diff --git a/mcapi_vexxhost/playbooks/bootstrap.yml b/mcapi_vexxhost/playbooks/bootstrap.yml
new file mode 100644
index 00000000..0b799a99
--- /dev/null
+++ b/mcapi_vexxhost/playbooks/bootstrap.yml
@@ -0,0 +1,7 @@
+- hosts: localhost
+ gather_facts: false
+ tasks:
+ - name: Copy configuration files into place
+ ansible.builtin.copy:
+ src: '.'
+ dest: '/etc/'
diff --git a/mcapi_vexxhost/playbooks/files/openstack_deploy/conf.d/k8s.yml b/mcapi_vexxhost/playbooks/files/openstack_deploy/conf.d/k8s.yml
new file mode 100644
index 00000000..3e2d3a72
--- /dev/null
+++ b/mcapi_vexxhost/playbooks/files/openstack_deploy/conf.d/k8s.yml
@@ -0,0 +1,3 @@
+cluster-api_hosts:
+ aio1:
+ ip: 172.29.236.100
diff --git a/mcapi_vexxhost/playbooks/files/openstack_deploy/env.d/k8s.yml b/mcapi_vexxhost/playbooks/files/openstack_deploy/env.d/k8s.yml
new file mode 100644
index 00000000..c27f6dea
--- /dev/null
+++ b/mcapi_vexxhost/playbooks/files/openstack_deploy/env.d/k8s.yml
@@ -0,0 +1,20 @@
+---
+component_skel:
+ k8s_capi:
+ belongs_to:
+ - k8s_all
+
+container_skel:
+ k8s_container:
+ belongs_to:
+ - cluster-api_containers
+ contains:
+ - k8s_capi
+
+physical_skel:
+ cluster-api_containers:
+ belongs_to:
+ - all_containers
+ cluster-api_hosts:
+ belongs_to:
+ - hosts
diff --git a/mcapi_vexxhost/playbooks/files/openstack_deploy/group_vars/k8s_all/haproxy_service.yml b/mcapi_vexxhost/playbooks/files/openstack_deploy/group_vars/k8s_all/haproxy_service.yml
new file mode 100644
index 00000000..f73555c4
--- /dev/null
+++ b/mcapi_vexxhost/playbooks/files/openstack_deploy/group_vars/k8s_all/haproxy_service.yml
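Review bot: The copy task in bootstrap.yml writes into `/etc/` with neither `become` nor an explicit `mode`, so it relies on the playbook already running as root and leaves the copied tree with umask-default permissions rather than a stated one. `src: '.'` is also easy to misread: a relative `src` resolves against the play's `files/` directory, and the copy module documents different behaviour for directory paths with and without a trailing `/`, so it is worth confirming that `.` copies the contents rather than a `.` entry. Naming the tree explicitly, e.g. `src: openstack_deploy` with `dest: /etc/` (if `files/` holds only that tree), together with `mode: '0644'` and `directory_mode: '0755'`, makes both the intent and the resulting permissions visible.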
@@ -0,0 +1,43 @@
+---
+# Copyright 2023, BBC R&D
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+haproxy_k8s_service:
+ haproxy_service_name: k8s
+ haproxy_backend_nodes: "{{ groups['k8s_all'] | default([]) }}"
+ haproxy_ssl: false
+ haproxy_ssl_all_vips: false
+ haproxy_port: 6443
+ haproxy_balance_type: tcp
+ haproxy_balance_alg: leastconn
+ haproxy_interval: '15000'
+ haproxy_backend_port: 6443
+ haproxy_backend_rise: 2
+ haproxy_backend_fall: 2
+ haproxy_timeout_server: '15m'
+ haproxy_timeout_client: '5m'
+ haproxy_backend_options:
+ - tcplog
+ - ssl-hello-chk
+ - log-health-checks
+ - httpchk GET /healthz
+ haproxy_backend_httpcheck_options:
+ - 'send hdr User-Agent "osa-haproxy-healthcheck" meth GET uri /healthz'
+ haproxy_backend_server_options:
+ - check-ssl
+ - verify none
+ haproxy_service_enabled: "{{ groups['k8s_all'] is defined and groups['k8s_all'] | length > 0 }}"
+
+k8s_haproxy_services:
+ - "{{ haproxy_k8s_service | combine(haproxy_k8s_service_overrides | default({})) }}"
diff --git a/mcapi_vexxhost/playbooks/files/openstack_deploy/group_vars/k8s_all/main.yml b/mcapi_vexxhost/playbooks/files/openstack_deploy/group_vars/k8s_all/main.yml
new file mode 100644
index 00000000..43bf045c
--- /dev/null
+++ b/mcapi_vexxhost/playbooks/files/openstack_deploy/group_vars/k8s_all/main.yml
@@ -0,0 +1,6 @@
+lxc_container_config_list:
+ - "lxc.apparmor.profile=unconfined"
+
+lxc_container_mount_auto:
+ - "proc:rw"
+ - "sys:rw"
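Review bot: The k8s VIP in haproxy_service.yml is a plain TCP passthrough (`haproxy_ssl: false`, `haproxy_balance_type: tcp`) to the API servers' own TLS on 6443, and the `check-ssl` / `verify none` pair applies only to the health probe, but nothing in the file says so; someone later "fixing" `haproxy_ssl: false` would likely have HAProxy terminate TLS and break client-certificate authentication to the API. A comment such as `# TLS passthrough: the API servers terminate TLS themselves; verify none only affects the health check` above `haproxy_k8s_service:` would pin that down. `haproxy_interval: '15000'` is also the one numeric value written as a quoted string while `haproxy_port`, `haproxy_backend_port`, `haproxy_backend_rise` and `haproxy_backend_fall` are plain integers — worth making consistent unless the role requires a string there.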
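Review bot: main.yml puts every container in k8s_all on `lxc.apparmor.profile=unconfined` with `proc:rw` and `sys:rw` mounts and gives no reason, which is a deliberate relaxation of the container boundary: with no AppArmor profile and writable /proc and /sys, a compromise of the kubelet container is close to a compromise of the host. If this is what kubelet and cilium need inside LXC (as the non-init-namespace comments in user_variables_k8s.yml suggest), say so in a comment, e.g. `# kubelet/cilium need unconfined apparmor and rw proc/sys inside LXC; this removes most host isolation for these containers`, so the trade-off is visible to whoever audits the group_vars later.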
diff --git a/mcapi_vexxhost/playbooks/files/openstack_deploy/user-ansible-venv-requirements.txt b/mcapi_vexxhost/playbooks/files/openstack_deploy/user-ansible-venv-requirements.txt
new file mode 100644
index 00000000..9e41ab05
--- /dev/null
+++ b/mcapi_vexxhost/playbooks/files/openstack_deploy/user-ansible-venv-requirements.txt
@@ -0,0 +1,2 @@
+docker-image-py
+kubernetes
diff --git a/mcapi_vexxhost/playbooks/files/openstack_deploy/user-collection-requirements.yml b/mcapi_vexxhost/playbooks/files/openstack_deploy/user-collection-requirements.yml
new file mode 100644
index 00000000..3f1a36f1
--- /dev/null
+++ b/mcapi_vexxhost/playbooks/files/openstack_deploy/user-collection-requirements.yml
@@ -0,0 +1,9 @@
+collections:
+ - name: vexxhost.kubernetes
+ source: https://github.com/jrosser/ansible-collection-kubernetes
+ type: git
+ version: synchronize
+ - name: osa_ops.mcapi_vexxhost
+ type: git
+ version: master
+ source: https://opendev.org/openstack/openstack-ansible-ops#/mcapi_vexxhost
diff --git a/mcapi_vexxhost/playbooks/files/openstack_deploy/user_variables_k8s.yml b/mcapi_vexxhost/playbooks/files/openstack_deploy/user_variables_k8s.yml
new file mode 100644
index 00000000..5587921f
--- /dev/null
+++ b/mcapi_vexxhost/playbooks/files/openstack_deploy/user_variables_k8s.yml
@@ -0,0 +1,16 @@
+# wire OSA group, host and network addresses into k8s deployment
+kubernetes_control_plane_group: k8s_container
+kubelet_hostname: "{{ ansible_facts['hostname'] }}"
+kubelet_node_ip: "{{ management_address }}"
+kubernetes_hostname: "{{ internal_lb_vip_address }}"
+kubernetes_non_init_namespace: true
+
+# Pick a range of addresses for cilium that do not collide with anything else
+cilium_ipv4_cidr: 172.29.200.0/22
+
+# Set this manually, or kube-proxy will try to do this - not possible
+# in a non-init namespace and will fail in LXC
+openstack_host_nf_conntrack_max: 1572864
+
+# OSA containers dont run ssh by default so cannot use synchronize
+upload_helm_chart_method: copy
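Review bot: Every dependency added here resolves to a mutable reference — `docker-image-py` and `kubernetes` are unpinned in user-ansible-venv-requirements.txt, and user-collection-requirements.yml pulls `vexxhost.kubernetes` from a personal fork at branch `synchronize` and `osa_ops.mcapi_vexxhost` at `master`; the same applies to `magnum-cluster-api@main` in user_variables_z_magnum.yml. Whatever sits at the tip of those branches when the job runs is what gets installed, so the deployment is not reproducible and an upstream change lands here without passing through review. Pinning to a tag or commit, e.g. `version: <commit-sha>` for the git collections and `kubernetes==<tested-version>` in the requirements file, gives a fixed input that can be bumped deliberately.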
diff --git a/mcapi_vexxhost/playbooks/files/openstack_deploy/user_variables_tempest.yml b/mcapi_vexxhost/playbooks/files/openstack_deploy/user_variables_tempest.yml
new file mode 100644
index 00000000..a3c507d7
--- /dev/null
+++ b/mcapi_vexxhost/playbooks/files/openstack_deploy/user_variables_tempest.yml
@@ -0,0 +1 @@
+tempest_install_method: "none"
\ No newline at end of file
diff --git a/mcapi_vexxhost/playbooks/files/openstack_deploy/user_variables_z_magnum.yml b/mcapi_vexxhost/playbooks/files/openstack_deploy/user_variables_z_magnum.yml
new file mode 100644
index 00000000..6180a893
--- /dev/null
+++ b/mcapi_vexxhost/playbooks/files/openstack_deploy/user_variables_z_magnum.yml
@@ -0,0 +1,69 @@
+---
+# Copyright 2020, VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# install the vexxhost magnum-cluster-api plugin into the magnum venv
+# TODO - this is tip of the branch with CA fixes
+# WARNING - this always installs the most recent release rather than the tip of main
+magnum_user_pip_packages:
+ - git+https://github.com/vexxhost/magnum-cluster-api@main#egg=magnum-cluster-api
+ - kubernetes
+
+# ensure that the internal VIP CA is trusted by the CAPI driver
+# TODO - this is too hardwired somehow
+magnum_config_overrides:
+ drivers:
+ openstack_ca_file: '/usr/local/share/ca-certificates/ExampleCorpRoot.crt'
+ capi_client:
+ ca_file: '/usr/local/share/ca-certificates/ExampleCorpRoot.crt'
+ endpoint: 'internalURL'
+ cluster_template:
+ kubernetes_allowed_network_drivers: 'calico'
+ kubernetes_default_network_driver: 'calico'
+ certificates:
+ cert_manager_type: x509keypair
+
+magnum_glance_images:
+ - disk_format: qcow2
+ distro: ubuntu
+ file: https://object-storage.public.mtl1.vexxhost.net/swift/v1/a91f106f55e64246babde7402c21b87a/magnum-capi/ubuntu-2204-kube-v1.23.17.qcow2
+ image_format: bare
+ name: ubuntu-2204-kube-v1.23.17
+ public: true
+
+# NOTE(jrosser) the cluster template cannot be created until the k8s credentials are dropped
+# in the magnum container, so we must leave this till later
+magnum_cluster_templates: []
+
+magnum_flavors:
+ - cloud: default
+ disk: 40
+ name: m1.medium
+ ram: 4096
+ vcpus: 2
+
+tempest_test_includelist:
+ - magnum_tempest_plugin.tests
+
+
+# NOTE(noonedeadpunk): We comment these tests out because of weird magnum things happening like
+# http://paste.openstack.org/show/790131/
+# But when "b''" around auth toke is dropped, everything is fine.
+tempest_test_excludelist:
+ - magnum_tempest_plugin.tests.api.v1.test_cluster.ClusterTest.test_create_list_sign_delete_clusters
+ - magnum_tempest_plugin.tests.api.v1.test_cluster.ClusterTest.test_create_cluster_with_nonexisting_flavor
+ - magnum_tempest_plugin.tests.api.v1.test_cluster.ClusterTest.test_create_cluster_with_zero_nodes
+
+tempest_tempest_conf_overrides_magnum:
+ magnum:
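Review bot: The two comments above `magnum_user_pip_packages` in user_variables_z_magnum.yml contradict each other — `# TODO - this is tip of the branch with CA fixes` and `# WARNING - this always installs the most recent release rather than the tip of main` — while the entry itself is `git+...magnum-cluster-api@main`, which installs the tip of `main` at run time, so one of the two is stale and should go. The `magnum_config_overrides` block hard-codes `/usr/local/share/ca-certificates/ExampleCorpRoot.crt` twice under a `# TODO - this is too hardwired somehow`; routing both entries through one variable would at least keep them from drifting apart. The hunk as shown also ends with a bare `magnum:` under `tempest_tempest_conf_overrides_magnum`, which parses to `null` rather than an empty mapping — if that section is meant to be empty write `magnum: {}`, and if keys were meant to follow they are missing.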