diff --git a/doc/source/install/setup_openstack_client.rst b/doc/source/install/setup_openstack_client.rst
index d39d402220..58726b3c2f 100644
--- a/doc/source/install/setup_openstack_client.rst
+++ b/doc/source/install/setup_openstack_client.rst
@@ -15,7 +15,7 @@ client.
     cd ~/osh/openstack-helm
     ./tools/deployment/common/setup-client.sh
 
-At this point you have to keep in mind that the above script configures
+Please keep in mind that the above script configures
 OpenStack client so it uses internal Kubernetes FQDNs like
 `keystone.openstack.svc.cluster.local`. In order to be able to resolve these
 internal names you have to configure the Kubernetes authoritative DNS server
@@ -31,5 +31,26 @@ from outside the Kubernetes cluster, typically achieved through solutions like
 have set up proper FQDN resolution to map to the external IP address and
 create the necessary Ingress objects for the associated FQDN.
 
+It is also important to note that the above script does not actually installs
+the Openstack client package on the host but instead it creates a bash
+script `/usr/local/bin/openstack` that runs the Openstack client in a
+Docker container. If you need to pass extra command line parameters to the
+`docker run` command use the environment variable
+`OPENSTACK_CLIENT_CONTAINER_EXTRA_ARGS`. For example if you need to mount a
+directory from the host file system, you can do the following
+
+.. code-block:: bash
+
+    export OPENSTACK_CLIENT_CONTAINER_EXTRA_ARGS="-v /data:/data"
+    /usr/local/bin/openstack <subcommand> <options>
+
+Remember that the container file system is ephemeral and is destroyed
+when you stop the container. So if you would like to use the
+Openstack client capabilities interfacing with the file system then you have to mount
+a directory from the host file system where you will read/write necessary files.
+For example, this is useful when you create a key pair and save the private key in a file
+which is then used for ssh access to VMs. Or it could be Heat recipes
+which you prepare in advance and then use with Openstack client.
+
 .. _setup-client.sh: https://opendev.org/openstack/openstack-helm/src/branch/master/tools/deployment/common/setup-client.sh
 .. _MetalLB: https://metallb.universe.tf
diff --git a/tools/deployment/common/prepare-k8s.sh b/tools/deployment/common/prepare-k8s.sh
index 6cf7083f30..f1146a9b6f 100755
--- a/tools/deployment/common/prepare-k8s.sh
+++ b/tools/deployment/common/prepare-k8s.sh
@@ -47,4 +47,9 @@ EOF
 kubectl apply -f /tmp/${NAMESPACE}-ns.yaml
 done
 
+#NOTE: Build helm-toolkit, most charts depend on helm-toolkit
+export HELM_CHART_ROOT_PATH="${HELM_CHART_ROOT_PATH:="${OSH_INFRA_PATH:="../openstack-helm-infra"}"}"
+make -C ${HELM_CHART_ROOT_PATH} helm-toolkit
+
+# Build all charts
 make all
diff --git a/tools/deployment/common/setup-client.sh b/tools/deployment/common/setup-client.sh
index b870d4c6dc..2b4ce4245d 100755
--- a/tools/deployment/common/setup-client.sh
+++ b/tools/deployment/common/setup-client.sh
@@ -14,13 +14,6 @@
 
 set -xe
 
-sudo -H -E pip3 install --upgrade pip
-sudo -H -E pip3 install \
-  -c${UPPER_CONSTRAINTS_FILE:=https://releases.openstack.org/constraints/upper/${OPENSTACK_RELEASE:-xena}} \
-  cmd2 python-openstackclient python-heatclient --ignore-installed
-
-export HELM_CHART_ROOT_PATH="${HELM_CHART_ROOT_PATH:="${OSH_INFRA_PATH:="../openstack-helm-infra"}"}"
-
 sudo -H mkdir -p /etc/openstack
 sudo -H chown -R $(id -un): /etc/openstack
 FEATURE_GATE="tls"; if [[ ${FEATURE_GATES//,/ } =~ (^|[[:space:]])${FEATURE_GATE}($|[[:space:]]) ]]; then
@@ -54,5 +47,18 @@ else
 EOF
 fi
 
-#NOTE: Build helm-toolkit, most charts depend on helm-toolkit
-make -C ${HELM_CHART_ROOT_PATH} helm-toolkit
+sudo tee /usr/local/bin/openstack << EOF
+#!/bin/bash
+args=("\$@")
+
+sudo docker run \\
+    --rm \\
+    --network host \\
+    -w / \\
+    -v /etc/openstack/clouds.yaml:/etc/openstack/clouds.yaml \\
+    -v /etc/openstack-helm:/etc/openstack-helm \\
+    -e OS_CLOUD=\${OS_CLOUD} \\
+    \${OPENSTACK_CLIENT_CONTAINER_EXTRA_ARGS} \\
+    docker.io/openstackhelm/openstack-client:\${OPENSTACK_RELEASE:-2023.2} openstack "\${args[@]}"
+EOF
+sudo chmod +x /usr/local/bin/openstack
diff --git a/tools/deployment/common/use-it.sh b/tools/deployment/common/use-it.sh
index afd75e5a99..448b7732ee 100755
--- a/tools/deployment/common/use-it.sh
+++ b/tools/deployment/common/use-it.sh
@@ -15,6 +15,19 @@ set -xe
 
 export OS_CLOUD=openstack_helm
 
+: ${HEAT_DIR:="$(readlink -f ./tools/deployment/common)"}
+: ${SSH_DIR:="${HOME}/.ssh"}
+
+if [[ -n ${HEAT_DIR} ]]; then
+  OPENSTACK_CLIENT_CONTAINER_EXTRA_ARGS="${OPENSTACK_CLIENT_CONTAINER_EXTRA_ARGS} -v ${HEAT_DIR}:${HEAT_DIR}"
+fi
+
+if [[ -n ${SSH_DIR} ]]; then
+  OPENSTACK_CLIENT_CONTAINER_EXTRA_ARGS="${OPENSTACK_CLIENT_CONTAINER_EXTRA_ARGS} -v ${SSH_DIR}:${SSH_DIR}"
+fi
+
+export OPENSTACK_CLIENT_CONTAINER_EXTRA_ARGS
+
 : ${OSH_EXT_NET_NAME:="public"}
 : ${OSH_EXT_SUBNET_NAME:="public-subnet"}
 : ${OSH_EXT_SUBNET:="172.24.4.0/24"}
@@ -26,7 +39,7 @@ openstack stack show "heat-public-net-deployment" || \
     --parameter subnet_name=${OSH_EXT_SUBNET_NAME} \
     --parameter subnet_cidr=${OSH_EXT_SUBNET} \
     --parameter subnet_gateway=${OSH_BR_EX_ADDR%/*} \
-    -t ./tools/deployment/common/heat-public-net-deployment.yaml \
+    -t ${HEAT_DIR}/heat-public-net-deployment.yaml \
     heat-public-net-deployment
 
 : ${OSH_PRIVATE_SUBNET_POOL:="10.0.0.0/8"}
@@ -37,7 +50,7 @@ openstack stack show "heat-subnet-pool-deployment" || \
     --parameter subnet_pool_name=${OSH_PRIVATE_SUBNET_POOL_NAME} \
     --parameter subnet_pool_prefixes=${OSH_PRIVATE_SUBNET_POOL} \
     --parameter subnet_pool_default_prefix_length=${OSH_PRIVATE_SUBNET_POOL_DEF_PREFIX} \
-    -t ./tools/deployment/common/heat-subnet-pool-deployment.yaml \
+    -t ${HEAT_DIR}/heat-subnet-pool-deployment.yaml \
     heat-subnet-pool-deployment
 
 : ${OSH_EXT_NET_NAME:="public"}
@@ -50,12 +63,12 @@ IMAGE_NAME=$(openstack image show -f value -c name \
     grep "^\"Cirros" | head -1 | awk -F ',' '{ print $2 }' | tr -d '"'))
 
 # Setup SSH Keypair in Nova
-mkdir -p ${HOME}/.ssh
-
+mkdir -p ${SSH_DIR}
 
 openstack keypair show "${OSH_VM_KEY_STACK}" || \
-  openstack keypair create --private-key ${HOME}/.ssh/osh_key ${OSH_VM_KEY_STACK}
-chmod 600 ${HOME}/.ssh/osh_key
+  openstack keypair create --private-key ${SSH_DIR}/osh_key ${OSH_VM_KEY_STACK}
+sudo chown $(id -un) ${SSH_DIR}/osh_key
+chmod 600 ${SSH_DIR}/osh_key
 
 openstack stack show "heat-basic-vm-deployment" || \
   openstack stack create --wait \
@@ -64,7 +77,7 @@ openstack stack show "heat-basic-vm-deployment" || \
       --parameter ssh_key=${OSH_VM_KEY_STACK} \
       --parameter cidr=${OSH_PRIVATE_SUBNET} \
       --parameter dns_nameserver=${OSH_BR_EX_ADDR%/*} \
-      -t ./tools/deployment/common/heat-basic-vm-deployment.yaml \
+      -t ${HEAT_DIR}/heat-basic-vm-deployment.yaml \
       heat-basic-vm-deployment
 
 FLOATING_IP=$(openstack stack output show \
@@ -104,13 +117,13 @@ EOF
 # note: ssh-keyscan should be re-enabled to prevent skip host key checking
 #   ssh-keyscan does not use ssh_config so ignore host key checking for now
 #ssh-keyscan "$FLOATING_IP" >> ~/.ssh/known_hosts
-ssh -o "StrictHostKeyChecking no" -i ${HOME}/.ssh/osh_key cirros@${FLOATING_IP} ping -q -c 1 -W 2 ${OSH_BR_EX_ADDR%/*}
+ssh -o "StrictHostKeyChecking no" -i ${SSH_DIR}/osh_key cirros@${FLOATING_IP} ping -q -c 1 -W 2 ${OSH_BR_EX_ADDR%/*}
 
 # Check the VM can reach the metadata server
-ssh -i ${HOME}/.ssh/osh_key cirros@${FLOATING_IP} curl --verbose --connect-timeout 5 169.254.169.254
+ssh -i ${SSH_DIR}/osh_key cirros@${FLOATING_IP} curl --verbose --connect-timeout 5 169.254.169.254
 
 # Check the VM can reach the keystone server
-ssh -i ${HOME}/.ssh/osh_key cirros@${FLOATING_IP} curl --verbose --connect-timeout 5 keystone.openstack.svc.cluster.local
+ssh -i ${SSH_DIR}/osh_key cirros@${FLOATING_IP} curl --verbose --connect-timeout 5 keystone.openstack.svc.cluster.local
 
 # Check to see if cinder has been deployed, if it has then perform a volume attach.
 if openstack service list -f value -c Type | grep -q "^volume"; then
@@ -121,18 +134,18 @@ if openstack service list -f value -c Type | grep -q "^volume"; then
 
   # Get the devices that are present on the instance
   DEVS_PRE_ATTACH=$(mktemp)
-  ssh -i ${HOME}/.ssh/osh_key cirros@${FLOATING_IP} lsblk > ${DEVS_PRE_ATTACH}
+  ssh -i ${SSH_DIR}/osh_key cirros@${FLOATING_IP} lsblk > ${DEVS_PRE_ATTACH}
 
   openstack stack list show "heat-vm-volume-attach" || \
   # Create and attach a block device to the instance
     openstack stack create --wait \
       --parameter instance_uuid=${INSTANCE_ID} \
-      -t ./tools/deployment/common/heat-vm-volume-attach.yaml \
+      -t ${HEAT_DIR}/heat-vm-volume-attach.yaml \
       heat-vm-volume-attach
 
   # Get the devices that are present on the instance
   DEVS_POST_ATTACH=$(mktemp)
-  ssh -i ${HOME}/.ssh/osh_key cirros@${FLOATING_IP} lsblk > ${DEVS_POST_ATTACH}
+  ssh -i ${SSH_DIR}/osh_key cirros@${FLOATING_IP} lsblk > ${DEVS_POST_ATTACH}
 
   # Check that we have the expected number of extra devices on the instance post attach
   if ! [ "$(comm -13 ${DEVS_PRE_ATTACH} ${DEVS_POST_ATTACH} | wc -l)" -eq "1" ]; then
diff --git a/zuul.d/base.yaml b/zuul.d/base.yaml
index 72254ec9ae..88364f06bd 100644
--- a/zuul.d/base.yaml
+++ b/zuul.d/base.yaml
@@ -60,6 +60,7 @@
       helm_version: "v3.6.3"
       yq_version: "v4.6.0"
       crictl_version: "v1.26.1"
+      zuul_osh_relative_path: ../openstack-helm
       zuul_osh_infra_relative_path: ../openstack-helm-infra
       gate_scripts_relative_path: ../openstack-helm
       run_helm_tests: "no"