll := index . "envAll" }}
+{{- $registryUser := index . "registryUser" }}
+{{- $secretName := index $envAll.Values.secrets.oci_image_registry $registryUser }}
+{{- $registryHost := tuple "oci_image_registry" "internal" $envAll | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{/*
+We only use "host:port" when port is non-null, else just use "host"
+*/}}
+{{- $registryPort := "" }}
+{{- $port := $envAll.Values.endpoints.oci_image_registry.port.registry.default }}
+{{- if $port }}
+{{- $port = tuple "oci_image_registry" "internal" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $registryPort = printf ":%s" $port }}
+{{- end }}
+{{- $imageCredentials := index $envAll.Values.endpoints.oci_image_registry.auth $registryUser }}
+{{- $dockerAuthToken := printf "%s:%s" $imageCredentials.username $imageCredentials.password | b64enc }}
+{{- $dockerAuth := printf "{\"auths\": {\"%s%s\": {\"auth\": \"%s\"}}}" $registryHost $registryPort $dockerAuthToken | b64enc }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ $dockerAuth }}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl b/charts/senlin/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
new file mode 100644
index 0000000..24a7045
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a services public tls secret
+examples:
+  - values: |
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        key_manager:
+          host_fqdn_override:
+            public:
+              tls:
+                crt: |
+                  FOO-CRT
+                key: |
+                  FOO-KEY
+                ca: |
+                  FOO-CA_CRT
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: barbican-tls-public
+    type: kubernetes.io/tls
+    data:
+      tls.key: Rk9PLUtFWQo=
+      tls.crt: Rk9PLUNSVAoKRk9PLUNBX0NSVAo=
+
+  - values: |
+      secrets:
+        tls:
+          key_manager:
+            api:
+              public: barbican-tls-public
+      endpoints:
+        key_manager:
+          host_fqdn_override:
+            public:
+              tls:
+                crt: |
+                  FOO-CRT
+                  FOO-INTERMEDIATE_CRT
+                  FOO-CA_CRT
+                key: |
+                  FOO-KEY
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: barbican-tls-public
+    type: kubernetes.io/tls
+    data:
+      tls.key: Rk9PLUtFWQo=
+      tls.crt: Rk9PLUNSVApGT08tSU5URVJNRURJQVRFX0NSVApGT08tQ0FfQ1JUCg==
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_ingress_tls" }}
+{{- $envAll := index . "envAll" }}
+{{- $endpoint := index . "endpoint" | default "public" }}
+{{- $backendServiceType := index . "backendServiceType" }}
+{{- $backendService := index . "backendService" | default "api" }}
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and $endpointHost.tls.key $endpointHost.tls.crt }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ index $envAll.Values.secrets.tls ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+type: kubernetes.io/tls
+data:
+  tls.key: {{ $endpointHost.tls.key | b64enc }}
+{{- if $endpointHost.tls.ca }}
+  tls.crt: {{ list $endpointHost.tls.crt $endpointHost.tls.ca | join "\n" | b64enc }}
+{{- else }}
+  tls.crt: {{ $endpointHost.tls.crt | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/manifests/_service-ingress.tpl b/charts/senlin/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
new file mode 100644
index 0000000..d2e7c0e
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
@@ -0,0 +1,43 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for a services ingress rules.
+# It can be used in charts dict created similar to the following:
+# {- $serviceIngressOpts := dict "envAll" . "backendServiceType" "key-manager" -}
+# { $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }
+
+{{- define "helm-toolkit.manifests.service_ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+  ports:
+    - name: http
+      port: 80
+    - name: https
+      port: 443
+  selector:
+    app: ingress-api
+{{- if index $envAll.Values.endpoints $backendServiceType }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" "ingress" }}
+  clusterIP: {{ (index $envAll.Values.endpoints $backendServiceType "ip" "ingress") }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl b/charts/senlin/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
new file mode 100644
index 0000000..bf1465b
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_bucket" }}
+#!/bin/bash
+set -e
+CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST"
+if [ "$RGW_PROTO" = "http" ]; then
+  CONNECTION_ARGS+=" --no-ssl"
+else
+  CONNECTION_ARGS+=" --no-check-certificate"
+fi
+ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
+USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY"
+function check_rgw_s3_bucket () {
+  s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS ls s3://$S3_BUCKET
+}
+function create_rgw_s3_bucket () {
+  s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS mb s3://$S3_BUCKET
+}
+function modify_bucket_acl () {
+  s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME
+}
+check_rgw_s3_bucket || ( create_rgw_s3_bucket && modify_bucket_acl )
+{{- end }}
\ No newline at end of file
diff --git a/charts/senlin/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl b/charts/senlin/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
new file mode 100644
index 0000000..08796d2
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
@@ -0,0 +1,65 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_user" }}
+#!/bin/bash
+set -e
+function create_s3_user () {
+  echo "Creating s3 user and key pair"
+  radosgw-admin user create \
+    --uid=${S3_USERNAME} \
+    --display-name=${S3_USERNAME} \
+    --key-type=s3 \
+    --access-key ${S3_ACCESS_KEY} \
+    --secret-key ${S3_SECRET_KEY}
+}
+function update_s3_user () {
+  # Retrieve old access keys, if they exist
+  old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \
+    | jq -r '.keys[].access_key' || true)
+
+  if [[ ! -z ${old_access_keys} ]]; then
+    for access_key in $old_access_keys; do
+      # If current access key is the same as the key supplied, do nothing.
+      if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then
+        echo "Current user and key pair exists."
+        continue
+      else
+        # If keys differ, remove previous key
+        radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key
+      fi
+    done
+  fi
+
+  # Perform one more additional check to account for scenarios where multiple
+  # key pairs existed previously, but one existing key was the supplied key
+  current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \
+    | jq -r '.keys[].access_key' || true)
+
+  # If the supplied key does not exist, modify the user
+  if [[ -z ${current_access_key} ]]; then
+    # Modify user with new access and secret keys
+    echo "Updating existing user's key pair"
+    radosgw-admin user modify \
+      --uid=${S3_USERNAME}\
+      --access-key ${S3_ACCESS_KEY} \
+      --secret-key ${S3_SECRET_KEY}
+  fi
+}
+user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true)
+if [[ -z ${user_exists} ]]; then
+  create_s3_user
+else
+  update_s3_user
+fi
+{{- end }}
\ No newline at end of file
diff --git a/charts/senlin/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl b/charts/senlin/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
new file mode 100644
index 0000000..03884fa
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_drop" }}
+#!/usr/bin/env python
+
+# Drops db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+    import ConfigParser
+    PARSER_OPTS = {}
+except ImportError:
+    import configparser as ConfigParser
+    PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Drop')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+    db_connection = os.environ['ROOT_DB_CONNECTION']
+    logger.info('Got DB root connection')
+else:
+    logger.critical('environment variable ROOT_DB_CONNECTION not set')
+    sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+    ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+                        'key': '/etc/mysql/certs/tls.key',
+                        'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+    os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+    if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+        os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+        sys.exit(1)
+    if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+        os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+        sys.exit(1)
+    try:
+        config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+        logger.info("Using {0} as db config source".format(os_conf))
+        config.read(os_conf)
+        logger.info("Trying to load db config from {0}:{1}".format(
+            os_conf_section, os_conf_key))
+        user_db_conn = config.get(os_conf_section, os_conf_key)
+        logger.info("Got config from {0}".format(os_conf))
+    except:
+        logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+        raise
+elif "DB_CONNECTION" in os.environ:
+    user_db_conn = os.environ['DB_CONNECTION']
+    logger.info('Got config from DB_CONNECTION env var')
+else:
+    logger.critical('Could not get db config, either from config file or env var')
+    sys.exit(1)
+
+# Root DB engine
+try:
+    root_engine_full = create_engine(db_connection)
+    root_user = root_engine_full.url.username
+    root_password = root_engine_full.url.password
+    drivername = root_engine_full.url.drivername
+    host = root_engine_full.url.host
+    port = root_engine_full.url.port
+    root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+    root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+    connection = root_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+        host, port, root_user))
+except:
+    logger.critical('Could not connect to database as root user')
+    raise
+
+# User DB engine
+try:
+    user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+    # Get our user data out of the user_engine
+    database = user_engine.url.database
+    user = user_engine.url.username
+    password = user_engine.url.password
+    logger.info('Got user db config')
+except:
+    logger.critical('Could not get user database config')
+    raise
+
+# Delete DB
+try:
+    root_engine.execute("DROP DATABASE IF EXISTS {0}".format(database))
+    logger.info("Deleted database {0}".format(database))
+except:
+    logger.critical("Could not drop database {0}".format(database))
+    raise
+
+# Delete DB User
+try:
+    root_engine.execute("DROP USER IF EXISTS {0}".format(user))
+    logger.info("Deleted user {0}".format(user))
+except:
+    logger.critical("Could not delete user {0}".format(user))
+    raise
+
+logger.info('Finished DB Management')
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/scripts/_db-init.py.tpl b/charts/senlin/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
new file mode 100644
index 0000000..4294d40
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_init" }}
+#!/usr/bin/env python
+
+# Creates db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+    import ConfigParser
+    PARSER_OPTS = {}
+except ImportError:
+    import configparser as ConfigParser
+    PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Init')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+    db_connection = os.environ['ROOT_DB_CONNECTION']
+    logger.info('Got DB root connection')
+else:
+    logger.critical('environment variable ROOT_DB_CONNECTION not set')
+    sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+    ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+                'key': '/etc/mysql/certs/tls.key',
+                'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+    os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+    if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+        os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+        sys.exit(1)
+    if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+        os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+        sys.exit(1)
+    try:
+        config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+        logger.info("Using {0} as db config source".format(os_conf))
+        config.read(os_conf)
+        logger.info("Trying to load db config from {0}:{1}".format(
+            os_conf_section, os_conf_key))
+        user_db_conn = config.get(os_conf_section, os_conf_key)
+        logger.info("Got config from {0}".format(os_conf))
+    except:
+        logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+        raise
+elif "DB_CONNECTION" in os.environ:
+    user_db_conn = os.environ['DB_CONNECTION']
+    logger.info('Got config from DB_CONNECTION env var')
+else:
+    logger.critical('Could not get db config, either from config file or env var')
+    sys.exit(1)
+
+# Root DB engine
+try:
+    root_engine_full = create_engine(db_connection)
+    root_user = root_engine_full.url.username
+    root_password = root_engine_full.url.password
+    drivername = root_engine_full.url.drivername
+    host = root_engine_full.url.host
+    port = root_engine_full.url.port
+    root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+    root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+    connection = root_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+        host, port, root_user))
+except:
+    logger.critical('Could not connect to database as root user')
+    raise
+
+# User DB engine
+try:
+    user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+    # Get our user data out of the user_engine
+    database = user_engine.url.database
+    user = user_engine.url.username
+    password = user_engine.url.password
+    logger.info('Got user db config')
+except:
+    logger.critical('Could not get user database config')
+    raise
+
+# Create DB
+try:
+    root_engine.execute("CREATE DATABASE IF NOT EXISTS {0}".format(database))
+    logger.info("Created database {0}".format(database))
+except:
+    logger.critical("Could not create database {0}".format(database))
+    raise
+
+# Create DB User
+try:
+    root_engine.execute(
+        "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\' {3}".format(
+            database, user, password, mysql_x509))
+    logger.info("Created user {0} for {1}".format(user, database))
+except:
+    logger.critical("Could not create user {0} for {1}".format(user, database))
+    raise
+
+# Test connection
+try:
+    connection = user_engine.connect()
+    connection.close()
+    logger.info("Tested connection to DB @ {0}:{1}/{2} as {3}".format(
+        host, port, database, user))
+except:
+    logger.critical('Could not connect to database as user')
+    raise
+
+logger.info('Finished DB Management')
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl b/charts/senlin/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
new file mode 100644
index 0000000..4d7dfaa
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
@@ -0,0 +1,69 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "helm-toolkit.scripts.pg_db_init" }}
+#!/bin/bash
+set -ex
+
+if [[ ! -v DB_HOST ]]; then
+    echo "environment variable DB_HOST not set"
+    exit 1
+elif [[ ! -v DB_ADMIN_USER ]]; then
+    echo "environment variable DB_ADMIN_USER not set"
+    exit 1
+elif [[ ! -v PGPASSWORD ]]; then
+    echo "environment variable PGPASSWORD not set"
+    exit 1
+elif [[ ! -v DB_PORT ]]; then
+    echo "environment variable DB_PORT not set"
+    exit 1
+elif [[ ! -v USER_DB_USER ]]; then
+    echo "environment variable USER_DB_USER not set"
+    exit 1
+elif [[ ! -v USER_DB_PASS ]]; then
+    echo "environment variable USER_DB_PASS not set"
+    exit 1
+elif [[ ! -v USER_DB_NAME ]]; then
+    echo "environment variable USER_DB_NAME not set"
+    exit 1
+else
+    echo "Got DB connection info"
+fi
+
+pgsql_superuser_cmd () {
+  DB_COMMAND="$1"
+  if [[ ! -z $2 ]]; then
+      EXPORT PGDATABASE=$2
+  fi
+  /usr/bin/psql \
+  -h ${DB_HOST} \
+  -p ${DB_PORT} \
+  -U ${DB_ADMIN_USER} \
+  --command="${DB_COMMAND}"
+}
+
+#create db
+pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q "(1 row)" || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME"
+
+#create db user
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | grep -q "(1 row)" || \
+    pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';"
+
+#Set password everytime. This is required for cases when we would want password rotation to take effect and set the updated password for a user.
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} with password '$USER_DB_PASS'"
+
+#give permissions to user
+pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;"
+
+#revoke all privileges from PUBLIC role
+pgsql_superuser_cmd "REVOKE ALL ON DATABASE $USER_DB_NAME FROM PUBLIC;"
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl b/charts/senlin/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
new file mode 100644
index 0000000..e41abe3
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
@@ -0,0 +1,24 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.image_repo_sync" }}
+#!/bin/sh
+set -ex
+
+IFS=','; for IMAGE in ${IMAGE_SYNC_LIST}; do
+  docker pull ${IMAGE}
+  docker tag ${IMAGE} ${LOCAL_REPO}/${IMAGE}
+  docker push ${LOCAL_REPO}/${IMAGE}
+done
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl b/charts/senlin/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
new file mode 100644
index 0000000..8755cd5
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
@@ -0,0 +1,72 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_domain_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Manage domain
+SERVICE_OS_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Service Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+    "${SERVICE_OS_DOMAIN_NAME}")
+
+# Display domain
+openstack domain show "${SERVICE_OS_DOMAIN_ID}"
+
+# Manage user
+SERVICE_OS_USERID=$(openstack user create --or-show --enable -f value -c id \
+    --domain="${SERVICE_OS_DOMAIN_ID}" \
+    --description "Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+    --password="${SERVICE_OS_PASSWORD}" \
+    "${SERVICE_OS_USERNAME}")
+
+# Manage user password (we do this to ensure the password is updated if required)
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${SERVICE_OS_USERID}"
+
+# Display user
+openstack user show "${SERVICE_OS_USERID}"
+
+# Manage role
+SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \
+    "${SERVICE_OS_ROLE}" || openstack role create -f value -c id \
+    "${SERVICE_OS_ROLE}" )
+
+# Manage user role assignment
+openstack role add \
+          --domain="${SERVICE_OS_DOMAIN_ID}" \
+          --user="${SERVICE_OS_USERID}" \
+          --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+          "${SERVICE_OS_ROLE_ID}"
+
+# Display user role assignment
+openstack role assignment list \
+          --role="${SERVICE_OS_ROLE_ID}" \
+          --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+          --user="${SERVICE_OS_USERID}"
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl b/charts/senlin/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
new file mode 100644
index 0000000..e400bcd
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
@@ -0,0 +1,79 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_endpoints" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Get Service ID
+OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+                  grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+                    sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+# Get Endpoint ID if it exists
+OS_ENDPOINT_ID=$( openstack endpoint list  -f csv --quote none | \
+                  grep "^[a-z0-9]*,${OS_REGION_NAME},${OS_SERVICE_NAME},${OS_SERVICE_TYPE},True,${OS_SVC_ENDPOINT}," | \
+                  awk -F ',' '{ print $1 }' )
+
+# Making sure only a single endpoint exists for a service within a region
+if [ "$(echo $OS_ENDPOINT_ID | wc -w)" -gt "1" ]; then
+  echo "More than one endpoint found, cleaning up"
+  for ENDPOINT_ID in $OS_ENDPOINT_ID; do
+    openstack endpoint delete ${ENDPOINT_ID}
+  done
+  unset OS_ENDPOINT_ID
+fi
+
+# Determine if Endpoint needs updated
+if [[ ${OS_ENDPOINT_ID} ]]; then
+  OS_ENDPOINT_URL_CURRENT=$(openstack endpoint show ${OS_ENDPOINT_ID} -f value -c url)
+  if [ "${OS_ENDPOINT_URL_CURRENT}" == "${OS_SERVICE_ENDPOINT}" ]; then
+    echo "Endpoints Match: no action required"
+    OS_ENDPOINT_UPDATE="False"
+  else
+    echo "Endpoints Dont Match: removing existing entries"
+    openstack endpoint delete ${OS_ENDPOINT_ID}
+    OS_ENDPOINT_UPDATE="True"
+  fi
+else
+  OS_ENDPOINT_UPDATE="True"
+fi
+
+# Update Endpoint if required
+if [[ "${OS_ENDPOINT_UPDATE}" == "True" ]]; then
+  OS_ENDPOINT_ID=$( openstack endpoint create -f value -c id \
+    --region="${OS_REGION_NAME}" \
+    "${OS_SERVICE_ID}" \
+    ${OS_SVC_ENDPOINT} \
+    "${OS_SERVICE_ENDPOINT}" )
+fi
+
+# Display the Endpoint
+openstack endpoint show ${OS_ENDPOINT_ID}
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl b/charts/senlin/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
new file mode 100644
index 0000000..8356b36
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_service" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Service boilerplate description
+OS_SERVICE_DESC="${OS_REGION_NAME}: ${OS_SERVICE_NAME} (${OS_SERVICE_TYPE}) service"
+
+# Get Service ID if it exists
+unset OS_SERVICE_ID
+
+# FIXME - There seems to be an issue once in a while where the
+# openstack service list fails and encounters an error message such as:
+#   Unable to establish connection to
+#   https://keystone-api.openstack.svc.cluster.local:5000/v3/auth/tokens:
+#   ('Connection aborted.', OSError("(104, 'ECONNRESET')",))
+# During an upgrade scenario, this would cause the OS_SERVICE_ID to be blank
+# and it would attempt to create a new service when it was not needed.
+# This duplciate service would sometimes be used by other services such as
+# Horizon and would give an 'Invalid Service Catalog' error.
+# This loop allows for a 'retry' of the openstack service list in an
+# attempt to get the service list as expected if it does ecounter an error.
+# This loop and recheck can be reverted once the underlying issue is addressed.
+
+# If OS_SERVICE_ID is blank then wait a few seconds to give it
+# additional time and try again
+for i in $(seq 3)
+do
+  OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+                   grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+                   sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+  # If the service was found, go ahead and exit successfully.
+  if [[ -n "${OS_SERVICE_ID}" ]]; then
+    exit 0
+  fi
+
+  sleep 2
+done
+
+# If we've reached this point and a Service ID was not found,
+# then create the service
+OS_SERVICE_ID=$(openstack service create -f value -c id \
+                --name="${OS_SERVICE_NAME}" \
+                --description "${OS_SERVICE_DESC}" \
+                --enable \
+                "${OS_SERVICE_TYPE}")
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl b/charts/senlin/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
new file mode 100644
index 0000000..b45f798
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+shopt -s nocasematch
+
+if [[ "${SERVICE_OS_PROJECT_DOMAIN_NAME}" == "Default" ]]
+then
+  PROJECT_DOMAIN_ID="default"
+else
+  # Manage project domain
+  PROJECT_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
+    "${SERVICE_OS_PROJECT_DOMAIN_NAME}")
+fi
+
+if [[ "${SERVICE_OS_USER_DOMAIN_NAME}" == "Default" ]]
+then
+  USER_DOMAIN_ID="default"
+else
+  # Manage user domain
+  USER_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+    --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}" \
+    "${SERVICE_OS_USER_DOMAIN_NAME}")
+fi
+
+shopt -u nocasematch
+
+# Manage user project
+USER_PROJECT_DESC="Service Project for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+USER_PROJECT_ID=$(openstack project create --or-show --enable -f value -c id \
+    --domain="${PROJECT_DOMAIN_ID}" \
+    --description="${USER_PROJECT_DESC}" \
+    "${SERVICE_OS_PROJECT_NAME}");
+
+# Manage user
+USER_DESC="Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}/${SERVICE_OS_SERVICE_NAME}"
+USER_ID=$(openstack user create --or-show --enable -f value -c id \
+    --domain="${USER_DOMAIN_ID}" \
+    --project-domain="${PROJECT_DOMAIN_ID}" \
+    --project="${USER_PROJECT_ID}" \
+    --description="${USER_DESC}" \
+    "${SERVICE_OS_USERNAME}");
+
+# Manage user password (we do this in a seperate step to ensure the password is updated if required)
+set +x
+echo "Setting user password via: openstack user set --password=xxxxxxx ${USER_ID}"
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${USER_ID}"
+set -x
+
+function ks_assign_user_role () {
+  if [[ "$SERVICE_OS_ROLE" == "admin" ]]
+  then
+    USER_ROLE_ID="$SERVICE_OS_ROLE"
+  else
+    USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${SERVICE_OS_ROLE}");
+  fi
+
+  # Manage user role assignment
+  openstack role add \
+      --user="${USER_ID}" \
+      --user-domain="${USER_DOMAIN_ID}" \
+      --project-domain="${PROJECT_DOMAIN_ID}" \
+      --project="${USER_PROJECT_ID}" \
+      "${USER_ROLE_ID}"
+}
+
+# Manage user service role
+IFS=','
+for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
+  ks_assign_user_role
+done
+
+# Manage user member role
+: ${MEMBER_OS_ROLE:="member"}
+export USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
+    "${MEMBER_OS_ROLE}");
+ks_assign_user_role
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/senlin/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
new file mode 100644
index 0000000..87872d6
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -0,0 +1,106 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rabbit_init" }}
+#!/bin/bash
+set -e
+# Extract connection details
+RABBIT_HOSTNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $1}')
+RABBIT_PORT=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $2}')
+
+# Extract Admin User creadential
+RABBITMQ_ADMIN_USERNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $4}')
+RABBITMQ_ADMIN_PASSWORD=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $5}')
+
+# Extract User creadential
+RABBITMQ_USERNAME=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $4}')
+RABBITMQ_PASSWORD=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $5}')
+
+# Extract User vHost
+RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $3}')
+# Resolve vHost to / if no value is set
+RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
+
+function rabbitmqadmin_cli () {
+  if [ -n "$RABBITMQ_X509" ]
+  then
+    rabbitmqadmin \
+      --ssl \
+      --ssl-disable-hostname-verification \
+      --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
+      --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
+      --ssl-key-file="${USER_CERT_PATH}/tls.key" \
+      --host="${RABBIT_HOSTNAME}" \
+      --port="${RABBIT_PORT}" \
+      --username="${RABBITMQ_ADMIN_USERNAME}" \
+      --password="${RABBITMQ_ADMIN_PASSWORD}" \
+      ${@}
+  else
+    rabbitmqadmin \
+      --host="${RABBIT_HOSTNAME}" \
+      --port="${RABBIT_PORT}" \
+      --username="${RABBITMQ_ADMIN_USERNAME}" \
+      --password="${RABBITMQ_ADMIN_PASSWORD}" \
+      ${@}
+  fi
+}
+
+echo "Managing: User: ${RABBITMQ_USERNAME}"
+rabbitmqadmin_cli \
+  declare user \
+  name="${RABBITMQ_USERNAME}" \
+  password="${RABBITMQ_PASSWORD}" \
+  tags="user"
+
+if [ "${RABBITMQ_VHOST}" != "/" ]
+then
+  echo "Managing: vHost: ${RABBITMQ_VHOST}"
+  rabbitmqadmin_cli \
+    declare vhost \
+    name="${RABBITMQ_VHOST}"
+else
+  echo "Skipping root vHost declaration: vHost: ${RABBITMQ_VHOST}"
+fi
+
+echo "Managing: Permissions: ${RABBITMQ_USERNAME} on ${RABBITMQ_VHOST}"
+rabbitmqadmin_cli \
+  declare permission \
+  vhost="${RABBITMQ_VHOST}" \
+  user="${RABBITMQ_USERNAME}" \
+  configure=".*" \
+  write=".*" \
+  read=".*"
+
+if [ ! -z "$RABBITMQ_AUXILIARY_CONFIGURATION" ]
+then
+  echo "Applying additional configuration"
+  echo "${RABBITMQ_AUXILIARY_CONFIGURATION}" > /tmp/rmq_definitions.json
+  rabbitmqadmin_cli import /tmp/rmq_definitions.json
+fi
+
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/charts/senlin/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
new file mode 100644
index 0000000..c08d320
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
@@ -0,0 +1,88 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rally_test" -}}
+#!/bin/bash
+set -ex
+{{- $rallyTests := index . 0 }}
+
+: "${RALLY_ENV_NAME:="openstack-helm"}"
+: "${OS_INTERFACE:="public"}"
+: "${RALLY_CLEANUP:="true"}"
+
+if [ "x$RALLY_CLEANUP" == "xtrue" ]; then
+  function rally_cleanup {
+    openstack user delete \
+        --domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
+        "${SERVICE_OS_USERNAME}"
+{{ $rallyTests.clean_up | default "" | indent 4 }}
+  }
+  trap rally_cleanup EXIT
+fi
+
+function create_or_update_db () {
+  revisionResults=$(rally db revision)
+  if [ $revisionResults = "None"  ]
+  then
+    rally db create
+  else
+    rally db upgrade
+  fi
+}
+
+create_or_update_db
+
+cat > /tmp/rally-config.json << EOF
+{
+    "openstack": {
+        "auth_url": "${OS_AUTH_URL}",
+        "region_name": "${OS_REGION_NAME}",
+        "endpoint_type": "${OS_INTERFACE}",
+        "admin": {
+            "username": "${OS_USERNAME}",
+            "password": "${OS_PASSWORD}",
+            "user_domain_name": "${OS_USER_DOMAIN_NAME}",
+            "project_name": "${OS_PROJECT_NAME}",
+            "project_domain_name": "${OS_PROJECT_DOMAIN_NAME}"
+        },
+        "users": [
+            {
+                "username": "${SERVICE_OS_USERNAME}",
+                "password": "${SERVICE_OS_PASSWORD}",
+                "project_name": "${SERVICE_OS_PROJECT_NAME}",
+                "user_domain_name": "${SERVICE_OS_USER_DOMAIN_NAME}",
+                "project_domain_name": "${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+            }
+        ],
+        "https_insecure": false,
+        "https_cacert": "${OS_CACERT}"
+    }
+}
+EOF
+rally deployment create --file /tmp/rally-config.json --name "${RALLY_ENV_NAME}"
+rm -f /tmp/rally-config.json
+rally deployment use "${RALLY_ENV_NAME}"
+rally deployment check
+{{- if $rallyTests.run_tempest }}
+rally verify create-verifier --name "${RALLY_ENV_NAME}-tempest" --type tempest
+SERVICE_TYPE="$(rally deployment check | grep "${RALLY_ENV_NAME}" | awk -F \| '{print $3}' | tr -d ' ' | tr -d '\n')"
+rally verify start --pattern "tempest.api.${SERVICE_TYPE}*"
+rally verify delete-verifier --id "${RALLY_ENV_NAME}-tempest" --force
+{{- end }}
+rally task validate /etc/rally/rally_tests.yaml
+rally task start /etc/rally/rally_tests.yaml
+rally task sla-check
+rally env cleanup
+rally deployment destroy --deployment "${RALLY_ENV_NAME}"
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/senlin/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
new file mode 100644
index 0000000..516d79e
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -0,0 +1,514 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.backup_main" }}
+#!/bin/bash
+
+# This file contains a database backup framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+#   source /tmp/backup_main.sh
+#
+# Then the script should call the main backup function (backup_databases):
+#   backup_databases [scope]
+#       [scope] is an optional parameter, defaulted to "all". If only one specific
+#               database is required to be backed up then this parameter will
+#               contain the name of the database; otherwise all are backed up.
+#
+#       The framework will require the following variables to be exported:
+#
+#         export DB_NAMESPACE          Namespace where the database(s) reside
+#         export DB_NAME               Name of the database system
+#         export LOCAL_DAYS_TO_KEEP    Number of days to keep the local backups
+#         export REMOTE_DAYS_TO_KEEP   Number of days to keep the remote backups
+#         export ARCHIVE_DIR           Local location where the backup tarballs should
+#                                      be stored. (full directory path)
+#         export BACK_UP_MODE          Determines the mode of backup taken.
+#         export REMOTE_BACKUP_ENABLED "true" if remote backup enabled; false
+#                                      otherwise
+#         export CONTAINER_NAME        Name of the container on the RGW to store
+#                                      the backup tarball.
+#         export STORAGE_POLICY        Name of the storage policy defined on the
+#                                      RGW which is intended to store backups.
+#         RGW access variables:
+#           export OS_REGION_NAME          Name of the region the RGW resides in
+#           export OS_AUTH_URL             Keystone URL associated with the RGW
+#           export OS_PROJECT_NAME         Name of the project associated with the
+#                                          keystone user
+#           export OS_USERNAME             Name of the keystone user
+#           export OS_PASSWORD             Password of the keystone user
+#           export OS_USER_DOMAIN_NAME     Keystone domain the project belongs to
+#           export OS_PROJECT_DOMAIN_NAME  Keystone domain the user belongs to
+#           export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+#           export REMOTE_BACKUP_RETRIES   Number of retries to send backup to remote
+#                                          in case of any temporary failures.
+#           export MIN_DELAY_SEND_REMOTE   Minimum seconds to delay before sending backup
+#                                          to remote to stagger backups being sent to RGW
+#           export MAX_DELAY_SEND_REMOTE   Maximum seconds to delay before sending backup
+#                                          to remote to stagger backups being sent to RGW.
+#                                          A random number between min and max delay is generated
+#                                          to set the delay.
+#
+# The database-specific functions that need to be implemented are:
+#   dump_databases_to_directory <directory> <err_logfile> [scope]
+#       where:
+#         <directory>   is the full directory path to dump the database files
+#                       into. This is a temporary directory for this backup only.
+#         <err_logfile> is the full directory path where error logs are to be
+#                       written by the application.
+#         [scope]       set to "all" if all databases are to be backed up; or
+#                       set to the name of a specific database to be backed up.
+#                       This optional parameter is defaulted to "all".
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to dump the database file(s) to the specified
+#       directory path. If this function completes successfully (returns 0), the
+#       framework will automatically tar/zip the files in that directory and
+#       name the tarball appropriately according to the proper conventions.
+#
+# The functions in this file will take care of:
+#   1) Calling "dump_databases_to_directory" and then compressing the files,
+#      naming the tarball properly, and then storing it locally at the specified
+#      local directory.
+#   2) Sending the tarball built to the remote gateway, to be stored in the
+#      container configured to store database backups.
+#   3) Removing local backup tarballs which are older than the number of days
+#      specified by the "LOCAL_DAYS_TO_KEEP" variable.
+#   4) Removing remote backup tarballs (from the remote gateway) which are older
+#      than the number of days specified by the "REMOTE_DAYS_TO_KEEP" variable.
+#
+
+# Note: not using set -e in this script because more elaborate error handling
+# is needed.
+
+log_backup_error_exit() {
+  MSG=$1
+  ERRCODE=${2:-0}
+  log ERROR "${DB_NAME}_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+  rm -f $ERR_LOG_FILE
+  rm -rf $TMP_DIR
+  exit $ERRCODE
+}
+
+log() {
+  #Log message to a file or stdout
+  #TODO: This can be convert into mail alert of alert send to a monitoring system
+  #Params: $1 log level
+  #Params: $2 service
+  #Params: $3 message
+  #Params: $4 Destination
+  LEVEL=$1
+  SERVICE=$2
+  MSG=$3
+  DEST=$4
+  DATE=$(date +"%m-%d-%y %H:%M:%S")
+  if [[ -z "$DEST" ]]; then
+    echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}"
+  else
+    echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}" >>$DEST
+  fi
+}
+
+# Generate a random number between MIN_DELAY_SEND_REMOTE and
+# MAX_DELAY_SEND_REMOTE
+random_number() {
+  diff=$((${MAX_DELAY_SEND_REMOTE} - ${MIN_DELAY_SEND_REMOTE} + 1))
+  echo $(($(( ${RANDOM} % ${diff} )) + ${MIN_DELAY_SEND_REMOTE} ))
+}
+
+#Get the day delta since the archive file backup
+seconds_difference() {
+  ARCHIVE_DATE=$( date --date="$1" +%s )
+  if [[ $? -ne 0 ]]; then
+    SECOND_DELTA=0
+  fi
+  CURRENT_DATE=$( date +%s )
+  SECOND_DELTA=$(($CURRENT_DATE-$ARCHIVE_DATE))
+  if [[ "$SECOND_DELTA" -lt 0 ]]; then
+    SECOND_DELTA=0
+  fi
+  echo $SECOND_DELTA
+}
+
+# Send the specified tarball file at the specified filepath to the
+# remote gateway.
+send_to_remote_server() {
+  FILEPATH=$1
+  FILE=$2
+
+  # Grab the list of containers on the remote site
+  RESULT=$(openstack container list 2>&1)
+
+  if [[ $? -eq 0 ]]; then
+    echo $RESULT | grep $CONTAINER_NAME
+    if [[ $? -ne 0 ]]; then
+      # Find the swift URL from the keystone endpoint list
+      SWIFT_URL=$(openstack catalog show object-store -c endpoints | grep public | awk '{print $4}')
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to get object-store enpoints from keystone catalog."
+        return 2
+      fi
+
+      # Get a token from keystone
+      TOKEN=$(openstack token issue -f value -c id)
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to get  keystone token."
+        return 2
+      fi
+
+      # Create the container
+      RES_FILE=$(mktemp -p /tmp)
+      curl -g -i -X PUT ${SWIFT_URL}/${CONTAINER_NAME} \
+           -H "X-Auth-Token: ${TOKEN}" \
+           -H "X-Storage-Policy: ${STORAGE_POLICY}" 2>&1 > $RES_FILE
+
+      if [[ $? -ne 0 || $(grep "HTTP" $RES_FILE | awk '{print $2}') -ge 400 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to create container ${CONTAINER_NAME}"
+        cat $RES_FILE
+        rm -f $RES_FILE
+        return 2
+      fi
+      rm -f $RES_FILE
+
+      swift stat $CONTAINER_NAME
+      if [[ $? -ne 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Unable to retrieve container ${CONTAINER_NAME} details after creation."
+        return 2
+      fi
+    fi
+  else
+    echo $RESULT | grep -E "HTTP 401|HTTP 403"
+    if [[ $? -eq 0 ]]; then
+      log ERROR "${DB_NAME}_backup" "Access denied by keystone: ${RESULT}"
+      return 1
+    else
+      echo $RESULT | grep -E "ConnectionError|Failed to discover available identity versions|Service Unavailable|HTTP 50"
+      if [[ $? -eq 0 ]]; then
+        log WARN "${DB_NAME}_backup" "Could not reach the RGW: ${RESULT}"
+        # In this case, keystone or the site/node may be temporarily down.
+        # Return slightly different error code so the calling code can retry
+        return 2
+      else
+        log ERROR "${DB_NAME}_backup" "Could not get container list: ${RESULT}"
+        return 1
+      fi
+    fi
+  fi
+
+  # Create an object to store the file
+  openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
+    return 2
+  fi
+  openstack object show $CONTAINER_NAME $FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
+    return 2
+  fi
+
+  log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
+  return 0
+}
+
+# This function attempts to store the built tarball to the remote gateway,
+# with built-in logic to handle error cases like:
+#   1) Network connectivity issues - retries for a specific amount of time
+#   2) Authorization errors - immediately logs an ERROR and returns
+store_backup_remotely() {
+  FILEPATH=$1
+  FILE=$2
+
+  count=1
+  while [[ ${count} -le ${REMOTE_BACKUP_RETRIES} ]]; do
+    # Store the new archive to the remote backup storage facility.
+    send_to_remote_server $FILEPATH $FILE
+    SEND_RESULT="$?"
+
+    # Check if successful
+    if [[ $SEND_RESULT -eq 0 ]]; then
+      log INFO "${DB_NAME}_backup" "Backup file ${FILE} successfully sent to RGW."
+      return 0
+    elif [[ $SEND_RESULT -eq 2 ]]; then
+      if [[ ${count} -ge ${REMOTE_BACKUP_RETRIES} ]]; then
+        log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW in " \
+        "${REMOTE_BACKUP_RETRIES} retries. Errors encountered. Exiting."
+        break
+      fi
+      # Temporary failure occurred. We need to retry
+      log WARN "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to RGW due to connection issue."
+      sleep_time=$(random_number)
+      log INFO "${DB_NAME}_backup" "Sleeping ${sleep_time} seconds waiting for RGW to become available..."
+      sleep ${sleep_time}
+      log INFO "${DB_NAME}_backup" "Retrying..."
+    else
+      log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW. Errors encountered. Exiting."
+      break
+    fi
+
+    # Increment the counter
+    count=$((count+1))
+  done
+
+  return 1
+}
+
+
+function get_archive_date(){
+# get_archive_date function returns correct archive date
+# for different formats of archives' names
+# the old one: <database name>.<namespace>.<table name | all>.<date-time>.tar.gz
+# the new one: <database name>.<namespace>.<table name | all>.<backup mode>.<date-time>.tar.gz
+  local A_FILE="$1"
+  awk -F. '{print $(NF-2)}' <<< ${A_FILE} | tr -d "Z"
+}
+
+# This function takes a list of archives' names as an input
+# and creates a hash table where keys are number of seconds
+# between current date and archive date (see seconds_difference),
+# and values are space separated archives' names
+#
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 1265342678 | "tmp/mysql.backup.auto.2022-02-14T10:13:13Z.tar.gz"                                                     |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 2346254257 | "tmp/mysql.backup.auto.2022-02-11T10:13:13Z.tar.gz tmp/mysql.backup.manual.2022-02-11T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# <...>
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 6253434567 | "tmp/mysql.backup.manual.2022-02-01T10:13:13Z.tar.gz"                                                   |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# We will use the explained above data stracture to cover rare, but still
+# possible case, when we have several backups of the same date. E.g.
+# one manual, and one automatic.
+
+declare -A fileTable
+create_hash_table() {
+unset fileTable
+fileList=$@
+  for ARCHIVE_FILE in ${fileList}; do
+    # Creating index, we will round given ARCHIVE_DATE to the midnight (00:00:00)
+    # to take in account a possibility, that we can have more than one scheduled
+    # backup per day.
+    ARCHIVE_DATE=$(get_archive_date ${ARCHIVE_FILE})
+    ARCHIVE_DATE=$(date --date=${ARCHIVE_DATE} +%D)
+    log INFO "${DB_NAME}_backup" "Archive date to build index: ${ARCHIVE_DATE}"
+    INDEX=$(seconds_difference ${ARCHIVE_DATE})
+    if [[ -z fileTable[${INDEX}] ]]; then
+      fileTable[${INDEX}]=${ARCHIVE_FILE}
+    else
+      fileTable[${INDEX}]="${fileTable[${INDEX}]} ${ARCHIVE_FILE}"
+    fi
+    echo "INDEX: ${INDEX} VALUE:  ${fileTable[${INDEX}]}"
+ done
+}
+
+function get_backup_prefix() {
+# Create list of all possible prefixes in a format:
+# <db_name>.<namespace> to cover a possible situation
+# when different backups of different databases and/or
+# namespaces share the same local or remote storage.
+  ALL_FILES=($@)
+  PREFIXES=()
+  for fname in ${ALL_FILES[@]}; do
+    prefix=$(basename ${fname} | cut -d'.' -f1,2 )
+    for ((i=0; i<${#PREFIXES[@]}; i++)) do
+      if [[ ${PREFIXES[${i}]} == ${prefix} ]]; then
+        prefix=""
+        break
+      fi
+    done
+    if [[ ! -z ${prefix} ]]; then
+        PREFIXES+=(${prefix})
+    fi
+  done
+}
+
+remove_old_local_archives() {
+  SECONDS_TO_KEEP=$(( $((${LOCAL_DAYS_TO_KEEP}))*86400))
+  log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+  if [[ -d $ARCHIVE_DIR ]]; then
+    count=0
+    # We iterate over the hash table, checking the delta in seconds (hash keys),
+    # and minimum number of backups we must have in place. List of keys has to be sorted.
+    for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+      ARCHIVE_FILE=${fileTable[${INDEX}]}
+      if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
+        ((count++))
+        log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
+      else
+        log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
+          rm -f ${ARCHIVE_FILE}
+          if [[ $? -ne 0 ]]; then
+            # Log error but don't exit so we can finish the script
+            # because at this point we haven't sent backup to RGW yet
+            log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
+          fi
+      fi
+    done
+  else
+    log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
+  fi
+}
+
+prepare_list_of_remote_backups() {
+  BACKUP_FILES=$(mktemp -p /tmp)
+  DB_BACKUP_FILES=$(mktemp -p /tmp)
+  openstack object list $CONTAINER_NAME > $BACKUP_FILES
+  if [[ $? -ne 0 ]]; then
+    log_backup_error_exit \
+      "Failed to cleanup remote backup. Could not obtain a list of current backup files in the RGW"
+  fi
+  # Filter out other types of backup files
+  cat $BACKUP_FILES | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $DB_BACKUP_FILES
+}
+
+# The logic implemented with this function is absolutely similar
+# to the function remove_old_local_archives (see above)
+remove_old_remote_archives() {
+  count=0
+  SECONDS_TO_KEEP=$((${REMOTE_DAYS_TO_KEEP}*86400))
+  log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+  for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+    ARCHIVE_FILE=${fileTable[${INDEX}]}
+    if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then
+      ((count++))
+      log INFO "${DB_NAME}_backup" "Keeping remote backup(s) ${ARCHIVE_FILE}."
+    else
+      log INFO "${DB_NAME}_backup" "Deleting remote backup(s) ${ARCHIVE_FILE} from the RGW"
+      openstack object delete ${CONTAINER_NAME} ${ARCHIVE_FILE} ||  log WARN "${DB_NAME}_backup" \
+        "Failed to cleanup remote backup. Cannot delete container object ${ARCHIVE_FILE}"
+    fi
+  done
+
+  # Cleanup now that we're done.
+  for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
+    if [[ -f fd ]]; then
+      rm -f fd
+    else
+      log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+    fi
+  done
+}
+
+# Main function to backup the databases. Calling functions need to supply:
+#  1) The directory where the final backup will be kept after it is compressed.
+#  2) A temporary directory to use for placing database files to be compressed.
+#     Note: this temp directory will be deleted after backup is done.
+#  3) Optional "scope" parameter indicating what database to back up. Defaults
+#     to "all".
+backup_databases() {
+  SCOPE=${1:-"all"}
+
+  # Create necessary directories if they do not exist.
+  mkdir -p $ARCHIVE_DIR || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create directory ${ARCHIVE_DIR}!"
+  export TMP_DIR=$(mktemp -d) || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create temp directory!"
+
+  # Create temporary log file
+  export ERR_LOG_FILE=$(mktemp -p /tmp) || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot create log file!"
+
+  # It is expected that this function will dump the database files to the $TMP_DIR
+  dump_databases_to_directory $TMP_DIR $ERR_LOG_FILE $SCOPE
+
+  # If successful, there should be at least one file in the TMP_DIR
+  if [[ $? -ne 0 || $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+    cat $ERR_LOG_FILE
+    log_backup_error_exit "Backup of the ${DB_NAME} database failed and needs attention."
+  fi
+
+  log INFO "${DB_NAME}_backup" "Databases dumped successfully. Creating tarball..."
+
+  NOW=$(date +"%Y-%m-%dT%H:%M:%SZ")
+  if [[ -z "${BACK_UP_MODE}" ]]; then
+    TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${NOW}.tar.gz"
+  else
+    TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${BACK_UP_MODE}.${NOW}.tar.gz"
+  fi
+
+  cd $TMP_DIR || log_backup_error_exit \
+    "Backup of the ${DB_NAME} database failed. Cannot change to directory $TMP_DIR"
+
+  #Archive the current database files
+  tar zcvf $ARCHIVE_DIR/$TARBALL_FILE *
+  if [[ $? -ne 0 ]]; then
+    log_backup_error_exit \
+      "Backup ${DB_NAME} to local file system failed. Backup tarball could not be created."
+  fi
+
+  # Get the size of the file
+  ARCHIVE_SIZE=$(ls -l $ARCHIVE_DIR/$TARBALL_FILE | awk '{print $5}')
+
+  log INFO "${DB_NAME}_backup" "Tarball $TARBALL_FILE created successfully."
+
+  cd $ARCHIVE_DIR
+
+  # Remove the temporary directory and files as they are no longer needed.
+  rm -rf $TMP_DIR
+  rm -f $ERR_LOG_FILE
+
+  #Only delete the old archive after a successful archive
+  export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
+  if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
+    get_backup_prefix $(ls -1 ${ARCHIVE_DIR}/*.gz)
+    for ((i=0; i<${#PREFIXES[@]}; i++)); do
+      echo "Working with prefix: ${PREFIXES[i]}"
+      create_hash_table $(ls -1 ${ARCHIVE_DIR}/${PREFIXES[i]}*.gz)
+      remove_old_local_archives
+    done
+  fi
+
+  REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
+  if $REMOTE_BACKUP; then
+    # Remove Quotes from the constants which were added due to reading
+    # from secret.
+    export REMOTE_BACKUP_RETRIES=$(echo $REMOTE_BACKUP_RETRIES | sed 's/"//g')
+    export MIN_DELAY_SEND_REMOTE=$(echo $MIN_DELAY_SEND_REMOTE | sed 's/"//g')
+    export MAX_DELAY_SEND_REMOTE=$(echo $MAX_DELAY_SEND_REMOTE | sed 's/"//g')
+    export REMOTE_DAYS_TO_KEEP=$(echo $REMOTE_DAYS_TO_KEEP | sed 's/"//g')
+
+    store_backup_remotely $ARCHIVE_DIR $TARBALL_FILE
+    if [[ $? -ne 0 ]]; then
+      # This error should print first, then print the summary as the last
+      # thing that the user sees in the output.
+      log ERROR "${DB_NAME}_backup" "Backup ${TARBALL_FILE} could not be sent to remote RGW."
+      echo "=================================================================="
+      echo "Local backup successful, but could not send to remote RGW."
+      echo "Backup archive name: $TARBALL_FILE"
+      echo "Backup archive size: $ARCHIVE_SIZE"
+      echo "=================================================================="
+      # Because the local backup was successful, exit with 0 so the pod will not
+      # continue to restart and fill the disk with more backups. The ERRORs are
+      # logged and alerting system should catch those errors and flag the operator.
+      exit 0
+    fi
+
+    #Only delete the old archive after a successful archive
+    if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then
+      prepare_list_of_remote_backups
+      get_backup_prefix $(cat $DB_BACKUP_FILES)
+      for ((i=0; i<${#PREFIXES[@]}; i++)); do
+        echo "Working with prefix: ${PREFIXES[i]}"
+        create_hash_table $(cat $DB_BACKUP_FILES | grep ${PREFIXES[i]})
+        remove_old_remote_archives
+      done
+    fi
+
+    echo "=================================================================="
+    echo "Local backup and backup to remote RGW successful!"
+    echo "Backup archive name: $TARBALL_FILE"
+    echo "Backup archive size: $ARCHIVE_SIZE"
+    echo "=================================================================="
+  else
+    # Remote backup is not enabled. This is ok; at least we have a local backup.
+    log INFO "${DB_NAME}_backup" "Skipping remote backup, as it is not enabled."
+
+    echo "=================================================================="
+    echo "Local backup successful!"
+    echo "Backup archive name: $TARBALL_FILE"
+    echo "Backup archive size: $ARCHIVE_SIZE"
+    echo "=================================================================="
+  fi
+}
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl b/charts/senlin/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
new file mode 100644
index 0000000..093dd2c
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
@@ -0,0 +1,616 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.restore_main" }}
+#!/bin/bash
+
+# This file contains a database restore framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+#   source /tmp/restore_main.sh
+#
+# Then the script should call the main CLI function (cli_main):
+#   cli_main <arg_list>
+#       where:
+#         <arg_list>    is the list of arguments given by the user
+#
+#       The framework will require the following variables to be exported:
+#
+#         export DB_NAMESPACE        Namespace where the database(s) reside
+#         export DB_NAME             Name of the database system
+#         export ARCHIVE_DIR         Location where the backup tarballs should
+#                                    be stored. (full directory path which
+#                                    should already exist)
+#         export CONTAINER_NAME      Name of the container on the RGW where
+#                                    the backups are stored.
+#         RGW access variables:
+#           export OS_REGION_NAME          Name of the region the RGW resides in
+#           export OS_AUTH_URL             Keystone URL associated with the RGW
+#           export OS_PROJECT_NAME         Name of the project associated with the
+#                                          keystone user
+#           export OS_USERNAME             Name of the keystone user
+#           export OS_PASSWORD             Password of the keystone user
+#           export OS_USER_DOMAIN_NAME     Keystone domain the project belongs to
+#           export OS_PROJECT_DOMAIN_NAME  Keystone domain the user belongs to
+#           export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# The database-specific functions that need to be implemented are:
+#   get_databases
+#       where:
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <db_file>     is the full path of the file to write the database
+#                       names into, one database per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the database names from the
+#       uncompressed database files found in the given "tmp_dir", which is
+#       the staging directory for database restore. The database names
+#       should be written to the given "db_file", one database name per
+#       line.
+#
+#   get_tables
+#         <db_name>     is the name of the database to get the tables from
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <table_file>  is the full path of the file to write the table
+#                       names into, one table per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the table names from the given
+#       database, found in the uncompressed database files located in the
+#       given "tmp_dir", which is the staging directory for database restore.
+#       The table names should be written to the given "table_file", one
+#       table name per line.
+#
+#   get_rows
+#         <table_name>  is the name of the table to get the rows from
+#         <db_name>     is the name of the database the table resides in
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <rows_file>   is the full path of the file to write the table
+#                       row data into, one row (INSERT statement) per line
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the rows from the given table
+#       in the given database, found in the uncompressed database files
+#       located in the given "tmp_dir", which is the staging directory for
+#       database restore. The table rows should be written to the given
+#       "rows_file", one row (INSERT statement) per line.
+#
+#   get_schema
+#         <table_name>  is the name of the table to get the schema from
+#         <db_name>     is the name of the database the table resides in
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#         <schema_file> is the full path of the file to write the table
+#                       schema data into
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to extract the schema from the given table
+#       in the given database, found in the uncompressed database files
+#       located in the given "tmp_dir", which is the staging directory for
+#       database restore. The table schema and related alterations and
+#       grant information should be written to the given "schema_file".
+#
+#   restore_single_db
+#       where:
+#         <db_name>     is the name of the database to be restored
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to restore the database given as "db_name"
+#       using the database files located in the "tmp_dir". The framework
+#       will delete the "tmp_dir" and the files in it after the restore is
+#       complete.
+#
+#   restore_all_dbs
+#       where:
+#         <tmp_dir>     is the full directory path where the decompressed
+#                       database files reside
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to restore all of the databases which
+#       are backed up in the database files located in the "tmp_dir". The
+#       framework will delete the "tmp_dir" and the files in it after the
+#       restore is complete.
+#
+# The functions in this file will take care of:
+#   1) The CLI parameter parsing for the arguments passed in by the user.
+#   2) The listing of either local or remote archive files at the request
+#      of the user.
+#   3) The retrieval/download of an archive file located either in the local
+#      file system or remotely stored on an RGW.
+#   4) Calling either "restore_single_db" or "restore_all_dbs" when the user
+#      chooses to restore a database or all databases.
+#   5) The framework will call "get_databases" when it needs a list of
+#      databases when the user requests a database list or when the user
+#      requests to restore a single database (to ensure it exists in the
+#      archive). Similarly, the framework will call "get_tables", "get_rows",
+#      or "get_schema" when it needs that data requested by the user.
+#
+
+usage() {
+  ret_val=$1
+  echo "Usage:"
+  echo "Restore command options"
+  echo "============================="
+  echo "help"
+  echo "list_archives [remote]"
+  echo "list_databases <archive_filename> [remote]"
+  echo "list_tables <archive_filename> <dbname> [remote]"
+  echo "list_rows <archive_filename> <dbname> <table_name> [remote]"
+  echo "list_schema <archive_filename> <dbname> <table_name> [remote]"
+  echo "restore <archive_filename> <db_specifier> [remote]"
+  echo "        where <db_specifier> = <dbname> | ALL"
+  echo "delete_archive <archive_filename> [remote]"
+  clean_and_exit $ret_val ""
+}
+
+#Exit cleanly with some message and return code
+clean_and_exit() {
+  RETCODE=$1
+  MSG=$2
+
+  # Clean/remove temporary directories/files
+  rm -rf $TMP_DIR
+  rm -f $RESULT_FILE
+
+  if [[ "x${MSG}" != "x" ]]; then
+    echo $MSG
+  fi
+  exit $RETCODE
+}
+
+determine_resulting_error_code() {
+  RESULT="$1"
+
+  echo ${RESULT} | grep "HTTP 404"
+  if [[ $? -eq 0 ]]; then
+    echo "Could not find the archive: ${RESULT}"
+    return 1
+  else
+    echo ${RESULT} | grep "HTTP 401"
+    if [[ $? -eq 0 ]]; then
+      echo "Could not access the archive: ${RESULT}"
+      return 1
+    else
+      echo ${RESULT} | grep "HTTP 503"
+      if [[ $? -eq 0 ]]; then
+        echo "RGW service is unavailable. ${RESULT}"
+        # In this case, the RGW may be temporarily down.
+        # Return slightly different error code so the calling code can retry
+        return 2
+      else
+        echo ${RESULT} | grep "ConnectionError"
+        if [[ $? -eq 0 ]]; then
+          echo "Could not reach the RGW: ${RESULT}"
+          # In this case, keystone or the site/node may be temporarily down.
+          # Return slightly different error code so the calling code can retry
+          return 2
+        else
+          echo "Archive ${ARCHIVE} could not be retrieved: ${RESULT}"
+          return 1
+        fi
+      fi
+    fi
+  fi
+  return 0
+}
+
+# Retrieve a list of archives from the RGW.
+retrieve_remote_listing() {
+  RESULT=$(openstack container show $CONTAINER_NAME 2>&1)
+  if [[ $? -eq 0 ]]; then
+    # Get the list, ensureing that we only pick up the right kind of backups from the
+    # requested namespace
+    openstack object list $CONTAINER_NAME | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $TMP_DIR/archive_list
+    if [[ $? -ne 0 ]]; then
+      echo "Container object listing could not be obtained."
+      return 1
+    else
+      echo "Archive listing successfully retrieved."
+    fi
+  else
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  fi
+  return 0
+}
+
+# Retrieve a single archive from the RGW.
+retrieve_remote_archive() {
+  ARCHIVE=$1
+
+  RESULT=$(openstack object save --file $TMP_DIR/$ARCHIVE $CONTAINER_NAME $ARCHIVE 2>&1)
+  if [[ $? -ne 0 ]]; then
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  else
+    echo "Archive $ARCHIVE successfully retrieved."
+  fi
+  return 0
+}
+
+# Delete an archive from the RGW.
+delete_remote_archive() {
+  ARCHIVE=$1
+
+  RESULT=$(openstack object delete ${CONTAINER_NAME} ${ARCHIVE} 2>&1)
+  if [[ $? -ne 0 ]]; then
+    determine_resulting_error_code "${RESULT}"
+    return $?
+  else
+    echo "Archive ${ARCHIVE} successfully deleted."
+  fi
+  return 0
+}
+
+# Display all archives
+list_archives() {
+  REMOTE=$1
+
+  if [[ "x${REMOTE^^}" == "xREMOTE" ]]; then
+    retrieve_remote_listing
+    if [[ $? -eq 0 && -e $TMP_DIR/archive_list ]]; then
+      echo
+      echo "All Archives from RGW Data Store"
+      echo "=============================================="
+      cat $TMP_DIR/archive_list | sort
+      clean_and_exit 0 ""
+    else
+      clean_and_exit 1 "ERROR: Archives could not be retrieved from the RGW."
+    fi
+  elif [[ "x${REMOTE}" == "x" ]]; then
+    if [[ -d $ARCHIVE_DIR ]]; then
+      archives=$(find $ARCHIVE_DIR/ -iname "*.gz" -print | sort)
+      echo
+      echo "All Local Archives"
+      echo "=============================================="
+      for archive in $archives
+      do
+        echo $archive | cut -d '/' -f8-
+      done
+      clean_and_exit 0 ""
+    else
+      clean_and_exit 1 "ERROR: Local archive directory is not available."
+    fi
+  else
+    usage 1
+  fi
+}
+
+# Retrieve the archive from the desired location and decompress it into
+# the restore directory
+get_archive() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+
+  if [[ "x$REMOTE" == "xremote" ]]; then
+    echo "Retrieving archive ${ARCHIVE_FILE} from the remote RGW..."
+    retrieve_remote_archive $ARCHIVE_FILE
+    if [[ $? -ne 0 ]]; then
+      clean_and_exit 1 "ERROR: Could not retrieve remote archive: $ARCHIVE_FILE"
+    fi
+  elif [[ "x$REMOTE" == "x" ]]; then
+    if [[ -e $ARCHIVE_DIR/$ARCHIVE_FILE ]]; then
+      cp $ARCHIVE_DIR/$ARCHIVE_FILE $TMP_DIR/$ARCHIVE_FILE
+      if [[ $? -ne 0 ]]; then
+        clean_and_exit 1 "ERROR: Could not copy local archive to restore directory."
+      fi
+    else
+      clean_and_exit 1 "ERROR: Local archive file could not be found."
+    fi
+  else
+    usage 1
+  fi
+
+  echo "Decompressing archive $ARCHIVE_FILE..."
+  cd $TMP_DIR
+  tar zxvf - < $TMP_DIR/$ARCHIVE_FILE 1>/dev/null
+  if [[ $? -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Archive decompression failed."
+  fi
+}
+
+# Display all databases from an archive
+list_databases() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one database per line
+  get_databases $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve databases from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Databases in the $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Databases file missing. Could not list databases from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display all tables of a database from an archive
+list_tables() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  REMOTE=$3
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one table per line
+  get_tables $DATABASE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve tables for database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Tables in database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Tables file missing. Could not list tables of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display all rows of the given database table from an archive
+list_rows() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  TABLE=$3
+  REMOTE=$4
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the database listing will be put into
+  # the given file one table per line
+  get_rows $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Rows in table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Rows file missing. Could not list rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Display the schema information of the given database table from an archive
+list_schema() {
+  ARCHIVE_FILE=$1
+  DATABASE=$2
+  TABLE=$3
+  REMOTE=$4
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  # Get the archive from the source location (local/remote)
+  get_archive $ARCHIVE_FILE $REMOTE
+
+  # Expectation is that the schema information will be placed into
+  # the given schema file.
+  get_schema $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+  if [[ "$?" -ne 0 ]]; then
+    clean_and_exit 1 "ERROR: Could not retrieve schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+
+  if [[ -f "$RESULT_FILE" ]]; then
+    echo " "
+    echo "Schema for table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+    echo "================================================================================"
+    cat $RESULT_FILE
+  else
+    clean_and_exit 1 "ERROR: Schema file missing. Could not list schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+  fi
+}
+
+# Delete an archive
+delete_archive() {
+  ARCHIVE_FILE=$1
+  REMOTE=$2
+  WHERE="local"
+
+  if [[ -n ${REMOTE} ]]; then
+    WHERE="remote"
+  fi
+
+  if [[ "${WHERE}" == "remote" ]]; then
+    delete_remote_archive ${ARCHIVE_FILE}
+    if [[ $? -ne 0 ]]; then
+      clean_and_exit 1 "ERROR: Could not delete remote archive: ${ARCHIVE_FILE}"
+    fi
+  else # Local
+    if [[ -e ${ARCHIVE_DIR}/${ARCHIVE_FILE} ]]; then
+      rm -f ${ARCHIVE_DIR}/${ARCHIVE_FILE}
+      if [[ $? -ne 0 ]]; then
+        clean_and_exit 1 "ERROR: Could not delete local archive."
+      fi
+    else
+      clean_and_exit 1 "ERROR: Local archive file could not be found."
+    fi
+  fi
+
+  echo "Successfully deleted archive ${ARCHIVE_FILE} from ${WHERE} storage."
+}
+
+
+# Return 1 if the given database exists in the database file. 0 otherwise.
+database_exists() {
+  DB=$1
+
+  grep "${DB}" ${RESULT_FILE}
+  if [[ $? -eq 0 ]]; then
+    return 1
+  fi
+  return 0
+}
+
+# This is the main CLI interpreter function
+cli_main() {
+  ARGS=("$@")
+
+  # Create the ARCHIVE DIR if it's not already there.
+  mkdir -p $ARCHIVE_DIR
+
+  # Create temp directory for a staging area to decompress files into
+  export TMP_DIR=$(mktemp -d)
+
+  # Create a temp file for storing list of databases (if needed)
+  export RESULT_FILE=$(mktemp -p /tmp)
+
+  case "${ARGS[0]}" in
+    "help")
+      usage 0
+      ;;
+
+    "list_archives")
+      if [[ ${#ARGS[@]} -gt 2 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 1 ]]; then
+        list_archives
+      else
+        list_archives ${ARGS[1]}
+      fi
+      clean_and_exit 0
+      ;;
+
+    "list_databases")
+      if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 2 ]]; then
+        list_databases ${ARGS[1]}
+      else
+        list_databases ${ARGS[1]} ${ARGS[2]}
+      fi
+      ;;
+
+    "list_tables")
+      if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 3 ]]; then
+        list_tables ${ARGS[1]} ${ARGS[2]}
+      else
+        list_tables ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      fi
+      ;;
+
+    "list_rows")
+      if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      else
+        list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+      fi
+      ;;
+
+    "list_schema")
+      if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+      else
+        list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+      fi
+      ;;
+
+    "restore")
+      REMOTE=""
+      if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 4 ]]; then
+        REMOTE=${ARGS[3]}
+      fi
+
+      ARCHIVE=${ARGS[1]}
+      DB_SPEC=${ARGS[2]}
+
+      #Get all the databases in that archive
+      get_archive $ARCHIVE $REMOTE
+
+      if [[ "$( echo $DB_SPEC | tr '[a-z]' '[A-Z]')" != "ALL" ]]; then
+        # Expectation is that the database listing will be put into
+        # the given file one database per line
+        get_databases $TMP_DIR $RESULT_FILE
+        if [[ "$?" -ne 0 ]]; then
+          clean_and_exit 1 "ERROR: Could not get the list of databases to restore."
+        fi
+
+        if [[ ! $DB_NAMESPACE == "kube-system" ]]; then
+          #check if the requested database is available in the archive
+          database_exists $DB_SPEC
+          if [[ $? -ne 1 ]]; then
+            clean_and_exit 1 "ERROR: Database ${DB_SPEC} does not exist."
+          fi
+        fi
+
+        echo "Restoring Database $DB_SPEC And Grants"
+        restore_single_db $DB_SPEC $TMP_DIR
+        if [[ "$?" -eq 0 ]]; then
+          echo "Single database restored successfully."
+        else
+          clean_and_exit 1 "ERROR: Single database restore failed."
+        fi
+        clean_and_exit 0 ""
+      else
+        echo "Restoring All The Databases. This could take a few minutes..."
+        restore_all_dbs $TMP_DIR
+        if [[ "$?" -eq 0 ]]; then
+          echo "All databases restored successfully."
+        else
+          clean_and_exit 1 "ERROR: Database restore failed."
+        fi
+        clean_and_exit 0 ""
+      fi
+      ;;
+    "delete_archive")
+      if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+        usage 1
+      elif [[ ${#ARGS[@]} -eq 2 ]]; then
+        delete_archive ${ARGS[1]}
+      else
+        delete_archive ${ARGS[1]} ${ARGS[2]}
+      fi
+      ;;
+    *)
+      usage 1
+      ;;
+  esac
+
+  clean_and_exit 0 ""
+}
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_image.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_image.tpl
new file mode 100644
index 0000000..029c93d
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_image.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Resolves an image reference to a string, and its pull policy
+values: |
+  images:
+    tags:
+      test_image: docker.io/port/test:version-foo
+      image_foo: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    pull_policy: IfNotPresent
+    local_registry:
+      active: true
+      exclude:
+        - image_foo
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    local_image_registry:
+      name: docker-registry
+      namespace: docker-registry
+      hosts:
+        default: localhost
+        internal: docker-registry
+        node: localhost
+      host_fqdn_override:
+        default: null
+      port:
+        registry:
+          node: 5000
+usage: |
+  {{ tuple . "test_image" | include "helm-toolkit.snippets.image" }}
+return: |
+  image: "localhost:5000/docker.io/port/test:version-foo"
+  imagePullPolicy: IfNotPresent
+*/}}
+
+{{- define "helm-toolkit.snippets.image" -}}
+{{- $envAll := index . 0 -}}
+{{- $image := index . 1 -}}
+{{- $imageTag := index $envAll.Values.images.tags $image -}}
+{{- if and ($envAll.Values.images.local_registry.active) (not (has $image $envAll.Values.images.local_registry.exclude )) -}}
+{{- $registryPrefix := printf "%s:%s" (tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup") (tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup") -}}
+image: {{ printf "%s/%s" $registryPrefix $imageTag | quote }}
+{{- else -}}
+image: {{ $imageTag | quote }}
+{{- end }}
+imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
new file mode 100644
index 0000000..2f209fe
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a set of container enviorment variables, equivlant to an openrc for
+  use with keystone based command line clients.
+values: |
+  secrets:
+    identity:
+      admin: example-keystone-admin
+usage: |
+  {{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin ) }}
+return: |
+  - name: OS_IDENTITY_API_VERSION
+    value: "3"
+  - name: OS_AUTH_URL
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_AUTH_URL
+  - name: OS_REGION_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_REGION_NAME
+  - name: OS_INTERFACE
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_INTERFACE
+  - name: OS_ENDPOINT_TYPE
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_INTERFACE
+  - name: OS_PROJECT_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PROJECT_DOMAIN_NAME
+  - name: OS_PROJECT_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PROJECT_NAME
+  - name: OS_USER_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_USER_DOMAIN_NAME
+  - name: OS_USERNAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_USERNAME
+  - name: OS_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_PASSWORD
+  - name: OS_CACERT
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-admin
+        key: OS_CACERT
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }}
+{{- $useCA := .useCA -}}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: OS_IDENTITY_API_VERSION
+  value: "3"
+- name: OS_AUTH_URL
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_AUTH_URL
+- name: OS_REGION_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_REGION_NAME
+- name: OS_INTERFACE
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_INTERFACE
+- name: OS_ENDPOINT_TYPE
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_INTERFACE
+- name: OS_PROJECT_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_DOMAIN_NAME
+- name: OS_PROJECT_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_NAME
+- name: OS_USER_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USER_DOMAIN_NAME
+- name: OS_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USERNAME
+- name: OS_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PASSWORD
+- name: OS_DEFAULT_DOMAIN
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_DEFAULT_DOMAIN
+{{- if $useCA }}
+- name: OS_CACERT
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_CACERT
+{{- end }}
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
new file mode 100644
index 0000000..f627657
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_secret_openrc" }}
+{{- $userClass := index . 0 -}}
+{{- $identityEndpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $userContext := index $context.Values.endpoints.identity.auth $userClass }}
+OS_AUTH_URL: {{ tuple "identity" $identityEndpoint "api" $context | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
+OS_REGION_NAME: {{ $userContext.region_name | b64enc }}
+OS_INTERFACE: {{ $userContext.interface | default "internal" | b64enc }}
+OS_PROJECT_DOMAIN_NAME: {{ $userContext.project_domain_name | b64enc }}
+OS_PROJECT_NAME: {{ $userContext.project_name | b64enc }}
+OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }}
+OS_USERNAME: {{ $userContext.username | b64enc }}
+OS_PASSWORD: {{ $userContext.password | b64enc }}
+OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }}
+{{- if $userContext.cacert }}
+OS_CACERT: {{ $userContext.cacert | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
new file mode 100644
index 0000000..648711b
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a set of container enviorment variables, for use with the keystone
+  user management jobs.
+values: |
+  secrets:
+    identity:
+      service_user: example-keystone-user
+usage: |
+  {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }}
+return: |
+  - name: SERVICE_OS_REGION_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_REGION_NAME
+  - name: SERVICE_OS_PROJECT_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PROJECT_DOMAIN_NAME
+  - name: SERVICE_OS_PROJECT_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PROJECT_NAME
+  - name: SERVICE_OS_USER_DOMAIN_NAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_USER_DOMAIN_NAME
+  - name: SERVICE_OS_USERNAME
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_USERNAME
+  - name: SERVICE_OS_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: example-keystone-user
+        key: OS_PASSWORD
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_user_create_env_vars" }}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: SERVICE_OS_REGION_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_REGION_NAME
+- name: SERVICE_OS_PROJECT_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_DOMAIN_NAME
+- name: SERVICE_OS_PROJECT_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PROJECT_NAME
+- name: SERVICE_OS_USER_DOMAIN_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USER_DOMAIN_NAME
+- name: SERVICE_OS_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_USERNAME
+- name: SERVICE_OS_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ksUserSecret }}
+      key: OS_PASSWORD
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
new file mode 100644
index 0000000..8ca1028
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders a configmap used for loading custom AppArmor profiles.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+      apparmor_profiles: |-
+        my_apparmor-v1.profile: |-
+          #include <tunables/global>
+          profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+            <profile_data>
+          }
+usage: |
+  {{ dict "envAll" . "component" "myComponent" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }}
+return: |
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: releaseName-myComponent-apparmor
+  namespace: myNamespace
+data:
+  my_apparmor-v1.profile: |-
+    #include <tunables/global>
+    profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+      <profile_data>
+    }
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_configmap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- $mapName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if $envAll.Values.conf.apparmor_profiles }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ $mapName }}
+  namespace: {{ $envAll.Release.Namespace }}
+data:
+{{ $envAll.Values.conf.apparmor_profiles | toYaml | indent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
new file mode 100644
index 0000000..f231fe6
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders the init container used for apparmor loading.
+values: |
+  images:
+    tags:
+      apparmor_loader: my-repo.io/apparmor-loader:1.0.0
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+      apparmor-loader: unconfined
+usage: |
+  {{ dict "envAll" . | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" }}
+return: |
+  - name: apparmor-loader
+    image: my-repo.io/apparmor-loader:1.0.0
+    args:
+      - /profiles
+    securityContext:
+      privileged: true
+    volumeMounts:
+      - name: sys
+        mountPath: /sys
+        readOnly: true
+      - name: includes
+        mountPath: /etc/apparmor.d
+        readOnly: true
+      - name: profiles
+        mountPath: /profiles
+        readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" -}}
+{{- $envAll := index . "envAll" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+- name: apparmor-loader
+  image: {{ $envAll.Values.images.tags.apparmor_loader }}
+  args:
+    - /profiles
+  securityContext:
+    privileged: true
+  volumeMounts:
+    - name: sys
+      mountPath: /sys
+      readOnly: true
+    - name: includes
+      mountPath: /etc/apparmor.d
+      readOnly: true
+    - name: profiles
+      mountPath: /profiles
+      readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
new file mode 100644
index 0000000..baebaa3
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders the volumes used by the apparmor loader.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      configmap_apparmor: true
+inputs: |
+  envAll: "Environment or Context."
+  component: "Name of the component used for the name of configMap."
+  requireSys: "Boolean. True if it needs the hostpath /sys in volumes."
+usage: |
+  {{ dict "envAll" . "component" "keystone" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" }}
+return: |
+- name: sys
+  hostPath:
+    path: /sys
+- name: includes
+  hostPath:
+    path: /etc/apparmor.d
+- name: profiles
+  configMap:
+    name: RELEASENAME-keystone-apparmor
+    defaultMode: 0555
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_volumes" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $requireSys := index . "requireSys" | default false -}}
+{{- $configName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- if $requireSys }}
+- name: sys
+  hostPath:
+    path: /sys
+{{- end }}
+- name: includes
+  hostPath:
+    path: /etc/apparmor.d
+- name: profiles
+  configMap:
+    name: {{ $configName | quote }}
+    defaultMode: 0555
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
new file mode 100644
index 0000000..4741497
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders securityContext for a Kubernetes container.
+  For container level, see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#securitycontext-v1-core
+examples:
+  - values: |
+      pod:
+        security_context:
+          myApp:
+            container:
+              foo:
+                runAsUser: 34356
+                readOnlyRootFilesystem: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" "container" "foo" | include "helm-toolkit.snippets.kubernetes_container_security_context" }}
+    return: |
+      securityContext:
+        readOnlyRootFilesystem: true
+        runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_container_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $container := index . "container" -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{- if hasKey ( index $envAll.Values.pod.security_context $application "container" ) $container }}
+securityContext:
+{{ toYaml ( index $envAll.Values.pod.security_context $application "container" $container ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
new file mode 100644
index 0000000..bed712e
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
@@ -0,0 +1,209 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a container definition for use with the kubernetes-entrypoint image
+  from stackanetes.
+values: |
+  images:
+    tags:
+      dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    pull_policy: IfNotPresent
+    local_registry:
+      active: true
+      exclude:
+        - dep_check
+  dependencies:
+    dynamic:
+      common:
+        local_image_registry:
+          jobs:
+            - calico-image-repo-sync
+          services:
+            - endpoint: node
+              service: local_image_registry
+    static:
+      calico_node:
+        services:
+          - endpoint: internal
+            service: etcd
+        custom_resources:
+          - apiVersion: argoproj.io/v1alpha1
+            kind: Workflow
+            name: wf-example
+            fields:
+              - key: "status.phase"
+                value: "Succeeded"
+  endpoints:
+    local_image_registry:
+      namespace: docker-registry
+      hosts:
+        default: localhost
+        node: localhost
+    etcd:
+      hosts:
+        default: etcd
+  # NOTE (portdirect): if the stanza, or a portion of it, under `pod` is not
+  # specififed then the following will be used as defaults:
+  #  pod:
+  #    security_context:
+  #      kubernetes_entrypoint:
+  #        container:
+  #          kubernetes_entrypoint:
+  #            runAsUser: 65534
+  #            readOnlyRootFilesystem: true
+  #            allowPrivilegeEscalation: false
+  pod:
+    security_context:
+      kubernetes_entrypoint:
+        container:
+          kubernetes_entrypoint:
+            runAsUser: 0
+            readOnlyRootFilesystem: false
+usage: |
+  {{ tuple . "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" }}
+return: |
+  - name: init
+    image: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+    imagePullPolicy: IfNotPresent
+    securityContext:
+      allowPrivilegeEscalation: false
+      readOnlyRootFilesystem: false
+      runAsUser: 0
+
+    env:
+      - name: POD_NAME
+        valueFrom:
+          fieldRef:
+            apiVersion: v1
+            fieldPath: metadata.name
+      - name: NAMESPACE
+        valueFrom:
+          fieldRef:
+            apiVersion: v1
+            fieldPath: metadata.namespace
+      - name: INTERFACE_NAME
+        value: eth0
+      - name: PATH
+        value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+      - name: DEPENDENCY_SERVICE
+        value: "default:etcd,docker-registry:localhost"
+      - name: DEPENDENCY_JOBS
+        value: "calico-image-repo-sync"
+      - name: DEPENDENCY_DAEMONSET
+        value: ""
+      - name: DEPENDENCY_CONTAINER
+        value: ""
+      - name: DEPENDENCY_POD_JSON
+        value: ""
+      - name: DEPENDENCY_CUSTOM_RESOURCE
+        value: "[{\"apiVersion\":\"argoproj.io/v1alpha1\",\"kind\":\"Workflow\",\"namespace\":\"default\",\"name\":\"wf-example\",\"fields\":[{\"key\":\"status.phase\",\"value\":\"Succeeded\"}]}]"
+    command:
+      - kubernetes-entrypoint
+    volumeMounts:
+      []
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" -}}
+Values:
+  pod:
+    security_context:
+      kubernetes_entrypoint:
+        container:
+          kubernetes_entrypoint:
+            runAsUser: 65534
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $mounts := index . 2 -}}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+
+{{- if and ($envAll.Values.manifests.job_rabbit_init) (hasKey $envAll.Values.dependencies "dynamic") -}}
+{{- if $envAll.Values.dependencies.dynamic.job_rabbit_init -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component) ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component)) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+{{- range $deps.custom_resources }}
+{{- $_ := set . "namespace" $envAll.Release.Namespace -}}
+{{- end -}}
+{{- $default_security_context := include "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" . | fromYaml }}
+{{- $patchedEnvAll := mergeOverwrite $default_security_context $envAll }}
+- name: init
+{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
+{{- dict "envAll" $patchedEnvAll "application" "kubernetes_entrypoint" "container" "kubernetes_entrypoint" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 2 }}
+  env:
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          apiVersion: v1
+          fieldPath: metadata.name
+    - name: NAMESPACE
+      valueFrom:
+        fieldRef:
+          apiVersion: v1
+          fieldPath: metadata.namespace
+    - name: INTERFACE_NAME
+      value: eth0
+    - name: PATH
+      value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+    - name: DEPENDENCY_SERVICE
+      value: "{{ tuple $deps.services $envAll | include "helm-toolkit.utils.comma_joined_service_list" }}"
+{{- if $deps.jobs -}}
+  {{- if kindIs "string" (index $deps.jobs 0) }}
+    - name: DEPENDENCY_JOBS
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.jobs }}"
+  {{- else }}
+    - name: DEPENDENCY_JOBS_JSON
+      value: {{- toJson $deps.jobs | quote -}}
+  {{- end -}}
+{{- end }}
+    - name: DEPENDENCY_DAEMONSET
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.daemonset }}"
+    - name: DEPENDENCY_CONTAINER
+      value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.container }}"
+    - name: DEPENDENCY_POD_JSON
+      value: {{ if $deps.pod }}{{ toJson $deps.pod | quote }}{{ else }}""{{ end }}
+    - name: DEPENDENCY_CUSTOM_RESOURCE
+      value: {{ if $deps.custom_resources }}{{ toJson $deps.custom_resources | quote }}{{ else }}""{{ end }}
+  command:
+    - kubernetes-entrypoint
+  volumeMounts:
+{{ toYaml $mounts | indent 4 }}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
new file mode 100644
index 0000000..34a7da3
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
@@ -0,0 +1,20 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_kubectl_params" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{ print "-l application=" $application " -l component=" $component }}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
new file mode 100644
index 0000000..92d3ea5
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders mandatory access control annotations for a list of containers
+  driven by values.yaml. As of now, it can only generate an apparmor
+  annotation, but in the future could generate others.
+values: |
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      myPodName:
+        myContainerName: localhost/myAppArmor
+        mySecondContainerName: localhost/secondProfile # optional
+        myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+  {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" }}
+return: |
+  container.apparmor.security.beta.kubernetes.io/myContainerName: localhost/myAppArmor
+  container.apparmor.security.beta.kubernetes.io/mySecondContainerName: localhost/secondProfile
+  container.apparmor.security.beta.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+  The number of container underneath is a variable arguments. It loops through
+  all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- $macType := $envAll.Values.pod.mandatory_access_control.type -}}
+{{- if $macType -}}
+{{- if eq $macType "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control $podName -}}
+{{- range $name := $containerNames -}}
+{{- $apparmorProfile := index $envAll.Values.pod.mandatory_access_control $podName $name -}}
+{{- if $apparmorProfile }}
+container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
new file mode 100644
index 0000000..48b53fa
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders a set of standardised labels
+values: |
+  release_group: null
+  pod:
+    labels:
+      default:
+        label1.example.com: value
+      bar:
+        label2.example.com: bar
+usage: |
+  {{ tuple . "foo" "bar" | include "helm-toolkit.snippets.kubernetes_metadata_labels" }}
+return: |
+  release_group: RELEASE-NAME
+  application: foo
+  component: bar
+  label1.example.com: value
+  label2.example.com: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+release_group: {{ $envAll.Values.release_group | default $envAll.Release.Name }}
+application: {{ $application }}
+component: {{ $component }}
+{{- if ($envAll.Values.pod).labels }}
+{{- if hasKey $envAll.Values.pod.labels $component }}
+{{ index $envAll.Values.pod "labels" $component | toYaml }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.labels "default" }}
+{{ $envAll.Values.pod.labels.default | toYaml }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
new file mode 100644
index 0000000..fabbcf8
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
@@ -0,0 +1,89 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes anti affinity rules, this function supports both hard
+  'requiredDuringSchedulingIgnoredDuringExecution' and soft
+  'preferredDuringSchedulingIgnoredDuringExecution' types.
+values: |
+  pod:
+    affinity:
+      anti:
+        topologyKey:
+          default: kubernetes.io/hostname
+        type:
+          default: requiredDuringSchedulingIgnoredDuringExecution
+        weight:
+          default: 10
+usage: |
+  {{ tuple . "appliction_x" "component_y" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" }}
+return: |
+  podAntiAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+    - labelSelector:
+        matchExpressions:
+          - key: release_group
+            operator: In
+            values:
+            - RELEASE-NAME
+          - key: application
+            operator: In
+            values:
+            - appliction_x
+          - key: component
+            operator: In
+            values:
+            - component_y
+          topologyKey: kubernetes.io/hostname
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $component := index . "component" -}}
+{{- $expressionRelease := dict "key" "release_group" "operator" "In"  "values" ( list ( $envAll.Values.release_group | default $envAll.Release.Name ) ) -}}
+{{- $expressionApplication := dict "key" "application" "operator" "In"  "values" ( list $application ) -}}
+{{- $expressionComponent := dict "key" "component" "operator" "In"  "values" ( list $component ) -}}
+{{- list $expressionRelease $expressionApplication $expressionComponent | toYaml }}
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{- $antiAffinityType := index $envAll.Values.pod.affinity.anti.type $component | default $envAll.Values.pod.affinity.anti.type.default }}
+{{- $antiAffinityKey := index $envAll.Values.pod.affinity.anti.topologyKey $component | default $envAll.Values.pod.affinity.anti.topologyKey.default }}
+podAntiAffinity:
+{{- $matchExpressions := include "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" ( dict "envAll" $envAll "application" $application "component" $component ) -}}
+{{- if eq $antiAffinityType "preferredDuringSchedulingIgnoredDuringExecution" }}
+  {{ $antiAffinityType }}:
+  - podAffinityTerm:
+      labelSelector:
+        matchExpressions:
+{{ $matchExpressions | indent 10 }}
+      topologyKey: {{ $antiAffinityKey }}
+{{- if  $envAll.Values.pod.affinity.anti.weight }}
+    weight: {{ index $envAll.Values.pod.affinity.anti.weight $component | default $envAll.Values.pod.affinity.anti.weight.default }}
+{{- else }}
+    weight: 10
+{{- end -}}
+{{- else if eq $antiAffinityType "requiredDuringSchedulingIgnoredDuringExecution" }}
+  {{ $antiAffinityType }}:
+  - labelSelector:
+      matchExpressions:
+{{ $matchExpressions | indent 8 }}
+    topologyKey: {{ $antiAffinityKey }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
new file mode 100644
index 0000000..74173dc
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders image pull secrets for a pod
+values: |
+  pod:
+    image_pull_secrets:
+      default:
+        - name: some-pull-secret
+      bar:
+        - name: another-pull-secret
+usage: |
+  {{ tuple . "bar" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" }}
+return: |
+  imagePullSecrets:
+    - name: some-pull-secret
+    - name: another-pull-secret
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_image_pull_secrets" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- if ($envAll.Values.pod).image_pull_secrets }}
+imagePullSecrets:
+{{- if hasKey $envAll.Values.pod.image_pull_secrets $application }}
+{{ index $envAll.Values.pod "image_pull_secrets" $application | toYaml | indent 2 }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.image_pull_secrets "default" }}
+{{ $envAll.Values.pod.image_pull_secrets.default | toYaml | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
new file mode 100644
index 0000000..90a7a65
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{{- $saName := index . 2 | replace "_" "-" }}
+{{- $saNamespace := index . 3 -}}
+{{- $releaseName := $envAll.Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $releaseName }}-{{ $saName }}
+  namespace: {{ $saNamespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $saName }}
+    namespace: {{ $saNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+  namespace: {{ $saNamespace }}
+rules:
+  - apiGroups:
+      - ""
+      - extensions
+      - batch
+      - apps
+    verbs:
+      - get
+      - list
+    resources:
+      {{- range $k, $v := $deps -}}
+      {{ if eq $v "daemonsets" }}
+      - daemonsets
+      {{- end -}}
+      {{ if eq $v "jobs" }}
+      - jobs
+      {{- end -}}
+      {{ if or (eq $v "pods") (eq $v "daemonsets") (eq $v "jobs") }}
+      - pods
+      {{- end -}}
+      {{ if eq $v "services" }}
+      - services
+      - endpoints
+      {{- end -}}
+      {{ if eq $v "secrets" }}
+      - secrets
+      {{- end -}}
+      {{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
new file mode 100644
index 0000000..bc2045e
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $saName := index . 2 -}}
+{{- $saNamespace := $envAll.Release.Namespace }}
+{{- $randomKey := randAlphaNum 32 }}
+{{- $allNamespace := dict $randomKey "" }}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $saName }}
+  namespace: {{ $saNamespace }}
+{{- if $envAll.Values.manifests.secret_registry }}
+{{- if $envAll.Values.endpoints.oci_image_registry.auth.enabled }}
+imagePullSecrets:
+  - name: {{ index $envAll.Values.secrets.oci_image_registry $envAll.Chart.Name }}
+{{- end -}}
+{{- end -}}
+{{- range $k, $v := $deps -}}
+{{- if eq $k "services" }}
+{{- range $serv := $v }}
+{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
+{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
+{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
+{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- else if and (eq $k "jobs") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "daemonset") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "pod") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "pods," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "secret") $v }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "secrets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- $_ := unset $allNamespace $randomKey }}
+{{- range $ns, $vv := $allNamespace }}
+{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
+{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
new file mode 100644
index 0000000..3a4fbaa
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
@@ -0,0 +1,67 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders securityContext for a Kubernetes pod.
+  For pod level, seurity context see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#podsecuritycontext-v1-core
+examples:
+  - values: |
+      pod:
+        # NOTE: The 'user' key is deprecated, and will be removed shortly.
+        user:
+          myApp:
+            uid: 34356
+        security_context:
+          myApp:
+            pod:
+              runAsNonRoot: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+    return: |
+      securityContext:
+        runAsUser: 34356
+        runAsNonRoot: true
+  - values: |
+      pod:
+        security_context:
+          myApp:
+            pod:
+              runAsUser: 34356
+              runAsNonRoot: true
+    usage: |
+      {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+    return: |
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+securityContext:
+{{- if hasKey $envAll.Values.pod "user" }}
+{{- if hasKey $envAll.Values.pod.user $application }}
+{{- if hasKey ( index $envAll.Values.pod.user $application ) "uid" }}
+  runAsUser: {{ index $envAll.Values.pod.user $application "uid" }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{ toYaml ( index $envAll.Values.pod.security_context $application "pod" ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
new file mode 100644
index 0000000..7470760
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes liveness and readiness probes for containers
+values: |
+  pod:
+    probes:
+      api:
+        default:
+          readiness:
+            enabled: true
+            params:
+              initialDelaySeconds: 30
+              timeoutSeconds: 30
+usage: |
+  {{- define "probeTemplate" }}
+  httpGet:
+    path: /status
+    port: 9090
+  {{- end }}
+  {{ dict "envAll" . "component" "api" "container" "default" "type" "readiness" "probeTemplate" (include "probeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" }}
+return: |
+  readinessProbe:
+    httpGet:
+      path: /status
+      port: 9090
+    initialDelaySeconds: 30
+    timeoutSeconds: 30
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_probe" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $container := index . "container" -}}
+{{- $type := index . "type" -}}
+{{- $probeTemplate := index . "probeTemplate" -}}
+{{- $probeOpts := index $envAll.Values.pod.probes $component $container $type -}}
+{{- if $probeOpts.enabled -}}
+{{- $probeOverides := index $probeOpts "params" | default dict -}}
+{{ dict ( printf "%sProbe" $type ) (mergeOverwrite $probeTemplate $probeOverides ) | toYaml }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
new file mode 100644
index 0000000..24d30cf
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
@@ -0,0 +1,53 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Note: This function is deprecated and will be removed in the future.
+
+abstract: |
+  Renders kubernetes resource limits for pods
+values: |
+  pod:
+    resources:
+      enabled: true
+      api:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+          hugepages-1Gi: "1Gi"
+
+usage: |
+  {{ include "helm-toolkit.snippets.kubernetes_resources" ( tuple . .Values.pod.resources.api ) }}
+return: |
+  resources:
+    limits:
+      cpu: "2000m"
+      memory: "1024Mi"
+      hugepages-1Gi: "1Gi"
+    requests:
+      cpu: "100m"
+      memory: "128Mi
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_resources" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- if $envAll.Values.pod.resources.enabled -}}
+resources:
+{{ toYaml $component | trim | indent 2 }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
new file mode 100644
index 0000000..555ffb0
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders seccomp annotations for a list of containers driven by values.yaml.
+values: |
+  pod:
+    seccomp:
+      myPodName:
+        myContainerName: localhost/mySeccomp
+        mySecondContainerName: localhost/secondProfile # optional
+        myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+  {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_seccomp_annotation" }}
+return: |
+  container.seccomp.security.alpha.kubernetes.io/myContainerName: localhost/mySeccomp
+  container.seccomp.security.alpha.kubernetes.io/mySecondContainerName: localhost/secondProfile
+  container.seccomp.security.alpha.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+  The number of container underneath is a variable arguments. It loops through
+  all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_seccomp_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey (index $envAll.Values.pod "seccomp") $podName -}}
+{{- range $name := $containerNames -}}
+{{- $seccompProfile := index $envAll.Values.pod.seccomp $podName $name -}}
+{{- if $seccompProfile }}
+container.seccomp.security.alpha.kubernetes.io/{{ $name }}: {{ $seccompProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
new file mode 100644
index 0000000..e4af6a6
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders kubernetes tolerations for pods
+values: |
+  pod:
+    tolerations:
+      api:
+        enabled: true
+        tolerations:
+        - key: node-role.kubernetes.io/master
+          operator: Exists
+        - key: node-role.kubernetes.io/node
+          operator: Exists
+
+usage: |
+  {{ include "helm-toolkit.snippets.kubernetes_tolerations" ( tuple . .Values.pod.tolerations.api ) }}
+return: |
+  tolerations:
+  - key: node-role.kubernetes.io/master
+    operator: Exists
+  - key: node-role.kubernetes.io/node
+    operator: Exists
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_tolerations" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $pod := index $envAll.Values.pod.tolerations $component }}
+tolerations:
+{{ toYaml $pod.tolerations }}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
new file mode 100644
index 0000000..69cee47
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_daemonset" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $upgradeMap := index $envAll.Values.pod.lifecycle.upgrades.daemonsets $component -}}
+{{- $pod_replacement_strategy := $envAll.Values.pod.lifecycle.upgrades.daemonsets.pod_replacement_strategy -}}
+{{- with $upgradeMap -}}
+{{- if .enabled }}
+minReadySeconds: {{ .min_ready_seconds }}
+updateStrategy:
+  type: {{ $pod_replacement_strategy }}
+  {{- if $pod_replacement_strategy }}
+  {{- if eq $pod_replacement_strategy "RollingUpdate" }}
+  rollingUpdate:
+    maxUnavailable: {{ .max_unavailable }}
+  {{- end }}
+  {{- end }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
new file mode 100644
index 0000000..be28cdb
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_deployment" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.deployments -}}
+revisionHistoryLimit: {{ .revision_history }}
+strategy:
+  type: {{ .pod_replacement_strategy }}
+  {{- if eq .pod_replacement_strategy "RollingUpdate" }}
+  rollingUpdate:
+    maxUnavailable: {{ .rolling_update.max_unavailable }}
+    maxSurge: {{ .rolling_update.max_surge }}
+  {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
new file mode 100644
index 0000000..f897023
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders upgradeStrategy configuration for Kubernetes statefulsets.
+  See: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+  Types:
+    - RollingUpdate (default)
+    - OnDelete
+  Partitions:
+    - Stage updates to a statefulset by keeping pods at current version while
+      allowing mutations to statefulset's .spec.template
+values: |
+  pod:
+    lifecycle:
+      upgrades:
+        statefulsets:
+          pod_replacement_strategy: RollingUpdate
+          partition: 2
+usage: |
+  {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_statefulset" | indent 2 }}
+return: |
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      partition: 2
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_statefulset" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.statefulsets -}}
+updateStrategy:
+  type: {{ .pod_replacement_strategy }}
+  {{ if .partition -}}
+  rollingUpdate:
+    partition: {{ .partition }}
+  {{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
new file mode 100644
index 0000000..fc74c6f
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
@@ -0,0 +1,68 @@
+{{- define "helm-toolkit.snippets.mon_host_from_k8s_ep" -}}
+{{/*
+
+Inserts a bash function definition mon_host_from_k8s_ep() which can be used
+to construct a mon_hosts value from the given namespaced endpoint.
+
+Usage (e.g. in _script.sh.tpl):
+    #!/bin/bash
+
+    : "${NS:=ceph}"
+    : "${EP:=ceph-mon-discovery}"
+
+    {{ include "helm-toolkit.snippets.mon_host_from_k8s_ep" . }}
+
+    MON_HOST=$(mon_host_from_k8s_ep "$NS" "$EP")
+
+    if [ -z "$MON_HOST" ]; then
+        # deal with failure
+    else
+        sed -i -e "s/^mon_host = /mon_host = $MON_HOST/" /etc/ceph/ceph.conf
+    fi
+*/}}
+{{`
+# Construct a mon_hosts value from the given namespaced endpoint
+# IP x.x.x.x with port p named "mon-msgr2" will appear as [v2:x.x.x.x/p/0]
+# IP x.x.x.x with port q named "mon" will appear as [v1:x.x.x.x/q/0]
+# IP x.x.x.x with ports p and q will appear as [v2:x.x.x.x/p/0,v1:x.x.x.x/q/0]
+# The entries for all IPs will be joined with commas
+mon_host_from_k8s_ep() {
+  local ns=$1
+  local ep=$2
+
+  if [ -z "$ns" ] || [ -z "$ep" ]; then
+    return 1
+  fi
+
+  # We don't want shell expansion for the go-template expression
+  # shellcheck disable=SC2016
+  kubectl get endpoints -n "$ns" "$ep" -o go-template='
+    {{- $sep := "" }}
+    {{- range $_,$s := .subsets }}
+      {{- $v2port := 0 }}
+      {{- $v1port := 0 }}
+      {{- range $_,$port := index $s "ports" }}
+        {{- if (eq $port.name "mon-msgr2") }}
+          {{- $v2port = $port.port }}
+        {{- else if (eq $port.name "mon") }}
+          {{- $v1port = $port.port }}
+        {{- end }}
+      {{- end }}
+      {{- range $_,$address := index $s "addresses" }}
+        {{- $v2endpoint := printf "v2:%s:%d/0" $address.ip $v2port }}
+        {{- $v1endpoint := printf "v1:%s:%d/0" $address.ip $v1port }}
+        {{- if (and $v2port $v1port) }}
+          {{- printf "%s[%s,%s]" $sep $v2endpoint $v1endpoint }}
+          {{- $sep = "," }}
+        {{- else if $v2port }}
+          {{- printf "%s[%s]" $sep $v2endpoint }}
+          {{- $sep = "," }}
+        {{- else if $v1port }}
+          {{- printf "%s[%s]" $sep $v1endpoint }}
+          {{- $sep = "," }}
+        {{- end }}
+      {{- end }}
+    {{- end }}'
+}
+`}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
new file mode 100644
index 0000000..fec41f8
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape jobs via pod
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape pods that have a value of `true`
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: Scrape the pod on the indicated port instead of the
+# pod's declared ports (default is a port-free target if none are declared).
+
+{{- define "helm-toolkit.snippets.prometheus_pod_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
new file mode 100644
index 0000000..a827c4b
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
@@ -0,0 +1,35 @@
+{{/*
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+   http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape endpoints via
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape services that have a value of `true`
+# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
+# to set this to `https` & most likely set the `tls_config` of the scrape config.
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: If the metrics are exposed on a different port to the
+# service then set this appropriately.
+
+{{- define "helm-toolkit.snippets.prometheus_service_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.scheme }}
+prometheus.io/scheme: {{ $config.scheme | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_release_uuid.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
new file mode 100644
index 0000000..253920b
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Reneders an attonation key and value for a release
+values: |
+  release_uuid: null
+usage: |
+  {{ tuple . | include "helm-toolkit.snippets.release_uuid" }}
+return: |
+  "openstackhelm.openstack.org/release_uuid": ""
+*/}}
+
+{{- define "helm-toolkit.snippets.release_uuid" -}}
+{{- $envAll := index . 0 -}}
+"openstackhelm.openstack.org/release_uuid": {{ $envAll.Values.release_uuid | default "" | quote }}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
new file mode 100644
index 0000000..a3169ce
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_admin_env_vars" }}
+{{- $s3AdminSecret := .s3AdminSecret }}
+- name: S3_ADMIN_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_USERNAME
+- name: S3_ADMIN_ACCESS_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_ACCESS_KEY
+- name: S3_ADMIN_SECRET_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3AdminSecret }}
+      key: S3_ADMIN_SECRET_KEY
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
new file mode 100644
index 0000000..a611a5e
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_secret_creds" }}
+{{- range $client, $config := .Values.storage.s3.clients -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+type: Opaque
+data:
+{{- range $key, $value := $config.auth }}
+  {{ $key | upper }}: {{ $value | toString | b64enc}}
+{{- end }}
+
+{{ end }}
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
new file mode 100644
index 0000000..a3dd431
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_user_env_vars" }}
+{{- range $client, $user := .Values.storage.s3.clients }}
+{{- $s3secret := printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+- name: {{ printf "%s_S3_USERNAME" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: USERNAME
+- name: {{ printf "%s_S3_ACCESS_KEY" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: ACCESS_KEY
+- name: {{ printf "%s_S3_SECRET_KEY" ($client | replace "-" "_" | upper) }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $s3secret }}
+      key: SECRET_KEY
+{{- end }}
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_tls_volume.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
new file mode 100644
index 0000000..41fe3d9
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+  Renders a secret volume for tls.
+
+  Dictionary Parameters:
+    enabled: boolean check if you want to conditional disable this snippet (optional)
+    name: name of the volume (required)
+    secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional)
+
+values: |
+  manifests:
+    certificates: true
+
+usage: |
+  {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume" -}}
+
+return: |
+  - name: glance-tls-api
+    secret:
+      secretName: glance-tls-api
+      defaultMode: 292
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $secretName := index . "secretName" | default $name -}}
+{{- if and $enabled (ne $name "") }}
+- name: {{ $name }}
+  secret:
+    secretName: {{ $secretName }}
+    defaultMode: 292
+{{- end }}
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
new file mode 100644
index 0000000..9cfa819
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
@@ -0,0 +1,82 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+  Renders a volume mount for TLS key, cert and CA.
+
+  Dictionary Parameters:
+    enabled: boolean check if you want to conditional disable this snippet (optional)
+    name: name that of the volume and should match the volume name (required)
+    path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required)
+    certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}.
+          the default is the full set. (optional)
+
+values: |
+  manifests:
+    certificates: true
+
+usage: |
+  {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/tls.crt
+    subPath: tls.crt
+    readOnly: true
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/tls.key
+    subPath: tls.key
+    readOnly: true
+  - name: glance-tls-api
+    mountPath: /etc/glance/certs/ca.crt
+    subPath: ca.crt
+    readOnly: true
+
+abstract: |
+  This mounts a specific issuing CA only for service validation
+
+usage: |
+  {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}}
+  {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+  - name: glance-tls-api
+    mountPath: /etc/ssl/certs/openstack-helm.crt
+    subPath: ca.crt
+    readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume_mount" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $path := index . "path" | default "" -}}
+{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }}
+{{- if $enabled }}
+{{- if and (eq $path "") (ne $name "") }}
+- name: {{ $name }}
+  mountPath: "/etc/ssl/certs/openstack-helm.crt"
+  subPath: ca.crt
+  readOnly: true
+{{- else }}
+{{- if ne $name "" }}
+{{- range $key, $value := $certs }}
+- name: {{ $name }}
+  mountPath: {{ printf "%s/%s" $path $value }}
+  subPath: {{ $value }}
+  readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
new file mode 100644
index 0000000..6e9d5a1
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
@@ -0,0 +1,87 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Renders out configuration sections into a format suitable for incorporation
+  into a config-map. Allowing various forms of input to be rendered out as
+  appropriate.
+values: |
+  conf:
+    inputs:
+      - foo
+      - bar
+    some:
+      config_to_render: |
+        #We can use all of gotpl here: eg macros, ranges etc.
+        {{ include "helm-toolkit.utils.joinListWithComma" .Values.conf.inputs }}
+      config_to_complete:
+        #here we can fill out params, but things need to be valid yaml as input
+        '{{ .Release.Name }}': '{{ printf "%s-%s" .Release.Namespace "namespace" }}'
+      static_config:
+        #this is just passed though as yaml to the configmap
+        foo: bar
+usage: |
+  {{- $envAll := . }}
+  ---
+  apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: application-etc
+  data:
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_render "key" "config_to_render.conf") | indent 2 }}
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_complete "key" "config_to_complete.yaml") | indent 2 }}
+  {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.static_config "key" "static_config.yaml") | indent 2 }}
+return: |
+  ---
+  apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: application-etc
+  data:
+    config_to_render.conf: |
+      #We can use all of gotpl here: eg macros, ranges etc.
+      foo,bar
+
+    config_to_complete.yaml: |
+      'RELEASE-NAME': 'default-namespace'
+
+    static_config.yaml: |
+      foo: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.values_template_renderer" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $template := index . "template" -}}
+{{- $key := index . "key" -}}
+{{- $format := index . "format" | default "configMap" -}}
+{{- with $envAll -}}
+{{- $templateRendered := tpl ( $template | toYaml ) . }}
+{{- if eq $format "Secret" }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: {{ regexReplaceAllLiteral "\n  " ( $templateRendered | trimPrefix "|\n" | trimPrefix "  " ) "\n" | b64enc }}
+{{- else }}
+{{ $key }}: {{ $templateRendered | b64enc }}
+{{- end -}}
+{{- else }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: |
+{{ regexReplaceAllLiteral "\n  " ( $templateRendered | trimPrefix "|\n" | trimPrefix "  " ) "\n" | indent 2 }}
+{{- else }}
+{{ $key }}: |
+{{ $templateRendered | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl b/charts/senlin/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
new file mode 100644
index 0000000..6d617a1
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
@@ -0,0 +1,94 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Produces a certificate from a certificate authority. If the "encode" parameter
+  is true, base64 encode the values for inclusion in a Kubernetes secret.
+values: |
+  test:
+    hosts:
+      names:
+        - barbican.openstackhelm.example
+        - barbican.openstack.svc.cluster.local
+      ips:
+        - 127.0.0.1
+        - 192.168.0.1
+    life: 3
+    # Use ca.crt and ca.key to build a customized ca, if they are provided.
+    # Use hosts.names[0] and life to auto-generate a ca, if ca is not provided.
+    ca:
+      crt: |
+        <CA CRT>
+      key: |
+        <CA PRIVATE KEY>
+usage: |
+  {{ include "helm-toolkit.utils.tls_generate_certs" (dict "params" .Values.test) }}
+return: |
+  ca: |
+    <CA CRT>
+  crt: |
+    <CRT>
+  exp: 2018-09-01T10:56:07.895392915-00:00
+  key: |
+    <CRT PRIVATE KEY>
+*/}}
+
+{{- define "helm-toolkit.utils.tls_generate_certs" -}}
+{{- $params := index . "params" -}}
+{{- $encode := index . "encode" | default false -}}
+{{- $local := dict -}}
+
+{{- $_hosts := $params.hosts.names | default list }}
+{{- if kindIs "string" $params.hosts.names }}
+{{- $_ := set $local "certHosts" (list $params.hosts.names) }}
+{{- else }}
+{{- $_ := set $local "certHosts" $_hosts }}
+{{- end }}
+
+{{- $_ips := $params.hosts.ips | default list }}
+{{- if kindIs "string" $params.hosts.ips }}
+{{- $_ := set $local "certIps" (list $params.hosts.ips) }}
+{{- else }}
+{{- $_ := set $local "certIps" $_ips }}
+{{- end }}
+
+{{- if hasKey $params "ca" }}
+{{- if and (hasKey $params.ca "crt") (hasKey $params.ca "key") }}
+{{- $ca := buildCustomCert ($params.ca.crt | b64enc ) ($params.ca.key | b64enc ) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+{{- else }}
+{{- $ca := genCA (first $local.certHosts) (int $params.life) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+
+{{- $expDate := date_in_zone "2006-01-02T15:04:05Z07:00" ( date_modify (printf "+%sh" (mul $params.life 24 |toString)) now ) "UTC" }}
+{{- $rawCert := genSignedCert (first $local.certHosts) ($local.certIps) ($local.certHosts) (int $params.life) $local.ca }}
+{{- $certificate := dict -}}
+{{- if $encode -}}
+{{- $_ := b64enc $rawCert.Cert | set $certificate "crt" -}}
+{{- $_ := b64enc $rawCert.Key | set $certificate "key" -}}
+{{- $_ := b64enc $local.ca.Cert | set $certificate "ca" -}}
+{{- $_ := b64enc $local.ca.Key | set $certificate "caKey" -}}
+{{- $_ := b64enc $expDate | set $certificate "exp" -}}
+{{- else -}}
+{{- $_ := set $certificate "crt" $rawCert.Cert -}}
+{{- $_ := set $certificate "key" $rawCert.Key -}}
+{{- $_ := set $certificate "ca" $local.ca.Cert -}}
+{{- $_ := set $certificate "caKey" $local.ca.Key -}}
+{{- $_ := set $certificate "exp" $expDate -}}
+{{- end -}}
+{{- $certificate | toYaml }}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl b/charts/senlin/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
new file mode 100644
index 0000000..e26501f
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a comma separated list of namespace:service pairs.
+values: |
+  dependencies:
+    static:
+      api:
+        services:
+          - endpoint: internal
+            service: oslo_cache
+          - endpoint: internal
+            service: oslo_db
+  endpoints:
+    oslo_db:
+      namespace: foo
+      hosts:
+        default: mariadb
+    oslo_cache:
+      namespace: bar
+      hosts:
+        default: memcache
+usage: |
+  {{ tuple .Values.dependencies.static.api.services . | include "helm-toolkit.utils.comma_joined_service_list" }}
+return: |
+  bar:memcache,foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.utils.comma_joined_service_list" -}}
+{{- $deps := index . 0 -}}
+{{- $envAll := index . 1 -}}
+{{- range $k, $v := $deps -}}{{- if $k -}},{{- end -}}{{ tuple $v.service $v.endpoint $envAll | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/utils/_configmap_templater.tpl b/charts/senlin/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
new file mode 100644
index 0000000..7095c19
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
@@ -0,0 +1,30 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.configmap_templater" }}
+{{- $keyRoot := index . 0 -}}
+{{- $configTemplate := index . 1 -}}
+{{- $context := index . 2 -}}
+{{ if $keyRoot.override -}}
+{{ $keyRoot.override | indent 4 }}
+{{- else -}}
+{{- if $keyRoot.prefix -}}
+{{ $keyRoot.prefix | indent 4 }}
+{{- end }}
+{{ tuple $configTemplate $context | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if $keyRoot.append -}}
+{{ $keyRoot.append | indent 4 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl b/charts/senlin/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
new file mode 100644
index 0000000..40359f0
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
@@ -0,0 +1,269 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.daemonset_overrides" }}
+  {{- $daemonset := index . 0 }}
+  {{- $daemonset_yaml := index . 1 }}
+  {{- $configmap_include := index . 2 }}
+  {{- $configmap_name := index . 3 }}
+  {{- $context := index . 4 }}
+  {{- $_ := unset $context ".Files" }}
+  {{- $daemonset_root_name := printf (print $context.Chart.Name "_" $daemonset) }}
+  {{- $_ := set $context.Values "__daemonset_list" list }}
+  {{- $_ := set $context.Values "__default" dict }}
+  {{- if hasKey $context.Values.conf "overrides" }}
+    {{- range $key, $val := $context.Values.conf.overrides }}
+
+      {{- if eq $key $daemonset_root_name }}
+        {{- range $type, $type_data := . }}
+
+          {{- if eq $type "hosts" }}
+            {{- range $host_data := . }}
+              {{/* dictionary that will contain all info needed to generate this
+              iteration of the daemonset */}}
+              {{- $current_dict := dict }}
+
+              {{/* set daemonset name */}}
+              {{/* Note: long hostnames can cause the 63 char name limit to be
+              exceeded. Truncate the hostname if hostname > 20 char */}}
+              {{- if gt (len $host_data.name) 20 }}
+                {{- $_ := set $current_dict "name" (substr 0 20 $host_data.name) }}
+              {{- else }}
+                {{- $_ := set $current_dict "name" $host_data.name }}
+              {{- end }}
+
+              {{/* apply overrides */}}
+              {{- $override_conf_copy := $host_data.conf }}
+              {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+              {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+              {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+              {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+              {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+              {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+              {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+              {{- $_ := set $current_dict "nodeData" $root_conf_copy4 }}
+
+              {{/* Schedule to this host explicitly. */}}
+              {{- $nodeSelector_dict := dict }}
+
+              {{- $_ := set $nodeSelector_dict "key" "kubernetes.io/hostname" }}
+              {{- $_ := set $nodeSelector_dict "operator" "In" }}
+
+              {{- $values_list := list $host_data.name }}
+              {{- $_ := set $nodeSelector_dict "values" $values_list }}
+
+              {{- $list_aggregate := list $nodeSelector_dict }}
+              {{- $_ := set $current_dict "matchExpressions" $list_aggregate }}
+
+              {{/* store completed daemonset entry/info into global list */}}
+              {{- $list_aggregate := append $context.Values.__daemonset_list $current_dict }}
+              {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+            {{- end }}
+          {{- end }}
+
+          {{- if eq $type "labels" }}
+            {{- $_ := set $context.Values "__label_list" . }}
+            {{- range $label_data := . }}
+              {{/* dictionary that will contain all info needed to generate this
+              iteration of the daemonset. */}}
+              {{- $_ := set $context.Values "__current_label" dict }}
+
+              {{/* set daemonset name */}}
+              {{- $_ := set $context.Values.__current_label "name" $label_data.label.key }}
+
+              {{/* apply overrides */}}
+              {{- $override_conf_copy := $label_data.conf }}
+              {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+              {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+              {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+              {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+              {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+              {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+              {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+              {{- $_ := set $context.Values.__current_label "nodeData" $root_conf_copy4 }}
+
+              {{/* Schedule to the provided label value(s) */}}
+              {{- $label_dict := omit $label_data.label "NULL" }}
+              {{- $_ := set $label_dict "operator" "In" }}
+              {{- $list_aggregate := list $label_dict }}
+              {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+
+              {{/* Do not schedule to other specified labels, with higher
+              precedence as the list position increases. Last defined label
+              is highest priority. */}}
+              {{- $other_labels := without $context.Values.__label_list $label_data }}
+              {{- range $label_data2 := $other_labels }}
+                {{- $label_dict := omit $label_data2.label "NULL" }}
+
+                {{- $_ := set $label_dict "operator" "NotIn" }}
+
+                {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+                {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+              {{- end }}
+              {{- $_ := set $context.Values "__label_list" $other_labels }}
+
+              {{/* Do not schedule to any other specified hosts */}}
+              {{- range $type, $type_data := $val }}
+                {{- if eq $type "hosts" }}
+                  {{- range $host_data := . }}
+                    {{- $label_dict := dict }}
+
+                    {{- $_ := set $label_dict "key" "kubernetes.io/hostname" }}
+                    {{- $_ := set $label_dict "operator" "NotIn" }}
+
+                    {{- $values_list := list $host_data.name }}
+                    {{- $_ := set $label_dict "values" $values_list }}
+
+                    {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+                    {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+                  {{- end }}
+                {{- end }}
+              {{- end }}
+
+              {{/* store completed daemonset entry/info into global list */}}
+              {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__current_label }}
+              {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+              {{- $_ := unset $context.Values "__current_label" }}
+
+            {{- end }}
+          {{- end }}
+        {{- end }}
+
+        {{/* scheduler exceptions for the default daemonset */}}
+        {{- $_ := set $context.Values.__default "matchExpressions" list }}
+
+        {{- range $type, $type_data := . }}
+          {{/* Do not schedule to other specified labels */}}
+          {{- if eq $type "labels" }}
+            {{- range $label_data := . }}
+              {{- $default_dict := omit $label_data.label "NULL" }}
+
+              {{- $_ := set $default_dict "operator" "NotIn" }}
+
+              {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+              {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+            {{- end }}
+          {{- end }}
+          {{/* Do not schedule to other specified hosts */}}
+          {{- if eq $type "hosts" }}
+            {{- range $host_data := . }}
+              {{- $default_dict := dict }}
+
+              {{- $_ := set $default_dict "key" "kubernetes.io/hostname" }}
+              {{- $_ := set $default_dict "operator" "NotIn" }}
+
+              {{- $values_list := list $host_data.name }}
+              {{- $_ := set $default_dict "values" $values_list }}
+
+              {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+              {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+            {{- end }}
+          {{- end }}
+        {{- end }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+
+  {{/* generate the default daemonset */}}
+
+  {{/* set name */}}
+  {{- $_ := set $context.Values.__default "name" "default" }}
+
+  {{/* no overrides apply, so copy as-is */}}
+  {{- $root_conf_copy1 := omit $context.Values.conf "overrides" }}
+  {{- $root_conf_copy2 := dict "conf" $root_conf_copy1 }}
+  {{- $context_values := omit $context.Values "conf" }}
+  {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+  {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+  {{- $_ := set $context.Values.__default "nodeData" $root_conf_copy4 }}
+
+  {{/* add to global list */}}
+  {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__default }}
+  {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+  {{- range $current_dict := $context.Values.__daemonset_list }}
+
+    {{- $context_novalues := omit $context "Values" }}
+    {{- $merged_dict := mergeOverwrite $context_novalues $current_dict.nodeData }}
+    {{- $_ := set $current_dict "nodeData" $merged_dict }}
+    {{/* Deep copy original daemonset_yaml */}}
+    {{- $_ := set $context.Values "__daemonset_yaml" ($daemonset_yaml | toYaml | fromYaml) }}
+
+    {{/* name needs to be a DNS-1123 compliant name. Ensure lower case */}}
+    {{- $name_format1 := printf (print $daemonset_root_name "-" $current_dict.name) | lower }}
+    {{/* labels may contain underscores which would be invalid here, so we replace them with dashes
+    there may be other valid label names which would make for an invalid DNS-1123 name
+    but these will be easier to handle in future with sprig regex* functions
+    (not availabile in helm 2.5.1) */}}
+    {{- $name_format2 := $name_format1 | replace "_" "-" }}
+    {{/* To account for the case where the same label is defined multiple times in overrides
+    (but with different label values), we add a sha of the scheduling data to ensure
+    name uniqueness */}}
+    {{- $_ := set $current_dict "dns_1123_name" dict }}
+    {{- if hasKey $current_dict "matchExpressions" }}
+      {{- $_ := set $current_dict "dns_1123_name" (printf (print $name_format2 "-" ($current_dict.matchExpressions | quote | sha256sum | trunc 8))) }}
+    {{- else }}
+      {{- $_ := set $current_dict "dns_1123_name" $name_format2 }}
+    {{- end }}
+
+    {{/* set daemonset metadata name */}}
+    {{- if not $context.Values.__daemonset_yaml.metadata }}{{- $_ := set $context.Values.__daemonset_yaml "metadata" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }}
+    {{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }}
+
+    {{/* cross-reference configmap name to container volume definitions */}}
+    {{- $_ := set $context.Values "__volume_list" list }}
+    {{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }}
+      {{- $_ := set $context.Values "__volume" $current_volume }}
+      {{- if hasKey $context.Values.__volume "secret" }}
+        {{- if eq $context.Values.__volume.secret.secretName $configmap_name }}
+          {{- $_ := set $context.Values.__volume.secret "secretName" $current_dict.dns_1123_name }}
+        {{- end }}
+      {{- end }}
+      {{- $updated_list := append $context.Values.__volume_list $context.Values.__volume }}
+      {{- $_ := set $context.Values "__volume_list" $updated_list }}
+    {{- end }}
+    {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "volumes" $context.Values.__volume_list }}
+
+
+    {{/* populate scheduling restrictions */}}
+    {{- if hasKey $current_dict "matchExpressions" }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "spec" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "affinity" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity "nodeAffinity" dict }}{{- end }}
+      {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity "requiredDuringSchedulingIgnoredDuringExecution" dict }}{{- end }}
+      {{- $match_exprs := dict }}
+      {{- $_ := set $match_exprs "matchExpressions" $current_dict.matchExpressions }}
+      {{- $appended_match_expr := list $match_exprs }}
+      {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution "nodeSelectorTerms" $appended_match_expr }}
+    {{- end }}
+
+    {{/* input value hash for current set of values overrides */}}
+    {{- if not $context.Values.__daemonset_yaml.spec }}{{- $_ := set $context.Values.__daemonset_yaml "spec" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template }}{{- $_ := set $context.Values.__daemonset_yaml.spec "template" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template.metadata }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "metadata" dict }}{{- end }}
+    {{- if not $context.Values.__daemonset_yaml.spec.template.metadata.annotations }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata "annotations" dict }}{{- end }}
+    {{- $cmap := list $current_dict.dns_1123_name $current_dict.nodeData | include $configmap_include }}
+    {{- $values_hash := $cmap | quote | sha256sum }}
+    {{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata.annotations "configmap-etc-hash" $values_hash }}
+
+    {{/* generate configmap */}}
+---
+{{ $cmap }}
+    {{/* generate daemonset yaml */}}
+---
+{{ $context.Values.__daemonset_yaml | toYaml }}
+  {{- end }}
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl b/charts/senlin/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
new file mode 100644
index 0000000..b99c00d
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.dependency_resolver" }}
+{{- $envAll := index . "envAll" -}}
+{{- $dependencyMixinParam := index . "dependencyMixinParam" -}}
+{{- $dependencyKey := index . "dependencyKey" -}}
+{{- if $dependencyMixinParam -}}
+{{- $_ := set $envAll.Values "pod_dependency" dict -}}
+{{- if kindIs "string" $dependencyMixinParam }}
+{{- if ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam ) }}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency ( index $envAll.Values.dependencies.static $dependencyKey ) ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam $dependencyKey ) ) -}}
+{{- else }}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- end }}
+{{- else if kindIs "slice" $dependencyMixinParam }}
+{{- $_ := set $envAll.Values "__deps" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- range $k, $v := $dependencyMixinParam -}}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency $envAll.Values.__deps ( index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey ) ) -}}
+{{- $_ := set $envAll.Values "__deps" $envAll.Values.pod_dependency -}}
+{{- end }}
+{{- end }}
+{{- else -}}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) -}}
+{{- end -}}
+{{ $envAll.Values.pod_dependency | toYaml }}
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/utils/_hash.tpl b/charts/senlin/charts/helm-toolkit/templates/utils/_hash.tpl
new file mode 100644
index 0000000..d871b62
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/utils/_hash.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.hash" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{- include $wtf $context | sha256sum | quote -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/utils/_host_list.tpl b/charts/senlin/charts/helm-toolkit/templates/utils/_host_list.tpl
new file mode 100644
index 0000000..0c32136
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/utils/_host_list.tpl
@@ -0,0 +1,44 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns a list of unique hosts for an endpoint, in yaml.
+values: |
+  endpoints:
+    cluster_domain_suffix: cluster.local
+    oslo_db:
+      hosts:
+        default: mariadb
+      host_fqdn_override:
+        default: mariadb
+usage: |
+  {{ tuple "oslo_db" "internal" . | include "helm-toolkit.utils.host_list" }}
+return: |
+  hosts:
+  - mariadb
+  - mariadb.default
+*/}}
+
+{{- define "helm-toolkit.utils.host_list" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $host_fqdn := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $host_namespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $host_short := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{/* It is important that the FQDN host is 1st in this list, to ensure other function can use the 1st element for cert gen CN etc */}}
+{{- $host_list := list $host_fqdn $host_namespaced $host_short | uniq }}
+{{- dict "hosts" $host_list | toYaml }}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/utils/_image_sync_list.tpl b/charts/senlin/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
new file mode 100644
index 0000000..51923b6
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.image_sync_list" -}}
+{{- $imageExcludeList := .Values.images.local_registry.exclude -}}
+{{- $imageDict := .Values.images.tags -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := $imageDict -}}
+{{- if not $local.first -}},{{- end -}}
+{{- if (not (has $k $imageExcludeList )) -}}
+{{- index $imageDict $k -}}
+{{- $_ := set $local "first" false -}}
+{{- end -}}{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl b/charts/senlin/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
new file mode 100644
index 0000000..5eb5785
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a comma separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithComma" .Values.test }}
+return: |
+  foo,bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithComma" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl b/charts/senlin/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
new file mode 100644
index 0000000..3bc6819
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a comma seperated string with single quotes
+  around each value.
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.test }}
+return: |
+  'foo','bar'
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}'{{- $v -}}'{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl b/charts/senlin/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
new file mode 100644
index 0000000..40ebb15
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
@@ -0,0 +1,32 @@
+{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of prefixed values into a space separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ tuple "prefix" .Values.test | include "helm-toolkit.utils.joinListWithPrefix" }}
+return: |
+  prefixfoo prefixbar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithPrefix" -}}
+{{- $prefix := index . 0 -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := index . 1 -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $prefix -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl b/charts/senlin/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
new file mode 100644
index 0000000..5912280
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Joins a list of values into a space separated string
+values: |
+  test:
+    - foo
+    - bar
+usage: |
+  {{ include "helm-toolkit.utils.joinListWithSpace" .Values.test }}
+return: |
+  foo bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithSpace" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/utils/_merge.tpl b/charts/senlin/charts/helm-toolkit/templates/utils/_merge.tpl
new file mode 100644
index 0000000..ea80546
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/utils/_merge.tpl
@@ -0,0 +1,135 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Takes a tuple of values and merges into the first (target) one each subsequent
+(source) one in order. If all values to merge are maps, then the tuple can be
+passed as is and the target will be the result, otherwise pass a map with a
+"values" key containing the tuple of values to merge, and the merge result will
+be assigned to the "result" key of the passed map.
+
+When merging maps, for each key in the source, if the target does not define
+that key, the source value is assigned. If both define the key, then the key
+values are merged using this algorithm (recursively) and the result is assigned
+to the target key. Slices are merged by appending them and removing any
+duplicates, and when passing a map to this function and including a
+"merge_same_named" key set to true, then map items from the slices with the same
+value for the "name" key will be merged with each other. Any other values are
+merged by simply keeping the source, and throwing away the target.
+*/}}
+
+{{- define "helm-toolkit.utils.merge" -}}
+  {{- $local := dict -}}
+  {{- $_ := set $local "merge_same_named" false -}}
+  {{- if kindIs "map" $ -}}
+    {{- $_ := set $local "values" $.values -}}
+    {{- if hasKey $ "merge_same_named" -}}
+      {{- $_ := set $local "merge_same_named" $.merge_same_named -}}
+    {{- end -}}
+  {{- else -}}
+    {{- $_ := set $local "values" $ -}}
+  {{- end -}}
+
+  {{- $target := first $local.values -}}
+  {{- range $item := rest $local.values -}}
+    {{- $call := dict "target" $target "source" . "merge_same_named" $local.merge_same_named -}}
+    {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+    {{- $_ := set $local "result" $call.result -}}
+  {{- end -}}
+
+  {{- if kindIs "map" $ -}}
+    {{- $_ := set $ "result" $local.result -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge" -}}
+  {{- $local := dict -}}
+
+  {{- $_ := set $ "result" $.source -}}
+
+  {{/*
+  TODO: Should we `fail` when trying to merge a collection (map or slice) with
+  either a different kind of collection or a scalar?
+  */}}
+
+  {{- if and (kindIs "map" $.target) (kindIs "map" $.source) -}}
+    {{- range $key, $sourceValue := $.source -}}
+      {{- if not (hasKey $.target $key) -}}
+        {{- $_ := set $local "newTargetValue" $sourceValue -}}
+        {{- if kindIs "map" $sourceValue -}}
+          {{- $copy := dict -}}
+          {{- $call := dict "target" $copy "source" $sourceValue -}}
+          {{- $_ := include "helm-toolkit.utils._merge.shallow" $call -}}
+          {{- $_ := set $local "newTargetValue" $copy -}}
+        {{- end -}}
+      {{- else -}}
+        {{- $targetValue := index $.target $key -}}
+        {{- $call := dict "target" $targetValue "source" $sourceValue "merge_same_named" $.merge_same_named -}}
+        {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+        {{- $_ := set $local "newTargetValue" $call.result -}}
+      {{- end -}}
+      {{- $_ := set $.target $key $local.newTargetValue -}}
+    {{- end -}}
+    {{- $_ := set $ "result" $.target -}}
+  {{- else if and (kindIs "slice" $.target) (kindIs "slice" $.source) -}}
+    {{- $call := dict "target" $.target "source" $.source -}}
+    {{- $_ := include "helm-toolkit.utils._merge.append_slice" $call -}}
+    {{- if $.merge_same_named -}}
+      {{- $_ := set $local "result" list -}}
+      {{- $_ := set $local "named_items" dict -}}
+      {{- range $item := $call.result -}}
+      {{- $_ := set $local "has_name_key" false -}}
+        {{- if kindIs "map" $item -}}
+          {{- if hasKey $item "name" -}}
+            {{- $_ := set $local "has_name_key" true -}}
+          {{- end -}}
+        {{- end -}}
+
+        {{- if $local.has_name_key -}}
+          {{- if hasKey $local.named_items $item.name -}}
+            {{- $named_item := index $local.named_items $item.name -}}
+            {{- $call := dict "target" $named_item "source" $item "merge_same_named" $.merge_same_named -}}
+            {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+          {{- else -}}
+            {{- $copy := dict -}}
+            {{- $copy_call := dict "target" $copy "source" $item -}}
+            {{- $_ := include "helm-toolkit.utils._merge.shallow" $copy_call -}}
+            {{- $_ := set $local.named_items $item.name $copy -}}
+            {{- $_ := set $local "result" (append $local.result $copy) -}}
+          {{- end -}}
+        {{- else -}}
+          {{- $_ := set $local "result" (append $local.result $item) -}}
+        {{- end -}}
+      {{- end -}}
+    {{- else -}}
+      {{- $_ := set $local "result" $call.result -}}
+    {{- end -}}
+    {{- $_ := set $ "result" (uniq $local.result) -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.shallow" -}}
+  {{- range $key, $value := $.source -}}
+    {{- $_ := set $.target $key $value -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.append_slice" -}}
+  {{- $local := dict -}}
+  {{- $_ := set $local "result" $.target -}}
+  {{- range $value := $.source -}}
+    {{- $_ := set $local "result" (append $local.result $value) -}}
+  {{- end -}}
+  {{- $_ := set $ "result" $local.result -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/utils/_template.tpl b/charts/senlin/charts/helm-toolkit/templates/utils/_template.tpl
new file mode 100644
index 0000000..da56aa0
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/utils/_template.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.template" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{ include $wtf $context }}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/utils/_to_ini.tpl b/charts/senlin/charts/helm-toolkit/templates/utils/_to_ini.tpl
new file mode 100644
index 0000000..a159364
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/utils/_to_ini.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns INI formatted output from yaml input
+values: |
+  conf:
+    paste:
+      filter:debug:
+        use: egg:oslo.middleware#debug
+      filter:request_id:
+        use: egg:oslo.middleware#request_id
+      filter:build_auth_context:
+        use: egg:keystone#build_auth_context
+usage: |
+  {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste }}
+return: |
+  [filter:build_auth_context]
+  use = egg:keystone#build_auth_context
+  [filter:debug]
+  use = egg:oslo.middleware#debug
+  [filter:request_id]
+  use = egg:oslo.middleware#request_id
+*/}}
+
+{{- define "helm-toolkit.utils.to_ini" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{else -}}
+{{ $key }} = {{ $value }}
+{{end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl b/charts/senlin/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
new file mode 100644
index 0000000..885a86c
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns yaml formatted to be used in k8s templates as container
+  env vars injected via secrets. This requires a secret-<chartname> template to
+  be defined in the chart that can be used to house the desired secret
+  variables. For reference, see the fluentd chart.
+values: |
+  test:
+    secrets:
+      foo: bar
+
+usage: |
+  {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+  - name: foo
+    valueFrom:
+      secretKeyRef:
+        name: "my-release-name-env-secret"
+        key: foo
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_secret_vars" -}}
+{{- $context := index . 0 -}}
+{{- $secrets := index . 1 -}}
+{{ range $key, $config := $secrets -}}
+- name: {{ $key }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ printf "%s-%s" $context.Release.Name "env-secret" | quote }}
+      key: {{ $key }}
+{{ end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl b/charts/senlin/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
new file mode 100644
index 0000000..829dca6
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
@@ -0,0 +1,39 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns key value pair formatted to be used in k8s templates as container
+  env vars.
+values: |
+  test:
+    foo: bar
+usage: |
+  {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+  - name: foo
+    value: "bar"
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_vars" -}}
+{{range $key, $value := . -}}
+{{- if kindIs "slice" $value -}}
+- name: {{ $key }}
+  value: {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{else -}}
+- name: {{ $key }}
+  value: {{ $value | quote }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/utils/_to_kv_list.tpl b/charts/senlin/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
new file mode 100644
index 0000000..91bdeb6
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
@@ -0,0 +1,42 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns key value pair in INI format (key = value)
+values: |
+  conf:
+    libvirt:
+      log_level: 3
+usage: |
+  {{ include "helm-toolkit.utils.to_kv_list" .Values.conf.libvirt }}
+return: |
+  log_level = 3
+*/}}
+
+{{- define "helm-toolkit.utils.to_kv_list" -}}
+{{- range $key, $value :=  . -}}
+{{- if kindIs "slice" $value }}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{- else if kindIs "string" $value }}
+{{- if regexMatch "^[0-9]+$" $value }}
+{{ $key }} = {{ $value }}
+{{- else }}
+{{ $key }} = {{ $value | quote }}
+{{- end }}
+{{- else }}
+{{ $key }} = {{ $value }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl b/charts/senlin/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
new file mode 100644
index 0000000..622a862
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns OSLO.conf formatted output from yaml input
+values: |
+  conf:
+    keystone:
+      DEFAULT: # Keys at this level are used for section headings
+        max_token_size: 255
+      oslo_messaging_notifications:
+        driver: # An example of a multistring option's syntax
+          type: multistring
+          values:
+            - messagingv2
+            - log
+      oslo_messaging_notifications_stein:
+        driver: # An example of a csv option's syntax
+          type: csv
+          values:
+            - messagingv2
+            - log
+      security_compliance:
+        password_expires_ignore_user_ids:
+        # Values in a list will be converted to a comma separated key
+          - "123"
+          - "456"
+usage: |
+  {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.keystone }}
+return: |
+  [DEFAULT]
+  max_token_size = 255
+  [oslo_messaging_notifications]
+  driver = messagingv2
+  driver = log
+  [oslo_messaging_notifications_stein]
+  driver = messagingv2,log
+  [security_compliance]
+  password_expires_ignore_user_ids = 123,456
+*/}}
+
+{{- define "helm-toolkit.utils.to_oslo_conf" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{ range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{ else if kindIs "map" $value -}}
+{{- if eq $value.type "multistring" }}
+{{- range $k, $multistringValue := $value.values -}}
+{{ $key }} = {{ $multistringValue }}
+{{ end -}}
+{{ else if eq $value.type "csv" -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value.values }}
+{{ end -}}
+{{- else -}}
+{{ $key }} = {{ $value }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/values.yaml b/charts/senlin/charts/helm-toolkit/values.yaml
new file mode 100644
index 0000000..681a92b
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/values.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for utils.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
diff --git a/charts/senlin/requirements.lock b/charts/senlin/requirements.lock
new file mode 100644
index 0000000..8fc523d
--- /dev/null
+++ b/charts/senlin/requirements.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: helm-toolkit
+  repository: file://../../openstack-helm-infra/helm-toolkit
+  version: 0.2.44
+digest: sha256:d3a834e34152bf30319ac30e116adc128b474ca63bbbe0fb323a7a2365a56455
+generated: "2022-08-10T23:42:35.775397606Z"
diff --git a/charts/senlin/requirements.yaml b/charts/senlin/requirements.yaml
new file mode 100644
index 0000000..4124d01
--- /dev/null
+++ b/charts/senlin/requirements.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+  - name: helm-toolkit
+    repository: file://../../openstack-helm-infra/helm-toolkit
+    version: ">= 0.1.0"
diff --git a/charts/senlin/templates/bin/_bootstrap.sh.tpl b/charts/senlin/templates/bin/_bootstrap.sh.tpl
new file mode 100644
index 0000000..6452d0a
--- /dev/null
+++ b/charts/senlin/templates/bin/_bootstrap.sh.tpl
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+{{ .Values.bootstrap.script | default "echo 'Not Enabled'" }}
diff --git a/charts/senlin/templates/bin/_db-sync.sh.tpl b/charts/senlin/templates/bin/_db-sync.sh.tpl
new file mode 100644
index 0000000..7577969
--- /dev/null
+++ b/charts/senlin/templates/bin/_db-sync.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+senlin-manage db_sync
diff --git a/charts/senlin/templates/bin/_senlin-api.sh.tpl b/charts/senlin/templates/bin/_senlin-api.sh.tpl
new file mode 100644
index 0000000..e7de2c1
--- /dev/null
+++ b/charts/senlin/templates/bin/_senlin-api.sh.tpl
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+  exec senlin-api \
+        --config-file /etc/senlin/senlin.conf
+}
+
+function stop () {
+  kill -TERM 1
+}
+
+$COMMAND
diff --git a/charts/senlin/templates/bin/_senlin-conductor.sh.tpl b/charts/senlin/templates/bin/_senlin-conductor.sh.tpl
new file mode 100644
index 0000000..ea120a6
--- /dev/null
+++ b/charts/senlin/templates/bin/_senlin-conductor.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+exec senlin-conductor \
+      --config-file /etc/senlin/senlin.conf
\ No newline at end of file
diff --git a/charts/senlin/templates/bin/_senlin-engine-cleaner.sh.tpl b/charts/senlin/templates/bin/_senlin-engine-cleaner.sh.tpl
new file mode 100644
index 0000000..a345f12
--- /dev/null
+++ b/charts/senlin/templates/bin/_senlin-engine-cleaner.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+senlin-manage service clean
diff --git a/charts/senlin/templates/bin/_senlin-engine.sh.tpl b/charts/senlin/templates/bin/_senlin-engine.sh.tpl
new file mode 100644
index 0000000..f4ba64b
--- /dev/null
+++ b/charts/senlin/templates/bin/_senlin-engine.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+exec senlin-engine \
+      --config-file /etc/senlin/senlin.conf
diff --git a/charts/senlin/templates/bin/_senlin-health-manager.sh.tpl b/charts/senlin/templates/bin/_senlin-health-manager.sh.tpl
new file mode 100644
index 0000000..b19779a
--- /dev/null
+++ b/charts/senlin/templates/bin/_senlin-health-manager.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+exec senlin-health-manager \
+      --config-file /etc/senlin/senlin.conf
\ No newline at end of file
diff --git a/charts/senlin/templates/bin/_senlin-test.sh.tpl b/charts/senlin/templates/bin/_senlin-test.sh.tpl
new file mode 100644
index 0000000..7b3e264
--- /dev/null
+++ b/charts/senlin/templates/bin/_senlin-test.sh.tpl
@@ -0,0 +1,139 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+# Set defaults to use for testing.
+: ${IMAGE_ID:="$(openstack image show -f value -c id \
+  $(openstack image list -f csv | awk -F ',' '{ print $2 "," $1 }' | \
+    grep "^\"Cirros" | head -1 | awk -F ',' '{ print $2 }' | tr -d '"'))"}
+: ${FLAVOR_ID:="$(openstack flavor show m1.tiny -f value -c id)"}
+: ${NETWORK_NAME:="public"}
+: ${SUB_TIMEOUT:=1200}
+
+# Define functions to use during tests.
+function gen_uuid () {
+  cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1
+}
+
+function wait_for_senlin_cluster {
+  set +x
+  end=$(($(date +%s) + ${SUB_TIMEOUT}))
+  while true; do
+      STATE=$(openstack cluster show "${1}" -f value -c status)
+      [ "x${STATE}" == "xACTIVE" ] && break
+      sleep 1
+      now=$(date +%s)
+      [ $now -gt $end ] && echo "Node did not come up in time" && openstack cluster show "${1}" && exit -1
+  done
+  set -x
+  openstack cluster show "${1}"
+}
+
+function wait_for_senlin_node {
+  set +x
+  end=$(($(date +%s) + ${SUB_TIMEOUT}))
+  while true; do
+      STATE=$(openstack cluster node show "${1}" -f value -c status)
+      [ "x${STATE}" == "xACTIVE" ] && break
+      sleep 1
+      now=$(date +%s)
+      [ $now -gt $end ] && echo "Node did not come up in time" && openstack cluster node show "${1}" && exit -1
+  done
+  set -x
+  openstack cluster node show "${1}"
+}
+
+function wait_for_senlin_profile_delete {
+  set +x
+  end=$(($(date +%s) + ${SUB_TIMEOUT}))
+  until openstack cluster profile delete "${1}" --force; do
+      sleep 1
+      now=$(date +%s)
+      [ $now -gt $end ] && echo "Profile did not delete in time" && exit -1
+  done
+  set -x
+}
+
+# Start test run.
+SENLIN_CLUSTER_PROFILE=$(gen_uuid)
+SENLIN_CLUSTER_NAME=$(gen_uuid)
+SENLIN_NODE_NAME=$(gen_uuid)
+
+# Create a cluster profile.
+tee > /tmp/cirros_basic.yaml <<EOF
+type: os.nova.server
+version: 1.0
+properties:
+  name: osh-test
+  flavor: "${FLAVOR_ID}"
+  image: "${IMAGE_ID}"
+  #key_name: oskey
+  networks:
+   - network: ${NETWORK_NAME}
+  metadata:
+    test_key: test_value
+  user_data: |
+    #!/bin/sh
+    echo 'hello, world' > /tmp/test_file
+EOF
+openstack cluster profile create --spec-file /tmp/cirros_basic.yaml "${SENLIN_CLUSTER_PROFILE}"
+
+# Create a 0 node cluster using the profile.
+# NOTE(portdirect): There is a bug in the Newton era osc/senlin client
+# interaction, so we fall back to calling senlin client directly to create
+# a cluster, before outright failing.
+openstack cluster create --profile "${SENLIN_CLUSTER_PROFILE}" "${SENLIN_CLUSTER_NAME}" || \
+  senlin cluster-create -p "${SENLIN_CLUSTER_PROFILE}" "${SENLIN_CLUSTER_NAME}" || false
+
+# Resize the cluster to contain a node.
+openstack cluster resize --capacity 1 "${SENLIN_CLUSTER_NAME}"
+wait_for_senlin_cluster "${SENLIN_CLUSTER_NAME}"
+
+# Expand the cluster by one node.
+openstack cluster expand "${SENLIN_CLUSTER_NAME}"
+wait_for_senlin_cluster "${SENLIN_CLUSTER_NAME}"
+
+# Shrink the cluster by one node.
+openstack cluster shrink "${SENLIN_CLUSTER_NAME}"
+wait_for_senlin_cluster "${SENLIN_CLUSTER_NAME}"
+
+# Create a single node using the cluster profile.
+# NOTE(portdirect): There is a bug in the Newton era osc/senlin client
+# interaction, so we fall back to calling senlin client directly to create
+# a node, before outright failing.
+openstack cluster node create --profile "${SENLIN_CLUSTER_PROFILE}" "${SENLIN_NODE_NAME}" || \
+  senlin node-create -p "${SENLIN_CLUSTER_PROFILE}" "${SENLIN_NODE_NAME}" || false
+wait_for_senlin_node "${SENLIN_NODE_NAME}"
+
+# Add the node to the cluster.
+openstack cluster members add --nodes "${SENLIN_NODE_NAME}" "${SENLIN_CLUSTER_NAME}"
+openstack cluster members list "${SENLIN_CLUSTER_NAME}"
+wait_for_senlin_cluster "${SENLIN_CLUSTER_NAME}"
+wait_for_senlin_node "${SENLIN_NODE_NAME}"
+
+# Remove the node from the cluster.
+openstack cluster members del --nodes "${SENLIN_NODE_NAME}" "${SENLIN_CLUSTER_NAME}"
+openstack cluster members list "${SENLIN_CLUSTER_NAME}"
+wait_for_senlin_cluster "${SENLIN_CLUSTER_NAME}"
+wait_for_senlin_node "${SENLIN_NODE_NAME}"
+
+# Cleanup the resources created.
+openstack cluster node delete "${SENLIN_NODE_NAME}" --force
+openstack cluster delete "${SENLIN_CLUSTER_NAME}" --force
+wait_for_senlin_profile_delete "${SENLIN_CLUSTER_PROFILE}"
+
+echo 'Tests Passed'
diff --git a/charts/senlin/templates/configmap-bin.yaml b/charts/senlin/templates/configmap-bin.yaml
new file mode 100644
index 0000000..1236ddc
--- /dev/null
+++ b/charts/senlin/templates/configmap-bin.yaml
@@ -0,0 +1,58 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+{{- $rallyTests := .Values.conf.rally_tests }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: senlin-bin
+data:
+{{- if .Values.images.local_registry.active }}
+  image-repo-sync.sh: |
+{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
+{{- end }}
+{{- if .Values.bootstrap.enabled }}
+  bootstrap.sh: |
+{{ tuple "bin/_bootstrap.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+  senlin-test.sh: |
+{{ tuple "bin/_senlin-test.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  db-init.py: |
+{{- include "helm-toolkit.scripts.db_init" . | indent 4 }}
+  db-sync.sh: |
+{{ tuple "bin/_db-sync.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  db-drop.py: |
+{{- include "helm-toolkit.scripts.db_drop" . | indent 4 }}
+  ks-service.sh: |
+{{- include "helm-toolkit.scripts.keystone_service" . | indent 4 }}
+  ks-endpoints.sh: |
+{{- include "helm-toolkit.scripts.keystone_endpoints" . | indent 4 }}
+  ks-user.sh: |
+{{- include "helm-toolkit.scripts.keystone_user" . | indent 4 }}
+  senlin-api.sh: |
+{{ tuple "bin/_senlin-api.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  senlin-conductor.sh: |
+{{ tuple "bin/_senlin-conductor.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  senlin-engine.sh: |
+{{ tuple "bin/_senlin-engine.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  senlin-engine-cleaner.sh: |
+{{ tuple "bin/_senlin-engine-cleaner.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  senlin-health-manager.sh: |
+{{ tuple "bin/_senlin-health-manager.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  rabbit-init.sh: |
+{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }}
+{{- end }}
diff --git a/charts/senlin/templates/configmap-etc.yaml b/charts/senlin/templates/configmap-etc.yaml
new file mode 100644
index 0000000..a47a3a4
--- /dev/null
+++ b/charts/senlin/templates/configmap-etc.yaml
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_etc }}
+{{- $envAll := . }}
+
+{{- if empty .Values.conf.senlin.keystone_authtoken.auth_uri -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.senlin.keystone_authtoken "auth_uri" -}}
+{{- end -}}
+
+# FIXME(alanmeadows) fix for broken keystonemiddleware oslo config gen in newton - will remove in future
+{{- if empty .Values.conf.senlin.keystone_authtoken.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.senlin.keystone_authtoken "auth_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.senlin.keystone_authtoken.region_name -}}
+{{- $_ := set .Values.conf.senlin.keystone_authtoken "region_name" .Values.endpoints.identity.auth.senlin.region_name -}}
+{{- end -}}
+{{- if empty .Values.conf.senlin.keystone_authtoken.project_name -}}
+{{- $_ := set .Values.conf.senlin.keystone_authtoken "project_name" .Values.endpoints.identity.auth.senlin.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.senlin.keystone_authtoken.project_domain_name -}}
+{{- $_ := set .Values.conf.senlin.keystone_authtoken "project_domain_name" .Values.endpoints.identity.auth.senlin.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.senlin.keystone_authtoken.user_domain_name -}}
+{{- $_ := set .Values.conf.senlin.keystone_authtoken "user_domain_name" .Values.endpoints.identity.auth.senlin.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.senlin.keystone_authtoken.username -}}
+{{- $_ := set .Values.conf.senlin.keystone_authtoken "username" .Values.endpoints.identity.auth.senlin.username -}}
+{{- end -}}
+{{- if empty .Values.conf.senlin.keystone_authtoken.password -}}
+{{- $_ := set .Values.conf.senlin.keystone_authtoken "password" .Values.endpoints.identity.auth.senlin.password -}}
+{{- end -}}
+
+{{- if empty .Values.conf.senlin.keystone_authtoken.memcached_servers -}}
+{{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.senlin.keystone_authtoken "memcached_servers" -}}
+{{- end -}}
+{{- if empty .Values.conf.senlin.keystone_authtoken.memcache_secret_key -}}
+{{- $_ := set .Values.conf.senlin.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
+{{- end -}}
+
+{{- if empty .Values.conf.senlin.database.connection -}}
+{{- $_ := tuple "oslo_db" "internal" "senlin" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.senlin.database "connection" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.senlin.DEFAULT.transport_url -}}
+{{- $_ := tuple "oslo_messaging" "internal" "senlin" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" | set .Values.conf.senlin.DEFAULT "transport_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.senlin.senlin_api.bind_port -}}
+{{- $_ := tuple "clustering" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.senlin.senlin_api "bind_port" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.senlin.authentication.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.senlin.authentication "auth_url" -}}
+{{- end -}}
+{{- if empty .Values.conf.senlin.authentication.service_password -}}
+{{- $_ := set .Values.conf.senlin.authentication "service_password" .Values.endpoints.identity.auth.senlin.password -}}
+{{- end -}}
+{{- if empty .Values.conf.senlin.authentication.service_project_domain -}}
+{{- $_ := set .Values.conf.senlin.authentication "service_project_domain" .Values.endpoints.identity.auth.senlin.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.senlin.authentication.service_project_name -}}
+{{- $_ := set .Values.conf.senlin.authentication "service_project_name" .Values.endpoints.identity.auth.senlin.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.senlin.authentication.service_user_domain -}}
+{{- $_ := set .Values.conf.senlin.authentication "service_user_domain" .Values.endpoints.identity.auth.senlin.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.senlin.authentication.service_username -}}
+{{- $_ := set .Values.conf.senlin.authentication "service_username" .Values.endpoints.identity.auth.senlin.username -}}
+{{- end -}}
+
+{{- if and (empty .Values.conf.logging.handler_fluent) (has "fluent" .Values.conf.logging.handlers.keys) -}}
+{{- $fluentd_host := tuple "fluentd" "internal" $envAll | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $fluentd_port := tuple "fluentd" "internal" "service" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .Release.Name $fluentd_host $fluentd_port }}
+{{- $handler_fluent := dict "class" "fluent.handler.FluentHandler" "formatter" "fluent" "args" $fluent_args -}}
+{{- $_ := set .Values.conf.logging "handler_fluent" $handler_fluent -}}
+{{- end -}}
+
+{{- if and (empty .Values.conf.logging.formatter_fluent) (has "fluent" .Values.conf.logging.formatters.keys) -}}
+{{- $formatter_fluent := dict "class" "oslo_log.formatters.FluentFormatter" -}}
+{{- $_ := set .Values.conf.logging "formatter_fluent" $formatter_fluent -}}
+{{- end -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: senlin-etc
+type: Opaque
+data:
+  rally_tests.yaml: {{ toYaml .Values.conf.rally_tests.tests | b64enc }}
+  senlin.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.senlin | b64enc }}
+  logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
+  api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
+  policy.yaml: {{ toYaml .Values.conf.policy | b64enc }}
+{{- end }}
diff --git a/charts/senlin/templates/cron-job-engine-cleaner.yaml b/charts/senlin/templates/cron-job-engine-cleaner.yaml
new file mode 100644
index 0000000..cae292e
--- /dev/null
+++ b/charts/senlin/templates/cron-job-engine-cleaner.yaml
@@ -0,0 +1,91 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.cron_job_engine_cleaner }}
+{{- $envAll := . }}
+
+{{- $mounts_senlin_engine_cleaner := .Values.pod.mounts.senlin_engine_cleaner.senlin_engine_cleaner }}
+{{- $mounts_senlin_engine_cleaner_init := .Values.pod.mounts.senlin_engine_cleaner.init_container }}
+
+{{- $serviceAccountName := "senlin-engine-cleaner" }}
+{{ tuple $envAll "engine_cleaner" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: senlin-engine-cleaner
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+  schedule: {{ .Values.jobs.engine_cleaner.cron | quote }}
+  successfulJobsHistoryLimit: {{ .Values.jobs.engine_cleaner.history.success }}
+  failedJobsHistoryLimit: {{ .Values.jobs.engine_cleaner.history.failed }}
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    metadata:
+      labels:
+{{ tuple $envAll "senlin" "engine-cleaner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+    spec:
+      template:
+        metadata:
+          labels:
+{{ tuple $envAll "senlin" "engine-cleaner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 12 }}
+        spec:
+          serviceAccountName: {{ $serviceAccountName }}
+          restartPolicy: OnFailure
+          nodeSelector:
+            {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+          initContainers:
+{{ tuple $envAll "engine_cleaner" $mounts_senlin_engine_cleaner_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 12 }}
+          containers:
+            - name: senlin-engine-cleaner
+{{ tuple $envAll "senlin_engine_cleaner" | include "helm-toolkit.snippets.image" | indent 14 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.engine_cleaner | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
+              command:
+                - /tmp/senlin-engine-cleaner.sh
+              volumeMounts:
+                - name: pod-tmp
+                  mountPath: /tmp
+                - name: senlin-bin
+                  mountPath: /tmp/senlin-engine-cleaner.sh
+                  subPath: senlin-engine-cleaner.sh
+                  readOnly: true
+                - name: etcsenlin
+                  mountPath: /etc/senlin
+                - name: senlin-etc
+                  mountPath: /etc/senlin/senlin.conf
+                  subPath: senlin.conf
+                  readOnly: true
+                {{- if .Values.conf.senlin.DEFAULT.log_config_append }}
+                - name: senlin-etc
+                  mountPath: {{ .Values.conf.senlin.DEFAULT.log_config_append }}
+                  subPath: {{ base .Values.conf.senlin.DEFAULT.log_config_append }}
+                  readOnly: true
+                {{- end }}
+{{ if $mounts_senlin_engine_cleaner.volumeMounts }}{{ toYaml $mounts_senlin_engine_cleaner.volumeMounts | indent 16 }}{{ end }}
+          volumes:
+            - name: pod-tmp
+              emptyDir: {}
+            - name: etcsenlin
+              emptyDir: {}
+            - name: senlin-etc
+              secret:
+                secretName: senlin-etc
+                defaultMode: 0444
+            - name: senlin-bin
+              configMap:
+                name: senlin-bin
+                defaultMode: 0555
+{{ if $mounts_senlin_engine_cleaner.volumes }}{{ toYaml $mounts_senlin_engine_cleaner.volumes | indent 12 }}{{ end }}
+{{- end }}
diff --git a/charts/senlin/templates/deployment-api.yaml b/charts/senlin/templates/deployment-api.yaml
new file mode 100644
index 0000000..d6577ff
--- /dev/null
+++ b/charts/senlin/templates/deployment-api.yaml
@@ -0,0 +1,126 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment_api }}
+{{- $envAll := . }}
+
+{{- $mounts_senlin_api := .Values.pod.mounts.senlin_api.senlin_api }}
+{{- $mounts_senlin_api_init := .Values.pod.mounts.senlin_api.init_container }}
+
+{{- $serviceAccountName := "senlin-api" }}
+{{ tuple $envAll "api" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: senlin-api
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "senlin" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.api }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "senlin" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "senlin" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      affinity:
+{{ tuple $envAll "senlin" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+      nodeSelector:
+        {{ .Values.labels.api.node_selector_key }}: {{ .Values.labels.api.node_selector_value }}
+      terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.api.timeout | default "30" }}
+      initContainers:
+{{ tuple $envAll "api" $mounts_senlin_api_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: senlin-api
+{{ tuple $envAll "senlin_api" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          securityContext:
+            runAsUser: {{ .Values.pod.user.senlin.uid }}
+          command:
+            - /tmp/senlin-api.sh
+            - start
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - /tmp/senlin-api.sh
+                  - stop
+          ports:
+            - name: s-api
+              containerPort: {{ tuple "clustering" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+          readinessProbe:
+            httpGet:
+              scheme: HTTP
+              path: /
+              port: {{ tuple "clustering" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+            initialDelaySeconds: 15
+            periodSeconds: 10
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: senlin-bin
+              mountPath: /tmp/senlin-api.sh
+              subPath: senlin-api.sh
+              readOnly: true
+            - name: pod-etc-senlin
+              mountPath: /etc/senlin
+            - name: pod-var-cache-senlin
+              mountPath: /var/cache/senlin
+            - name: senlin-etc
+              mountPath: /etc/senlin/senlin.conf
+              subPath: senlin.conf
+              readOnly: true
+            {{- if .Values.conf.senlin.DEFAULT.log_config_append }}
+            - name: senlin-etc
+              mountPath: {{ .Values.conf.senlin.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.senlin.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+            - name: senlin-etc
+              mountPath: /etc/senlin/api-paste.ini
+              subPath: api-paste.ini
+              readOnly: true
+            - name: senlin-etc
+              mountPath: /etc/senlin/policy.yaml
+              subPath: policy.yaml
+              readOnly: true
+{{ if $mounts_senlin_api.volumeMounts }}{{ toYaml $mounts_senlin_api.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: pod-etc-senlin
+          emptyDir: {}
+        - name: pod-var-cache-senlin
+          emptyDir: {}
+        - name: senlin-bin
+          configMap:
+            name: senlin-bin
+            defaultMode: 0555
+        - name: senlin-etc
+          secret:
+            secretName: senlin-etc
+            defaultMode: 0444
+{{ if $mounts_senlin_api.volumes }}{{ toYaml $mounts_senlin_api.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/senlin/templates/deployment-conductor.yaml b/charts/senlin/templates/deployment-conductor.yaml
new file mode 100644
index 0000000..d60ada4
--- /dev/null
+++ b/charts/senlin/templates/deployment-conductor.yaml
@@ -0,0 +1,102 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment_conductor }}
+{{- $envAll := . }}
+
+{{- $mounts_senlin_conductor := .Values.pod.mounts.senlin_conductor.senlin_conductor }}
+{{- $mounts_senlin_conductor_init := .Values.pod.mounts.senlin_conductor.init_container }}
+
+{{- $serviceAccountName := "senlin-conductor" }}
+{{ tuple $envAll "conductor" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: senlin-conductor
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "senlin" "conductor" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.conductor }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "senlin" "conductor" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "senlin" "conductor" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      affinity:
+{{ tuple $envAll "senlin" "conductor" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+      nodeSelector:
+        {{ .Values.labels.conductor.node_selector_key }}: {{ .Values.labels.conductor.node_selector_value }}
+      initContainers:
+{{ tuple $envAll "conductor" $mounts_senlin_conductor_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: senlin-conductor
+{{ tuple $envAll "senlin_conductor" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.conductor | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          securityContext:
+            runAsUser: {{ .Values.pod.user.senlin.uid }}
+          command:
+            - /tmp/senlin-conductor.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: senlin-bin
+              mountPath: /tmp/senlin-conductor.sh
+              subPath: senlin-conductor.sh
+              readOnly: true
+            - name: pod-etc-senlin
+              mountPath: /etc/senlin
+            - name: senlin-etc
+              mountPath: /etc/senlin/senlin.conf
+              subPath: senlin.conf
+              readOnly: true
+            {{- if .Values.conf.senlin.DEFAULT.log_config_append }}
+            - name: senlin-etc
+              mountPath: {{ .Values.conf.senlin.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.senlin.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+            - name: senlin-etc
+              mountPath: /etc/senlin/policy.json
+              subPath: policy.json
+              readOnly: true
+{{ if $mounts_senlin_conductor.volumeMounts }}{{ toYaml $mounts_senlin_conductor.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: pod-etc-senlin
+          emptyDir: {}
+        - name: pod-var-cache-senlin
+          emptyDir: {}
+        - name: senlin-bin
+          configMap:
+            name: senlin-bin
+            defaultMode: 0555
+        - name: senlin-etc
+          secret:
+            secretName: senlin-etc
+            defaultMode: 0444
+{{ if $mounts_senlin_conductor.volumes }}{{ toYaml $mounts_senlin_conductor.volumes | indent 8 }}{{ end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/senlin/templates/deployment-engine.yaml b/charts/senlin/templates/deployment-engine.yaml
new file mode 100644
index 0000000..06ed768
--- /dev/null
+++ b/charts/senlin/templates/deployment-engine.yaml
@@ -0,0 +1,99 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment_engine }}
+{{- $envAll := . }}
+
+{{- $mounts_senlin_engine := .Values.pod.mounts.senlin_engine.senlin_engine }}
+{{- $mounts_senlin_engine_init := .Values.pod.mounts.senlin_engine.init_container }}
+
+{{- $serviceAccountName := "senlin-engine" }}
+{{ tuple $envAll "engine" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: senlin-engine
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "senlin" "engine" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.engine }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "senlin" "engine" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "senlin" "engine" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      affinity:
+{{ tuple $envAll "senlin" "engine" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+      nodeSelector:
+        {{ .Values.labels.engine.node_selector_key }}: {{ .Values.labels.engine.node_selector_value }}
+      initContainers:
+{{ tuple $envAll "engine" $mounts_senlin_engine_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: senlin-engine
+{{ tuple $envAll "senlin_engine" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.engine | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          securityContext:
+            runAsUser: {{ .Values.pod.user.senlin.uid }}
+          command:
+            - /tmp/senlin-engine.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: senlin-bin
+              mountPath: /tmp/senlin-engine.sh
+              subPath: senlin-engine.sh
+              readOnly: true
+            - name: pod-etc-senlin
+              mountPath: /etc/senlin
+            - name: senlin-etc
+              mountPath: /etc/senlin/senlin.conf
+              subPath: senlin.conf
+              readOnly: true
+            {{- if .Values.conf.senlin.DEFAULT.log_config_append }}
+            - name: senlin-etc
+              mountPath: {{ .Values.conf.senlin.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.senlin.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+            - name: senlin-etc
+              mountPath: /etc/senlin/policy.yaml
+              subPath: policy.yaml
+              readOnly: true
+{{ if $mounts_senlin_engine.volumeMounts }}{{ toYaml $mounts_senlin_engine.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: pod-etc-senlin
+          emptyDir: {}
+        - name: senlin-bin
+          configMap:
+            name: senlin-bin
+            defaultMode: 0555
+        - name: senlin-etc
+          secret:
+            secretName: senlin-etc
+            defaultMode: 0444
+{{ if $mounts_senlin_engine.volumes }}{{ toYaml $mounts_senlin_engine.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/senlin/templates/deployment-health-manager.yaml b/charts/senlin/templates/deployment-health-manager.yaml
new file mode 100644
index 0000000..e081c36
--- /dev/null
+++ b/charts/senlin/templates/deployment-health-manager.yaml
@@ -0,0 +1,102 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment_health_manager }}
+{{- $envAll := . }}
+
+{{- $mounts_senlin_health_manager := .Values.pod.mounts.senlin_health_manager.senlin_health_manager }}
+{{- $mounts_senlin_health_manager_init := .Values.pod.mounts.senlin_health_manager.init_container }}
+
+{{- $serviceAccountName := "senlin-health-manager" }}
+{{ tuple $envAll "health_manager" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: senlin-health-manager
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+  labels:
+{{ tuple $envAll "senlin" "health_manager" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.health_manager }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "senlin" "health_manager" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "senlin" "health_manager" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      affinity:
+{{ tuple $envAll "senlin" "health_manager" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+      nodeSelector:
+        {{ .Values.labels.health_manager.node_selector_key }}: {{ .Values.labels.health_manager.node_selector_value }}
+      initContainers:
+{{ tuple $envAll "health_manager" $mounts_senlin_health_manager_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: senlin-health-manager
+{{ tuple $envAll "senlin_health_manager" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.health_manager | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          securityContext:
+            runAsUser: {{ .Values.pod.user.senlin.uid }}
+          command:
+            - /tmp/senlin-health-manager.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: senlin-bin
+              mountPath: /tmp/senlin-health-manager.sh
+              subPath: senlin-health-manager.sh
+              readOnly: true
+            - name: pod-etc-senlin
+              mountPath: /etc/senlin
+            - name: senlin-etc
+              mountPath: /etc/senlin/senlin.conf
+              subPath: senlin.conf
+              readOnly: true
+            {{- if .Values.conf.senlin.DEFAULT.log_config_append }}
+            - name: senlin-etc
+              mountPath: {{ .Values.conf.senlin.DEFAULT.log_config_append }}
+              subPath: {{ base .Values.conf.senlin.DEFAULT.log_config_append }}
+              readOnly: true
+            {{- end }}
+            - name: senlin-etc
+              mountPath: /etc/senlin/policy.json
+              subPath: policy.json
+              readOnly: true
+{{ if $mounts_senlin_health_manager.volumeMounts }}{{ toYaml $mounts_senlin_health_manager.volumeMounts | indent 12 }}{{ end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: pod-etc-senlin
+          emptyDir: {}
+        - name: pod-var-cache-senlin
+          emptyDir: {}
+        - name: senlin-bin
+          configMap:
+            name: senlin-bin
+            defaultMode: 0555
+        - name: senlin-etc
+          secret:
+            secretName: senlin-etc
+            defaultMode: 0444
+{{ if $mounts_senlin_health_manager.volumes }}{{ toYaml $mounts_senlin_health_manager.volumes | indent 8 }}{{ end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/senlin/templates/ingress-api.yaml b/charts/senlin/templates/ingress-api.yaml
new file mode 100644
index 0000000..f38bda6
--- /dev/null
+++ b/charts/senlin/templates/ingress-api.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
+{{- $ingressOpts := dict "envAll" . "backendServiceType" "clustering" "backendPort" "s-api" -}}
+{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+{{- end }}
diff --git a/charts/senlin/templates/job-bootstrap.yaml b/charts/senlin/templates/job-bootstrap.yaml
new file mode 100644
index 0000000..b50c6cd
--- /dev/null
+++ b/charts/senlin/templates/job-bootstrap.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
+{{- $bootstrapJob := dict "envAll" . "serviceName" "senlin" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.senlin.DEFAULT.log_config_append -}}
+{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
+{{- end }}
diff --git a/charts/senlin/templates/job-db-drop.yaml b/charts/senlin/templates/job-db-drop.yaml
new file mode 100644
index 0000000..41735b4
--- /dev/null
+++ b/charts/senlin/templates/job-db-drop.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_db_drop }}
+{{- $dbDropJob := dict "envAll" . "serviceName" "senlin" -}}
+{{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
+{{- end }}
diff --git a/charts/senlin/templates/job-db-init.yaml b/charts/senlin/templates/job-db-init.yaml
new file mode 100644
index 0000000..47822ad
--- /dev/null
+++ b/charts/senlin/templates/job-db-init.yaml
@@ -0,0 +1,26 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_init" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-5"
+{{- end }}
+
+{{- if .Values.manifests.job_db_init }}
+{{- $dbInitJob := dict "envAll" . "serviceName" "senlin" -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $dbInitJob "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml) }}
+{{- end }}
+{{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
+{{- end }}
diff --git a/charts/senlin/templates/job-db-sync.yaml b/charts/senlin/templates/job-db-sync.yaml
new file mode 100644
index 0000000..7e5f0ba
--- /dev/null
+++ b/charts/senlin/templates/job-db-sync.yaml
@@ -0,0 +1,26 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_sync" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end }}
+
+{{- if .Values.manifests.job_db_sync }}
+{{- $dbSyncJob := dict "envAll" . "serviceName" "senlin" "podVolMounts" .Values.pod.mounts.senlin_db_sync.senlin_db_sync.volumeMounts "podVols" .Values.pod.mounts.senlin_db_sync.senlin_db_sync.volumes -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $dbSyncJob "jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml) }}
+{{- end }}
+{{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
+{{- end }}
diff --git a/charts/senlin/templates/job-image-repo-sync.yaml b/charts/senlin/templates/job-image-repo-sync.yaml
new file mode 100644
index 0000000..d5b87b1
--- /dev/null
+++ b/charts/senlin/templates/job-image-repo-sync.yaml
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.repo_sync" }}
+helm.sh/hook: post-install,post-upgrade
+{{- end }}
+
+{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
+{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "senlin" -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := $imageRepoSyncJob "jobAnnotations" (include "metadata.annotations.job.repo_sync" . | fromYaml) }}
+{{- end }}
+{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
+{{- end }}
diff --git a/charts/senlin/templates/job-ks-endpoints.yaml b/charts/senlin/templates/job-ks-endpoints.yaml
new file mode 100644
index 0000000..8c8b2e3
--- /dev/null
+++ b/charts/senlin/templates/job-ks-endpoints.yaml
@@ -0,0 +1,26 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_endpoints" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-2"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_endpoints }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) }}
+{{- end }}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
+{{- end }}
diff --git a/charts/senlin/templates/job-ks-service.yaml b/charts/senlin/templates/job-ks-service.yaml
new file mode 100644
index 0000000..0012d88
--- /dev/null
+++ b/charts/senlin/templates/job-ks-service.yaml
@@ -0,0 +1,26 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_service" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-3"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_service }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) }}
+{{- end }}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
+{{- end }}
diff --git a/charts/senlin/templates/job-ks-user.yaml b/charts/senlin/templates/job-ks-user.yaml
new file mode 100644
index 0000000..aa86dc1
--- /dev/null
+++ b/charts/senlin/templates/job-ks-user.yaml
@@ -0,0 +1,26 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_user" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-1"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_user }}
+{{- $ksUserJob := dict "envAll" . "serviceName" "senlin" -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) }}
+{{- end }}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
+{{- end }}
diff --git a/charts/senlin/templates/job-rabbit-init.yaml b/charts/senlin/templates/job-rabbit-init.yaml
new file mode 100644
index 0000000..eca7f03
--- /dev/null
+++ b/charts/senlin/templates/job-rabbit-init.yaml
@@ -0,0 +1,26 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.rabbit_init" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end }}
+
+{{- if .Values.manifests.job_rabbit_init }}
+{{- $rmqUserJob := dict "envAll" . "serviceName" "senlin" -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $rmqUserJob "jobAnnotations" (include "metadata.annotations.job.rabbit_init" . | fromYaml) }}
+{{- end }}
+{{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }}
+{{- end }}
diff --git a/charts/senlin/templates/network_policy.yaml b/charts/senlin/templates/network_policy.yaml
new file mode 100644
index 0000000..0066c79
--- /dev/null
+++ b/charts/senlin/templates/network_policy.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "senlin" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/charts/senlin/templates/pdb-api.yaml b/charts/senlin/templates/pdb-api.yaml
new file mode 100644
index 0000000..15a2a45
--- /dev/null
+++ b/charts/senlin/templates/pdb-api.yaml
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pdb_api }}
+{{- $envAll := . }}
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: senlin-api
+spec:
+  minAvailable: {{ .Values.pod.lifecycle.disruption_budget.api.min_available }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "senlin" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{- end }}
diff --git a/charts/senlin/templates/pod-test.yaml b/charts/senlin/templates/pod-test.yaml
new file mode 100644
index 0000000..05a65cf
--- /dev/null
+++ b/charts/senlin/templates/pod-test.yaml
@@ -0,0 +1,65 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pod_test }}
+{{- $envAll := . }}
+
+{{- $mounts_senlin_tests := .Values.pod.mounts.senlin_tests.senlin_tests }}
+{{- $mounts_senlin_tests_init := .Values.pod.mounts.senlin_tests.init_container }}
+
+{{- $serviceAccountName := print .Release.Name "-test" }}
+{{ tuple $envAll "tests" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{.Release.Name}}-test"
+  labels:
+{{ tuple $envAll "senlin" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  annotations:
+    "helm.sh/hook": test-success
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+  serviceAccountName: {{ $serviceAccountName }}
+  nodeSelector:
+    {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
+  restartPolicy: Never
+  initContainers:
+{{ tuple $envAll "tests" $mounts_senlin_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
+  containers:
+    - name: {{.Release.Name}}-senlin-test
+{{ tuple $envAll "scripted_test" | include "helm-toolkit.snippets.image" | indent 6 }}
+      env:
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
+{{- end }}
+      command:
+        - /tmp/senlin-test.sh
+      volumeMounts:
+        - name: pod-tmp
+          mountPath: /tmp
+        - name: senlin-bin
+          mountPath: /tmp/senlin-test.sh
+          subPath: senlin-test.sh
+          readOnly: true
+{{ if $mounts_senlin_tests.volumeMounts }}{{ toYaml $mounts_senlin_tests.volumeMounts | indent 8 }}{{ end }}
+  volumes:
+    - name: pod-tmp
+      emptyDir: {}
+    - name: senlin-bin
+      configMap:
+        name: senlin-bin
+        defaultMode: 0555
+{{ if $mounts_senlin_tests.volumes }}{{ toYaml $mounts_senlin_tests.volumes | indent 4 }}{{ end }}
+{{- end }}
diff --git a/charts/senlin/templates/secret-db.yaml b/charts/senlin/templates/secret-db.yaml
new file mode 100644
index 0000000..0e3e472
--- /dev/null
+++ b/charts/senlin/templates/secret-db.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_db }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "senlin" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+  DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
+{{- end }}
+{{- end }}
diff --git a/charts/senlin/templates/secret-keystone.yaml b/charts/senlin/templates/secret-keystone.yaml
new file mode 100644
index 0000000..4a553ea
--- /dev/null
+++ b/charts/senlin/templates/secret-keystone.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_keystone }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "senlin" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
+{{- end }}
diff --git a/charts/senlin/templates/secret-rabbitmq.yaml b/charts/senlin/templates/secret-rabbitmq.yaml
new file mode 100644
index 0000000..a7390c6
--- /dev/null
+++ b/charts/senlin/templates/secret-rabbitmq.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_rabbitmq }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "senlin" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+  RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/senlin/templates/service-api.yaml b/charts/senlin/templates/service-api.yaml
new file mode 100644
index 0000000..e4e3787
--- /dev/null
+++ b/charts/senlin/templates/service-api.yaml
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service_api }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tuple "clustering" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+  ports:
+    - name: s-api
+      port: {{ tuple "clustering" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+    {{ if .Values.network.api.node_port.enabled }}
+      nodePort: {{ .Values.network.api.node_port.port }}
+    {{ end }}
+  selector:
+{{ tuple $envAll "senlin" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  {{ if .Values.network.api.node_port.enabled }}
+  type: NodePort
+  {{ end }}
+{{- end }}
diff --git a/charts/senlin/templates/service-ingress-api.yaml b/charts/senlin/templates/service-ingress-api.yaml
new file mode 100644
index 0000000..5f8d9cf
--- /dev/null
+++ b/charts/senlin/templates/service-ingress-api.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_ingress_api .Values.network.api.ingress.public }}
+{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "clustering" -}}
+{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
+{{- end }}
diff --git a/charts/senlin/values.yaml b/charts/senlin/values.yaml
new file mode 100644
index 0000000..b245bd3
--- /dev/null
+++ b/charts/senlin/values.yaml
@@ -0,0 +1,749 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for senlin.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+---
+labels:
+  api:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  conductor:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  engine:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  health_manager:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  job:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  test:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+
+release_group: null
+
+images:
+  tags:
+    scripted_test: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    bootstrap: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    db_init: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    senlin_db_sync: docker.io/openstackhelm/senlin:wallaby-ubuntu_focal
+    db_drop: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    rabbit_init: docker.io/rabbitmq:3.7-management
+    ks_user: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    ks_service: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    ks_endpoints: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    senlin_api: docker.io/openstackhelm/senlin:wallaby-ubuntu_focal
+    senlin_conductor: docker.io/openstackhelm/senlin:wallaby-ubuntu_focal
+    senlin_engine: docker.io/openstackhelm/senlin:wallaby-ubuntu_focal
+    senlin_engine_cleaner: docker.io/openstackhelm/senlin:wallaby-ubuntu_focal
+    senlin_health_manager: docker.io/openstackhelm/senlin:wallaby-ubuntu_focal
+    dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    image_repo_sync: docker.io/docker:17.07.0
+  pull_policy: "IfNotPresent"
+  local_registry:
+    active: false
+    exclude:
+      - dep_check
+      - image_repo_sync
+
+jobs:
+  engine_cleaner:
+    cron: "*/5 * * * *"
+    history:
+      success: 3
+      failed: 1
+
+conf:
+  rally_tests:
+    run_tempest: false
+    tests:
+      SenlinClusters.create_and_delete_cluster:
+        - args:
+            desired_capacity: 3
+            min_size: 0
+            max_size: 5
+          runner:
+            concurrency: 1
+            times: 1
+            type: constant
+          sla:
+            failure_rate:
+              max: 0
+          context:
+            profiles:
+              type: os.nova.server
+              version: "1.0"
+              properties:
+                name: cirros_server
+                flavor: 689eeda3-c6cd-450f-b000-58025c783763
+                image: df0c1a14-0940-4ae5-be5c-bb06aa407da2
+                networks:
+                  - network: public
+  paste:
+    pipeline:senlin-api:
+      pipeline: request_id faultwrap ssl versionnegotiation webhook authtoken context trust apiv1app
+    app:apiv1app:
+      paste.app_factory: senlin.api.common.wsgi:app_factory
+      senlin.app_factory: senlin.api.openstack.v1.router:API
+    filter:request_id:
+      paste.filter_factory: oslo_middleware.request_id:RequestId.factory
+    filter:faultwrap:
+      paste.filter_factory: senlin.api.common.wsgi:filter_factory
+      senlin.filter_factory: senlin.api.middleware:fault_filter
+    filter:context:
+      paste.filter_factory: senlin.api.common.wsgi:filter_factory
+      senlin.filter_factory: senlin.api.middleware:context_filter
+    filter:ssl:
+      paste.filter_factory: oslo_middleware.ssl:SSLMiddleware.factory
+    filter:versionnegotiation:
+      paste.filter_factory: senlin.api.common.wsgi:filter_factory
+      senlin.filter_factory: senlin.api.middleware:version_filter
+    filter:trust:
+      paste.filter_factory: senlin.api.common.wsgi:filter_factory
+      senlin.filter_factory: senlin.api.middleware:trust_filter
+    filter:webhook:
+      paste.filter_factory: senlin.api.common.wsgi:filter_factory
+      senlin.filter_factory: senlin.api.middleware:webhook_filter
+    filter:authtoken:
+      paste.filter_factory: keystonemiddleware.auth_token:filter_factory
+  policy:
+    context_is_admin: role:admin
+    deny_everybody: "!"
+    build_info:build_info: ''
+    profile_types:index: ''
+    profile_types:get: ''
+    policy_types:index: ''
+    policy_types:get: ''
+    clusters:index: ''
+    clusters:create: ''
+    clusters:delete: ''
+    clusters:get: ''
+    clusters:action: ''
+    clusters:update: ''
+    clusters:collect: ''
+    profiles:index: ''
+    profiles:create: ''
+    profiles:get: ''
+    profiles:delete: ''
+    profiles:update: ''
+    profiles:validate: ''
+    nodes:index: ''
+    nodes:create: ''
+    nodes:get: ''
+    nodes:action: ''
+    nodes:update: ''
+    nodes:delete: ''
+    policies:index: ''
+    policies:create: ''
+    policies:get: ''
+    policies:update: ''
+    policies:delete: ''
+    policies:validate: ''
+    cluster_policies:index: ''
+    cluster_policies:attach: ''
+    cluster_policies:detach: ''
+    cluster_policies:update: ''
+    cluster_policies:get: ''
+    receivers:index: ''
+    receivers:create: ''
+    receivers:get: ''
+    receivers:delete: ''
+    actions:index: ''
+    actions:get: ''
+    events:index: ''
+    events:get: ''
+    webhooks:trigger: ''
+  senlin:
+    DEFAULT:
+      log_config_append: /etc/senlin/logging.conf
+      transport_url: null
+      host: senlin
+    database:
+      max_retries: -1
+    authentication:
+      auth_url: null
+    keystone_authtoken:
+      auth_type: password
+      auth_version: v3
+      memcache_security_strategy: ENCRYPT
+    senlin_api:
+      # NOTE(portdirect): the bind port should not be defined, and is manipulated
+      # via the endpoints section.
+      bind_port: null
+    oslo_policy:
+      policy_file: /etc/senlin/policy.yaml
+  logging:
+    loggers:
+      keys:
+        - root
+        - senlin
+    handlers:
+      keys:
+        - stdout
+        - stderr
+        - "null"
+    formatters:
+      keys:
+        - context
+        - default
+    logger_root:
+      level: WARNING
+      handlers: 'null'
+    logger_senlin:
+      level: INFO
+      handlers:
+        - stdout
+      qualname: senlin
+    logger_amqp:
+      level: WARNING
+      handlers: stderr
+      qualname: amqp
+    logger_amqplib:
+      level: WARNING
+      handlers: stderr
+      qualname: amqplib
+    logger_eventletwsgi:
+      level: WARNING
+      handlers: stderr
+      qualname: eventlet.wsgi.server
+    logger_sqlalchemy:
+      level: WARNING
+      handlers: stderr
+      qualname: sqlalchemy
+    logger_boto:
+      level: WARNING
+      handlers: stderr
+      qualname: boto
+    handler_null:
+      class: logging.NullHandler
+      formatter: default
+      args: ()
+    handler_stdout:
+      class: StreamHandler
+      args: (sys.stdout,)
+      formatter: context
+    handler_stderr:
+      class: StreamHandler
+      args: (sys.stderr,)
+      formatter: context
+    formatter_context:
+      class: oslo_log.formatters.ContextFormatter
+      datefmt: "%Y-%m-%d %H:%M:%S"
+    formatter_default:
+      format: "%(message)s"
+      datefmt: "%Y-%m-%d %H:%M:%S"
+
+network:
+  api:
+    ingress:
+      public: true
+      classes:
+        namespace: "nginx"
+        cluster: "nginx-cluster"
+      annotations:
+        nginx.ingress.kubernetes.io/rewrite-target: /
+    node_port:
+      enabled: false
+      port: 30778
+
+bootstrap:
+  enabled: false
+  ks_user: senlin
+  script: |
+    openstack token issue
+
+dependencies:
+  dynamic:
+    common:
+      local_image_registry:
+        jobs:
+          - senlin-image-repo-sync
+        services:
+          - endpoint: node
+            service: local_image_registry
+  static:
+    engine_cleaner:
+      jobs:
+        - senlin-db-sync
+      services:
+        - endpoint: internal
+          service: oslo_db
+        - endpoint: internal
+          service: oslo_messaging
+        - endpoint: internal
+          service: identity
+    api:
+      jobs:
+        - senlin-db-sync
+        - senlin-ks-user
+        - senlin-ks-endpoints
+        - senlin-rabbit-init
+      services:
+        - endpoint: internal
+          service: oslo_db
+        - endpoint: internal
+          service: identity
+        - endpoint: internal
+          service: oslo_messaging
+    db_drop:
+      services:
+        - endpoint: internal
+          service: oslo_db
+    db_init:
+      services:
+        - endpoint: internal
+          service: oslo_db
+    db_sync:
+      jobs:
+        - senlin-db-init
+      services:
+        - endpoint: internal
+          service: oslo_db
+    engine:
+      jobs:
+        - senlin-db-sync
+        - senlin-ks-user
+        - senlin-ks-endpoints
+        - senlin-rabbit-init
+      services:
+        - endpoint: internal
+          service: oslo_db
+        - endpoint: internal
+          service: identity
+    conductor:
+      jobs:
+        - senlin-db-sync
+        - senlin-ks-user
+        - senlin-ks-endpoints
+        - senlin-rabbit-init
+      services:
+        - endpoint: internal
+          service: oslo_db
+        - endpoint: internal
+          service: identity
+    health_manager:
+      jobs:
+        - senlin-db-sync
+        - senlin-ks-user
+        - senlin-ks-endpoints
+        - senlin-rabbit-init
+      services:
+        - endpoint: internal
+          service: oslo_db
+        - endpoint: internal
+          service: identity
+    ks_endpoints:
+      jobs:
+        - senlin-ks-service
+      services:
+        - endpoint: internal
+          service: identity
+    ks_service:
+      services:
+        - endpoint: internal
+          service: identity
+    ks_user:
+      services:
+        - endpoint: internal
+          service: identity
+    rabbit_init:
+      services:
+        - endpoint: internal
+          service: oslo_messaging
+    tests:
+      services:
+        - endpoint: internal
+          service: identity
+        - endpoint: internal
+          service: clustering
+    image_repo_sync:
+      services:
+        - endpoint: internal
+          service: local_image_registry
+
+# Names of secrets used by bootstrap and environmental checks
+secrets:
+  identity:
+    admin: senlin-keystone-admin
+    senlin: senlin-keystone-user
+  oslo_db:
+    admin: senlin-db-admin
+    senlin: senlin-db-user
+  oslo_messaging:
+    admin: senlin-rabbitmq-admin
+    senlin: senlin-rabbitmq-user
+
+# typically overridden by environmental
+# values, but should include all endpoints
+# required by this chart
+endpoints:
+  cluster_domain_suffix: cluster.local
+  local_image_registry:
+    name: docker-registry
+    namespace: docker-registry
+    hosts:
+      default: localhost
+      internal: docker-registry
+      node: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        node: 5000
+  identity:
+    name: keystone
+    auth:
+      admin:
+        region_name: RegionOne
+        username: admin
+        password: password
+        project_name: admin
+        user_domain_name: default
+        project_domain_name: default
+      senlin:
+        role: admin
+        region_name: RegionOne
+        username: senlin
+        password: password
+        project_name: service
+        user_domain_name: service
+        project_domain_name: service
+      test:
+        role: admin
+        region_name: RegionOne
+        username: senlin-test
+        password: password
+        project_name: test
+        user_domain_name: service
+        project_domain_name: service
+    hosts:
+      default: keystone
+      internal: keystone-api
+    host_fqdn_override:
+      default: null
+    path:
+      default: /v3
+    scheme:
+      default: http
+    port:
+      api:
+        default: 80
+        internal: 5000
+  clustering:
+    name: senlin
+    hosts:
+      default: senlin-api
+      public: senlin
+    host_fqdn_override:
+      default: null
+    path:
+      default: null
+    scheme:
+      default: http
+    port:
+      api:
+        default: 8778
+        public: 80
+  oslo_db:
+    auth:
+      admin:
+        username: root
+        password: password
+      senlin:
+        username: senlin
+        password: password
+    hosts:
+      default: mariadb
+    host_fqdn_override:
+      default: null
+    path: /senlin
+    scheme: mysql+pymysql
+    port:
+      mysql:
+        default: 3306
+  oslo_cache:
+    auth:
+      # NOTE(portdirect): this is used to define the value for keystone
+      # authtoken cache encryption key, if not set it will be populated
+      # automatically with a random value, but to take advantage of
+      # this feature all services should be set to use the same key,
+      # and memcache service.
+      memcache_secret_key: null
+    hosts:
+      default: memcached
+    host_fqdn_override:
+      default: null
+    port:
+      memcache:
+        default: 11211
+  oslo_messaging:
+    auth:
+      admin:
+        username: rabbitmq
+        password: password
+      senlin:
+        username: senlin
+        password: password
+    statefulset:
+      replicas: 2
+      name: rabbitmq-rabbitmq
+    hosts:
+      default: rabbitmq
+    host_fqdn_override:
+      default: null
+    path: /senlin
+    scheme: rabbit
+    port:
+      amqp:
+        default: 5672
+      http:
+        default: 15672
+  fluentd:
+    namespace: null
+    name: fluentd
+    hosts:
+      default: fluentd-logging
+    host_fqdn_override:
+      default: null
+    path:
+      default: null
+    scheme: 'http'
+    port:
+      service:
+        default: 24224
+      metrics:
+        default: 24220
+
+pod:
+  user:
+    senlin:
+      uid: 42424
+  affinity:
+    anti:
+      type:
+        default: preferredDuringSchedulingIgnoredDuringExecution
+      topologyKey:
+        default: kubernetes.io/hostname
+      weight:
+        default: 10
+  mounts:
+    senlin_api:
+      init_container: null
+      senlin_api:
+        volumeMounts:
+        volumes:
+    senlin_conductor:
+      init_container: null
+      senlin_conductor:
+        volumeMounts:
+        volumes:
+    senlin_engine:
+      init_container: null
+      senlin_engine:
+        volumeMounts:
+        volumes:
+    senlin_health_manager:
+      init_container: null
+      senlin_health_manager:
+        volumeMounts:
+        volumes:
+    senlin_bootstrap:
+      init_container: null
+      senlin_bootstrap:
+        volumeMounts:
+        volumes:
+    senlin_engine_cleaner:
+      init_container: null
+      senlin_engine_cleaner:
+        volumeMounts:
+        volumes:
+    senlin_tests:
+      init_container: null
+      senlin_tests:
+        volumeMounts:
+        volumes:
+    senlin_db_sync:
+      senlin_db_sync:
+        volumeMounts:
+        volumes:
+  replicas:
+    api: 1
+    conductor: 1
+    engine: 1
+    health_manager: 1
+  lifecycle:
+    upgrades:
+      deployments:
+        revision_history: 3
+        pod_replacement_strategy: RollingUpdate
+        rolling_update:
+          max_unavailable: 1
+          max_surge: 3
+    disruption_budget:
+      api:
+        min_available: 0
+    termination_grace_period:
+      api:
+        timeout: 30
+  resources:
+    enabled: false
+    api:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+    conductor:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+    engine:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+    health_manager:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+    jobs:
+      bootstrap:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      db_init:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      db_sync:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      db_drop:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      ks_endpoints:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      ks_service:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      ks_user:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      rabbit_init:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      tests:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      engine_cleaner:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+      image_repo_sync:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+
+network_policy:
+  senlin:
+    ingress:
+      - {}
+    egress:
+      - {}
+
+helm3_hook: true
+
+manifests:
+  configmap_bin: true
+  configmap_etc: true
+  cron_job_engine_cleaner: true
+  deployment_api: true
+  deployment_conductor: true
+  deployment_engine: true
+  deployment_health_manager: true
+  ingress_api: true
+  job_bootstrap: true
+  job_db_init: true
+  job_db_sync: true
+  job_db_drop: false
+  job_image_repo_sync: true
+  job_ks_endpoints: true
+  job_ks_service: true
+  job_ks_user: true
+  job_rabbit_init: true
+  pdb_api: true
+  pod_test: true
+  network_policy: false
+  secret_db: true
+  secret_keystone: true
+  secret_rabbitmq: true
+  service_ingress_api: true
+  service_api: true
+...
diff --git a/hack/sync-charts.sh b/hack/sync-charts.sh
index 1f473b6..eddc2e3 100755
--- a/hack/sync-charts.sh
+++ b/hack/sync-charts.sh
@@ -23,19 +23,9 @@
 # Determine the root path for Atmosphere
 ATMOSPHERE="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." >/dev/null 2>&1 && pwd )"
 
-# Create work directory to avoid cluttering up workspace
-WORKDIR=$(mktemp -d)
-function cleanup {
-  rm -rfv ${WORKDIR}
-}
-trap cleanup EXIT
-
 # Clean-up all of the existing charts
 rm -rfv ${ATMOSPHERE}/charts/*
 
-# Switch to folder where we will be syncing charts
-pushd ${WORKDIR}
-
 CILIUM_VERSION=1.10.7
 curl -sL https://helm.cilium.io/cilium-${CILIUM_VERSION}.tgz \
   | tar -xz -C ${ATMOSPHERE}/charts
@@ -76,5 +66,70 @@
 curl -sL https://github.com/coredns/helm/releases/download/coredns-${COREDNS_VERSION}/coredns-${COREDNS_VERSION}.tgz \
   | tar -xz -C ${ATMOSPHERE}/charts
 
-# Switch back to original directory
-popd
+MEMCACHED_VERSION=0.1.12
+curl -sL https://tarballs.opendev.org/openstack/openstack-helm-infra/memcached-${MEMCACHED_VERSION}.tgz \
+  | tar -xz -C ${ATMOSPHERE}/charts
+
+KEYSTONE_VERSION=0.2.19
+curl -sL https://tarballs.opendev.org/openstack/openstack-helm/keystone-${KEYSTONE_VERSION}.tgz \
+  | tar -xz -C ${ATMOSPHERE}/charts
+
+BARBICAN_VERSION=0.2.12
+curl -sL https://tarballs.opendev.org/openstack/openstack-helm/barbican-${BARBICAN_VERSION}.tgz \
+  | tar -xz -C ${ATMOSPHERE}/charts
+
+CEPH_PROVISIONERS_VERSION=0.1.8
+curl -sL https://tarballs.opendev.org/openstack/openstack-helm-infra/ceph-provisioners-${CEPH_PROVISIONERS_VERSION}.tgz \
+  | tar -xz -C ${ATMOSPHERE}/charts
+
+GLANCE_VERSION=0.4.1
+curl -sL https://tarballs.opendev.org/openstack/openstack-helm/glance-${GLANCE_VERSION}.tgz \
+  | tar -xz -C ${ATMOSPHERE}/charts
+
+CINDER_VERSION=0.2.25
+curl -sL https://tarballs.opendev.org/openstack/openstack-helm/cinder-${CINDER_VERSION}.tgz \
+  | tar -xz -C ${ATMOSPHERE}/charts
+
+PLACEMENT_VERSION=0.2.10
+curl -sL https://tarballs.opendev.org/openstack/openstack-helm/placement-${PLACEMENT_VERSION}.tgz \
+  | tar -xz -C ${ATMOSPHERE}/charts
+
+OPEN_VSWITCH_VERSION=0.1.10
+curl -sL https://tarballs.opendev.org/openstack/openstack-helm-infra/openvswitch-${OPEN_VSWITCH_VERSION}.tgz \
+  | tar -xz -C ${ATMOSPHERE}/charts
+
+LIBVIRT_VERSION=0.1.8
+curl -sL https://tarballs.opendev.org/openstack/openstack-helm-infra/libvirt-${LIBVIRT_VERSION}.tgz \
+  | tar -xz -C ${ATMOSPHERE}/charts
+
+NEUTRON_VERSION=0.3.2
+curl -sL https://tarballs.opendev.org/openstack/openstack-helm/neutron-${NEUTRON_VERSION}.tgz \
+  | tar -xz -C ${ATMOSPHERE}/charts
+
+NOVA_VERISON=0.2.32
+curl -sL https://tarballs.opendev.org/openstack/openstack-helm/nova-${NOVA_VERISON}.tgz \
+  | tar -xz -C ${ATMOSPHERE}/charts
+
+SENLIN_VERSION=0.2.6
+curl -sL https://tarballs.opendev.org/openstack/openstack-helm/senlin-${SENLIN_VERSION}.tgz \
+  | tar -xz -C ${ATMOSPHERE}/charts
+
+DESIGNATE_VERSION=0.2.7
+curl -sL https://tarballs.opendev.org/openstack/openstack-helm/designate-${DESIGNATE_VERSION}.tgz \
+  | tar -xz -C ${ATMOSPHERE}/charts
+
+HEAT_VERSION=0.2.8
+curl -sL https://tarballs.opendev.org/openstack/openstack-helm/heat-${HEAT_VERSION}.tgz \
+  | tar -xz -C ${ATMOSPHERE}/charts
+
+OCTAVIA_VERSION=0.2.5
+curl -sL https://tarballs.opendev.org/openstack/openstack-helm/octavia-${OCTAVIA_VERSION}.tgz \
+  | tar -xz -C ${ATMOSPHERE}/charts
+
+MAGNUM_VERSION=0.2.8
+curl -sL https://tarballs.opendev.org/openstack/openstack-helm/magnum-${MAGNUM_VERSION}.tgz \
+  | tar -xz -C ${ATMOSPHERE}/charts
+
+HORIZON_VERSION=0.2.24
+curl -sL https://tarballs.opendev.org/openstack/openstack-helm/horizon-${HORIZON_VERSION}.tgz \
+  | tar -xz -C ${ATMOSPHERE}/charts